Congratulations to EFF, which yesterday liberated another document on Section 215: a 2010 OLC opinion finding that the Department of Commerce (then counseled by Cameron Kerry who, curiously enough, hosted the Bob Litt speech the other day) did not have to turn over data to the FBI under Section 215 (which was the only one of many statutes it reviewed that OLC considered possibly binding).
After reviewing a bunch of legislative language on both Congress’ intent to provide affirmative confidentiality to census data and on its silence on census data during the PATRIOT Act reauthorization debates, Deputy Assistant Attorney Genereal Jeannie Rhee concluded,
We therefore conclude that section 215 should not be construed torepeal otherwise applicable Census Act protections for covered census information, such that they would require their disclosure by the Department of Commerce.Because no other PatriotAct provision that you have, identified, nor any such provision that we have separately reviewed, would appear to have that effect, we agree that the Patriot Act, as amended, does not alter the. confidentiality protections in sections 8, 9, and 214 of the Census Act in a manner that could require the Secretary of Commerce to disclose such information.
Many outlets are hailing this as OLC noting some limits to the otherwise unlimited demands the government thinks it can make under Section 215.
But I’m left puzzled.
Why did the Administration fight so hard to keep this secret? This suit has been going on for years, and ODNI tried to keep this secret long after reams of more interesting — and more classified — information got released on the phone dragnet and related authorities.
I can think of several possible reasons (and these are all speculative):
Perhaps the government thinks this might endanger FISC’s decision that Section 215 does repeal two other privacy statutes. In 2008, Judge Reggie Walton found that Section 215 overrode the privacy protections for call data under ECPA [SCA]. And in 2010, John Bates found that it overrode the privacy protections in RFPA. Effectively, both decisions found that the government could do with Section 215 (and court review) what the FBI could otherwise do with NSLs. But of course, by doing them under Section 215, the government managed to do them in greater bulk, and probably with some exotic requests added in. At least the ECPA opinon was probably elicited by DOJ IG pointing out that the NSL rule did prevent other access to such data. In both opinions, the FISC reviewed the absence of legislative language and used it to conclude something dissimilar to what OLC concluded here: that in the absence of language, it provided permission. Does ODNI think the publication of this OLC opinion will make it easier to challenge the use of Section 215 for phone and financial records?
Update: This passage, from ACLU’s challenge to the phone dragnet, more eloquently suggests this is precisely why ODNI wanted to bury this opinion. It cites the importance of statutory construction, and then notes ties it to earlier statements on the Census Act.
On its face, Section 215 provides the government with general authority to compel the disclosure of tangible things. However, the Stored Communications Act (“SCA”) specifically addresses the circumstances in which the government can compel the disclosure of phone records in particular. The SCA provision states that a “provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service . . . to any governmental entity.” 18 U.S.C. § 2702(a)(3). While the SCA provision lists exceptions to its otherwise categorical prohibition, see id. §§ 2702(c), 2703, Section 215 is not among them. This omission is particularly notable because Congress enacted sections 2702(c) and 2703 in the same bill as Section 215.
The district court held that Section 215 constitutes an implicit exception to Section 2702 because Section 215 orders “are functionally equivalent to grand jury subpoenas.” SPA027. But well-settled rules of statutory construction require that the list of exceptions in section 2702 and 2703 be treated as exhaustive. See United States v. Smith, 499 U.S. 160, 167 (1991) (“Where Congress explicitly enumerates certain exceptions . . . additional exceptions are not to be implied, in the absence of evidence of a contrary legislative intent.” (quotation marks omitted)). Congress has enacted a comprehensive scheme to regulate the government’s collection of electronic communications and records relating to those communications. That comprehensive scheme, which addresses the precise circumstances in which the government can collect the records at issue in this case, must be given precedence over provisions that are more general. See In re Stoltz, 315 F.3d 80, 93 (2d Cir. 2002) (holding that it is a “basic principle of statutory construction that a specific statute . . . controls over a general provision” (quoting HCSC–Laundry v. United States, 450 U.S. 1, 6 (1981))); see also PCLOB Report 92–93.
Indeed, the Justice Department has itself acknowledged that it would contravene the structure of the SCA to “infer additional exceptions” to the “background rule of privacy” set out in section 2702(a). See Office of Legal Counsel, Memorandum Opinion for the General Counsel [of the] FBI: Requests for Information Under the Electronic Communications Privacy Act 3 (Nov. 5, 2008), http://1.usa.gov/1e5GbvC (concluding that the FBI could not use national security letters to compel the production of records beyond those specifically exempted from the general privacy rule). Moreover, it has acknowledged that principle with respect to Section 215 itself, concluding that the statute does not override the privacy protections of the Census Act, 13 U.S.C. §§ 8, 9, 214. Letter from Ronald Weich, Assistant Attorney General, to Hon. Nydia Velázquez, Chair, Congressional Hispanic Caucus, U.S. House of Representatives (Mar. 3, 2010), http://wapo.st/aEsETd. [my emphasis]
The Second Circuit already sounded like it wanted to boot the dragnet on statutory grounds (if they did, doing so should have the same effect for financial records as well). And the release of this opinion may well help them do that.
Presumptive Section 215 Collection
In 2010, this OLC memo reveals, DOJ’s National Security Division — then headed by David Kris — believed that the government ought to be able to use Section 215 to obtain raw census data (the rest of DOJ, curiously, did not agree). Kris lost that battle.
But data very similar to census data is readily available, from private marketing brokers. If NSD saw the need to obtain this kind of data, it’s not clear what would prevent the government from just obtaining very similar data from marketing firms. Should we assume it has done so?
Census data in racial profiling
I also wonder whether this came up in the context of ways both the NYPD (with CIA assist) and FBI have used census data to conduct their racial profiling efforts. Both have relied on published (aggregated) census data to find which neighborhoods to spy on. Was there some kind of effort to fine tune this racial profiling by using the underlying data?
NCTC’s access to internal databases
Finally, I wonder whether ODNI’s reticence about this OLC opinion pertains to its own National Counterterrorism Center guidelines on information sharing, which permit NCTC to demand entire databases from other government agencies if it says the database includes information on terrorists (effectively making us all terrorists). Discussions about doing so started in 2011 and resulted in broad new data sharing guidelines in 2012, so that change actually took place after this opinion. Also note the opinion’s interesting timing: January 4, 2010, so probably too soon after the UndieBomb attempt on Christmas day in 2009 to be considered part of the expanded information sharing that happened after that attack, though not so long after the Nidal Hassan attack.
Whatever the timing, I’m curious how this opinion has influenced discussions about and limits to that data-sharing initiative — and how it should have influenced such data sharing?