David Kris Points to the Clause Loopholed Under David Barron on Metadata Collection

I’m working on a longer post on David Kris’ paper on the phone [and Internet] dragnets.

But for the moment, I want to note that he strongly implies the US is relying on 18 U.S.C. § 2511(2)(f) to collect international metadata. He does it when he first introduces the phone dragnet secondary order (page 2).

The order excluded production of metadata concerning “communications wholly originating and terminating in foreign countries.”5 215 Bulk Secondary Order at 2; see Business Records FISA NSA Review at 15 (June 25, 2009) [hereinafter NSA End-to-End Review], available at http://www.dni.gov/files/documents/section/pub_NSA%20Business%20Records%20
FISA%20Review%2020130909.pdf; August 2013 FISC Order at 10 n.10; cf. 18 U.S.C. §2511(2)(f) (“Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978”). [my emphasis]

And he does it just after suggesting that the FISA Court may have approved the phone dragnet in 2006 — however shabby the legal case — just to have it under FISC supervision (note, he also nods to the Internet metadata dragnet, but as I’ll note he goes through some contortions to avoid addressing it all that directly).

More broadly, it is important to consider the context in which the FISA Court initially approved the bulk collection. Unverified media reports (discussed above) state that bulk telephony metadata collection was occurring before May 2006; even if that is not the case, perhaps such collection could have occurred at that time based on voluntary cooperation from the telecommunications providers. If so, the practical question before the FISC in 2006 was not whether the collection should occur, but whether it should occur under judicial standards and supervision, or unilaterally under the authority of the Executive Branch.147

147 With respect to metadata concerning foreign-to-foreign communications, which the FISC’s order expressly does not address, see 18 U.S.C. § 2511(2)(f)

This is important because it is precisely the clause (the one Kris cites above) that the Office of Legal Counsel reinterpreted in 2010 to cover past illegal access to phone metadata, including US based phone metadata.

The existence of that memo was first disclosed by Glenn Fine in his Exigent Letter IG Report. (See also this post.) He described how, in the context of its effort to clean up the legal process free access of phone data from the telecoms, DOJ had ordered up this opinion (though they claimed they were not relying on it). In 2011, DOJ provided enough information in response to a FOIA to make it clear the memo pertained to this passage.

Now, in context, Kris is just implying that the government is using this clause to get the telecoms to voluntarily turn over foreign to foreign communications.

Except we know precisely how the NSA defines “foreign communications.”

Foreign communication means a communication that has at least one communicant outside of the United States. All other communications, including communications in which the sender and all intended recipients are reasonably believed to be located in the United States at the time of acquisition, are domestic communications.

That is, so long as just one end of a communication is foreign, the NSA considers it a foreign communication (and therefore the telecoms can voluntarily disclose it under their interpretation of this clause of ECPA).

And remember: this opinion reinterpreting ECPA was written under the direction of — if not written by — David Barron, the guy Obama wants to have a lifetime appointment on the First Circuit.

I need to think through whether this means what I think it means. But it sure seems like Kris is not only saying that the government did use this loophole to collect metadata involving foreigners (and Americans). But given that DOJ claimed it could use this memo to clean up its entirely domestic communications problems (per the Fine IG Report), it sure seems like Kris is saying if we close the Section 215 collection, the government will just resume using ECPA.

Update: I just realized this post, which adopts an argument I made almost two weeks ago (that there is no original opinion for the phone dragnet) was written by Marty Lederman (who was at OLC during roughly the same period that Barron was).

Which is why I find it weird that Lederman makes an extended argument noting that an earlier clause in ECPA tweaked during the original PATRIOT Act bill prohibits this sharing of phone metadata.

You wouldn’t know it from Judge Eagan’s opinion–or from David Kris’s paper, for that matter–but Congress has actually considered the specific question about whether and under what circumstance service providers may disclose to the government the telephony metadata of their customers, and has enacted a statute dealing specifically with that question–a statute that expressly prohibits such disclosure.  Moreover, the prohibition in question was enacted as part of the very same law that includes Section 215, namely, the PATRIOT Act of 2001.

