What You Need to Know About NSA Mass Telephone Call Tracking

What You Need to Know About NSA Mass Telephone Call Tracking

By David Bender

The flood of recent articles disclosing that the National Security Agency has engaged in a massive acquisition of information concerning the telephone communications of millions of Americans has shocked many. While sensationalizing this acquisition, most articles avoid discussing whether it has a legal basis. Questions abound, but two stand out. Does this acquisition violate the law – and should it?

The Order. The Guardian published 1 a copy of a top secret "Secondary Order" (the "Order") from the Foreign Intelligence Surveillance Court (the "FISA Court") that required Verizon to produce "all call records or 'telephony metadata' created by Verizon for communications (i) between the United States and abroad; or (ii) wholly within the United States . . . . Telephony metadata includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) number, International Mobile station Equipment Identity (IMEI) number, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony metadata does not include the substantive content of any communication ... or the name, address, or financial information of any subscriber or customer." The Order included the "gag" provision customary in such orders. The Order's duration was almost three months, but it was not known whether Verizon received other orders, 2 or whether other carriers received similar orders.

Dose this demand for information violate the law?

The Fourth Amendment. The U.S. Supreme Court has not ruled on whether the Fourth Amendment 3 is violated by warrantless government acquisition of information about communications in a foreign intelligence investigation. In Katz v. United States, 4 the Court expressly reserved on whether a warrant was necessary for investigating national security matters. 5 In the Keith Case, 6 the Court held that the government must abide by the Fourth Amendment in domestic security matters. But Keith specifically cautioned that it was not speaking to matters involving foreign powers.

The Applicable Statute. The provision 7 cited in the Order is a section in the Foreign Intelligence Surveillance Act ("FISA"), 8 effective 1978 and since amended several times by the USA PATRIOT Act 9 and amendments thereto. The FISA is premised on the proposition that statutes restraining the government in "ordinary" criminal matters are overly restrictive for foreign intelligence matters.

Section 1861 empowers the FBI to apply ex parte to the FISA court in a secret proceeding for an order requiring production of records in an investigation to "obtain foreign intelligence information not concerning a US person, or to protect against international terrorism or clandestine intelligence activities." 10 The application must contain facts showing reasonable grounds to believe that the records are relevant to an authorized investigation conducted under the Attorney General's guidelines for Executive Order 12333 11 as amended. Executive Order 12333 is a lengthy order signed by President Reagan, and twice amended by President George W. Bush, that deals with the conduct of intelligence activities. 12 A judge finding that an application meets the requirements of this section must issue an order.

Orders must incorporate "minimization" procedures, and provide "clear and conspicuous" notice of a non-disclosure requirement. Minimization consists of procedures (i) reasonably designed to minimize retention and prohibit dissemination of nonpublic information about nonconsenting U.S. persons, consistent with the government's need for the information; (ii) requiring that nonpublic information that is not foreign intelligence information will generally not be disseminated so as to identify any U.S. person absent consent; and (iii) to allow retention and dissemination of evidence of a crime for law enforcement purposes. 13 The Attorney General must report semi-annually to Congress about these applications, and must annually submit an unclassified report showing the number of applications, and the number "granted, modified, or denied." 14 In 2012 the government made 212 such applications; the court granted all, after amending the proposed orders in 200 of them. 15

Some Legal Issues. Is this demand part of an investigation "to protect against international terrorism or clandestine intelligence activities"? The government may well be able to show that it is, even though it is arguably represents a blunderbuss approach. Are there reasonable grounds to believe the records are "relevant" to an investigation authorized by the Executive Order? The demand may indeed be relevant to such an investigation. If a broad-based investigation focused on terrorism were sanctioned by the Executive Order, the methodology apparently used here would be relevant to such an investigation. The theory apparently is that once the government knows the telephone numbers of suspected terrorists, it can attempt to identify other terrorists by determining with whom the suspects communicate.

Does this blunderbuss approach violate the "minimization" provision of the statute? Apparently not, for that provision applies only to data retention and dissemination – not to collection in the first place. Thus, it would appear that the sweeping nature of the government's conduct does not violate the letter of the statute. Whether it violates the spirit of the statute, or the Fourth Amendment, may be different matters.

