A further review of the decision of the Southern District of New York approving the NSA’s bulk data collection of all telephone metadata shows huge legal gaps which can now be used not only by the intelligence community, but by prosecutors and other litigants in the future.  Just a few to focus on here.

Collection vs. Invasion of Privacy

The District Court opines that “the collection of breathtaking amounts of information unprotected by the Fourth Amendment does not transform that sweep into a Fourth Amendment search.” (Slip. Op. 42).  Thus, the court observes, if the government can get one document with a subpoena, warrant or consent of the “owner” it can get every document on everyone.  Since the court later observes that people have no expectation of privacy in documents held by third parties (banks, accountants, hospitals, etc.) and because these records are owned by third parties, the government (from the NSA to FBI to a local prosecutor) could subpoena not YOUR bank records, but everyone’s bank records, or everyone’s medical records, every day (under the expansive definition of relevance to include any databases which might have records which might later be relevant).  Thus, if the government wanted to look at patterns, or later look at specific records, it would require no additional subpoena.

Which is problem number 2.

The SDNY Court also concludes that “the Government’s subsequent querying of the telephony metadata does not implicate the Fourth Amendment – anymore than a law enforcement officer’s query of the FBI’s fingerprint or DNA databases to identify someone.”

This parrots the DOJ OLP legal memorandum analysis on the bulk data collection.  Collecting the data from the phone companies is not a “collection” (which is why General Alexander could deny that the NSA was collecting data on U.S. persons) and implicates no privacy concerns because it is a mere transfer of the data from one place (the phone company) to another (the NSA).  Moving data from one place to another does not implicate privacy.  Besides, it’s not YOUR data, it’s the phone company’s data.  So you are not harmed when the data is transferred from AT&T to NSA.  Once the data is in the hands of NSA, querying the database for patterns does not implicate the Fourth Amendment because the Government already has the database.  Just like when the government examines a seized gun, or reads a seized memo, they don’t need a warrant to do so.

The problem is putting these two concepts together.  The SDNY relied on the fact that there were both legitimate needs for the NSA to take custody of the metadata and strict controls on its ability to access the data (the three hops rule, other FISC controls) to rule that the program was lawful, but then proceeded to remove any and all legal requirements for either of these.  If the telephone metadata is not protected under the Fourth Amendment (like most third party documents) then the NSA or FBI need not show that transfer of bulk records is necessary.  If the NSA or a grand jury can subpoena a single record, it can subpoena all of them, because “the collection of breathtaking amounts of information unprotected by the Fourth Amendment does not transform that sweep into a Fourth Amendment search.”  It was not that the NSA had to collect the data that way that made it reasonable; it was that none of the data was protected, so the NSA could do what it wanted.  The court went further to say that there is no requirement that the government subpoena records in the “least intrusive way” even if the records are protected under the First Amendment, and even when the collection has a chilling effect on free speech and free association.  (“the Supreme Court has ‘repeatedly refused to declare that only the ‘least intrusive’ search practicable can be reasonable under the Fourth Amendment.’”)  Bulk data collection is legal not because it is necessary to prevent terrorism (an argument can be made that the search is “reasonable” in light of the balancing of government need and privacy protections imposed by the court) but because there is no limit to the amount of data the government can collect.

The court is flat out wrong when it compares querying the FBI fingerprint database with the government’s querying of the documents subpoenaed in bulk from the phone company.  Like the DOJ OLP policy, it makes the mistake of putting two perfectly acceptable legal doctrines together: there is no privacy invasion when I merely transfer records, and therefore there is no privacy invasion when I query those records.  Each doctrine works on its own, but put together they are an absurdity.  The truth is, the Government has records of every call I make and receive.  Whether its possession of those records invades privacy is entirely dependent upon how it uses the records.  The SDNY court went to pains to point out that the NSA does not have access to the names of the subscribers called, and to point out other Court-imposed restrictions on its querying the subpoenaed database, and then removed the legal basis for requiring any of these restrictions.

The (Un)Invited Ear

A final problem with the SDNY opinion relates to the expectation of privacy in data voluntarily shared with third parties.  And here is where the real privacy issue comes up.  In a modern society, almost everything is “voluntarily shared” with third parties.  Every phone call, every e-mail, every tweet, text message, etc. is shared.  Everything stored on a cloud, typed on a social networking site, or monitored by a third party is shared.  At CES in Las Vegas, the “Internet of Everything” is looking at smart toasters, refrigerators, and other devices which will monitor activities and share them with providers for analysis.

The Court is correct that when information is shared with third parties, one assumes the risk that the third party is unreliable and untrustworthy.  So when I call someone, I run the risk (in many jurisdictions where it is legal) that they will record the call and turn it over to the cops.  This does NOT mean that I have no expectation of privacy in the call, such that the police may, without a warrant, record the call.

The same is true for information created by third parties about me.  I “voluntarily provide” my call data to the phone company for specific and articulable purposes – to place the call and to bill me for doing so.  There are other regulatory reasons and purposes for which the entity collecting the data may produce it.  Beyond that, I may have a reasonable expectation of privacy in these records.  I may not.  What decides the question is not the fact that these records are created by or stored by a third party.  My medical records are created by a third party.  My documents are stored by a cloud provider.  Assuming SOME risks is not the same thing as saying there is no expectation of privacy.


The SDNY court concluded, “[w]hether the Fourth Amendment protects bulk telephony metadata is ultimately a question of reasonableness.”  I agree.  The Fourth Amendment does not prohibit searches and seizures, it prohibits unreasonable ones.

Unfortunately, by expanding the definition of “relevance” to include everything, by concluding that the right to subpoena a single document implies the right to obtain every document that ever existed, by concluding that the querying of a database (without any restriction on those queries) is perfectly acceptable and implicates no constitutional claim, and by concluding that the mere sharing of data destroys any privacy rights in that data, the court has opened the door for the government in other cases (and private litigants) to obtain any records for any purpose and do anything they want with them.  And that’s just not reasonable.

