Metadata, the NSA, and the Fourth Amendment: A Constitutional Analysis of Collecting and Querying Call Records Databases

In his recent Wall Street Journal op-ed, my co-blogger Randy Barnett argues that massive-scale collection of communications metadata by the NSA violates the Fourth Amendment because it is an unreasonable seizure. Randy’s colleague Laura K. Donohue recently argued in the Washington Post that such collection violates the Fourth Amendment as an unreasonable search. Jennifer Granick and Chris Sprigman made a similar argument in the New York Times.

Are they right? Does obtaining all telephony metadata under Section 215 — and then querying the database — violate the Fourth Amendment?

In this post, I’ll start with current law, and I’ll explain why current law supports the conclusion that massive-scale collection of communications meta-data by the NSA does not violate the Fourth Amendment rights of its customers. I’ll then consider alternate views of the Fourth Amendment and explain the prospects and challenges of using the mosaic theory to get to a contrary result.

I’ll then turn to the argument Randy flags that obtaining this metadata may violate the rights of the communications providers instead of customers. This strikes me as a plausible argument, but not a certain one; I find the issue doctrinally murky, and I don’t have a strong view of it. But in this post I’ll offer the arguments for the sake of those interested in them.

I. Metadata Surveillance and the Fourth Amendment Rights of Customers

First, the facts. From what we can tell, the FISC has signed an order requiring communications providers to disclose the telephony metadata they have collected to the federal government. We don’t know exactly what records are actually being turned over, but the order indicates that it includes all non-content information, which might include numbers dialed, duration of calls, and the location information of cell-phones. The NSA is then querying the database, although it seems that pursuant to a FISC order they can do so only when they have reasonable suspicion that the fruits of the query will reveal information relating to terrorist plots and the like.

The conventional account of the doctrine would indicate that this does not violate the Fourth Amendment. When I say “conventional account,” I mean the account found in conventional sources of legal authority like Supreme Court opinions and circuit court decisions. Here’s how the conventional account would go:

(a) First, obtaining telephone metadata is not a “search” under Smith v. Maryland, 442 U.S. 735 (1979). Smith held that the number dialed from a telephone call is not protected because it is information provided to the phone company to place the call. The caller sends the information to the phone company, and the phone company uses it; the information is the phone company’s record of what it did, not the user’s property. Smith built on United States v. Miller, 425 U.S. 435 (1976), which held that a person does not have Fourth Amendment rights in their bank records. The bank records are the bank’s business records of how the account was used, Miller reasoned, so the customer has no privacy rights in the information.

Under the reasoning of Smith and Miller, metadata that is account information about how an account was used — but not call contents — is not protected under the Fourth Amendment. See, e.g., United States v. Fregoso, 60 F.3d 1314, 1321 (8th Cir. 1995) (stored telephone records not protected). Lower courts have applied the same principles to Internet metadata, too. See United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2008) (IP addresses); United States v. Perrine, 518 F.3d 1196, 1204 (10th Cir. 2008) (“Every federal court to address this issue has held that subscriber information provided to an internet provider is not protected by the Fourth Amendment’s privacy expectation.”).

(b) Under existing doctrine, the closer call is with cell-site location — location information about where phones are located — that is part of the same Section 215 order. There is pending litigation on how the Fourth Amendment applies to cell-site information collection in several circuits, and it’s not inconceivable that the issue might get to the Supreme Court within a few years. However, the predominant view in the caselaw is that cell-site location is unprotected under Smith v. Maryland. See, e.g., United States v. Skinner, 690 F.3d 772 (6th Cir. 2012); United States v. Booker, 2013 WL 2903562, at *9 (N.D.Ga. 2013); United States v. Graham, 846 F.Supp.2d 384, 389 (D.Md.2012); United States v. Benford, 2010 WL 1266507, at *3 (N.D.Ind. 2010).

