What Is “Project Vigilant,” and Is It Violating the Law?

Salon’s Glenn Greenwald has an interesting post about a group called “Project Vigilant,” which it seems is some sort of volunteer private-sector group that tracks hackers (and perhaps other bad guys). I say “seems” because I’ve never heard of the group, and it’s not entirely clear what it does. But a report in Forbes includes the following claim by someone named Chet Uber, who apparently is the head of it:

Uber . . . says the 600-person “volunteer” organization functions as a government contractor bridging public and private sector security efforts. Its mission: to use a variety of intelligence-gathering efforts to help the government attribute hacking incidents. “Bad actors do bad things and you have to prove that they did them,” says Uber. “Attribution is the hardest problem in computer security.”

According to Uber, one of Project Vigilant’s manifold methods for gathering intelligence includes collecting information from a dozen regional U.S. Internet service providers (ISPs). Uber declined to name those ISPs, but said that because the companies included a provision allowing them to share users’ Internet activities with third parties in their end user license agreements (EULAs), Vigilant was able to legally gather data from those Internet carriers and use it to craft reports for federal agencies. A Vigilant press release says that the organization tracks more than 250 million IP addresses a day and can “develop portfolios on any name, screen name or IP address.”

Greenwald’s coverage suggests that the group is in cahoots with the feds, and that it is conducting some sort of mass surveillance of lots of people and then handing over the leads to the federal government. If that is true — which remains unclear to me — then the legality of the project’s work strikes me as questionable. The Stored Communications Act (SCA), codified in relevant part at 18 U.S.C. 2702, generally protects the privacy of ISP records in the United States, including IP addresses, from voluntary disclosure. The question is, does Project Vigilant violate the SCA, and specifically, Section 2702?

There are a few exceptions to this rule in 18 U.S.C. 2702(c) that might apply to “Project Vigilant” — but then, they might not. The weakest rationale for the legality of the disclosure is the rationale offered in the story — that “the companies included a provision allowing them to share users’ Internet activities with third parties in their end user license agreements (EULAs).” There is a consent provision in Section 2702, found in 2702(c)(2), but given that it mirrors the language of the Wiretap Act’s consent exception — and that exception requires actual notice, not constructive notice — I doubt a claim hidden in a EULA suffices to generate consent. As the First Circuit stated in United States v. Lanoue in interpreting the Wiretap Act’s analogous consent provision:

Keeping in mind that implied consent is not constructive consent but “‘consent in fact,’” consent might be implied in spite of deficient notice, but only in a rare case where the court can conclude with assurance “‘from surrounding circumstances . . . that the [party] knowingly agreed to the surveillance.’” Griggs-Ryan v. Smith, 904 F.2d 112, 116-17 (1st Cir. 1990) (quoting Amen, 831 F.2d at 378) (emphasis supplied). We emphasize that “consent should not casually be inferred,” Griggs-Ryan, 904 F.2d at 117, particularly in a case of deficient notice. The surrounding circumstances must convincingly show that the party knew about and consented to the interception in spite of the lack of formal notice or deficient formal notice.

I don’t see how a term in a EULA no one actually reads can satisfy that standard.

Another exception is the exception permitting disclosure of non-content records to a non-government entity found in 2702(c)(6). It seems that Project Vigilant is formally a private sector group, but that raises a question that no cases have addressed: What sort of line does the Stored Communications Act draw between a private group and the government? Can a private group essentially launder data and give it to the government to get around the 2702 limitations on voluntary disclosure? I doubt it. Given that the SCA is essentially a statutory version of the Fourth Amendment, I would guess that the private/government line in the SCA is the same as the line drawn in Fourth Amendment law for when a private group becomes a state actor. The Supreme Court has never been entirely clear about what the standard is (circuit court tests vary somewhat), but the general idea, as stated in Skinner v. Railway Labor Executives’ Association, is that “[a]lthough the Fourth Amendment does not apply to a search or seizure, even an arbitrary one, effected by a private party on his own initiative, the Amendment protects against such intrusions if the private party acted as an instrument or agent of the Government.” Does “Project Vigilant” act as an agent of the government? It’s not clear, but if it does, I would think they cannot rely on the exception permitting disclosure to a non-government entity in 2702(c)(6).

There are two more exceptions that would apply only if the scope of “Project Vigilant” is much, much narrower than the Forbes and Greenwald stories suggest. To make a long story short (or at least a long post slightly less long), ISPs can disclose records about actual computer intrusions. They can release records of the intrusion to protect their own network under 2702(c)(3), although the scope of the disclosure has to be tailored to the actual threat to the network. And they can disclose records of individuals who were not legitimate subscribers or customers, such as the hackers themselves, as the limit on disclosure only applies to the records of actual legitimate subscribers. So those disclosures are allowed, but they’re of a much more limited nature than the stories suggest.

If I had to guess, I would guess that “Project Vigilant” is a lot narrower than Uber’s quote suggests. Perhaps this was a bit of exaggeration to the press, or some poor reporting by Forbes (in general, reporters on the surveillance beat turn every story into Big Brother). But if Uber’s quote reflects the reality of what the “Project” does, its legality strikes me as questionable.