Protection from prying NSA eyes

A (Classified) proposal

The Essential Guide to IT Transformation

Another provision of the Stored Communications Act may also apply here, with thanks to Professor Orrin Kerr of GW University for pointing this out.

Title 18 U.S.C. 2702(a)(3) generally makes it a crime for phone companies or ISPs to disclose either the contents of communications or non-content subscriber information, stating:

  • (a) (3) a provider of remote computing service or electronic communication service to the public [say, a phone company like Verizon or AT&T] shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications...to any governmental entity.
  • (c) Exceptions for disclosure of customer records. A provider...may divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications...)
(1) as otherwise authorised in section 2703 [18 USCS § 2703];
(2) with the lawful consent of the customer or subscriber;
(3) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service;
(4) to a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency;
(5) to the National Centre for Missing and Exploited Children, in connection with a report submitted thereto under section 227 of the Victims of Child Abuse Act of 1990 (42 U.S.C. 13032);
(6) to any person other than a governmental entity.

The statute is pretty clear – it prohibits disclosure to a government entity. When I last checked, the NSA was a government agency. The statute provides for civil penalties and a private right of action against the phone companies for violations. Note here that it is the telephone companies which would be violating the law by acceding to the government's request for data, not the government by requesting the data. Of course, it is possible that the government set up some kind of secret non-governmental corporation (a non-government agency) to receive the data, which then turned it over to the NSA (an ingenious ploy to avoid the statute, since the entity providing the data to the government would not be a provider of electronic communication services.) So far, that's just supposition.

The government could also argue that, by requesting the entire database and no individual records (and by sort-of anonymising the database) the phone companies were not turning over records “pertaining to a subscriber to or customer of such service...” but rather were turning over records pertaining to all subscribers in general, and no subscriber in particular. Because the goal of the statute was to protect the privacy of individuals, the government might assert, the turning over of the massive calling pattern database of all persons doesn’t implicate any individual. Of course, we all know how easily a reverse directory or other database link can be used to turn a database of numbers called into a database of subscribers.

Alternatively, the government could rely on consent, but I don't remember giving such consent, and the language of the phone company's privacy policies discussed later don't seem to support that finding. The statute also allows disclosure to protect the rights or property of the ISP or phone company (usually to prevent fraud or misuse of the network) but allowing disclosure under that exception would seem to eat the rule up entirely. In provisions modified by the USA-PATRIOT Act, the statute also allows disclosure if the phone company has a good faith belief that there is an emergency "involving danger of death or serious physical injury to any person" which requires disclosure without delay of information relating to the emergency.

While in general, preventing terrorist attacks will of course save lives, and while the disclosure of the calling pattern information might prevent future attacks, unless the government could have shown an immediate and pending attack and the disclosure of information about that pending attack, the disclosure would have seemingly violated that statute.

As Professor Kerr points out, the USA Patriot Act expanded the scope of this emergency provision, to allow the phone companies to turn over these records where there is a "good faith" belief that an emergency exists, not just a "reasonable" belief. Perhaps the NSA had this in mind when it suggested the amendment? However, the emergency provisions may not help the government. In 2004, for example, a court found that the government's argument that it was entitled to rely on the emergency provisions as an excuse for a defective search warrant was refuted by evidence that the provider (AOL in that case) did not even turn over the records requested until six days after the request – six days wasn't enough of an emergency to warrant the statute. The emergency provisions were really intended in cases like a kidnapping where death or bodily injury would occur if the information was not disclosed immediately. Essentially, where there was no time to get an appropriate court order, not where, as here, no order was ever going to be sought.

To date, at least two class action lawsuits have been filed against the telcos for giving data to the NSA, one in Fresno, California and one in federal court in Manhattan. The Electronic Frontier Foundation had already filed a suit with other civil liberties groups against the phone companies for their voluntary participation in what the administration now calls the "Terrorist Surveillance Network," and the Department of Justice has recently requested permission to intervene in that lawsuit to assert national security as grounds to dismiss the case.

Even if the government can't stop the lawsuit under the "state secrets" doctrine, and none of the exceptions that would permit the telcos to have given the documents over to the government apply, its not completely clear that they would have liability. The statute provides one other out for the phone companies. 18 U.S.C. 2707(e) provides that the phone company won't have civil or criminal liability if they relied, in good faith on, "(1) a court warrant or order, a grand jury subpoena, a legislative authorisation, or a statutory authorisation (including a request of a governmental entity under section 2703 (f) of this title); (2) a request of an investigative or law enforcement officer under section 2518 (7) of this title; or (3) a good faith determination that section 2511 (3) of this title permitted the conduct complained of."

Now the provision of 2518(7) cited allows the disclosure of communications when an appropriate law enforcement official, "reasonably determines that..."an emergency situation exists that involves...conspiratorial activities threatening the national security interest...and (b) there are grounds upon which an order could be entered under this chapter to authorise such interception". Essentially, this is supposed to mean that if you could have gotten a court order for the information, but you didn't because it was an emergency, and you told the phone company this, and they relied on it in good faith, then they can't be successfully sued. That's a lot of steps for the phone company to go through.

Protection or Non-Protection of "Customer Proprietary Network Information"

There are two other laws that might govern the privacy of the numbers dialed. First, the Federal Communications Commission mandates that phone companies protect the privacy of customer data or what is called, "Customer Proprietary Network Information" or CPNI. This CPNI is defined under the statute as "information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier." So the numbers I call, and how long I am on the phone, who I talk to, and when, would all be protected CPNI.

Build a business case: developing custom apps

Next page: Privacy policies

More from The Register

next story
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Amazon says Hachette should lower ebook prices, pay authors more
Oh yeah ... and a 30% cut for Amazon to seal the deal
Philip K Dick 'Nazi alternate reality' story to be made into TV series
Amazon Studios, Ridley Scott firm to produce The Man in the High Castle
Nintend-OH NO! Sorry, Mario – your profits are in another castle
Red-hatted mascot, red-colored logo, red-stained finance books
Sonos AXES support for Apple's iOS4 and 5
Want to use your iThing? You can't - it's too old
Joe Average isn't worth $10 a year to Mark Zuckerberg
The Social Network deflates the PC resurgence with mobile-only usage prediction
Chips are down at Broadcom: Thousands of workers laid off
Cellphone baseband device biz shuttered
Feel free to BONK on the TUBE, says Transport for London
Plus: Almost NOBODY uses pay-by-bonk on buses - Visa
Twitch rich as Google flicks $1bn hitch switch, claims snitch
Gameplay streaming biz and search king refuse to deny fresh gobble rumors
Stick a 4K in them: Super high-res TVs are DONE
4,000 pixels is niche now... Don't say we didn't warn you
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.