(c) One difference between the existing cases like Smith and the facts of the NSA program involves the scale of the records obtained. In the criminal cases Smith, Forrester, and Perrine, the government obtained and examined the records of a single customer — the criminal suspect. Under the current Section 215 order, however, the government is obtaining massive databases of tens of millions of customers. It is then only looking through that database when it has reasonable suspicion. So it’s a big difference in the facts. But do those facts make a constitutional difference?

I think that distinction can make a difference in the analysis on the Fourth Amendment rights of the phone companies — more on that in a minute. But I don’t see a doctrinal hook in existing caselaw for why it would make a difference in the Fourth Amendment rights of their users. If obtaining pen register information on one user is not a search, the obtaining that pen register information for 100 or 10,000 or 1,000,000 or more users is still not a search. Katz tells us that the Fourth Amendment protects “people, not places,” and it’s not clear how surveillance that is not a search when provides information about one person can become a search when it provides information about many. To be sure, it’s possible to devise theories of the Fourth Amendment that would make that relevant, but it’s hard to get there just based on the conventional sources of existing appellate cases.

(d) That brings us to the last part of the picture. If the information that is in the database is not protected by the Fourth Amendment, then querying the database does not raise any Fourth Amendment issues. See, e.g., State v. Sloane, 939 A.2d 796 (N.J. 2008).

II. The Mosaic Theory and the Rights of Customers

So that’s the conventional account. The most common arguments to the contrary invoke what I have called the mosaic theory of the Fourth Amendment. Specifically, they draw from the concurring opinions in United States v. Jones, 132 S. Ct. 945 (2012) to say that the collective acquisition and analysis of information about a person over time constitutes a search even if collecting individual discrete pieces are not searches. Here’s Chris Sprigman and Jennifer Granick making the argument:

The government has made a mockery of [Fourth Amendment] protection by relying on select Supreme Court cases, decided before the era of the public Internet and cellphones, to argue that citizens have no expectation of privacy in either phone metadata or in e-mails or other private electronic messages that it stores with third parties.

This hairsplitting is inimical to privacy and contrary to what at least five justices ruled just last year in a case called United States v. Jones. One of the most conservative justices on the Court, Samuel A. Alito Jr., wrote that where even public information about individuals is monitored over the long term, at some point, government crosses a line and must comply with the protections of the Fourth Amendment. That principle is, if anything, even more true for Americans’ sensitive nonpublic information like phone metadata and social networking activity.

Laura Donohue echoes the same point:

Americans reasonably expect that their movements, communications and decisions will not be recorded and analyzed by the government. A majority of the Supreme Court seems to agree. Last year, the court considered a case involving 28-day GPS surveillance. Justice Samuel Alito suggested that in most criminal investigations, long-term monitoring “impinges on expectations of privacy.” Justice Sonia Sotomayor recognized that following a person’s movements “reflects a wealth of detail about her familial, political, professional, religious, and sexual associations.”

This argument isn’t impossible to make, but it is certainly uphill. That’s true for three primary reasons:

1) The concurring opinions in Jones are only that — concurring opinions. They are not binding law. Most lower courts have rejected the rationale of the concurring opinions. See, e.g., State v. LeMasters, 2013 WL 3463219 (Ohio App. July 8, 2013) (“While [the appellant] spends a great amount of time in his brief quoting and referencing the concurring opinions in Jones that suggest that the Fourth Amendment should be stretched to include other privacy rights, we are bound only by the majority opinion of the court, rather than questions raised and suggestions made within the dicta of concurring opinions. “) So to succeed on this argument, first you need to argue that courts should adopt the mosaic theory and apply it in cases like the NSA surveillance. I have argued that courts should reject the mosaic theory; you can read my argument here if you’d like. But even if you disagree, I don’t think you can just cite the concurring opinions in Jones and call it a day. Instead, you need to offer an argument as to why courts should adopt those concurring opinions. As I explain in my article, that’s possible but not at all easy.