Should the Law Permit Such a Demand? Thisepisode is but another in the age-old continuing saga of the tension between privacy and security. It seems clear that at any given time the vast majority of US citizens will tolerate a certain diminution in their privacy in return for enhanced security. But there is no general agreement as to how much privacy should be sacrificed, and public opinion on this matter changes with circumstances. The US public today is more security-oriented than before 9/11, and less security-oriented than shortly after 9/11. How much of an incursion on privacy the public will tolerate depends in large part on how safe it feels at the moment.

The early reaction 16 in the United States – this could change as more information is disclosed and more public debate ensues -- seems to favor NSA's conduct. A Washington Post-Pew Research poll taken June 6-9, 2013 asked whether it is more important for the government to investigate terrorist threats, or not to intrude on personal privacy. Investigating terrorist threats won, 62%-34%. 17 Political leaders such as the President, Sen. Dianne Feinstein, and Rep. John Boehner have voiced support for the program. But opinion is far from unanimous. Sens. Ron Wyden, Richard Durbin, and Mark Udall have expressed reservations. 18 And in an editorial, the New York Times stated: "The issue is not whether the government should vigorously pursue terrorists. The question is whether the security goals can be achieved by less-intrusive or sweeping means, without trampling on freedoms and basic rights." 19

And indeed, this raises the question of why, if the government knows the telephone number of some suspects, it does not demand information pertaining only to those relatively very few numbers, instead of obtaining a sweeping Order covering Verizon's millions of customers (and, for all we know, numerous other orders). The practice involves vacuuming an enormous amount of information, the vast majority of which pertains to people suspected of nothing, when the government may already have a list of suspects. What terrorism-related information will this acquire that a much more focused demand would not?

Thus, critics argue there is no need for universal collection, because collection of contacts of known targets should suffice. The government disagrees, apparently claiming it needs a pre-existing database of contacts for essentially everyone. One can see two tactical differences between these databases: (1) Once a target is identified, creating a contact database could require time, whereas an attack may be imminent; the pre-existing database may already include the target's contacts. (2) The effort to identify contacts of a suspect may be too late to capture critical contacts, which may by then have ceased; the pre-existing database is more likely to contain those critical contacts.

One aspect on which the government relied in attempting to calm the waters after the disclosure was that the collection related only to information about communications, and not their content. 20 Indeed, the Supreme Court has made such a distinction. In Smith v. Maryland 21the Court found no Fourth Amendment violationwhere, without a warrant, the police attached a pen register 22 to a telephone line. One basis for the ruling was the distinction the majority drew between content of a phone message, and addressing information. But a vigorous dissent argued that addressing information is not without content because "it easily could reveal the identities of the persons and the places called, and thus reveal the most intimate details of a person's life." 23

The dissent's theme was echoed in a suit that the ACLU brought against the government on June 11, 2013. The Complaint alleged that this massive data collection "gives the government a comprehensive record of our associations and public movements, revealing a wealth of detail about our familial, political, professional, religious, and intimate associations." 24 The ACLU claims that this collection exceeds the scope of § 1861 and violates the First and Fourth Amendments.

Conclusion. The government has a non-frivolous argument for needing the universal database. There is also an argument against permitting collection of such a database. Far too often, the government's right to collect information has been abused. We need look back no further than the reign of J. Edgar Hoover to see that the FBI – an agency charged with responsibility under the FISA – has been guilty of many such abuses.

The legal issues are (a) whether creation of the universal database is authorized by the FISA, and (b) regardless of FISA authorization, whether the advantages of the universal database are outweighed by the wholesale invasion of privacy necessary to create it, so as to violate the Fourth Amendment. Perhaps the ruling in the ACLU suit, or in other suits likely to be brought as a result of this disclosure, will help resolve these issues.

n1 See <http://www.guardian.co.uk/world/2013/jun/06/nsa-phone-records-verizon-court-Order>.

n2 Sen. Dianne Feinstein stated, however: "As far as I know, this is an exact three-month renewal of what has been the case for the past seven years." C. Savage, E. Wyatt, and P. Baker, "US Confirms That It Gathers Online Data Overseas," NY Times (6 June 2013), found at <http://www.nytimes.com/2013/06/07/us/nsa-verizon-calls.html?pagewanted=all&_r=0>.

n3 The Fourth Amendment provides: " The right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the person or things to be seized."

