Editor’s note: After this article was drafted but just before press time, the U.S. District Court for the Southern District of New York, entertaining a motion for injunctive relief identical to the instant motion, held on behalf of the government in ACLU v. Clapper, 13 Civ. 3994 (WHP) (S.D.N.Y. Dec. 27, 2013). Next month’s column will discuss that opinion.
In Klayman v. Obama, Civ. No. 13-0851(RJL) (D.C. Dec. 16, 2013), the U.S. District Court for the District of Columbia enjoined the National Security Agency and FBI from receiving telephonic metadata in bulk from telephone carriers and Internet service providers under the provisions of the Foreign Intelligence Surveillance Act and Patriot Act, which allow the government to obtain such metadata as “business records” and “tangible things,” respectively, based upon a showing that there were “reasonable grounds” to believe that metadata sought would be “relevant to an authorized investigation … to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities.” In so doing, the court raised many interesting questions regarding what privacy is in the digital age, but simply ignored the fact, and the standing and merits issues that arose from this fact, that the metadata in question, although it may have pertained to the plaintiffs, resided with the carriers, and so the plaintiffs had no reasonable expectation of privacy in it.
Facts of the Case
The plaintiffs presented sufficient evidence to show that, under the “Bulk Telephony Metadata Program,” the government obtained from telecommunications providers, on a daily basis, electronic copies of telephonic metadata, which the government referred to as “business records” and would place into a large database and then search and analyze. The purpose of the program was to track the cellphones of known terrorists, to see which phones they contacted and which contacted them, so as to identify, at least potentially, terrorist contacts and networks. The data was provided pursuant to orders issued by the FISA court (FISC); through October 2013, 15 different FISC judges (district court judges selected to sit on FISC) issued 35 orders. The plaintiffs, who had good reason to believe that their call records were among those received by the government, argued that said gathering of records violated, inter alia, their Fourth Amendment rights.
The telephonic metadata in question was not generated at the request of the government, but rather as part of the workings of the carriers themselves, to support and facilitate communications. Such records included the telephone numbers of the caller and recipient and the call duration. Content, payment and subscriber information were not requested. Although plaintiffs alleged that the government also collected “cell site” information, i.e., information kept by carriers tracking the proximity of cellphones to cellphone sites (and thus allowing the movements of the millions of users in possession of said phones to be tracked granularly), the government denied this allegation in its pleadings.
The Court’s Reasoning
Regarding the plaintiffs’ claims that their Fourth Amendment rights had been abridged, the court first found that the plaintiffs had standing to challenge the program because, as Verizon customers, there was “strong evidence” that their telephonic metadata had been and would continue to be collected and analyzed. As we shall discuss, the court erred regarding the standing issue, an error intertwined with its ruling on the merits.
Turning to the merits of the Fourth Amendment issue, the court began with the obvious point that for the plaintiffs to claim they had been subjected to “unreasonable searches and seizures,” a search had to have taken place. Citing to the famous concurring opinion by U.S. Supreme Court Justice John Harlan II in Katz v. United States, 389 U.S. 347, 361 (1967), that a search occurs when “‘the government violates a subjective expectation of privacy that society recognizes as reasonable,’” the court noted that the threshold issue it had to address was whether the plaintiffs had a reasonable expectation of privacy that was violated when the government obtained the metadata of “hundreds of millions” of users.
The court reasoned that analysis had to start with the “landmark opinion” in Smith v. Maryland, 442 U.S. 735 (1979), where police, with no judicial authorization, installed a “pen register” to capture the date, time, duration and originating and destination telephone numbers of calls on the suspect’s phone. The Supreme Court held that the plaintiff possessed no reasonable expectation of privacy in the captured data because carriers “keep such information in their business records.” The government cited Smith in arguing that because users had no reasonable expectation of privacy “in the telephony metadata that telecom companies hold as business records,” the data downloads sent to the government under the program did not constitute a search.
The court disagreed. The court found Smith inapposite because the world had so changed, due to “the evolutions in the government’s surveillance capabilities, citizens’ phone habits, and the relationship between the NSA and telecom companies,” that Smith no longer applied. As the court saw it, the extensive gathering of data under the program for so protracted a period of time was simply so intrusive that such data gathering became, de facto, a search, rendering Smith inapplicable. The pen register in Smith was operational for fewer than two weeks, as opposed to the six-plus years that the program had been in place, with no end in sight. Moreover, the entrenched relationship between the government and the carriers had broken down the government/third-party relationship, making the program “effectively a joint intelligence-gathering operation” between carriers and “the government.”