2) Even if you accept the concurring opinions in Jones as controlling opinions, it’s far from clear that they should apply to the facts of the NSA program. That’s true for several reasons, but for the sake of brevity I’ll focus on just one: The key to the Jones concurring opinions was the combination of the collection of information and its subsequent analysis, and that subsequent analysis seems to be missing. Justice Alito’s opinion in Jones looked to whether a person reasonably expects others to “secretly monitor and catalog” a person’s movements. Justice Sotomayor asked “whether people reasonably expect that their movements will be recorded and aggregated” in a manner that creates the mosaic. Cataloging and aggregating are verbs that describe subsequent analysis instead of initial collection. These phrases suggest that the mosaic theory requires some step beyond the acquisition stage. In the case of the NSA program, it appears that the NSA gathers everything but then makes only very specific and targeted (and relatively rare) queries through the database. It’s not at all clear that the facts of the NSA program involve the systematic analysis of data that appears to be so important to the concurring arguments in Jones.

3) Next, even if you conclude that accessing location information is a search under the mosaic theory or some other theiry, there is work to be done to show that it is an unreasonable search. Not all warrantless searches are unreasonable searches. Indeed, there are lots of problems squaring the mosaic theory with a warrant requirement, as I explain in my article. Further, even if you say that a mosaic search requires a warrant generally, there is considerable appellate caselaw indicating that searching with the goal of finding national security information about foreign terrorist groups relaxes the warrant requirement. See, e.g., United States v. Brown, 484 F.2d 418 (5th Cir. 1973); United States v. Butenko, 494 F.2d 593 (3d Cir. 1974) (en banc); United States v. Buck, 548 F.2d 871 (9th Cir. 1977); United States v. Truong, 629 F.2d 908 (4th Cir. 1980). I don’t have a good sense of how those cases would play out in the context of the NSA program, as the facts are so different. But I flag the point just as a reminder that there would need to be some kind of analysis on what reasonableness means in this specific situation. You can’t just assume that a warrantless collective search automatically requires a warrant.

In sum, using the mosaic theory to say that at least parts of the NSA program violate the Fourth Amendment is a possibility, but it’s an uphill battle for a number of independent reasons.

III. Current Fourth Amendment Doctrine and the Fourth Amendment Rights of the Telephone Companies

My co-blogger Randy has taken a different approach to the question. Randy focuses on the Fourth Amendment rights of the telephone companies rather than the individual customers: If the provider doesn’t want to turn over the records, then does the Fourth Amendment stop the government from forcing the government to compel them? Is forcing the provider to turn over its records an unconstitutional “seizure”? To answer this, let’s start my assuming that the telephone companies do not want to turn over the records: They are only turning over the records because the FISC has ordered them to do so. Does the Fourth Amendment allow the FISC to order the companies to disclose the records?

The question raises a complex question because Section 215 orders are somewhat sui generis from a Fourth Amendment perspective. To simplify a lot of caselaw, there are two traditional kinds of legal process in Fourth Amendment law governed by two different legal frameworks. The first legal process is a warrant, which a judge issues based on probable cause. The warrant lets the government enter the place to be searched and retrieve the property described in the warrant. The second legal process is a subpoena, which is issued by a government agency without judicial supervision. The subpoena tells the recipient to hand over property it has or to come testify.

The two forms of legal process have different Fourth Amendment rules governing them. Warrants are governed by the standard found in the text of the Fourth Amendment: “no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” On the other hand subpoenas do not require probable cause or warrant-like particularity. Subpoenas to testify are not regulated by the Fourth Amendment at all, see United States v. Dionisio, 410 U.S. 1 (1973), and warrants to compel the disclosure of property are regulated primarily by the requirement that complying with the subpoena must not be overly burdensome. See, e.g., See v. City of Seattle, 387 U.S. 541, 544 (1967).

Also, the two legal standards are enforced in two different ways. When the government gets a warrant, the government can execute the warrant and the subject of the warrant can’t object until later. In contrast, subpoenas are not self-executing. The recipient of the subpoena can move to quash it before complying; it is only enforced if a judge is called on to review the constitutionality of the subpoena and issues a subsequent ruling.