n4 389 U.S. 347, 88 S. Ct. 507; 19 L. Ed. 2d 576 (1967).

n5 Id., 389 U.S. at 358, note 23.

n6 United States v. United States District Court, 407 U.S. 297, 92 S. Ct. 2125; 32 L. Ed. 2d 752 (1972).

n7 50 U.S.C. § 1861.

n8 50 U.S.C. §§ 1801 – 1811, 1821 – 1829, 1841 – 1846, 1861 – 1862. The FISA is the subject of D. Bender, Computer Law: A Guide to Cyberlaw and Data Privacy Law § 23.01 et seq. (Matthew Bender 2013). [lexis.com subscribers may access this treatise by clicking here.]

n9 Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, Publ. L. No. 107-56, 115 Stat. 272 (26 Oct. 2001), 107th Congr., 1st sess., as amended.

n10 § 1861(a)(1). A "United States person" is a US citizen or permanent resident. §1801(i).

n11 Exec. Order 12333 (Dec. 4, 1981), 46 FR 59941, 3 CFR, 1981 Comp., p. 200.

n12 Exec. Order 13355 (Aug. 27, 2004); Exec. Order 13470 (July 30, 2008).

n13 § 1861(g).

n14 § 1862.

n15 DOJ letter to various members of Congress, 30 Apr. 2013, found at <http://www.justice.gov/nsd/foia/foia_library/2012fisa-ltr.pdf>.

n16 This article was submitted on June 13, 2013; the Guardian disclosure occurred on June 5, 2013.

n17 Pew Res. Center, "Majority Views NSA Phone Tracking as Acceptable Anti-terror Tactic," found at <http://www.people-press.org/2013/06/10/majority-views-nsa-phone-tracking-as-acceptable-anti-terror-tactic/>.

n18 C. Savage et al, supra.

n19 Id.

n20 See Savage et al, supra.

n21 442 U.S. 735, 99 S. Ct. 2577; 61 L. Ed. 2d 220 (1979).

n22 A pen register is a device that, when attached to a phone line, records the phone numbers of outgoing calls. It does not record content.

n23 Id., 442 U.S. at 748 (Stewart, J., dissenting).

n24 American Civil Liberties Union v. Clapper, Complaint par. 1 (filed 11 June 2013).

David Bender is the author of Bender on Privacy and Data Protection (LexisNexis Matthew Bender), published in 2011 and updated annually, and of Computer Law (LexisNexis Matthew Bender), initially published in 1978 and now a six volume set updated twice annually. He is an Adjunct Professor at the University of Houston Law Center, where he teaches Privacy Law, and a sole practitioner in Dobbs Ferry, NY, with extensive experience in privacy, information technology, and intellectual property litigation, counseling, and transactional matters. He was a founder of the IP practice at White & Case LLP, where he spent the majority of his career, and was head of the firm's privacy practice, which he also helped found. Mr. Bender previously served in-house at AT&T, where he was responsible for all IP litigation brought by or against any Bell System company. Before his service at AT&T, he was engaged extensively in antitrust litigation. He is a past president of the International Technology Law Association (formerly called Computer Law Association). Mr. Bender has made over 250 presentations at conferences sponsored by numerous organizations such as PLI, bar associations, and law schools on various topics in the realm of privacy, IT, IP, and antitrust, across the United States and in 19 other nations, and has authored over 100 law review articles and conference handbook papers. Before turning to the law, Mr. Bender served as an engineer with the aerospace division of Ford Motor Co., and as a mathematician with Hughes Aircraft.

Information referenced herein is provided for educational purposes only. For legal advice applicable to the facts of your particular situation, you should obtain the services of a qualified attorney licensed to practice law in your state.

Lexis.com subscribers can access the complete set of Emerging Issues Analyses for Cyber & E-Commerce Law and the Cyber & E-Commerce Area of law page.

For more information about LexisNexis products and solutions connect with us through our corporate site.


  • 03-12-2014

30 years ago I had sinus surgery that cost $6,000; in today's dollars that would be at least $13,508.14

My father had lung cancer and each of his chemo treatments cost $12,000 and he had 6 for a total coat of $72,000

In today's medical market $8,100 ain't worth spit. www.fiverr.com/mr_jurme1