We now have a slightly better idea of the factual and legal issues surrounding the newly-disclosed NSA Call Records program, and I thought I would offer a second analysis that is more focused and more factually informed than the one I posted this morning. My still-very-tentative bottom line: The companies were probably violating the Stored Communications Act by disclosing the records to the NSA before the Patriot Act renewal in March 2006, although the new language in the Patriot Act renewal at least arguably made it more likely that the disclosure was legal under the emergency exception.
First, let’s update the facts. It now looks relatively clear that the NSA was not directing the telephone companies to conduct any particular monitoring on the NSA’s behalf. Rather, NSA officials were persuading the telephone companies to voluntarily disclose their call records to the government. In other words, the government wasn’t actually doing the monitoring, but instead was encouraging the telephone companies to disclose call records to them that the telephone companies already had collected.
In light of those apparent facts, the key issue to me becomes whether the disclosures were permitted under the Stored Communications Act, and specificially 18 U.S.C. 2702. (For a “user’s guide” to the Stored Communications Act, see here). Telephone companies are providers of “electronic communications service to the public” under the Act, and the Act regulates when providers can disclose non-content records of account information to the government. The ban is in Section 2702(a)(3):
[A] provider of . . . electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications . . . ) to any governmental entity.
Of the possible exceptions to the statute, three are most likely to be relevant. They permit disclosure under the circumstances listed in 18 U.S.C. 2702(c), as amended by the Patriot Act renewal of 2006:
(2) with the lawful consent of the customer or subscriber;
(3) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service;
(4) to a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency[.]
(Note that the link to the Cornell site’s text of 2702 does not have the latest version of the exceptions, as it was last updated in the fall of 2005 and the exceptions were amended in March 2006. I was unable to find the new version on a website, and ended up taking it from Westlaw.).
Let’s take each of these exceptions in turn.
(1) The first exception permits disclosure if the subscriber consents. There are no cases interpreting eactly what consent means in 2702(c)(2), but like many of the exceptions in the SCA it is clearly a copy of an analogous exception in the close cousin of the SCA, the federal Wiretap Act, 18 U.S.C. 2510-22. We do have lots of cases on what consent means in the context of the Wiretap Act, so those cases presumably create the applicable standard here. The basic rule: Consent means that the user actually agreed to the action, either explicitly or implicitly based on the user’s decision to proceed in light of actual notice. Here’s what the First Circuit said on this in United States v. Lanoue, 71 F.3d 966, 981 (1st Cir. 1995):
Keeping in mind that implied consent is not constructive consent but ‘consent in fact,’ consent might be implied in spite of deficient notice, but only in a rare case where the court can conclude with assurance from surrounding circumstances that the party knowingly agreed to the surveillance. We emphasize that consent should not casually be inferred, particularly in a case of deficient notice. The surrounding circumstances must convincingly show that the party knew about and consented to the interception in spite of the lack of formal notice or deficient formal notice.
Did users consent to the disclosure under this standard? The Washington Post reports that government lawyers seemed to think so, based on small print in the Terms of Service of the telephone service customer agreements:
One government lawyer who has participated in negotiations with telecommunications providers said the Bush administration has argued that a company can turn over its entire database of customer records — and even the stored content of calls and e-mails — because customers “have consented to that” when they establish accounts. The fine print of many telephone and Internet service contracts includes catchall provisions, the lawyer said, authorizing the company to disclose such records to protect public safety or national security, or in compliance with a lawful government request. . . . Verizon’s customer agreement, for example, acknowledges the company’s ‘duty under federal law to protect the confidentiality of information about the quantity, technical configuration, type, destination, and amount of your use of our service,’ but it provides for exceptions to ‘protect the safety of customers, employees or property.’ Verizon will disclose confidential records, it says, “as required by law, legal process, or exigent circumstances.”
This seems like a very unpersuasive argument in light of the cases construing consent under the Wiretap Act, of which the consent provision in the SCA is a mirror. It reminds me of the argument that a DOJ lawyer once tried to make that monitoring prison phones was allowed because language in the Code of Federal Regulations clearly notified prisoners that their phones would be monitored. According to the lawyer, the notice in the fine print of the CFR was sufficient to make the monitoring consensual. Judge Posner rejected the argument, calling it “the kind of argument that makes lawyers figures of fun to the lay community.” United States v. Daniels, 902 F.2d 1238 (7th Cir. 1990). In light of these cases, I think the consent argument is weak. (Incidentally, if you look up Daniels, note that Posner incorrectly states later in the opinion that the Second Circuit accepted such a weak notice argument. If you read the Second Circuit case, it is clear that the CA2 did no such thing and that Posner was just being sloppy.)