Finally, the court found that the biggest change was in what metadata analysis could tell the government about people, not because, as the court conceded, the metadata had changed, but because the “ubiquity of phones” had “dramatically altered the quantity of information” now available and, more important, “people in 2013 have an entirely different relationship with phones than they did 34 years ago.” Users today “make calls and send text messages now that they would not (really, could not) have made or sent back when Smith was decided.” Citing Justice Sonia Sotomayor’s concurrence in United States v. Jones, 132 S. Ct. 945 (2012), the court found that the metadata generated in our “cellphone-centric culture” provided the government with “‘a wealth of detail about … familial, political, professional, religious and sexual associations’ … that could not have been gleaned from a data collection in 1979.”
The result of this trend of cellphone usage, the court concluded, was “a greater expectation of privacy” in the data kept by the carriers “and a recognition that society views that expectation as reasonable.” Thus, the court found, the data turned over to the government through the program was protected by the Fourth Amendment. Since the orders compelling the carriers to supply the data were not supported by probable cause or sufficiently particularized, there was a substantial likelihood that plaintiffs would prevail on the merits.
Few would disagree that the world has changed since 1979. What the court weakly defends, however, is its position that those changes should result in so fundamental a change in Fourth Amendment jurisprudence as the court would make.
The fundamental problem with the court’s argument, and one that it sidesteps with acuity but sidesteps nevertheless, is that the data at issue are business records of the carriers, which makes the right of privacy at issue the right of the carriers, not the telephone subscribers or users. This simple point is the one driven home in Smith, as well as in United States v. Miller, 425 U.S. 435 (1976), another case cited and discussed by the court, where the Supreme Court held that while a bank held a reasonable expectation of privacy in the banking records it maintained, the bank customer had none.
Nothing in how the world has changed creates for the phone user a reasonable expectation of privacy in its carrier’s business records. The court tries to distinguish the instant matter from Smith and Miller by implying that the “collaboration” between the carriers and the government made the former an agent of the latter, but such is not the case. Rather, the FICA court’s orders have simply required the carriers to supply the data. The ongoing nature of the program does no more to elide the distinction between the government and a private entity than does the regulatory oversight of publicly traded instruments or drug development turn Wall Street or pharmaceutical companies into governmental entities.
Moreover, the court misconstrues the significance of the changes time has brought. The Miller court, for example, held in 1976 that bank customers had no reasonable expectation of privacy in the records held by the bank. Many people, then and now, would regard records of financial transaction equally private to phone records. In other words, the world was pretty complicated in 1976, and the Supreme Court dealt with that complexity in Miller by taking an approach that the court in the instant matter has eschewed. The court has its reasons, but they are philosophical, not historical.
The concerns raised by the court are valid and have their place, but they are wholly insufficient to allow the court to disregard Fourth Amendment jurisprudence. First, despite the court’s citations to Jones and other cases, no Supreme Court case has held as the court did here. In Jones, the court held that evidence gathered by a GPS device should be suppressed because the order allowing the device to be attached to the vehicle was executed outside of the jurisdiction in which it could be executed and beyond the date the order gave to allow agents to attach the device. The discussion of “prolonged surveillance” by Sotomayor was in a concurring opinion. And, indeed, the court admitted that other district courts, as well as another judge in the District of Columbia District, have held opposite to it.
Most importantly, the court ignored the way in which the concerns it has raised have traditionally been addressed: through legislation. When the Supreme Court has refused to recognize a constitutional right of privacy that the electorate believes should be recognized, Congress has created such rights via statute. In the wake of Miller, for example, Congress passed legislation to protect the privacy of bank customers. The Electronic Communications Privacy Act and the Stored Communications Act were passed to protect the privacy interests of email and cloud-storage users. The Health Insurance Portability and Accountability Act was enacted to protect the privacy of medical records. These laws are but a few prominent examples of how Congress has responded to the evolution of privacy concerns that are not afforded Fourth Amendment protection. (It should be noted that states have also acted to create rights of privacy; most recently, numerous states have passed laws prohibiting employers from demanding access to the social media sites of their employees.)
Congress has done a good job over the 35 to 40 years since Miller and Smith of creating rights of privacy not found in the Constitution but demanded by the citizenry. The court should trust that such will work its way out with regard to telephone business records in the post-9/11 age of global counterterrorism.
The court, then, erred not only in its analysis on the merits, but even in its standing analysis. As Rakas v. Illinois, 439 U.S. 128 (1978), makes clear, if a claimant has no reasonable expectation of privacy in the place searched, he or she has no standing to challenge the search. Here, the court’s desire to make a statement about what it described as the dangers of governmental overreaching caused it to ignore the very rule of law—Fourth Amendment jurisprudence—it believed the government was ignoring. The program may be unwise, or unproductive, but it is not unconstitutional.
Leonard Deutchman is vice president and general counsel of LDiscovery LLC, a firm with offices in New York, Fort Washington, Pa., McLean, Va., Chicago, Atlanta, San Francisco and London that specializes in electronic digital discovery and digital forensics.