pageok
pageok
pageok
Civil Liability and the NSA Call Records Program:
Some bloggers are trying to figure out the potential civil liability of the telephone companies if they violated the Stored Communications Act by disclosing call records to the NSA without a court order. I would guess that a lawsuit has been filed already, and if it hasn't a bunch are coming soon. If a court finds that the telephone companies violated the Stored Communications Act, will they face liability in the range of billions of dollars?

  I have two quick thoughts for those that want to look into this in more detail. First, be sure that you consider the good faith exception to liability under the statute, 18 U.S.C. 2707(e):
A good faith reliance on—
(1) a court warrant or order, a grand jury subpoena, a legislative authorization, or a statutory authorization (including a request of a governmental entity under section 2703 (f) of this title);
(2) a request of an investigative or law enforcement officer under section 2518 (7) of this title; or
(3) a good faith determination that section 2511 (3) of this title permitted the conduct complained of;
is a complete defense to any civil or criminal action brought under this chapter or any other law.
  The language here is really unclear as a textual matter, but there are some cases on what it means in the analogous context of the Wiretap Act. When I looked into this when I was writing the DOJ manual, I found a big difference between how courts interpreted the exception in the context of government vs. civil action:
The relatively few cases interpreting the good-faith defense are notably erratic. In general, however, the courts have permitted law enforcement officers to rely on the good-faith defense when they make honest mistakes in the course of their official duties. See, e.g., Kilgore v. Mitchell, 623 F.2d 631, 633 (9th Cir. 1980) ("Officials charged with violation of Title III may invoke the defense of good faith under § 2520 if they can demonstrate: (1) that they had a subjective good faith belief that they were acting in compliance with the statute; and (2) that this belief was itself reasonable."); Hallinan v. Mitchell, 418 F. Supp. 1056, 1057 (N.D. Cal. 1976) (good-faith exception protects Attorney General from civil suit after Supreme Court rejects Attorney General's interpretation of Title III). In contrast, the courts have not permitted private parties to rely on good-faith "mistake of law" defenses in civil wiretapping cases. See, e. g., Williams v. Poulos, 11 F.3d 271, 285 (1st Cir. 1993); Heggy v. Heggy, 944 F.2d 1537, 1541-42 (10th Cir. 1991).
  I'd need to re-read those cases to get better up to speed on this, but it's not obvious to me whether a court would see this as a government good-faith case or a civil good-faith case. It's kind of a mix.

  Second, from a practical perspective it's worth asking how far a suit would go given that the Administration would presumably try to stop the suit by invoking the military and state secrets doctrine (.pdf), as they did recently in a suit over telco involvement in the 1st NSA program. It's unclear how those claims will pan out -- either in the EFF case or in one filed against the telephone companies for this program -- but they are at least a significant roadblock to an attempt to recover damages against the telephone companies for the disclosure.

  (cross posted at OrinKerr.com)
Allen Asch (mail) (www):

Second, from a practical perspective it's worth asking how far a suit would go given that the Administration would presumably try to stop the suit by invoking the military and state secrets doctrine, as they did recently in a suit over telco involvement in the 1st NSA program.

Administration claims of secrecy go even farther than the stonewalling attempts in the EFF suit. I read one of the more Kafkaesque sentences I've seen recently in an AP story yesterday:

"The government has abruptly ended an inquiry into the warrantless eavesdropping program because the National Security Agency refused to grant Justice Department lawyers the necessary security clearance to probe the matter."

Laugh or cry?
5.12.2006 6:24pm
Steve:
I think the government has a tougher time asserting national security concerns in this case, because the plaintiffs can get most of the way home merely by showing that the telcoms gave their records to the government. It is at least conceivable that the case can be litigated without any need for disclosure of what, exactly, the government did with the phone records once it got them.

Based on the prior analyses of the statute, I'm not sure how anybody can assert a good faith defense here. Let's assume the government standard applies; how could the government argue that they believed in good faith they were complying with the statute, particularly when they declined requests to get a FISA warrant, etc.?
5.12.2006 6:46pm
The Original TS (mail):
First, was the 2707 "good faith" exception also downgraded from "reasonably believes" in the March 2006 Patriot Act extension?