(2) The next possible exception is disclosure “as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service.” This is known as the provider exception, and is also a copy of an analogous exception from the Wiretap Act, 18 U.S.C. 2511(2)(a)(i). You can read all about this exception here: basically, it gives providers rights to disclose information to the government to help the providers combat illegal service and unauthorized use of the network. It seems pretty clear that this doesn’t apply: The cases make clear that the provider exception exists to further provider interests, not government interests.
(3) The third and final exception is the emergency exception, which permits providers to disclose “if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency.” At the outset, it’s worth noticing something very interesting about this language: It is almost brand spanking new. The language that passed as part of the Patriot Act in 2001 allowed disclosure only when “the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information.” This was the language in place from October 2001 until March 2006. Did the phone companies have such a belief under the 2001-06 language? I gather they had a reasonable belief of danger, but I don’t know of a reason to think that they had a reasonable belief of “immediate” danger. If this was a program ongoing for several years, then it’s hard to say that there was a continuing reasonable belief of immediate danger over that entire time.
As noted above, though, the Patriot Act renewal passed in March 2006 changed this language. And it did so in a way with potentially important implications for the legality of the NSA call records program. The new exception states that disclosure is permitted “if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency.” Few people were paying attention to this change at the time, but I would guess that it was very important to the telephone companies: The change expanded the exception to allow disclosure when there is a good faith belief instead of a reasonable belief, and when there was a danger instead of an “immediate” danger. I wouldn’t be surprised if the telephone companies were pushing the change in part out of concern for civil liability for their participation in the NSA call records program. (Or perhaps not, come to think of it: Does the new language suggest that the information disclosed needs to relate to the emergency to be covered? What if the provider doesn’t know what information relates to the emergency?)
More tomorrow, I hope.
(cross posted at The Volokh Conspiracy)
The reference in WaPo to Daytona got me thinking: what if the telcos are doing the data mining for the NSA? This article in a Japanese paper has an interesting description of an affadavit from a former AT&T technician. He describes a secret room next to the company’s main switching equipment, to which only an “NSA-selected technician” had access. The article says that “the room contained special data mining equipment capable of processing vast amounts of communication traffic [...]”
So what if the NSA isn’t getting any of the raw data or doing any of the data mining? What if it’s helping the telcos do their own data mining? It seems like an argument could be made that the product of this data mining would not be a “record” under the SCA or “customer proprietary network information” under the Communications Act.
Further evidence (from NYTimes):
From the details we know thusfar, this isn’t a program that troubles me especially; however:
Even assuming that “any person” does not narrow the focus of the exception to a good faith concern of imminent harm to a specific group or indivudual, surely it would take a fairly broad reading of the term “emergency” – one that classified the threat of terrorism as an emergeny, rather than an ongoing threat – for §2702(c)(4) to apply?
Even factoring in the language change, which expands the scope from “immediate” to a standard less than immediate, we’re still stuck with the word emergency: “something dangerous or serious, such as an accident, which happens suddenly or unexpectedly and needs immediate action in order to avoid harmful results.” An attack may become an emergency when it happens or is immimently going to happen, but is it really an emergency when there is simply the ongoing possiblity of it? It a nuclear reactor a constant “emergency” because there is an ongoing possibility of meltdown?
It just doesn’t seem as if a permanent, ongoing background terrorist threat falls into the kind of “ermergency” that the normal use of the language in the §2702(c)(4) exception covers.
The word “emergency” still has to mean something. If there is an “emergency” because there could, in theory, be a terrorist attack anywhere in the US at any moment, then there will always be an emergency (and there always has been an emergency). I think a court would interpret the term a bit more soberly than that.
One can assume statutory changes like the one you identify happen for a reason, and it seems likely that this is the reason. However, if you were an attorney advising one of the phone companies, would you really feel protected by this new language? I have to think that the companies who participated in this program did so notwithstanding the advice of counsel; it’s hard to imagine that counsel would be that much happier with the new statute, although it’s a start. In any event, the accumulated civil liability from 4.5 years of violating the SCA would be enough to put them out of business anyway.
I wouldn’t read so much into the timing of the change to the emergency exception for non-content records. As Orin points out, there were no emergency exceptions in the SCA prior to PATRIOT. PATRIOT added 2702(b)(6)(C) for emergency disclosure of content records and 2702(c)(4) for non-content records. Both of these exceptions were of the form:
“if the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person requires disclosure of the information without delay.”
Providers were concerned that this did not give them enough discretion to respond to emergency requests for the reasons that Orin notes. So, Congress changed it in the Law creating the Homeland Security Act. They deleted (b)(6)(C), renamed it (b)(7) and changed the text to read:
“if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.”
