The Problem With the Administration “White Paper” on the Telephony Metadata Program

On Friday, the Obama Administration released a “white paper” articulating its case for the legality of the NSA call records program under Section 215 of the Patriot Act and under the Fourth Amendment. I found the “white paper” a somewhat frustrating read, as it is essentially a brief for the government’s side with no brief coming to oppose it. Although the white paper raises some interesting points, it also fails to confront counterarguments and address contrary caselaw.

Consider the critical issue of whether a massive database of billions of records can be deemed “relevant” because some records inside the database are relevant. Here’s the key discussion of that issue from the white paper:

[C]ourts have held that the relevance standard permits requests for the production of entire repositories of records, even when any particular record is unlikely to directly bear on the matter being investigated, because searching the entire repository is the only feasible means to locate the critical documents.[FN7] More generally, courts have concluded that the relevance standard permits discovery of large volumes of information in circumstances where the requester seeks to identify much smaller amounts of information within the data that directly bears on the matter. Federal agencies exercise broad subpoena powers or other authorities to collect and analyze large data sets in order to identify information that directly pertains to the particular subject of an investigation. Finally, in the analogous field of search warrants for data stored on computers, courts permit Government agents to copy entire computer hard drives and then later review the entire drive for the specific evidence described in the warrant.

[FN7]See, e.g., Carrillo Huettel, LLP v. SEC, 2011 WL 601369, at *2 (S.D. Cal. Feb. 11, 2011) (holding that there is reason to believe that law firm’s trust account information for all of its clients is relevant to SEC investigation, where the Government asserted the trust account information “may reveal concealed connections between unidentified entities and persons and those identified in the investigation thus far . . . [and] the transfer of funds cannot effectively be traced without access to all the records.”); Goshawk Dedicated Ltd. v. Am. Viatical Servs., LLC, 2007 WL 3492762 at *1 (N.D. Ga. Nov. 5, 2007) (compelling production of business’s entire underwriting database, despite business’s assertion that it contained a significant amount of irrelevant data); see also Chen-Oster v. Goldman, Sachs & Co., 285 F.R.D. 294, 305 (S.D.N.Y. 2012) (noting that production of multiple databases could be ordered as a “data dump” if necessary for plaintiffs’ statistical analysis of business’s employment practices).

. . .

While these cases do not demonstrate that bulk collection of the type at issue here would routinely be permitted in civil discovery or a criminal or administrative investigation, they do show that the “relevance” standard affords considerable latitude, where necessary, and depending on the context, to collect a large volume of data in order to find the key bits of information contained within.

If you’re reading quickly, you might skip over the caveat “where necessary, and depending on the context” in that last paragraph. But it’s actually a significant caveat, and the white paper doesn’t discuss the precedent on the other side that complicates the Administration’s position.

A case that comes to mind is In re Grand Jury Subpoena Duces Tecum Dated Nov. 15, 1993, 846 F.Supp. 11 (S.D.N.Y. 1994) (Mukasey, J.). In that case, then-Judge (later Attorney General) Michael Mukasey quashed a grand jury subpoena that sought all computers and all electronic storage devices possessed by the target corporation. The subpoena failed Rule 17′s “relevance” standard because the computers contained so much irrelevant material intermingled with the data that was relevant to the investigation:

Government counsel have conceded on behalf of the grand jury that the subpoena demands irrelevant documents. Moreover, the government has acknowledged that a “key word” search of the information stored on the devices would reveal “which of the documents are likely to be relevant to the grand jury’s investigation.” Id. at 3. It follows that a subpoena demanding documents containing specified key words would identify relevant documents without requiring the production of irrelevant documents. To the extent the grand jury has reason to suspect that subpoenaed documents are being withheld, a court-appointed expert could search the hard drives and floppy disks.

“[B]ecause the subpoena at issue unnecessarily demands documents that are irrelevant to the grand jury inquiry,” Mukasey concluded, “it is unreasonably broad under Federal Rule of Criminal Procedure 17(c).”

