Protection from prying NSA eyes

Another provision of the Stored Communications Act may also apply here, with thanks to Professor Orrin Kerr of GW University for pointing this out.

Title 18 U.S.C. 2702(a)(3) generally makes it a crime for phone companies or ISPs to disclose either the contents of communications or non-content subscriber information, stating:

• (a) (3) a provider of remote computing service or electronic communication service to the public [say, a phone company like Verizon or AT&T] shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications...to any governmental entity.
• (c) Exceptions for disclosure of customer records. A provider...may divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications...)

The statute is pretty clear – it prohibits disclosure to a government entity. When I last checked, the NSA was a government agency. The statute provides for civil penalties and a private right of action against the phone companies for violations. Note here that it is the telephone companies which would be violating the law by acceding to the government's request for data, not the government by requesting the data. Of course, it is possible that the government set up some kind of secret non-governmental corporation (a non-government agency) to receive the data, which then turned it over to the NSA (an ingenious ploy to avoid the statute, since the entity providing the data to the government would not be a provider of electronic communication services.) So far, that's just supposition.

The government could also argue that, by requesting the entire database and no individual records (and by sort-of anonymising the database) the phone companies were not turning over records “pertaining to a subscriber to or customer of such service...” but rather were turning over records pertaining to all subscribers in general, and no subscriber in particular. Because the goal of the statute was to protect the privacy of individuals, the government might assert, the turning over of the massive calling pattern database of all persons doesn’t implicate any individual. Of course, we all know how easily a reverse directory or other database link can be used to turn a database of numbers called into a database of subscribers.

Alternatively, the government could rely on consent, but I don't remember giving such consent, and the language of the phone company's privacy policies discussed later don't seem to support that finding. The statute also allows disclosure to protect the rights or property of the ISP or phone company (usually to prevent fraud or misuse of the network) but allowing disclosure under that exception would seem to eat the rule up entirely. In provisions modified by the USA-PATRIOT Act, the statute also allows disclosure if the phone company has a good faith belief that there is an emergency "involving danger of death or serious physical injury to any person" which requires disclosure without delay of information relating to the emergency.

While in general, preventing terrorist attacks will of course save lives, and while the disclosure of the calling pattern information might prevent future attacks, unless the government could have shown an immediate and pending attack and the disclosure of information about that pending attack, the disclosure would have seemingly violated that statute.

As Professor Kerr points out, the USA Patriot Act expanded the scope of this emergency provision, to allow the phone companies to turn over these records where there is a "good faith" belief that an emergency exists, not just a "reasonable" belief. Perhaps the NSA had this in mind when it suggested the amendment? However, the emergency provisions may not help the government. In 2004, for example, a court found that the government's argument that it was entitled to rely on the emergency provisions as an excuse for a defective search warrant was refuted by evidence that the provider (AOL in that case) did not even turn over the records requested until six days after the request – six days wasn't enough of an emergency to warrant the statute. The emergency provisions were really intended in cases like a kidnapping where death or bodily injury would occur if the information was not disclosed immediately. Essentially, where there was no time to get an appropriate court order, not where, as here, no order was ever going to be sought.

To date, at least two class action lawsuits have been filed against the telcos for giving data to the NSA, one in Fresno, California and one in federal court in Manhattan. The Electronic Frontier Foundation had already filed a suit with other civil liberties groups against the phone companies for their voluntary participation in what the administration now calls the "Terrorist Surveillance Network," and the Department of Justice has recently requested permission to intervene in that lawsuit to assert national security as grounds to dismiss the case.

Even if the government can't stop the lawsuit under the "state secrets" doctrine, and none of the exceptions that would permit the telcos to have given the documents over to the government apply, its not completely clear that they would have liability. The statute provides one other out for the phone companies. 18 U.S.C. 2707(e) provides that the phone company won't have civil or criminal liability if they relied, in good faith on, "(1) a court warrant or order, a grand jury subpoena, a legislative authorisation, or a statutory authorisation (including a request of a governmental entity under section 2703 (f) of this title); (2) a request of an investigative or law enforcement officer under section 2518 (7) of this title; or (3) a good faith determination that section 2511 (3) of this title permitted the conduct complained of."

Now the provision of 2518(7) cited allows the disclosure of communications when an appropriate law enforcement official, "reasonably determines that..."an emergency situation exists that involves...conspiratorial activities threatening the national security interest...and (b) there are grounds upon which an order could be entered under this chapter to authorise such interception". Essentially, this is supposed to mean that if you could have gotten a court order for the information, but you didn't because it was an emergency, and you told the phone company this, and they relied on it in good faith, then they can't be successfully sued. That's a lot of steps for the phone company to go through.

Protection or Non-Protection of "Customer Proprietary Network Information"

There are two other laws that might govern the privacy of the numbers dialed. First, the Federal Communications Commission mandates that phone companies protect the privacy of customer data or what is called, "Customer Proprietary Network Information" or CPNI. This CPNI is defined under the statute as "information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier." So the numbers I call, and how long I am on the phone, who I talk to, and when, would all be protected CPNI.