But here’s the odd thing. They didn’t change (c)(4) at the same time. This is what’s known in the biz as a “drafting oversight”. So for four years, the rules for emergency disclosure for content differed from the rules for non-content. DOJ and the ISPs had been asking for years for an amendment to harmonize the two emergency exceptions. It looks like Congress finally found an opportunity to harmonize the two sections last March. The subsection of the Law that made the change is entitled, “TECHNICAL AMENDMENTS TO CONFORM COMMUNICATIONS AND CUSTOMER RECORDS EXCEPTIONS.–”
None of this is to say that the change is irrelevant substantively. I just wanted to point out that I don’t find the timing to be all that suspicious.
I am a public utility guy. If the government’s view is that the carriers voluntarily turned over the phone records, then the carriers have run a substantial risk of violating the “customer proprietary network information” restrictions in 47 U.S.C. sec. 222. That statute, and the implenting FCC regulations (47 C.F.R. secs. 64.2001-.2009), preclude a carrier from disclosing call information (including call locations, duration, etc.) “except as required by law or with the approval of the customer.” I do not think the customer contract terms now being advanced by the carriers and government meet the statutory or in particular the FCC’s regulatory requirements for customer consent.
I’m confused — if the gov’t isn’t forcing the companies to turn over the records, then isn’t it the case that the gov’t isn’t violating any law at all since the laws you’re discussing only regulate the service provider (and because, as noted by you earlier, there’s no constitutional problem under Smith v. Maryland)?
So shouldn’t Leahy et al. be directing their ire at the phone companies, not the Bush Administration? The Administration is free to ask for whatever information they want — it’s the providers’ responsibility to figure out what the legal constraints are.
Thanks for the information, Paul. That does make it a bit clearer.
As Paul Ohm observes, the emergency disclosure provision for content (in 2702(b)) was tweaked in the Homeland Security Act. For those who ascribe significance to legislative history, heere are some germane excerpts from House Judiciary Committee Report 107-497:
Additionally, the word ‘‘immediate’’ is not needed. The language of the bill requires that the provider, in good faith, believes (1) that there is an emergency, (2) that emergency involves danger of death or serious physical injury, and (3) that the emergency requires disclosure of the communications without delay. The American Heritage College dictionary defines ‘‘emergency’’ as ‘‘a serious situation or occurrence that happens unexpectedly and demands immediate action.’’
Furthermore, the provider must have a good faith belief that the information should be disclosed without delay. Accordingly, the Committee believes Congress should not add an additional ‘‘immediate’’ requirement that makes the provider determine whether or not the danger itself is immediate. For example, if someone plans to bomb an elementary school next week, then the communications provider should be able to disclose that information and not have to guess whether an action which is to occur a week later constitutes ‘‘an immediate’’ danger or not. In such a case, law enforcement may need all the time it can get to locate the perpetrator and prevent the crime. Another example is where an individual sends an e-mail to another person describing an upcoming terrorist attack he or she is planning, but does not put a date on the attack. A terrorist attack would clearly constitute an emergency that threatens life or limb, but the timing of the attack may not be evident. The attack could be planned for tomorrow or for a year from now. It is clear that there is a danger, but the immediacy of that danger is unclear.
Accordingly, this section changes current law to reflect the fact that if a provider, in good faith, believes there is an emergency, the provider should not be held liable. The Committee would note that section 102 of this bill does not change the standard or lower the standard for law enforcement behavior. This section, instead, requires that a communications provider must have a ‘‘good faith’’ belief that there is an emergency involving danger of death or serious physical injury to any person that requires disclosure without delay. This section is aimed at protecting providers who in good faith attempt to assist law enforcement with an emergency situation.
It seems that the rationale behind the emergency expection is to permit disclosure when a disclosure is needed without any delay – when there is insufficient time to obtain a warrant or legislative authorization, for example. It does not seem plausible that the intent behind the third emergency exception is to permit the government to undertake an on-going, systematic monitoring program that will last in perpetuity.
A PERPETUAL “emergency” with a NEVER-ENDING “immediate” need – that would be quite a troublesome interpretation of such statutory provisions.
Pingback: ACSBlog: The Blog of the American Constitution Society
Pingback: Political Animal
Pingback: Info/Law » NSA Blog Stroll
Pingback: Schneier on Security
I find it cute that the NSA — the US government that has a wee bit of power over these guys — “persuased” the phone company to supply the information. Can I “persuade” them to do stop? I understand the legalisms here, but the word seems inapposite in this context. Like, as suggested by some replies, only the phone company should be liable as if they did all of this with no official pressure put on them. It was all just a good act of “persuasion.”
Pingback: Or How I Learned to Stop Worrying » The Effects Of Drinking Too Much Kool-Aid
Pingback: Homeland Security Watch » Blog Archive » Richard Falkenrath defends NSA telco revelations
Pingback: Exploring International Law
Pingback: Peter Robison » NSA Program #2: Is it legal?
Pingback: Think Progress » Did You Consent to Be Wiretapped?
Pingback: Privacy Digest: Privacy News (Civil Rights, Encryption, Free Speech, Cryptography)