Sophos Cloud Optix
Finally we know, legally speaking, why the US thinks it’s just fine and dandy to collect metadata relating to whom we call, who calls us, how long we talk, and maybe even where we’re talking from.
The rationale will likely sound familiar to those who’ve been following ongoing news concerning National Security Agency (NSA) surveillance.
It boils down to a landmark case from 1976 – Smith v. Maryland – in which the Supreme Court ruled that calling a telephone number necessarily involves disclosing the number to a third party – i.e., the phone company.
Because the number was disclosed during the phone call, the number’s not private, the Supreme Court held, and the government can have easy access to the call records.
This is the origin of the “third-party doctrine”. The logic has, in the case of the NSA arranging metadata downloads from Verizon et al., been ported over to the idea of demanding massive amounts of phone metadata.
The rationale has been secret until now.
It was unveiled for the first time on Tuesday and published on the website for the nation’s most secret court, the Foreign Intelligence Surveillance Court (FISC), as reported by Ars Technica’s Cyrus Farivar.
As Farivar writes, the 46-page opinion [PDF], authored by Judge Claire Eagan, was written on 29 August but not published until this week.
The unveiling of the legal rationale comes after FISC Judge Reggie Walton ordered the Government to conduct a declassification review of such decisions and related orders in the wake of Edward Snowden having leaked documents and thereby set in motion a firestorm over the National Security Agency’s (NSA’s) extensive surveillance program.
In her opinion, Justice Eagan explains why the Fourth Amendment to the US Constitution, which prohibits unreasonable searches, doesn’t pertain in the case of the metadata sharing program:
The telephone user, having conveyed this information to a telephone company that retains the information in the ordinary course of business, assumes the risk that the company will provide that information to the government. Thus, the Supreme Court conclude that a person does not have a legitimate expectation of privacy in telephone numbers dialed, and there, when the government obtained that dialing information, it "was not a 'search'", and no warrant was required.
. . .
Put another way, where one individual does not have a Fourth Amendment interest, grouping together a large number of similarly situated individuals cannot result in a Fourth Amendment interest springing into existence ex nihilo. [Ed. a Latin phrase meaning "out of nothing".]
In sum, because the Application at issue here concerns only the production of call detail records, or "telephony metadata" belonging to a telephone company, and not the contents of communications, Smith v. Maryland compels the conclusion that there is no Fourth Amendment impediment to the collection. Furthermore, for the reasons stated in [REDACTED] and discussed above, this Court finds that the volume of records being acquired does not alter this conclusion. Indeed, there is no legal basis for this Court to find otherwise.
Farivar’s article is well worth the read, particularly given his analysis of whether the third-party doctrine on which Eagan bases her opinion might actually be starting to wobble.
As he explains, no telecomms company has to date challenged the legality of a FISC order.
Were Verizon, for one, to actually do so, it could well be bolstered by a January 2012 Supreme Court decision in the US v. Jones case, wherein the court ruled that law enforcement lacked the right to warrantlessly place a GPS tracking device on a suspect’s vehicle.
Justice Sonia Sotomayor wrote in that case that it well might be time to review the third-party doctrine:
...It may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties.
Is change in the air? Is the climate ripe for a shift in legal thinking on issues of the legality of NSA surveillance?
Let us know your thoughts in the comments below.
If the numbers a person calls are not private and we have no expectation of privacy for those numbers, then I say all the phone numbers all politicians call should be made public. I mean, it is "just metadata" right? Why should they expect privacy in the numbers they call if we can't expect the same?
When I make a phone call I trust and expect my telecomms provider to keep that information to itself, and not make the information available to anyone who just asks for it. I'd therefore suggest that I *do* have an expectation of privacy, and would want there to be more checks and balances involved in handing over that data than the powers that be merely asking for it – i.e. a specific court order that had been justified by reasonable suspicion of wrongdoing, not a bulk data grab for the purpose of mounting a fishing expedition. I dare say I'm not alone in these assumptions – so on the face of it I'd say the FISC rationale is based on an entirely false premise.
I'm a UK citizen, but not feeling particularly smug about it as our government are just as bad, if not worse. At least the US *has* a constitution to judge the legality of this behaviour against.
I agree with Andrew. If they go by Eagan's thought process then nothing would be considered private because almost every service provider (isps, banking, credit cards, email, doctors..etc) can be considered a third party just like the phone companies.