Second, it appears to me that the most likely possible defense (18 USC 2511(2)(a)(ii)(B)) effectively shifts the liability from the telecoms to the government -- and the government is on the hook for $10,000 per person.
5.12.2006 7:02pm
ajftoo:
Prof. Kerr,

I think you dismissed 18 U.S.C. 2702(c)(3) too easily in a prior post.

(3) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service;


Would it not be in the interest of the provider to assist the government in finding terrorists? After all, their customers, employees and infrastructure would be in the target pool. I suspect that all the 9/11 victims had phone service, some were employed by telcos and there was definitely extensive damage to telecommunications infrastructure.

Also, is it farfetched for the provider to assume that failure to provide data which could prevent an attack could lead to civil liability in the aftermath of an attack?
5.12.2006 7:15pm
OrinKerr:
ajftoo

Courts have rejected your theory, actually. Se ethe DOJ manual for an introduction to some of the cases.
5.12.2006 7:16pm
Lev:
I wonder if it makes a difference under the various statutes - they seem to be drafted to apply for the case in which the govt requests the "records" of a specific customer to be able to determine what that specific customer has been doing.

In this case, the govt is not requesting the "records" of any specific customer, but rather is requesting access to the all the records of the phone company for network analysis of traffic flows and connections.

The "business records" of the business as opposed to the "personal records" of the customer.

It seems as if it would be somewhat similar to individual hospitals and doctors disclosing to local govt health depts. numbers and types of infections of the patients they treat, how many times and how the individuals are treated - not identified by individual and neutralized of personal information, as opposed to turning over the individual's medical records and treatment dates themselves.
5.12.2006 7:19pm
The Original TS (mail):
It seems as if it would be somewhat similar to individual hospitals and doctors disclosing to local govt health depts. numbers and types of infections of the patients they treat, how many times and how the individuals are treated - not identified by individual and neutralized of personal information, as opposed to turning over the individual's medical records and treatment dates themselves.

The phone records are not statistical compilations, they're records of individual calls. Since the records identify the phone number from which a call originated and the phone number called, it is trivial to associate each record with an individual customer. Indeed, it must be so -- otherwise the records would be useless to the government.
5.12.2006 7:26pm
Norbert Wiener (mail):
If telco execs are questioned by congress under oath can they refuse to discuss the details of a classified program?
5.12.2006 8:15pm
Pete Freans (mail):
It appears two New Jersey lawyers have filed suit today in federal court. The story can be found here.
5.12.2006 8:29pm
Richard Blaine (mail):
I still don't understand why anyone expected this information to be confidental to begin with.
5.12.2006 8:45pm
Kate1999 (mail):
Richard,

Can you explain what your expectations of confidentiality are with respect to your phone calls and e-mails, content and noncontent?
5.12.2006 9:04pm
Steve:
Considering that there is a law prohibiting the phone companies from turning over my phone records to the government unless certain conditions are met - as we've been discussing for the last couple days - I certainly have an expectation that that law will be followed.
5.12.2006 9:16pm
Richard Blaine (mail):
None. Records are kept, traded, sold. Passing through many hands. They can be obtained by just about anyone. Without a warrant. I recall no one promising me confidentiality. Calls are transmitted via wire, radio signal and satellite. Easily intercepted, by anyone.

The fuss today is about calling records, not intercepted calls. The same calling records the phone companies regularly mine in order to try to sell me "... a plan suited to [my] needs and habits". The phone solicitor has my records at his/her fingertips. I should expect the government to be any different?

If you want privacy, you're not gonna get it on the phone. Nor through the mail, and certainly not on the internet.
5.12.2006 9:27pm
Kate1999 (mail):
Richard,

So just to be clear, if you found out that the Mafia had hired thugs to wiretap your phone and break into your e-mail account and read your e-mail, you would say that was no big deal? After all, you can't expect privacy in phone calls or e-mails.
5.12.2006 9:35pm
DaSarge (mail):
18 USC 2709 makes it a requirement for the telecom companies to cooperate.

