The New York Times reported on a secret joint Drug Enforcement Administration (DEA)-AT&T program called “Hemisphere” which allowed the drug agency access to billions of telephone records. The fact that the DEA could get access to AT&T phone records with an administrative subpoena is neither surprising nor newsworthy. Indeed, that is what a subpoena is intended to be for – to obtain records of a third party.
What makes the Hemisphere program unique are three things. 1) The DEA instructed its agents and others sharing in the program never to use the term “Hemisphere” or to disclose the existence of the program which was not classified but was considered “law enforcement sensitive;” 2) the fact that AT&T employees were paid by the DEA and embedded with the DEA for the sole purpose of delivering AT&T documents – sometimes within 15 minutes – to DEA agents upon demands; and 3) the scope and breadth of records kept, maintained and delivered by AT&T to the DEA – sometimes more than 20 years of records. These records included not only calls dialed and subscription information, but where available and requested, cellular location data and other Customer Proprietary Network Information, or CPNI.
Is it Legal?
The short answer is, probably yes. When the government wants to obtain information from a third party (like AT&T) it has many ways of doing so. It can get a search warrant – an order from a court supported by probable cause and describing what to seize. It can get a subpoena from a grand jury – technically part of the judicial branch, but in reality issued by a prosecutor without probable cause but just because the prosecutor or investigator thinks it is relevant (e.g., they want it…).
There are various court orders like “trap and trace” or “pen register” orders which permit the government to obtain information with a court order, but the order is issued simply based on the prosecutor’s say so – their assertion that the information is “relevant” to a criminal case. In that case, the judge is required to issue an order for production. The government may also obtain information by a civil investigative demand letter, a national security letter, a FISA order, or finally by an administrative subpoena. Some federal agencies, like the DEA, have the authority to issue subpoenas on their own behalf, frequently without the approval of a prosecutor. They literally have them in their back pocket, and can fill them out and serve them at any time. So the fact that the DEA was able to issue an administrative subpoena for records is hardly surprising. But the subpoena authority of the DEA is not unfettered. As the Department of Justice noted:
Agencies are limited in their exercise of administrative subpoena authority by: (1) judicial review of subpoena orders prior to potential judicial enforcement; (2) notice or nondisclosure requirements imposed in an agency’s organic statutes; (3) privacy-protective constraints or notice requirements internal to the statute authorizing the subpoena power; (4) generally applicable privacy-protective statutes, prohibiting certain disclosures and requiring notice under certain circumstances; and (5) agency promulgated guidelines limiting or directing subpoena issuance.
DEA subpoenas must be issued by the appropriate persons (not just field agents) for the appropriate purposes (an investigation authorized by the Controlled Substances Act). Under factors set out by the Supreme Court, to enforce an administrative subpoena, the government must show that: (1) the investigation is conducted pursuant to a legitimate purpose, (2) the information requested under the subpoena is relevant to that purpose, (3) the agency does not already have the information it is seeking with the subpoena, and (4) the agency has followed the necessary administrative steps in issuing the subpoena.
The DEA also must meet its statutory requirement. 21 U.S.C. 876(a) provides that: “[i]n an investigation relating to his functions under this subchapter [the Controlled Substances Act] with respect to controlled substances, listed chemicals, tableting machines, or encapsulating machines, the Attorney General (AG) may subpoena witnesses, compel the attendance and testimony of witnesses and require the production of any records (including books, papers, documents, and other tangible things which constitute or contain evidence) which the Attorney General finds relevant material to the investigation.” Of course, the Attorney General doesn’t do this personally. The law allows the AG to delegate this authority and so now under 28 C.F.R. §0.100, Subpart R, the authority to issue administrative subpoenas lies with the DEA Administrator, who of course doesn’t have time to approve every subpoena, so he or she has delegated this authority to the DEA Chief Inspector; The Deputy Chief Inspector and Associate Deputy Chief Inspector of DEA’s Office of Professional Responsibility; Inspector; Special Agents in Charge; Associate Special Agents in Charge; Associate Special Agents in Charge; Resident Agents in Charge: and Diversion Program Managers.
Pretty cool in less than 15 minutes.
But these are no ordinary records. These records are actually protected by federal law.
These records are called Customer Proprietary Network Information, or CPNI under 47 USC 222. The FCC has authority to regulate the collection, use and dissemination of CPNI under the Telecommunications Act of 1996 and the FCC issued opinions on the use of CPNI in 1997 and 2013.
Specifically, the law protects the privacy of:
(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and
(B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier.
These laws prohibit the disclosure of CPNI under certain circumstances, but permit it to be disclosed “as required by law.” Since an administrative subpoena, if properly issued, and within the relevant scope and by the proper legal authority mandates compliance, such compliance can be “required by law.”
But not always.