Mukasey’s decision seems to cut against the Administration’s position. It blocks a subpoena for all the electronically-stored information because lots of the information to be obtained is not relevant even thought some of it is. Plus, the opinion is written by a recent Attorney General of the United States, which should give it extra prominence. And it’s a lot more significant a precedent than are Fourth Amendment cases involving warrants to search computers: Warrants do not apply the relevance doctrine while subpoenas do, so it seems odd to discuss the cases about computer warrants but not the cases on computer subpoenas. But the “white paper” doesn’t mention this case, so we don’t know if the Administration has a response to it– or if the FISC was ever alerted to it.

Granted, it’s possible to try distinguishing Mukasey’s decision. Mukasey seemed to think that a key word search would be responsive to the subpoena, so getting all the data was not necessary. There was an alternative way to proceed, namely by doing key word searches. The Administration presumably would argue that the Section 215 program is different because getting the whole database is in fact necessary: If the government doesn’t have the whole database, many of the records will be destroyed before the government can find the links it is looking for.

Perhaps that’s right, but that argument would open up a difficult question of what the frame of reference is for assessing necessity. Does the risk that customer metadata would be deleted in the ordinary course of business create a “necessity” to overcollect? Do you assume that the government has a right to get access to all metadata of every telephone user in the United States, and that overcollection is “necessary” to effectuate that? Or do you assume that the government only has a right to get access to relevant metadata that exists at the time the government identifies the relevance of that specific metadata? I’m not sure there is a doctrinal answer to that issue, but the white paper doesn’t appear to acknowledge and confront the question.

In addition to not citing contrary precedent, the white paper also cites cases that strike me as relatively weak authority for its position.  Consider the three cases cited in Footnote 7 above. In the first case, Carrillo Huettel, LLP v. SEC, 2011 WL 601369, at *2 (S.D. Cal. Feb. 11, 2011), the SEC issued a subpoena to the Bank of America for all the trust account records of an 8-lawyer firm (Carillo) suspected in misconduct involving at least 42 clients. The firm objected that getting all the account records would reveal what it was doing with the funds of 100+ clients beyond the 42 already tagged as involving misconduct. The government argued that it needed all the client records to really understand what was happening to the funds, and the Court agreed: “On balance, the Court finds the SEC has demonstrated that there is reason to believe that the Carrillo trust account information sought by the subpoena is relevant to a legitimate law enforcement inquiry. Although not every responsive document produced by BofA may be relevant, there is reason to believe that the records overall contain information relevant to the investigation.”

This Carrillo case provides at least some authority for the government’s position, but it seems like relatively weak authority. In that case, the government was investigating the records of a single smallish law firm, and it already knew that about 30% of the records to be collected involving firm clients were involved in financial wrongdoing. In that instance, it seemed plausible that most or all of the records were involved in the scheme, even if the government didn’t know it yet. And it would make sense to look through all the records to see which ones were tainted by the firm’s practices. That’s far different from government access to the records of hundreds of millions of customers to find a mere handful of bad actors.

The other two cases cited by the government seem much weaker. Both involve requests for records in civil discovery disputes. In Goshawk Dedicated Ltd. v. Am. Viatical Servs., LLC, 2007 WL 3492762 at *1 (N.D. Ga. Nov. 5, 2007), the court allowed the plaintiff suing an insurance company to get a copy of the actuarial database used to set the terms of the plaintiff’s policy. The court allowed the plaintiff access to the database because “its methodologies, policies, and practices of conducting life expectancy evaluations are themselves at the center of this litigation,” and the database was the key way to understand the insurance company’s methodology and practices. In the third case, Chen-Oster v. Goldman, Sachs & Co., 285 F.R.D. 294, 305 (S.D.N.Y. 2012), the court mentions the possibility of a “data dump” as part of the discovery process. But the case also cites Nicholas J. Murlas Living Trust v. Mobil Oil Corp., No. 93 C 6956, 1995 WL 124186, at *5 (N.D.Ill. March 20, 1995), in which the Court rejected turning over an entire database of information during discovery and seemed to agree with the objecting party’s claim that the demand was “outrageous.”

Having read Goshawk and Chen-Oster, it’s not clear to me how they are supposed to support the government’s position except in a very indirect way.   The fact that a few courts have not categorically ruled out turning over things called “databases” does not shed a lot of light on whether it is lawful here. To be clear, there’s a lot of interesting and useful analysis in the white paper. But there is also a lot that the white paper leaves out, and some of the cases cited don’t seem to offer significant support the Administration’s position.