§ 2709. Counterintelligence access to telephone toll and transactional records

(a) Duty to provide.--A wire or electronic communication service provider shall comply with a request for subscriber information and toll billing records information, or electronic communication transactional records in its custody or possession made by the Director of the Federal Bureau of Investigation under subsection (b) of this section. (etc.)

This is nothing more than a pen register &the US Supremes have already held there is no expectation of privacy in these sorts of data. This is has been done since at least the 30's. Traffic analysis is one way the Mafia was mapped out and tracked.
5.12.2006 11:09pm
ThirdCircuitLawyer (mail):
Wrong, DaSarge.

Under 2709, Telcos have to cooperate if the FBI gives them a national security letter. The FBI was not involved here, and no one had a national security letter (nor could they get one). So 2709 doesn't apply.
5.12.2006 11:20pm
JustPostingOnce (mail):
No proof of actual harm, no damages. Doe v. Chao (2004). And, individualized proof of actual harm will doom the class action effort cited in the news article linked above.
5.12.2006 11:49pm
The Original TS (mail):
Doe v. Chao (probably the most useless styling in history short of Doe v. Superior Court) is construing a different statute. Section 2707 does seem to authorize general damages as does 2712. There is no analogous "adverse effect" element as discussed in Chao.
5.13.2006 12:59am
Lev:

The phone records are not statistical compilations, they're records of individual calls.


Of course the health data I referred is not quite a statistical compilation either. It would be more difficult, but not impossible, to identify individual patients if necessary.


Since the records identify the phone number from which a call originated and the phone number called, it is trivial to associate each record with an individual customer. Indeed, it must be so -- otherwise the records would be useless to the government.


Not so, or at least not necessarily so. It seems to me there are three stages to the process as it would be used.

1. NSA gets the raw data business records, billing records but not identifying any specific customer by name or address, from the phone company and loads it into a computer. That computer then "analyzes" the relationships among the various telephone numbers into a relationship database that includes international telephone numbers.

2. Upon some stimulus, say for example, an international number known to be terrorist linked that is already possessed, or, a new number is acquired that is terrorist linked, are input into the database for relationships and telephone numbers they called, and the ones those called, are identified.

3. The individual customers are now identified, emergency content monitoring pursuant to the FISA emergency exemption takes place, or, a FISA warrant is obtained.

The numbers have been useful, in the absence of specific customer information, to identify those customers who need to be identified.
5.13.2006 1:12am
Michael Poole:
Lev,
Regardless of what the government necessarily needs, the actual fact is that it is trivial to identify the registered owner of a telephone number. There are online services that provide telephone number to customer name and address mappings for free, for charge, and probably in bulk. Since the government would likely not permit the parties to subpoena the NSA to find out how the NSA actually uses this information, the triviality of identifying telco customers implicates the telephone companies.
5.13.2006 9:13am
Anonymous Reader:
Michael Poole,

You bring up and excellent point. You can go to various websites (superpages.com for instance) and type in someone's info and possibly get a name, address, and phone number. With that being said, doesn't that make that kind of information publicly available? I'm not a lawyer, but wouldn't that be kind of like evidence in someone's trash can (outside the house)?

I guess the hard part would be the fact that you didn't physcially "throw away" your info so the world could read it, but wouldn't it be treated the same way?

Therefore, the NSA wouldn't need to subpoena any company for contact info, since it's already publicly available, right?

Anonymous Reader
5.13.2006 10:19am
EricRasmusen (mail) (www):
I'm interested in any examples people might know of of statutes authorizing private lawsuits for civil damages for cases where actual damages can be clearly proven to be trivial. One example is infringement of registered copyright. Is there another one here? Some of the comments seemed to be arguing about that.

These are interesting statutes because they punish efficient "breach".