The question for AT&T is, if they are producing records within 15 minutes, who is challenging the scope, authority, and reasonableness of the subpoenas? Not every subpoena is enforceable. Indeed, compliance with a subpoena – particularly an administrative subpoena is not actually required by law. Even though the subpoena is an “order” to produce records, the recipient of the subpoena can – and frequently does – go to court and ask that the subpoena be quashed, narrowed, clarified or modified. Indeed, if the subpoena is ignored, the issuer (the DEA) can’t just go in and take the records – they have to go to court and get an order to compel production. Only when the order to compel is ignored, or the motion to quash denied, does the subpoena have an actual effect. So while AT&T CAN comply with the subpoena, and it is authorized by law to do so, it is not quite required to do so. Just look at what happens when someone subpoenas not YOUR records from AT&T, but AT&T’s records from itself – say in a tax or antitrust investigation.
Why So Secret?
According to the New York Times’ reporting:
The program was started in 2007, according to the slides, and has been carried out in great secrecy.“ All requestors are instructed to never refer to Hemisphere in any official document,” one slide says. A search of the Nexis database found no reference to the program in news reports or Congressional hearings.
If this is just an administrative subpoena, then why the secrecy? The admonition against referring to Hemisphere in ANY official document appears to be an invitation to conceal information from supervisors, defense lawyers, Congressional investigators, and even the courts. If, as the DOJ asserted, this is nothing more than a routine subpoena program, then why not have the scope and extent of the program aired in the public, albeit without disclosing the times and targets of its use? If there is no expectation of privacy in these records, why not tell the consuming public about the program designed to protect them?
Embedding
The law permits telephone companies to be reimbursed for their reasonable expenses associated with complying with subpoenas. Many statutes, like the wiretap law 18 USC 2511, the Communications Assistance to Law Enforcement Act (CALEA) and others have express provisions for such reimbursement, and it has recently been revealed that billions of dollars have been paid by the NSA and CIA to the phone companies for their participation in the wiretap and surveillance programs known generically as PRISM.
These payments typically cover the costs of technology and manpower associated with the production of documents and records. However, there is no provision in the law specifically authorizing reimbursement of expenses associated with production of records requested (demanded?) by administrative subpoena. As a general rule, particularly for government subpoenas, the party receiving the subpoena bears the cost of production. If a hotel chain gets a subpoena for the production of a hotel bill, they have to produce that record as a cost of doing business, or they can go to court and quash the subpoena as being unduly burdensome and oppressive. In that case, a court could order the party seeking production (the government) to pay for the costs of production.
But in this case, AT&T appears to have employees whose sole job it is to comply with DEA administrative subpoenas in less than 15 minutes. If their salary is paid by the DEA, then who do they really work for? Do they really have an incentive to reduce or increase the number and scope of these subpoenas?
Imagine if AT&T was involved in civil litigation against, say Verizon, and designated a team of AT&T employees whose primary job function was to produce records – in 15 minutes or less – as demanded by Verizon. If their salaries were paid by Verizon, one could reasonably ask whether they were serving the interests of AT&T and its customers in protecting the confidentiality of CPNI on behalf of the customer. AT&T’s primary function is to run a phone company. Its secondary function is to deliver customer service. Then its job is to protect its corporate assets, and the privacy of its customers. Only after that, should they then be an agent of law enforcement. To think about it another way, imagine if, instead of the DEA, this was VEVAK, the Iranian secret police, or the North Korean State Security Department? Would we be that happy about AT&T embedding employees with these agencies for the sole purpose of turning over customer records without legal review – in 15 minutes or less?
Records Retention
The most troubling aspect of the Hemisphere program is the scope of documents and records subject to administrative subpoena. While the DEA was undoubtedly interested in recent records (including records of calls just made, and location data for suspects for a few days or months) published reports indicate that records of phone calls for at least 20 years are available for subpoena. This means that a call you made in 1993 (“Hey, dude, want to see Weekend at Bernies 2?”) is subject to subpoena by the DEA.
While the phone companies likely did not collect location data that far back, it is not clear what the records retention policies for CPNI are. More importantly, it is not clear WHY such records are retained for such a long time. Does AT&T keep your phone data for two decades because it has a genuine business interest in doing so, or is it because the government has either demanded, or has paid AT&T to retain these records for governmental purposes? In other words, how does keeping my phone records from at least 1993 (and maybe longer) help me as an AT&T stockholder?
This may represent another instance of the government demanding that entities that have no real need to retain records (like ISP’s and mail providers) retain such records solely so that they can be subpoenaed by law enforcement agencies.
Companies which generate records — whether it is a payment service, a movie rental service, a library, whatever — should keep those records of customer data for as long as they need for business purposes. They should also tell the customers what records are retained and for how long, and who has access to these records. If a company like AT&T is retaining records for decades solely to give them to the cops, people should consider this fact in using the company’s services.
But, as Lily Tomlin’s Ernistine said, “We don’t care. We don’t have to. We’re the phone company.”