This framework creates some difficulty for analyzing Section 215 orders because it’s not clear which framework applies. Section 215 orders are like subpoenas in some ways (they are orders to compel) and like warrants in other ways (they are signed by judges). Let’s assume that ordering a company to copy information “seizes” that information from the company. That point isn’t obvious, but I have argued that it is generally the case. See Kerr, Fourth Amendment Seizures of Computer Data, 119 Yale L.J. 700 (2010). Assuming that a seizure occurred, do you determine the reasonableness of the seizure using the warrant standard, the subpoena standard, or something else? For that matter, how does the Butenko/Trung foreign surveillance impact the reasonableness of the seizure? This is pretty novel ground, and I don’t know if there’s an obvious answer in existing caselaw.

Perhaps the best argument for saying that Section 215 orders are unconstitutional is to assert that they have to fit either the warrant standard or the subpoena standard but they can’t satisfy either one. It’s obvious that Section 215 orders aren’t valid warrants. And less obviously, but also quite plausibly, you could say that under the usual Fourth Amendment standard for administrative agency subpoenas, the orders violate the requirement “that the subpoena be sufficiently limited in scope, relevant in purpose, and specific in directive so that compliance will not be unreasonably burdensome.” See v. City of Seattle, 387 U.S. 541, 544 (1967). By ordering the disclosure of the entire database of collected metadata, the argument would run, the government is obviously not getting a limited and specific directive. It is making the providers turn over absolutely everything, not just a narrow and limited set of information. And that is “unreasonable” under the subpoena precedents.

The counterargument to this could run on two grounds. First, you could argue that whether a subpoena to obtain and query an electronic database is “sufficiently limited in scope, relevant in purpose, and specific in directive” to be reasonable requires considering not just whether the order to disclose the database is limited, but also whether querying the database is limited. In other words, you could consider reasonableness over the two steps — the acquisition of the database with strict protections from it being queried, and then the subsequent permitted queries — rather than just the one step of acquisition. This isn’t a perfect fit, as the burdensomeness standard is about burdensomeness to the recipient of the subpoena; it’s not clear how querying the database has anything to do with that. But it’s a plausible argument given the unusual facts here. And it may explain why the FISC has imposed a reasonable suspicion requirement on querying the database: Perhaps the FISC has concluded that the reasonableness of the seizure of the database under the subpoena precedents allows the whole database to be obtained but only actually queried when there is reasonable suspicion. It’s hard to know.

A second counterargument could rest on the many cases indicating that searching for information in national security cases is a “special need.” Perhaps you could say that this line of cases makes the reasonableness inquiry different in the context of Section 215 orders to try to stop terror attacks than it would be in the case of a routine administrative agency subpoena issued to investigate regulatory compliance and the like. That’s a possible argument, too.

A final counterargument would go to the assumption I made earlier, that the companies are not providing the information voluntarily. This is also murky Fourth Amendment ground. In general, subpoenas are enforced only when the recipient objects. There is no public sign that the companies have objected to the Section 215 orders. Further, as I recall the history that has been disclosed, the telcos originally were voluntarily disclosing the records but then asked for orders to be issued as a CYA move (triggering statutory good faith standards, for example) when the program was revealed in 2006. I’m not sure how that plays out: Do you analyze the Fourth Amendment question by assuming that the telcos objected, or do you not get to the Fourth Amendment issues because the telcos actually are playing along? Off the top of my head, I’m not totally sure.

IV. Conclusion

Anyway, that’s my tentative take. In light of recent experience with comment threads on posts about the NSA, I think it’s best to decline to open the post for comments. I’ve been frustrated to see that recent threads have too often become fora for venting by the angry and uninformed, and there’s enough such commenting around the Internet that I don’t feel the need to add more of that here. But I did want to offer my take on the questions for interested readers.

Comments are closed.