Thursday, May 11, 2006

New NSA program

Regarding the new NSA program outed in USA Today, it seems pretty clear that, if it has been described correctly, it is not even a potential violation of the Fourth Amendment. The Court ruled long ago that who you call and who calls you is not a "search" within the meaning of that provision.

There are statutes that it might violate, although it's not all that clear. Some commentators have said that it might violate the pen register statute, although that statute seems to apply to the installation or use of a pen register or "trap and trace" device and it doesn't appear that the government has done that. Now the telecom companies are allowed to gather such information for certain purposes. Perhaps they do it by use of a device falling within these descriptions (I'm not up on the technology) and maybe using it for some other purpose places them afoul of the statute, but that's not the easiest fit of facts within language.

There is also something called the Stored Communications Act, but that seems to prohibit disclosure of the contents of a communication and it doesn't look like that's what's happening here.
Update: The Act does prohibit disclosing a record or other information pertaining to a subscriber and I guess that could include the numbers that an (even unidentified)person calls, but that provision was subject to a rather broad exception which permits diclosure of information not including the contents of the communication to a governmental entity " if the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information...." (The statute was just amended to eliminate the term "immediate" but to specify that the information relates to the emergency) Orin Kerr thinks that this makes all the difference. I'm not so sure. It doesn't seem a stretch to say that there has been an "immediate" danger of terrorist attack for sometime. But the real problem is that our laws aren't really written with computerized data mining in mind. They assume a paradigm of live government agents looking at particular communications or records as opposed to a machine looking for patterns, arguably a less intrusive form of surveillance after which we might require further requirements or approval before a closer look is taken.

The USA Today article mentions the Communications Act of 1934, but that applies to customer's confidential proprietary information and it seems unlikely that who you call and who calls you would qualify.

Update:: This Act defines customer proprietary network information as
"information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship;" Could the reference to "destination" and "location" cover this? It's possible, although I don't know how the definition has been constured by the courts. I haven't looked it up and haven't caught anyone else weighing in on that. Even if it does apply (which sure seems possible), there is an exception to prevent "unlawful" use of the service. While I don't buy that the purpose of catching terrorists in and of itself means all bets are off, is it possible that a carefully tailored data mining program that would only look for suspicious patterns which would then provide the basis for followup (presumably involving a warrant)might be considered "necessary" to prevent unlawful use under the circumstances of recent years?

Of course with all of this, the companies that provided the information also seem to be saying that customers consented in the fine print to their subscription agreements.

To answer this question obviously requires more detail and more than the fifteen minutes or so that I've given it, but it may well be that this is perfectly legal without resort to the President's Article II powers regarding war and national security.

But if it does come down to Article II, I would think that the administration is on a wobbly pier. It's one thing to say that those powers allow eavesdropping on international communications, it's another to say that they apply to domestic communications.

Of course, the nature of the intrusion on privacy is weaker because it involves not to the content, but the sender and recipient. But I can't see the President's national security powers adding too much here. But, again, we'd need to know more about what they have asked for and what they have done with it.


Jay Bullock said...

Rick, just curious as to what you think of Glenn Greenwald's analysis, and some of what he links to.

He says, for example, that the communications act ""requires telecommunications carriers to protect the confidentiality of customer proprietary information ("CPNI"), such as the telephone numbers called by customers and the length oftime of the calls. . . ." Which would seem to be in contradiction to this program.

Rick Esenberg said...

There's an issue under the Stored Communications Act but it could be that the "immediate danger" exception applies or, as I take it the companies who provided the information argue, that the fine print in customer subscription agreements constitutes consent.

As for the Communications Act, the companies are precluded from disclosing customary proprietary network information which is defined as:

information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship;

I suppose that, read literally, the terms "location" and "destination" could cover this, although if one reads the term "proprietary" into the definition (which, in fairness, should probably be done only to resolve ambiguity in the definition), then they probably don't.

And, again, there are exceptions, including protection from "unlawful use" of the services. Might turning the data over for pointed and limiting data mining fall within that exception?