A provision of the Electronic Communications Protection Act (ECPA), 18 U.S.C. 2702(a)(3), states that “a provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by paragraph (1) or (2)) to any governmental entity.”

Statutory language doesn’t often get much clearer than that:  A provider of remote computing service or electronic communication service to the public — a category that includes phone service providers — cannot knowingly convey consumer records or information to any governmental entity.

Remarkably, Congress added this prohibition to ECPA in section 212(a)(1)(B)(iii) of the 2001 PATRIOT Act itself–the same law in which section 215 expanded the “business records” provision upon which the government relies here.  The two provisions are only three pages apart in the Statutes at Large.  In other words, the government is relying here upon a broad, general “business records” provision included in the PATRIOT Act; but in that very same legislation, Congress included another provision specifically involving the business records of telephone customers, and in that more specific provision it precluded the very sort of records transfer at issue here.

The thing is, I find it almost impossible to believe that Lederman wouldn’t know about (or even didn’t review) that January 8, 2010 opinion. And he certainly must know what the implications of invoking foreign communications in the context of 18 U.S.C. § 2511(2)(f) to be.

I’m confused.

Update: I missed one other mention of 2511(2)(f), which comes in Kris’ incomplete description of all the violations in the phone dragnet program (it is incomplete, in part, because he cites from the June report of the problems rather than the August filing presenting them, which includes several more, probably more troubling violations; but he also misses details of a few of the other violations which is particularly interesting because he, of all people, must know this stuff).

(8) acquisition of metadata for foreign-to-foreign telephone calls from a provider that believed such metadata to be within the scope of the FISC’s orders, when it was not, NSA End-to-End Review at 15; cf. August 2013 FISC Order at 10 n.10 (“The Court understands that NSA receives certain call detail records pursuant to other authority, in addition to the call detail records produced in response to this Court’s Orders.”); see generally 18 U.S.C. § 2511(2)(f) (“Nothing contained in this chapter or chapter 121 or 206 of this title, or section 705 of the Communications Act of 1934, shall be deemed to affect the acquisition by the United States Government of foreign intelligence information from international or foreign communications, or foreign intelligence activities conducted in accordance with otherwise applicable Federal law involving a foreign electronic communications system, utilizing a means other than electronic surveillance as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978”);

His inclusion of it here is interesting because this violation is likely the collection that Reggie Walton shut down temporarily on July 9, 2009. Does that mean they just kept collecting from this provider (I wonder, by the way, whether it’s something exotic like Skype), and deemed it covered by 18 U.S.C. § 2511(2)(f)? If so, Kris would have been among those who made the decision to do so.

image_print
10 replies
  1. Snoopdido says:

    For Emptywheel weed-whackers reading the latest PDF on “On The Bulk Collection Of Tangible Things” from David Kris, it might also be worthwhile to keep in mind his January 2006 23-page legal memorandum that criticized the Bush administration’s legal argument that it had authority to conduct warrantless domestic wiretapping due to the Congressionally approved 2001 AUMF: http://balkin.blogspot.com/kris.fisa.pdf

  2. emptywheel says:

    @Snoopdido: That’s the problem with doing my general post after I put this one up–I give lots of background in that!

    Thanks for linking it, though.

  3. peasantparty says:

    I think you are correct on the ECPA. Which reminds me of all those crazy reasons they had the lawyers rewrite or re-interpret laws. I keep going back to the last speechify from Stewart Baker. He said that Americans had no expectation of privacy after they willingly gave their information to telecoms and ISPs. He more or less insinuated that our communications and info no longer belonged to us when we paid for the services, and purchased the products to communicate. That has had me scratching my head since.

