Did the FBI Violate ECPA By Improperly Obtaining Call Records in Terrorism Investigations?

The Washington Post has a new story, “FBI Broke Law For Years in Phone Record Searches”, reporting that the FBI violated the Electronic Communications Privacy Act by unlawfully obtaining non-content records about telephone calls in terrorism investigations. According to the story, FBI anti-terrorism investigators had a backlog of requests for National Security Letters that they cured by relying on the exigent circumstances exception to persuade providers to disclose records voluntarily:

The FBI illegally collected more than 2,000 U.S. telephone call records between 2002 and 2006 by invoking terrorism emergencies that did not exist or simply persuading phone companies to provide records, according to internal bureau memos and interviews. FBI officials issued approvals after the fact to justify their actions.

E-mails obtained by The Washington Post detail how counterterrorism officials inside FBI headquarters did not follow their own procedures that were put in place to protect civil liberties. The stream of urgent requests for phone records also overwhelmed the FBI communications analysis unit with work that ultimately was not connected to imminent threats.

A Justice Department inspector general’s report due out this month is expected to conclude that the FBI frequently violated the law with its emergency requests, bureau officials confirmed.

Reading over the story, I’m not entirely sure what actually happened, or what the alleged violation is. But I thought I would explain the law here so readers can understand the context, and then offer a few possibilities as to what might have actually happened.

I. The Electronic Communications Privacy Act

Under the telephone privacy laws, there are two basic ways that the government can get stored non-content telephone records from telephone providers. First, the government can order the provider to disclose the records. In the setting of a criminal case, the government does that with a grand jury subpoena (or, depending on the records, a specific facts court order). In the setting of a national security investigation, the government does that with a National Security Letter. In both cases, the primary limitation on the government in obtaining these orders is red tape and procedure rather than a showing of cause.

Second, the government can also get records if the provider is willing to voluntarily disclose the records and some exception to the non-disclosure rule applies. The relevant exception here is exigent circumstances. Under 18 U.S.C. 2702(c)(4), a provider is permitted to disclose non-content records to the government if the provider “in good faith, believes that an emergency involving danger of death or serious bodily injury to any person requires disclosure without delay of information relation to the emergency.” (The precise legal standard for exigent circumstances disclosure has changed over time, as well. Fom October 2001 until 2006, disclosure was allowed only when “the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information.” The language changed from “reasonable” belief to “good faith” belief in March 2006.)

The concept of exigent circumstances is well known to Fourth Amendment fans, and it’s the basic concept animating the emergency exception. But exigent circumstances here is different from in the Fourth Amendment setting in two key ways. First, the government doesn’t actually conduct the search; instead, the government persuades the provider to disclose. Second, disclosure is optional, not mandatory. That is, the provider can disclose if it has that good faith belief but need not do so.

That means the Government has to play nice with providers; it can’t just claim an emergency and take the info. In response to that reality, the government has taken to sending so-called “exigent circumstances letters” with providers that provide some CYA paperwork for the provider in case it discloses after the government has made a representation of an emergency. If the provider is sued, it can then rely on the exigent circumstances letter to show its good faith letter. See, e.g., Jayne v. Sprint PCS, 2009 WL 426117 (E.D. Cal. 2009) (rejecting ECPA lawsuit against Sprint PCS based on exigent circumstances letter claiming that the plaintiff was a kidnapper and that the records were needed to identify and locate the suspect and rescue his victim).

II. The Legal Violations: Three Possibilities

Now, back to the Post story. According to the Post, the FBI found that when there was an emergency break in a terrorism case, or a new lead came in requiring a super-quick investigation, it took too long to issue an NSL. (One problem was than an NSL requires an already-open case; the FBI would need to first go through the paper work of opening the case, which took time.) The FBI approved a work-around in those emergencies: The FBI would file an exigent circumstances letter right away instead of waiting for the NSL. Then, later on, it would follow up with an NSL for the records ex post.

Now on to the key issue: How was the law violated? Here’s where I’m not so sure. I see three possibilities.

First, at various points the Post story seems to suggest that the legal violation was the failure to follow-up an exigent circumstances letter with an NSL. But if that’s the claim, then the story is rather misleading: There is no legal requirement that an exigent circumstances letter be followed up. The choice to follow up an exigent circumstances letter is apparently a policy choice by the FBI, but it’s not something the privacy statutes contemplate or require.

A second possibility is that the FBI was making false statements in the exigent circumstances letters themselves. It’s not entirely clear what the technical violation is in that case, but presumably the FBI becomes civilly liable for the disclosure violation that it induced. (That is, presumably the FBI can’t misrepresent the facts of what the emergency is to get the provider to have a good faith belief and then voluntarily disclose.) At the same time, I can’t quite tell in the story if that’s what was allegedly happening: The lead sentence suggests so, but there are other parts of the story that suggest that the authors may be thinking of the failure to follow up as the problem.

A third possibility is that the FBI was filing exigent circumstances letters properly, but was then getting NSLs after the fact improperly. That is, the technical violation was based on the FBI’s self-imposed policy: By following-up even when the law did not require it, the government ended up getting NSLs that did not satisfy the NSL standard. Again, parts of the story seem to suggest this, but it’s hard to know with certainty.

Anyway, this sort of story tends to have legs, so I assume we’ll be hearing more details shortly. Stay tuned.