Original URL: http://www.theregister.co.uk/2006/05/17/protection_from_nsa/

Protection from prying NSA eyes

A (Classified) proposal

By Mark Rasch

Posted in Media, 17th May 2006 10:16 GMT

Comment: From the US Fourth Amendment, the Stored Communications Act and US wiretap laws to the Pen-register statute, Mark Rasch looks at the legal protections available to the telecommunications companies and to individual Americans in the wake of the NSA's massive spying program.

Imagine being the head of a major telecommunications company in the United States. You and your lawyers have developed a carefully worded privacy policy to conform with the law. In it you tell your customers that you do not share information about your customers' use of your services except for particular business purposes, and to ensure that the calls get through. You also tell your customers that you, of course, give information in response to lawful subpoenas or lawful mandates of law enforcement agencies. And that's about it.

One day, you receive a visit from agents of the National Security Agency (NSA), who make a formal "request" that you, as a patriotic American company, turn over records of telephone calls made by millions of customers in the interests of "national security". If you don't do it, the agent reminds you, you probably won't get those lucrative government contracts, and you certainly won't get any work with any classified government agencies. If you do it, you may open yourself up to class action litigation. What do you do?

Unfortunately, there currently is no way for you to go to any court and get a definitive ruling on what you are allowed, or required, to do. I propose that we open up the super-secret FISA court to allow private citizens or companies that receive requests or demands from the government to demand judicial intervention in a way that would protect national security, and act as a check and balance on any unlimited powers of the Executive Branch.

NSA monitoring millions of Americans

On Thursday, 11 May, USA Today disclosed that several US telephone companies gave over records relating to telephone calls made by millions of Americans to the National Security Agency in the wake of the events of 11 September, 2001.

We do not know the scope of this program. As reported to date, the government requested that various telephone companies turn over calling pattern information on millions of US origin telephone calls – these are reportedly calls that both originated and terminated in the United States.

At least one report has suggested that the program worked as follows: the government would have a suspected al-Qaeda member, and would learn of telephone numbers he or she called, or merely possessed. If any of these telephone numbers were located in the United States, the NSA would then attempt to learn whose numbers these were, and who these people had called. Thus, if you operate a local Domino's pizza franchise, and received a call from someone who received a call from someone the government suspected was associated with a terrorist, then Domino's would make it onto the list of suspects.

The President has suggested that the program is more narrow than this, stating so in his weekly radio address on 13 May, 2006.

"It is important for Americans to understand that our activities strictly target al Qaeda and its known affiliates...The privacy of all Americans is fiercely protected in all our activities. The government does not listen to domestic phone calls without court approval. We are not trolling through the personal lives of millions of innocent Americans. Our efforts are focused on links to al Qaeda terrorists and its affiliates who want to harm the American people."

Does this mean that the records of telephone calls requested from the telephone companies were only those of al Qaeda and its known affiliates? Does that mean that the NSA neither sought nor received the records of phone calls of "millions of innocent Americans" so it could troll through them? Or does it mean that, while the government didn't listen in on purely domestic calls (where the source and destination were in the United States), the NSA might have obtained records of the calls made by many millions of other callers, but did so in order to "target" al Qaeda or others? Or that the President doesn't believe that reviewing the records of calls made and received constitutes "trolling" into a part of Americans' "personal lives"? Right now, we just don't know, and if the NSA has anything to say about it, we probably will never know.

Other reports indicate that the program may not have even been as narrow as suggested. It is possible that the NSA requested all calling data from the phone companies – that is every telephone number called by every other telephone number. Indeed, this would not be very different from what the government did with the airlines in the wake of 9/11, when it asked for records of every flight taken by every person in America, despite the fact that the airlines had promised they wouldn't give that information out.

In the airline case, at least one federal court held that these records, being records of the airlines themselves, could lawfully be turned over to the government (in that case, NASA, not the NSA) privacy policies notwithstanding. So it is altogether possible that the NSA has requested, and the phone companies have disclosed, records of every call made and received. Assuming this to be the case, is it illegal? The answer is not so clear.

Whose data is it anyway?

The reports to date tend to indicate that the records turned over to the NSA were records of telephone calls from numbers within the United States. This would essentially be "raw data" – for example, that telephone number (202) 555-1213 called telephone number (313) 555-0802 on a particular date, at a particular time, and that the conversation lasted for a particular period of time.

There are various laws that protect the privacy of telephone records in the United States. First and foremost, there is the Fourth Amendment which provides that:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

For some reason, when this Amendment was drafted in 1791, the drafters left out the terms "telephone records" and "intercepted communications" and "Voice Over Internet Protocol". Possibly just an 18th Century oversight. Indeed, the United States Supreme Court initially found in 1928 that you can't "seize" a telephone call, and therefore the Fourth Amendment didn't apply to phone calls. It wasn't until 1967 that the Court finally realised that the Constitution protects the rights of privacy of persons, not just places, and therefore warrants were required if you wanted to listen in on the contents of communications.

The law has always recognised a distinction between listening in on the contents of a communication and just looking at data about the conversation. It is for that reason that the postal inspectors are allowed to put a "mail cover" on mail to record the outside information without a warrant.

The US wiretap law, contained in Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (just called "Title III" for short), makes it illegal to intercept or disclose the contents of intercepted communications without an appropriate warrant, either for law enforcement purposes under Title III itself, or under the Foreign Intelligence Surveillance Act (FISA). For international telephone calls, the government has asserted that the inherent powers of the executive branch, or the 18 September, 2001 Authorisation for Use of Military Force against those responsible for the attacks on the World Trade Centre and the Pentagon, give it limited authority (or so they said at the time) to listen in on the contents of international communications if the President suspects (or more accurately, if some NSA employee suspects) that they are relevant to some terrorism investigation. This program was discussed previously.

Other US laws also regulate the improper disclosure of the contents of both telephone communications and electronic communications. These include the Electronic Communications Privacy Act (ECPA) and the Stored Communications Act. However, with the exception of the provisions of the SCA discussed below, these laws (like FISA and Title III) tend to focus on the contents of the communications – what was said or typed or emailed.

Wrapper information

So what if the government wants to know what telephone numbers you called, when you called them, and how long the calls lasted? The US Supreme Court, in a case called Smith v. Maryland in 1979 essentially said that the Fourth Amendment did not protect such data. You see, everybody knows, the Court reasoned, that the phone company keeps these records (unlike recording the contents of the communications). The Supreme Court noted:

"[W]e doubt that people in general entertain any actual expectation of privacy in the numbers they dial. All telephone users realise that they must 'convey' phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed. All subscribers realise, moreover, that the phone company has facilities for making permanent records of the numbers they dial, for they see a list of their long-distance (toll) calls on their monthly bills. In fact, pen registers and similar devices are routinely used by telephone companies 'for the purposes of checking billing operations, detecting fraud, and preventing violations of law'...Electronic equipment is used not only to keep billing records of toll calls, but also 'to keep a record of all calls dialed from a telephone which is subject to a special rate structure'."

So, how could you expect this to be private? Even if YOU thought it might be private, the Supreme Court disabused you of this notion saying that you of course can't expect anything you give over to third parties (like the phone company) to be private. The court observed:

"When he used his phone, petitioner voluntarily conveyed numerical information to the telephone company and 'exposed' that information to its equipment in the ordinary course of business. In so doing, petitioner assumed the risk that the company would reveal to police the numbers he dialed. The switching equipment that processed those numbers is merely the modern counterpart of the operator who, in an earlier day, personally completed calls for the subscriber."

The problem with this analysis is its application to the contents of, let's say, emails or VoIP calls. You see, the contents of such communications are routinely "exposed" to the ISPs in the ordinary course of business. They are also routinely stored by the ISP, albeit for greater or shorter periods of time. While the laws noted above (mostly the ECPA and the SCA) protect against disclosure of these communications, if the rationale of Smith were applied to them, apparently the Constitution of the United States wouldn't protect even these contents.

So does this mean that the numbers you call have no legal protection at all? Not so fast. Smith just decided that the Fourth Amendment didn't protect the numbers dialed. Congress stepped in and passed the Pen-register statute, which provided that it was illegal to install a "pen register" or "trap and trace" device (a device to record numbers dialed, etc.) without first obtaining a court order after a certification by a federal or state prosecutor, or under FISA.

However, these statutes, whether for national security under FISA or for criminal matters under the pen-register and trap and trace statute, are more akin to a rifle than a shotgun. They are designed to obtain the calling records of a particular individual or small group of individuals, with a showing that the records are relevant to a particular criminal or anti-terrorism investigation. They are not designed to permit access to tens of thousands of such records (or millions) in the hope that they might later be helpful in some terrorism case. Besides, if there was a FISA order here, don't you think the government would have said so? It's pretty clear there was no trap and trace order, so turning over the records was illegal, right? Not so fast. I love the law.

You see, there was no "trap and trace" or "pen register" installed on the phone company. In fact, the government did not even ask the phone company to create the massive databases which indicated what telephone numbers were dialed by whom and when. In fact, the phone company routinely does this on its own, for billing, call completion and anti-fraud purposes, and maybe even for load distribution, direct marketing, and other purposes as well. The law doesn't prohibit this. Indeed, the trap and trace law expressly states that it doesn't apply to a phone company or ISP's actions, "relating to the operation, maintenance, and testing of a wire or electronic communication service or to the protection of the rights or property of such provider, or to the protection of users of that service from abuse of service or unlawful use of service; or to record the fact that a wire or electronic communication was initiated or completed in order to protect such provider, another provider furnishing service toward the completion of the wire communication, or a user of that service, from fraudulent, unlawful or abusive use of service". Any lawyer with a subpoena can - and usually does – get copies of your phone bills. They are particularly useful to show things like adultery in divorce cases.

Another provision of the Stored Communications Act may also apply here, with thanks to Professor Orin Kerr of George Washington University for pointing this out.

Title 18 U.S.C. 2702(a)(3) prohibits a provider from knowingly disclosing non-content subscriber or customer records to any governmental entity (sections 2702(a)(1) and (2) cover the contents of communications). Section 2702(c) then lists the only circumstances in which such records may be disclosed:

(1) as otherwise authorised in section 2703 [18 USCS § 2703];
(2) with the lawful consent of the customer or subscriber;
(3) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service;
(4) to a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency;
(5) to the National Centre for Missing and Exploited Children, in connection with a report submitted thereto under section 227 of the Victims of Child Abuse Act of 1990 (42 U.S.C. 13032);
(6) to any person other than a governmental entity.

The statute is pretty clear – it prohibits disclosure to a government entity. When I last checked, the NSA was a government agency. The statute provides for civil penalties and a private right of action against the phone companies for violations. Note here that it is the telephone companies which would be violating the law by acceding to the government's request for data, not the government by requesting the data. Of course, it is possible that the government set up some kind of secret non-governmental corporation (a non-government agency) to receive the data, which then turned it over to the NSA (an ingenious ploy to avoid the statute, since the entity providing the data to the government would not be a provider of electronic communication services.) So far, that's just supposition.

The government could also argue that, by requesting the entire database and no individual records (and by partly anonymising the database), the phone companies were not turning over records "pertaining to a subscriber to or customer of such service..." but rather were turning over records pertaining to all subscribers in general, and no subscriber in particular. Because the goal of the statute was to protect the privacy of individuals, the government might assert, the turning over of the massive calling pattern database of all persons doesn't implicate any individual. Of course, we all know how easily a reverse directory or other database link can be used to turn a database of numbers called into a database of subscribers.

Alternatively, the government could rely on consent, but I don't remember giving such consent, and the language of the phone companies' privacy policies discussed later doesn't seem to support that finding. The statute also allows disclosure to protect the rights or property of the ISP or phone company (usually to prevent fraud or misuse of the network), but allowing disclosure under that exception would seem to eat the rule up entirely. In provisions modified by the USA-PATRIOT Act, the statute also allows disclosure if the phone company has a good faith belief that there is an emergency "involving danger of death or serious physical injury to any person" which requires disclosure without delay of information relating to the emergency.

While in general preventing terrorist attacks will of course save lives, and while the disclosure of calling pattern information might prevent future attacks, unless the government could have shown an immediate, pending attack and that the information disclosed related to that attack, the disclosure would seemingly have violated the statute.

As Professor Kerr points out, the USA Patriot Act expanded the scope of this emergency provision, to allow the phone companies to turn over these records where there is a "good faith" belief that an emergency exists, not just a "reasonable" belief. Perhaps the NSA had this in mind when it suggested the amendment? However, the emergency provisions may not help the government. In 2004, for example, a court found that the government's argument that it was entitled to rely on the emergency provisions as an excuse for a defective search warrant was refuted by evidence that the provider (AOL in that case) did not even turn over the records requested until six days after the request – six days wasn't enough of an emergency to warrant the statute. The emergency provisions were really intended in cases like a kidnapping where death or bodily injury would occur if the information was not disclosed immediately. Essentially, where there was no time to get an appropriate court order, not where, as here, no order was ever going to be sought.

To date, at least two class action lawsuits have been filed against the telcos for giving data to the NSA, one in Fresno, California and one in federal court in Manhattan. The Electronic Frontier Foundation had already filed a suit with other civil liberties groups against the phone companies for their voluntary participation in what the administration now calls the "Terrorist Surveillance Program," and the Department of Justice has recently requested permission to intervene in that lawsuit to assert national security as grounds to dismiss the case.

Even if the government can't stop the lawsuit under the "state secrets" doctrine, and none of the exceptions that would permit the telcos to have given the records over to the government apply, it's not completely clear that they would have liability. The statute provides one other out for the phone companies. 18 U.S.C. 2707(e) provides that the phone company won't have civil or criminal liability if they relied, in good faith, on "(1) a court warrant or order, a grand jury subpoena, a legislative authorisation, or a statutory authorisation (including a request of a governmental entity under section 2703 (f) of this title); (2) a request of an investigative or law enforcement officer under section 2518 (7) of this title; or (3) a good faith determination that section 2511 (3) of this title permitted the conduct complained of."

Now the provision of 2518(7) cited allows the disclosure of communications when an appropriate law enforcement official, "reasonably determines that..."an emergency situation exists that involves...conspiratorial activities threatening the national security interest...and (b) there are grounds upon which an order could be entered under this chapter to authorise such interception". Essentially, this is supposed to mean that if you could have gotten a court order for the information, but you didn't because it was an emergency, and you told the phone company this, and they relied on it in good faith, then they can't be successfully sued. That's a lot of steps for the phone company to go through.

Protection or Non-Protection of "Customer Proprietary Network Information"

There are two other laws that might govern the privacy of the numbers dialed. First, the Federal Communications Commission mandates that phone companies protect the privacy of customer data or what is called, "Customer Proprietary Network Information" or CPNI. This CPNI is defined under the statute as "information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier." So the numbers I call, and how long I am on the phone, who I talk to, and when, would all be protected CPNI.

The statute says that, "Except as required by law or with the approval of the customer, a telecommunications carrier that receives or obtains customer proprietary network information by virtue of its provision of a telecommunications service shall only use, disclose, or permit access to individually identifiable customer proprietary network information in its provision of (A) the telecommunications service from which such information is derived, or (B) services necessary to, or used in, the provision of such telecommunications service, including the publishing of directories."

In essence, this means that the phone company can't give out the records of who I have called, or who has called me unless otherwise required by law – not just permitted by law.

This apparently was the interpretation taken by the CEO of Qwest Communications, when he refused to turn over the records to the government. There was reportedly no subpoena, no court order under Title III, no trap and trace or pen register order, no Executive Order under the Authorisation for Use of Military Force, nor any other legal compulsion to produce these records delivered to Qwest. Nothing more than a request that Qwest and the other telcos do their patriotic duty and pony up the records to the government. Thus, Qwest figured, the government was seeking CPNI in excess of any legal mandate, and therefore Qwest was prohibited by law from turning it over. Or was it?

The same statute specifically excludes from coverage "aggregate" subscriber information, which it defines as "collective data that relates to a group or category of services or customers, from which individual customer identities and characteristics have been removed." For this data, the phone company, "may use, disclose, or permit access to aggregate customer information" for any purposes, apparently. So if the identifying information is stripped out – that is, all that is disclosed to the NSA is records that one telephone number called another at a particular date and time, the information may be entitled to no legal protection.

It's not content information, so (the section 2702 provision discussed above aside) not protected under ECPA or the SCA. It's not protected under the Fourth Amendment under Smith v. Maryland. It's not CPNI, so not protected under that law. This is true despite the fact that it is trivial to turn this "aggregate" information, from which customer identity has been stripped, into identifiable information by cross referencing any directory or other database. Legal limbo. What is worse, courts have held that even if the phone company is improperly releasing CPNI, you can't go to court to get an injunction to prevent it, and you have to show that you were personally damaged (and have to specify your actual damages) as a result of the release. Since the NSA is unlikely to tell you whether your records have been reviewed and what was done with them, it will be impossible to demonstrate damages.
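The two technical claims in this article, the "contact chaining" from a suspect's number out to a pizza shop two calls away (described earlier), and the point just made that number-only "aggregate" records are trivially re-identified by a join against a reverse directory, can both be shown concretely. The following is an added example, not code from the original article or from any carrier or agency: it builds a handful of constructed call-detail records in the "raw data" form the article describes (calling number, called number, time, duration), a constructed reverse directory, a breadth-first expansion from a seed number to a chosen number of hops, and a join that puts names back on the results. Every number, name and record here is invented.

```python
"""
Contact chaining over number-only call-detail records (CDRs), then
re-identification by joining the result against a reverse directory.

Added illustration; all numbers, names and records are constructed.
"""
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# Constructed CDRs: (caller, callee, start time, duration in seconds).
# 555 numbers are fictitious. This is the "raw data" form described in
# the article: which number called which, when, and for how long.
CDRS: List[Tuple[str, str, str, int]] = [
    ("2025550100", "3135550802", "2006-05-01T09:12:00", 310),   # seed -> A
    ("3135550802", "2025550100", "2006-05-02T18:40:00", 45),    # A -> seed
    ("2025550100", "4155550199", "2006-05-03T11:05:00", 620),   # seed -> B
    ("3135550802", "3135550455", "2006-05-03T19:30:00", 90),    # A -> pizza shop
    ("3135550455", "3135550310", "2006-05-04T12:15:00", 30),    # pizza shop -> customer
    ("4155550199", "4155550877", "2006-05-04T14:00:00", 1200),  # B -> C
    ("7185550234", "7185550678", "2006-05-04T15:00:00", 200),   # unrelated pair
]

# Constructed reverse directory (number -> subscriber). In practice any
# listed-number database, billing file or marketing list serves this role.
REVERSE_DIRECTORY: Dict[str, str] = {
    "2025550100": "suspect (seed of the chain)",
    "3135550802": "A. Example, Detroit",
    "4155550199": "B. Example, San Francisco",
    "3135550455": "Domino's franchise, Detroit",
    "3135550310": "pizza customer, Detroit",
    "4155550877": "C. Example, San Francisco",
    "7185550234": "unrelated subscriber 1",
    "7185550678": "unrelated subscriber 2",
}


def build_graph(cdrs: List[Tuple[str, str, str, int]]) -> Dict[str, Set[str]]:
    """Undirected contact graph: a call in either direction links two numbers."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for caller, callee, _start, _duration in cdrs:
        graph[caller].add(callee)
        graph[callee].add(caller)
    return graph


def contact_chain(cdrs, seed: str, hops: int) -> Dict[int, Set[str]]:
    """Breadth-first expansion from seed.

    Returns {hop: numbers first reached at that hop}. Hop 1 is everyone the
    seed spoke to; hop 2 is everyone *they* spoke to; and so on. The seed
    itself is not included.
    """
    graph = build_graph(cdrs)
    distance = {seed: 0}
    queue = deque([seed])
    while queue:
        number = queue.popleft()
        if distance[number] >= hops:
            continue
        for neighbour in graph[number]:
            if neighbour not in distance:
                distance[neighbour] = distance[number] + 1
                queue.append(neighbour)
    by_hop: Dict[int, Set[str]] = defaultdict(set)
    for number, d in distance.items():
        if d > 0:
            by_hop[d].add(number)
    return dict(by_hop)


def reidentify(numbers: Set[str], directory: Dict[str, str]) -> Dict[str, str]:
    """Join number-only records back to subscribers; unlisted numbers stay unnamed."""
    return {n: directory.get(n, "<unlisted>") for n in sorted(numbers)}


def swept_in(cdrs, seed: str, hops: int, directory: Dict[str, str]) -> Dict[str, str]:
    """Every subscriber pulled into a chain of the given depth, with names attached."""
    chain = contact_chain(cdrs, seed, hops)
    numbers: Set[str] = set().union(*chain.values()) if chain else set()
    return reidentify(numbers, directory)


if __name__ == "__main__":
    seed = "2025550100"
    for hops in (1, 2, 3):
        print(f"--- {hops} hop(s) from {seed} ---")
        for number, who in swept_in(CDRS, seed, hops, REVERSE_DIRECTORY).items():
            print(f"{number}  {who}")
```

Run as written, one hop reaches only the two numbers the seed actually spoke to; two hops adds the pizza shop and one more stranger; three hops adds the pizza shop's own customer. The unrelated pair is never reached, but every number that is reached comes back with a name, which is the whole point: stripping subscriber names from the database before handing it over removes nothing that a single join cannot restore.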

Privacy policies

Finally, there are the privacy policies of the carriers themselves. I have previously written about companies not following their privacy policies because the government has made requests of them.

Verizon promises its customers that, "access to databases containing customer information is limited to employees who need it to perform their jobs - and they follow strict rules when handling that information" while also reminding them that, "[s]ubject to legal and safety exceptions, Verizon will share individual customer information only with persons or entities outside the company when the customer has consented, or when we have advised the customer of the opportunity to 'opt-out' (to choose not to have the information disclosed)". Apparently, sharing with the NSA fits within these "legal and safety" exceptions.

AT&T similarly claims to protect privacy, with the caveat that: "We must disclose information, when requested, to comply with court orders or subpoenas. We will also share information when necessary to prevent unlawful use of communications services, when necessary to repair network outages, and when a customer dials 911 and information regarding their location is transmitted to a public safety agency." Nothing there about disclosing information on request by the NSA.

Some have suggested that these telco privacy policies created consent to the production of these records. The Washington Post quoted "[o]ne government lawyer who has participated in negotiations with telecommunications providers", who reportedly said: "The Bush administration has argued that a company can turn over its entire database of customer records - and even the stored content of calls and e-mails - because customers 'have consented to that' when they establish accounts. The fine print of many telephone and internet service contracts includes catchall provisions, the lawyer said, authorising the company to disclose such records to protect public safety or national security, or in compliance with a lawful government request."

Now that would be a dangerous and unreasonable interpretation of these privacy policies. Indeed, saying that you may turn a record over in response to a "lawful" demand essentially puts the cart before the horse - interpreting a demand which is not unlawful as therefore being a lawful demand or request. Moreover, these "consent" loopholes could be used not only to disclose calling pattern data, but the contents of emails, telephone calls, instant messages, chat room conversations – indeed, anything, since federal law generally permits disclosure with consent of one party.

All of this puts not only the telephone companies, but others who receive "classified" demands or requests from the government for information that would otherwise violate a company's legal privacy requirements or privacy guarantees in a quandary. For example, the Department of Justice filed a report with Congress in early May that indicated that they issued more than 9,700 "National Security Letters" – classified demands for information, akin to a subpoena but without any judicial oversight.

A modest (but Classified) proposal

One idea would be to allow the recipient of a National Security Letter, or a sealed or classified subpoena or demand for documents, or of a friendly "request" by a secret government agency for information to have access to a super-secret court, similar to the construction of the FISA court. As currently constructed, the FISA court's sole reason for existence is to review and ultimately approve (occasionally to modify, and extremely rarely to reject) applications by the government for wiretap, interception, or search or seizure orders. These applications are handled in secret, and the applications themselves are always ex parte – that is, with only one party (the government) present. Indeed, there is no party like an ex parte!

Why not open the process up a bit? Allow those aggrieved by classified demands or requests for information to go to the court in camera and under seal, with privacy, secrecy and national security protected, and ask the court whether they are permitted to and/or required to do what the government requests or demands? The court could then review the government's stated rationale for the information, and its legal authority for the demand or request, and if reasonable and supported by the law, grant it. If not, the court could enjoin enforcement of the request. The court might be empowered to go even further, granting the recipient of the demand or request immunity from liability for complying, or requiring the government to post a bond or indemnify the recipient against liability for complying. In other words, determining whether the actions are legal before they are done.

Wait a second, a court actually adjudicating things? What has this country come to?

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

SecurityFocus columnist Mark D Rasch, JD, is a former head of the Justice Department's computer crime unit, and now serves as senior vice president and chief security counsel at Solutionary Inc.