    He evidently had some line of a document, or a specific interpretation to base that comment on. Otherwise, domestic non-suspects should not be included. I have read and re-read the Patriot Act many times. While there are eye popping sections in it, there is no basis for non Bin-Laden bulk meta data collection on innocent citizens.

  4. Snoopdido says:

    @emptywheel: As I was weed-whacking my way through the latest from David Kris, I thought that it might be more helpful to me if I stopped and first took a stroll through his previous thoughts on the PSP warrantless wiretapping topic. So far, so good.

  5. Snoopdido says:

    @Snoopdido: This is where I’m getting stumped. David Kris states quite clearly on page 7 of his January 2006 23-page legal memorandum (http://balkin.blogspot.com/kris.fisa.pdf) in regards to whether “the NSA Surveillance [is] Unconstitutional?”, that there are only 3 avenues to examine:

    “If FISA and the AUMF do not authorize the NSA surveillance, then a constitutional issue arises. Does the President’s Article II power allow him to authorize the NSA surveillance despite [FISA’s] exclusivity provision?”

    In essence, what I’m reading from that earlier 2006 Kris document states that FISA and the 2001 AUMF do not offer authorize the NSA surveillance, and that he believed then that the only other place to look for that authority is the President’s Article II power.

    So then the question arises as to how and why does Kris now come to the conclusion that ECPA provides that NSA surveillance dragnet loophole?

    More weed-whacking is required.

  6. emptywheel says:

    @Snoopdido: Different things. Wireapping is electronic surveillance. Collection of metadata is not.

    That said, what no one seems to have considered is how they interrelate, which is probably definitely illegal.

    That said, I do think Kris believes the 2006 opinion was bogus.

  7. Snoopdido says:

    @emptywheel: Maybe yes, maybe no. What I mean by that is the fact that the Bush administration was indeed collecting metadata right from the start in late 2001 (and the NSA may have been doing so even earlier), and the Bush administration was also collecting bulk phone records right from the start.

    Kris, when he wrote that 2006 piece, apparently had no knowledge and acknowledges it, exactly what really constituted the warrantless electronic surveillance program conducted by the NSA.

    Yes, his 2006 piece “assumes” warrantless electronic surveillance program of phone calls based on the then breaking news of December 2005 from the New York Times by James Risen and Eric Lichtblau, but it may be that warrantless electronic surveillance program of phone calls and the same of bulk US domestic phone records and metadata are all really a legal distinction without a difference for the purposes of the arguments that Kris made in his 2006 piece.

  8. C says:

    @Snoopdido: Regarding the question over Article II:

    Does the President’s Article II power allow him to authorize the NSA surveillance despite [FISA’s] exclusivity provision?”

    Here is the full text of Article II of the constitution:

    The President shall be Commander in Chief of the Army and Navy of the United States, and of the Militia of the several States, when called into the actual Service of the United States; he may require the Opinion, in writing, of the principal Officer in each of the executive Departments, upon any Subject relating to the Duties of their respective Offices, and he shall have Power to grant Reprieves and Pardons for Offenses against the United States, except in Cases of Impeachment.

    There is, of course, extensive caselaw that goes with this as well as congressional actions such as the War Powers Resolution, and IANAL, but if the authority to authorize dragnet surveillance of U.S. Persons arises then it seems to me that the argument would have to be that said surveillance is simply the duty of the respective offices or that the president is responding to an existential threat per the WPR. If the latter, however, that would only be temporary and should go for congressional authorization in 90 days, authorization from the whole congress not just DiFi. If, however we have a succession of temporary crises that the authorization addresses then somewhere someone is filling up a filing cabinet with finding after finding calling the surveillance a temporary necessity.

    This is of course just my speculation but Article II authority seems pretty far fetched for indefinite surveillance.

  9. klynn says:

    Question…

    So, a US employee who is the contact for a foreign division of their company has their communications swept up?

Comments are closed.