Or am I wrong and "de minimis" always applies, even if a statute does not mention it?
5.13.2006 10:21am
Bruce Hayden (mail) (www):
As I noted in an earlier thread, if the NSA originally got the identifying information, they would quickly separate it from the call information anyway. What they are supposedly doing is extremely data intensive, and carrying around the identifying information would just make it 2-3 times as bad. Rather, the ability to tie keys to records in other databases is so well established now days, that we just take it for granted. For example, it is built in the Microsoft Access that I use on this computer (that is part of how relational databases work).

One reason that they might want telco subscriber information is that some of the stuff that you get on the Internet is accurate, but much is not. For example, I delisted my home phone maybe four years ago. When I was moving around the country, I left it at a residence here, and then forwarded it wherever I was living at the time. It never even went into the house there, because on the rare occasions I needed to change parameters, I would just go out and plug a phone into the demarcation box. Nevertheless, that address is still showing up connected to that phone number, and I still get a lot of advertisements about getting second mortgages for that house (which I never owned).

It is clear though that Qwest is selling current information, because every once in awhile there will be some indication that someone has tied the phone to its physical location, and the only place that can come from is Qwest. The phone number has been unlisted and unpublished since it moved.
5.13.2006 10:39am
DaSarge (mail):
I bow to ThirdCircuitLawyer's expertise as to the statutes. I would add that we are only assuming the FBI did not issue the requisite letter. One would hope there is good cooperation between the FBI & NSA but, as we all know, the reality is often to the contrary.

That said, I stand by the fact that what the gov't is doing is nothing more than traffic analysis, which has been held constitutional since the 30's. The data acquired is the electronic equivelent of a pen register & the Supremes have held there is no reasonable expectation of privacy there.

This sort of analysis was developed during WWI. If you want a fascinating view of how it is done, read David Kahn's "The Codebreakers" & see how much the Navy was able to learn about Japanese ship movements without actually being able to read their traffic. The FBI used the same techniques to map out the Mafia in the 50's and still uses it against the drug smugglers. Heck, I can learn much about my children just looking at the cell phone bill (I have teenagers).

What is happening here is that a lot of people are assuming what they wish the law to be is in fact what the law actually is. The Feds can look at your bank records without a warrant. The Feds and the states can look at your medical records without a warrant. In either case they don't have to tell you & they usually don't. That drives me nuts & it is plain wrong in my view. But the courts say it's OK.
5.13.2006 10:41am
DaSarge (mail):
A friend just emailed this:

SMITH v. MARYLAND, 442 U.S. 735 (1979)

[W]e doubt that people in general entertain any actual expectation of privacy in the numbers they dial. All telephone users realize that they must “convey” phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed. All subscribers realize, moreover, that the phone company has facilities for making permanent records of the numbers they dial, for they see a list of their long-distance (toll) calls on their monthly bills. . . .

[E]ven if [a caller] did harbor some subjective expectation that the phone numbers he dialed would remain private, this expectation is not “one that society is prepared to recognize as ‘reasonable.’” . . . This Court consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties. . . . [W]hen [a caller] used his phone, [he] voluntarily conveyed numerical information to the telephone company and “exposed” that information to its equipment in the ordinary course of business. In so doing, [the caller] assumed the risk that the company would reveal to police the numbers he dialed.
5.13.2006 11:20am
Freder Frederson (mail):
That said, I stand by the fact that what the gov't is doing is nothing more than traffic analysis, which has been held constitutional since the 30's. The data acquired is the electronic equivelent of a pen register &the Supremes have held there is no reasonable expectation of privacy there.

Well, this is true, nobody is arguing that what the NSA is doing is unconstitutional, just illegal. When the Supreme Court decided that a pen registers were not covered by the fourth amendment the Congress passed laws to protect that information. That is why, according to USA Today, Qwest refused to cooperate with the program. They demanded a court order before they would turn over the information. The NSA apparently acted like a bunch of mafia bagmen running a protection racket threatening to cut off government contracts if Qwest didn't cooperate and saying in effect: "Badges, we don't need no stinking badges." (I realize I am mixing my metaphors and/or movie allusions between mob and spaghetti westerns)
5.13.2006 11:24am
Freder Frederson (mail):
DeSarge,

As noted in an earlier post, Smith v. Maryland was effectively overruled by the Stored Communication Act. It's the way our system works. If the Supreme Court says something is not prohibited by the constitution the Congress can still pass laws that makes that makes the act illegal. And the Stored Communication Act did just that, made the acts that the Supreme Court found constitutional in Smith v. Maryland illegal.
5.13.2006 11:32am
yebby61 (mail):
It's probably beneficial to note here, that one can google a listed phone number and discover who it is leased to (phone numbers are held in ownership by the service) and their address.