In the case of phone calls, any information disclosed to phone companies is not voluntarily disclosed.The only reason that information is disclosed is because it is required by the company to complete a call.Tha would seem to be involuntary disclosure of information to me.
Voluntary disclosure means that you choose to disclose the information in order to serve some purpose that you wish to accomplish (or simply because you don't mind disclosing it). For the disclosure to be involuntary, you would have to be forced to disclose it even though you consider disclosing it to be against your interests. Since you have a clear interest in completing the call that you are making, disclosing a phone number to the phone company is not against your interests, and is therefore voluntary.
The real problem with the third party doctrine is that it assumes that your communication with the phone company isn't private—that is, that by revealing the number you wish to call to the phone company, you are making it public, not simply engaging in a private communication with the phone company pursuant to your business with the phone company.
This is actually a pretty absurd conclusion to draw. Clearly the government is not naturally privy to all communications between individuals and companies. We would expect the government to have to get a warrant in order to access your medical records, for example. The basis for saying that phone records are different than psychiatric records, for instance, is presumably the triviality of the information, not the fact that it has been shared with a business. So the third party doctrine seems more like a convenient pretext for snooping than it does a legitimate constitutional argument.
I think that Justice Sotomayor is correct to say that it should be revisited.
Excellent points there, Ted; explaining the difference between “voluntary” and “involuntary” in this context is important – and going on to say that there’s inconsistency of treatment across different types of data is critical to a) acknowledging the problem and then b) addressing it.
The main direction of the arguments is a false premise.
The disclosure of the phone number should not automatically give the right for the disclosure of the data in the call.
THe point I am arguing here is a false assumption of right.
Yes the disclosure of the number called may give a right for the company to disclose the fact that a call was made, and to which number it was made to. However once this is done the contents of the call are in fact still assumed to be private.You do not talk to the company and have the call passed on to the recipient, you are talking directly to the recipient. The premise that one disclosure allows for full disclosure is incorrect, and the original judgement should be revisited with this argument.
If this is not done then the same false logic could be applied to say a car, you disclose the VIN number to get the car registered, and its make and colour, with these disclosures, under this argument, you are saying that you are allowing any government authority to search the car, because you have disclosed its identity!
It seems to me that this is at odds with post (snail mail) where I believe it is an offence to interfere with the mail and open someone else's mail.
Whether the government has a right to know that you received a letter is another thing. However, with letters, there is no automatic identification of the sender, unlike the telephone system which knows which two numbers it is connecting (although it does not know who is actually using those numbers, but in the days of personal phones this is a fair assumption that it is the owner).
I think the whole issue of privacy needs reviewing from first principles for the modern age, rather than just keep tinkering around the edges.
Why the government thinks it is entitled to the equivalent of phone hacking without any form of independent oversight shows that it really is time to have a proper debate.
Governments are for the people. There are occasions where in order to protect the people for the greater good, this is at the expense of individual rights.
I have had my phone tapped many years ago; eventually a neighbour was prosecuted for a nuisance offence. But it does leave you with an uneasy feeling.
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.
According to the mysteries I read, police must obtain a warrant in order to see the banking and credit card records of a suspect. If speed is important, a judge might have to be woken up to approve the warrant.
It sounds like this old-fashioned practice is becoming unnecessary in today's surveillance society, as Stac mentioned above.
So, when I use my credit card to buy something online, since the number goes to a 3rd party, the merchant, does that mean my card number is now part of the public domain?
Hey if you don't like it just don't go online anymore…
It's the same as driving a car. If you are driving too fast, drunk or worse, you get pulled over and get a costly ticket or lose your license. People think that using the Internet should be similar to activities.., like breathing. Guess what folks? People have their lives ruined by hackers and the bad guys plot terrorist events online too.
Phones are no exception. It isn't free and it can be abused in the wrong hands, so people that whine and cry about their 'rights' might be better suited living in a cave with no electricity, no computers, no phones and no life.
If your advice could be put into practice (doubtful) the residual effect would be that these state-sponsored activities woudl become pointless, and all tech companies going to the wall. Doesn’t sound much like security to me, rather the creation of universal fear, uncertainty and doubt; fertile ground for revolt and probably not in many’s people’s interests.