In today’s Washington Post, Richard Falkenrath defends the NSA call records program. He has this discussion of its legality:
There are, of course, strict legal limits on the ability of federal agencies such as the NSA to compel the provision of domestic information or to collect it secretly. The USA Today story, however, alleges that three telecommunications companies — AT&T, Verizon and BellSouth — provided it voluntarily. How else could one company (Qwest) decline to provide the information? Since there is no prohibition against federal agencies receiving voluntarily provided business records relating to their responsibilities, it appears that the NSA’s alleged receipt and retention of such information is perfectly legal.
The three companies reported to have supplied telephone records to the NSA also appear to be acting lawfully. The Telecommunications Act of 1934, as amended, generally prohibits the release of “individually identifiable customer proprietary network information” except under force of law or with the approval of the customer. But, according to USA Today, the telephone records voluntarily provided to the NSA had been anonymized. In addition, the Electronic Communications Privacy Act of 1986 explicitly permits telecommunications companies to provide customer records to the government if the government asks for them. So it would appear that the companies have been acting not just in the public interest, but also within the law and without encroaching on the privacy of any of their customers.
Three quick thoughts in response, taking these points in turn:
1. I think it’s right that the NSA did not act unlawfully by receiving and retaining the records. It may be a different picture if, as some stories have reported, the NSA was doing more than just receiving and retaining. But receiving and retaining alone doesn’t violate the law. If that’s all the NSA did, the issue is the liability of the phone companies, not the liability of the NSA.
2. I don’t know much about the Communications Act of 1934, so I can’t speak to this issue. Can others fill us in on whether this argument is correct? (Preferably with actual legal support rather than mere conclusions.)
3. Falkenrath is just wrong about ECPA. He states that “the Electronic Communications Privacy Act of 1986 explicitly permits telecommunications companies to provide customer records to the government if the government asks for them.” No, it doesn’t. There is no “government request” exception to the ban on disclosure.
I gather the exception Falkenrath has in mind is 18 U.S.C. 2702(c)(1), which allows disclosure if the government has a valid court order or subpoena under 18 U.S.C. 2703. But that exception only applies when the government is compelling the disclosure with a valid court order or subpoena. (There is also a curious exception allowing the government to get the names and phone numbers of suspected telemarketers in telemarketing fraud cases, but that’s obviously inapplicable here.) News reports indicate that the government did not have a court order or subpoena or other legal order. Given that, the exception does not apply.
Falkenrath’s op-ed is shamelessly dishonest. He refers repeatedly to “anonymized” records, as if calling records can’t be related back to the subscribers.
I think it’s right that the NSA did not act unlawfully by receiving and retaining the records.
Please tell me where my analogy goes wrong.
If a friend of mine shows up with a BMW and says, “Here, it’s yours,” and I know full well he stole it and thus shouldn’t be giving it to me, we’re both in trouble. I cannot accept an offer I know the offerer isn’t legally authorized to make.
If my phone company shows up with a lot of customer records and says, “Here, you can have these,” and I know full well that the company shouldn’t be giving this stuff out, only the phone company’s in trouble. I can accept this offer, even though I know the offerer isn’t legally authorized to make it.
What’s the difference?
[OK Comments: Possession of stolen property is a statutory crime. Accepting records isn't.]
While I certainly expect that the phone companies could not, I would imagine that they’d like to indemnify the government, arguing that the gov’t would be at least partially liable for the violations. Presumably, the phone companies were solicited for the information rather than shopping it around to government agencies until they found a taker.
I think what FMS means is that the phone companies would like to seek indemnity from the government. Given that the telcoms are sophisticated parties with access to the best legal advice, you’d frankly assume that they would have sought those types of assurances at the front end, before they agreed to turn over the records. I don’t know if a promise by the government to indemnify an illegal act would be technically enforceable, but even an unenforceable promise by the government is worth a lot. Maybe we’ll find out someday what the actual substance of the agreement between the telcoms and the government was.
For whatever it is worth, I spent a good chunk of today thinking and reading about all this, and I think you have it right, Orin.
Okay, Orin, so far I have honored your request for someone with real knowledge of the Communications Act to respond to you, but no one has been forthcoming.
So I will offer my own, purely textual interpretation of the key adjective in the phrase, “individually identifiable customer proprietary network information.”
I think a customer’s name and address are certainly “identifiable” from his phone number, since most subscriber-directory information is readily obtained from commercially available open sources and linking them is a trivial database operation. That is an easier test than “identified.”
Similarly, records without my name but with only my Social Security number or driver’s license number would be “identifiable” to the government.
Regarding the Communications Act (actually the Telecommunications Act of 1996, which is when sec. 222 was enacted):
I didn’t see any decisions interpreting the phrase “individually identifiable,” but there is an interesting one about private rights of action under the statute.
In Conboy v. AT&T Corp., 241 F.3d 242 (2d Cir. 2001), AT&T gave customer information to a credit card company, which used the information to locate and contact one of its debtors. The court assumed that the dissemination violated sec. 222, but nevertheless found that the plaintiffs did not state a claim for damages under 47 USC 206 and 207 for violations of sec. 222. There are no presumed damages for violations of 222, the court said, and the plaintiffs failed to allege any specific damages.
Given the difficulty of pointing to specific damages in the NSA case, it might be hard to recover on a sec. 222 claim (even if the courts agree that the phone numbers are “individually identifiable customer proprietary network information”).
Who owns Qwest? Our good friend from the Carlyle Group! Could be a power play — everybody switches over to Qwest!!!
“[OK Comments: Possession of stolen property is a statutory crime. Accepting records isn’t.]”
But isn’t being an accessory to a crime also a crime? Here is a definition of accessory I found on the web:
“A criminal charge of aiding and abetting or accessory can usually be brought against anyone who helps in the commission of a crime, though legal distinctions vary by state. A person charged with aiding and abetting or accessory is usually not present when the crime itself is committed, but he or she has knowledge of the crime before or after the fact, and may assist in its commission through advice, actions, or financial support. Depending on the degree of involvement, the offender’s participation in the crime may rise to the level of conspiracy.
For example, Andy draws a floor plan of a bank, knowing of Dan’s intention to rob it. After Dan commits the robbery, Alice agrees to let him store the stolen money at her house. Both Andy and Alice can be charged with aiding and abetting, or acting as accessories to the robbery.”
If what the telecom companies did was a crime, isn’t it obvious that the government officials were accessories? After all, presumably, the plan to give the records was the government’s (hence the Andy example applies). Also, the government stored those records (hence the Alice example applies). This violates both of the examples given in the Andy/Alice examples.
[OK Comments: Section 2702 is not a criminal statute. It is a civil statute. It is impossible to violate 2702 in a criminal way, which means that these principles are not relevant here.]
Re: 1, at least one court has found a likelihood of a government violation in similar circumstances under 2703:
McVeigh v. Cohen, 983 F. Supp. 215 (D.D.C. 1998). The text has been amended since then, but now 2703(c) parallels (a) and (b) in form, so the argument about reading (c) in context is no longer necessary.