A previous post laid out the reasons why the telcos appear to face enormous liability for handing stored phone records to the NSA. In sum, the Stored Communications Act (SCA) prohibits handing over the records, and it provides at least $1,000 in damages per customer for violations. For 50 million or more customers, that leads to big damages indeed.
This post responds to the legal questions and comments that we’ve seen so far. We still don’t see any decent legal defense against liability, and that may be why Qwest refused to go along with the NSA demands:
1. Isn’t the conduct covered under another part of the SCA? Maybe. If the phone companies “voluntarily” gave the records to the NSA, then 18 U.S.C. 2702(c) applies. If the phone companies were required to turn over the records, such as through a court order, then Section 2703(c) applies. The bottom line is the same — none of the exceptions apply, and liability exists.
2. What about the emergency exception? Section 2702 has an exception for “an emergency involving immediate danger of death or serious physical injury.” Other emergency exceptions in the wiretap laws have time frames such as 72 hours, giving time for the government to get a court order. This exception won’t cover the NSA program, which is now going on five years.
3. What about the consent exception? Section 2702 and 2703 both have an exception for disclosure with the consent of the subscriber or customer. Simple question — did you give your personal consent for a top-secret program to turn over all customer calls to the government? Will a federal judge think that all customers did so? It would take a huge factual leap for the judge to agree that everyone gave actual consent to what has happened here.
4. Does the SCA apply to phone records? Yes. The rules apply to an “electronic communications service,” which includes both phone and e-mail communications.
5. Does it matter that the telcos took out customer names and addresses? No. Phone numbers themselves are treated as personally identifiable information in American law, such as under the federal Privacy Act. The reason is that the NSA can instantly match the phone numbers back to subscribers using widely available services. It won’t work for the telcos to say: “We temporarily took out customer names, knowing that the NSA could put them back in moments later.”
6. Did the government use National Security Letters instead? Not according to the facts in the USA Today story, which says that the NSA asked for the data. The FBI does have the power to ask for phone calling records using NSLs, which are secret subpoenas issued without a court order. The NSA doesn’t have authority to issue NSLs, though. Even if the FBI issued an NSL on behalf of NSA, it would likely be unlawful. An NSL can ask only for records relevant to “an authorized investigation to protect against international terrorism or clandestine intelligence activities.” An “investigation” is ordinarily a narrowly-defined specific investigation, generally of one or a few suspects. It stretches the statute beyond the limit to say one “investigation” can be for all the phone calls made by all Americans. The telcos get off the hook only if they turned over the records “in good faith” that it was legal — using one NSL to get all the calls in the country is not a “good faith” read of the statute.
7. What about the counterintelligence exception for subscriber records? The analysis of Section 2709, part of the Patriot Act, is the same as for National Security Letters. Section 2709 allows the FBI to ask for call detail records that are “relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities.” As with NSLs, the NSA lacks such power, and USA Today reported that it was the NSA asking for the records. As with NSLs, it stretches the statutory language past the breaking point to say that “an authorized investigation” can be used for all calls made by all Americans.
In short, we still don’t see any legal defense to this enormous liability of the telcos.