The Recent Revelations About the NSA's Access to Our Phone Records: The Laws that Were Probably Broken, and the Likely Consequences

By ANITA RAMASASTRY
Monday, May. 15, 2006

With the National Security Agency's warrantless wiretapping program still highly controversial, just last week, USA Today revealed that President Bush has authorized yet another secret surveillance program. Under this program, the NSA - apparently without the benefit of any court order -- has been compiling millions of Americans' phone records into a giant database.

It also appears - based on the facts that have become public so far -- that the phone companies that cooperated with the NSA may have violated a statute that Congress previously passed specifically addressing the issue: the Stored Communications Act.

The Administration's defense is the same as for warrantless wiretapping: The President claims that the NSA is trying to ferret out terrorist activity -- this time, not by listening in on calls, but rather by searching through U.S. phone call logs to detect possible patterns. According to USA Today, the relevant records show which number was called, when the call was placed, and where the call originated and terminated (geographically).

Bush Administration officials stress that the program does not involve listening to the contents of communications. At the same time, the phone records ostensibly allow the government to track where calls are being placed, and to uncover data patterns which might show signs of terrorist communications.

The Facts on the Program - Insofar as They Are Known

Little is known about the phone-log program, but here is what we do know thus far: Three telecommunications companies -- AT&T, Verizon and BellSouth -- have reportedly provided the NSA with phone records for over ten million Americans. The companies seem not to have questioned whether the NSA had legal authority to obtain the records - and certainly did not go to court over the matter.

One company, Qwest, apparently did investigate the legal situation, however. And after it did so, it refused to comply with the NSA's requests. Qwest had two reasons for balking: It believed warrants (or at least court orders) were necessary to make such requests legal, and it was concerned about who would have access to the information, and how it might be used.

The Law Applicable from 2001 to March 2006 Appears to Prohibit The Program

Based on what we know now, it seems Qwest was entirely correct to refuse to comply. A federal statute specifically forbade it - and the other companies - from doing what the government asked. While this law restricts the companies - not the government -- the government surely should not be secretly putting pressure on the companies to break the law.

That law is the 1986 Stored Communications Act (SCA), which specifically and clearly forbids phone companies from turning over records to the government without a warrant or court order: Under the law, providers of "electronic communications ... shall not knowingly divulge a record or other information pertaining to a subscriber or customer ... to any government entity." (Emphasis added.)

There is one particularly relevant exception to this rule: Companies, under the law applicable until March 2006 (when the SCA was amended), could only turn over records if they "reasonably" believed there was an "immediate danger of death or serious physical injury" that disclosure might help prevent. So for instance, if there were a specific investigation of an imminent terrorist act, the companies could instantly - without a court order or warrant - turn over the suspects' records.

It appears that the NSA program predated the March 2006 SCA amendment (which coincided with the renewal of the USA Patriot Act). Indeed, the program may have existed since shortly after September 11. If so, then the pre-amendment "reasonable" belief of "immediate" danger standard applied.

It's unlikely that the phone companies can argue that they had a "reasonable" belief of "immediate" danger throughout the entire period from whenever the program began, until the date of the amendment. Perhaps in the months just after the September 11th attacks, or during periods when the threat level was most elevated, a belief in "immediate" danger was conceivably warranted - even "reasonable." But even the government has only claimed that there was immediate danger in particular places, and during particular time periods.

Yet there is no suggestion by the government that the NSA's phone-log monitoring was restricted by place, time period or threat level. Instead, it appears to have been a continuing program, which undermines any claim that it was justified by "immediate" danger.

Moreover, the way the program has been described suggests that it is preventive, not responsive. According to the government, the NSA is scanning vast databases of phone records and trying to find patterns indicating future attacks; it is not seeking phone records because it has had, at particular times, knowledge of a specific and impending threat.

The "Customer Consent" and "Business Necessity" Exceptions Do Not Apply

In addition, it appears that the phone-log program does not fit under the other exceptions to the SCA's non-disclosure rule. The SCA allows records to be turned over with a customer's "lawful consent" - but it appears that there was no such consent here.