Circa 1995, the FCC legislation demanded co-operation with local, state and federal law inforcement, by the telecommunication company's.

The objective of CALEA's implementation is to preserve law inforcement's ability to conduct "lawfully authorized" electronic surveillance, while preserving public safety and the publics right to privacy.

Data basing every phone call, to and from every telephone ever made in America, since even 9/11, must be a tremendous effort, and a rather huge expense to the government, which technically is you and I. And personally, I can't afford the share of my liability for this expenditure. Especially since the money has to be borrowed from China.

Links to faq's about CALEA can be found here:

http://www.askcalea.net/faqs.html
5.13.2006 1:52pm
Jay:
I'm curious - considering the alleged threats to Qwest regarding future contracts - is the NSA or whoever made those threats in possible trouble for extortion?
5.13.2006 2:02pm
Just an Observer:
Freder Frederson,

I think you are quite correct to say, "nobody is arguing that what the NSA is doing is unconstitutional, just illegal. When the Supreme Court decided that a pen registers were not covered by the fourth amendment the Congress passed laws to protect that information."

But it goes too far to say the the Stored Communications Act "effectively overruled" Smith v. Maryland, which as you note was interpreting the Fourth Amendment.
5.13.2006 2:07pm
Bruce Wilder (www):
Does it make any difference that NSA is not a law enforcement or investigative agency?
5.13.2006 4:01pm
Fub:
It looks like somebody already did sue. And the VC's own Orin Kerr had something to say about the case:

Verizon sued for $50 billion over wiretap program
By Leslie Wines, MarketWatch
Last Update: 11:31 AM ET May 13, 2006

NEW YORK (MarketWatch) - AT&T Corp., BellSouth Corp and Verizon Telecommunications are facing lawsuits seeking billions of dollars in damages for the decision to turn over calling records to the government, the New York Times reported Saturday.

A federal lawsuit was filed in Manhattan yesterday seeking as much as $50 billion in civil damages against Verizon on behalf of its subscribers.

Under telecommunications law, the phone companies are at risk for at least $1,000 per person whose records they disclosed without a court order, according to Orin Kerr, a former federal prosecutor and assistant professor at George Washington University.

[snip and pray for fair use exception]

Link found on SlashDot.
5.13.2006 10:56pm
Richard Blaine (mail):
Kate1999

My, what an imagination you have! Of course I'd be concerned if I found out that the "Mafia" had hired "thugs" to wiretap my phone and break into my email. Granted, the "Mafia" is not known for great intellects, but anyone stupid enough to hire "thugs" to do a job more easily accomplished by a 14 y/o hacker or with a bird watchers parabolic microphone is surely a cause for concern. And I consider the "Mafia" less of a threat to my safety, security and freedom than our Government. If I found out that someone walked in off the street to the office of my phone company or ISP, and asked about my information, and the company had provided it, I might be concerned. But I'd have no cause for action. No one has promised me security or privacy. Absent a specific contractual clause, these records are theirs to do with as they please.

Data packets are feathers in the wind. They can't be recovered.

Out of curiosity, just where in your life do you think you have privacy? Medical records? Banking records? Nope. They even put security cameras in rest rooms nowadays!
5.14.2006 3:15am
yebby61 (mail):
What about false positives?

Suppose, for example, a group of people who haven't contacted each other in years, and suddenly they begin calling and emailing and planning a trip to D.C.

Wouldn't it be likely, using this storage data base, that a computer program would flag this 'social networking' as a possible terrorist cell, when in actuality it's only a group of Vietnam vets planning a reunion at the Vietnam Memorial?
5.15.2006 3:17am