Reportedly, government lawyers may intend to argue that small print in companies' Terms of Service agreements allowing the company to share customer information for law enforcement purposes counts as "consent." But experts in the area believe that small print can't count as consent.

For example, Professor Orin Kerr, a former federal prosecutor and an expert on the Fourth Amendment points out that, although there are no cases interpreting what counts as "consent" under the SCA, the SCA's "consent" exception is "clearly a copy of an analogous exception in the close cousin of the SCA, the federal Wiretap Act," 18 U.S.C. sec. 2510-22. Kerr adds that consent, as defined under the Wiretap Act, requires that "the user actually agreed to the action, either explicitly or implicitly based on the user's decision to proceed in light of actual notice."

The SCA also allows records to be turned over as may be "necessarily incident to the rendition of the service, or to the protection of the rights or property of the provider of that service." For instance, records could be turned over to law enforcement to catch hackers who've broken into the network.

Here, however, neither the companies' rights nor their property had been imperiled - and the turnover was hardly incident to the rendition of the phone services; it had nothing to do with the companies' provision of phone services, and everything to do with the government's goals.

Does the Recent SCA Amendment in March 2006 Change the Situation?

The March 2006 amendment to the SCA modified the emergency exception. Companies may now turn over records to a governmental entity if they in "good faith believe[] that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency."

How does this differ from the original emergency exception? Basically, the company need not be reasonable; it just has to act in good faith. And there need not be an "immediate" danger - just an emergency that poses a risk to life or limb.

It may well be that this recent amendment shields the phone companies for their post-amendment disclosures of phone records to the NSA - but not for those during the time period from when the program began, to when the amendment was passed.

The Consequences If the Law Was Indeed Violated

With strong evidence of probable violations of the law, what happens next?

The SCA gives consumers the right to sue, and several lawsuits have already been filed against the phone companies. The SCA sets damages at a minimum of $1,000 for each violation.

Accordingly, one suit is demanding up to $5 billion from the three companies that reportedly turned over records -- Verizon, AT&T and BellSouth - on the theory that each record improperly turned over to the NSA counts as a separate violation.

The SCA also allows recovery of punitive damages, and if the plaintiffs prevail, the phone companies will have to pay their attorneys' fees. Punitive damages may be unlikely, however, in light of the fact that polls show that a majority of Americans are comfortable with the Administration's review of phone records - suggesting some jurors may be, too.

Government employees who participated in a violation may face administrative discipline. And Congressional hearings may - and should - begin.

Why Congressional Hearings Are Urgently Needed

As noted above, most Americans don't seem too upset by news of the NSA's secret phone-log requests.

What will the government do when it uncovers possible terrorist phone calls through its data mining? Will it go back to a court such as the Foreign Intelligence Surveillance Act Court to obtain more specific authority to listen in on certain phone calls? The Administration has not provided answers to those questions.

Hearings can underline how the results of such surveillance can be - and have been in the past - misused. I wrote earlier about the dangers of "digital dossiers." Phone logs, which can easily be matched to names, can allow the government to further fill out those dossiers - providing an extensive picture of citizens' business and personal associations and patterns of daily life.

It is important for Congress to press the Administration to reveal more about its plan and the safeguards it has in place. Will our phone records be on file forever? When will the government choose to peek at our records?

The public should learn whether the phone-log program might inadvertently lead to racial-profiling, for example, or target certain groups for further surveillance, without real probable cause. .

Suppose there is a pattern of calls from a particular number to numbers in the Middle East, or Afghanistan. Then that number is matched with a name. If the name simply "sounds Arab," will the person have a higher probability of being investigated - even though a person of Arab descent may also be very likely to be merely calling relatives abroad?

Congress has the power and the means to examine the scope and legality of the government's actions here - as in the case of the warrantless wiretapping program -- without compromising national security. Indeed, national security demands that there be a full understanding of how the government is invading the privacy of Americans and whether that snooping is properly focused.

Finally, even if the phone-log program is ultimately held to be legal, it is still wrong as a matter of policy, and a matter of privacy. Hearings can, at a minimum, help Congress ensure that proper safeguards are in place for governmental collection of such data.


Anita Ramasastry is an Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, and other legal issues for this site, which contains an archive of her columns.

Ads by FindLaw