By Daniel J. Solove
The U.S. Court of Appeals for the 2nd Circuit just issued a 97-page ruling limiting the NSA’s power to sweep up data about people’s phone calls. The case is ACLU v. Clapper, and the court held that the USA Patriot Act Section 215 doesn’t authorize the kind of sweeping collection of phone call metadata that the NSA has been engaging in. The court’s holding is limited to statutory interpretation — the scope of data collection authorized by Section 215. The court doesn’t base its holding on the Fourth Amendment, though it does note the uncertain status of current Fourth Amendment law.
The bottom line is that the NSA has been gathering a lot more data than it has been authorized to gather.
For some background, I wrote about the NSA metadata gathering in the following posts:
Why Metadata Matters: The NSA and the Future of Privacy — discussing why metadata shouldn’t be distinguished from other forms of personal data
NSA Metadata Surveillance and the Fourth Amendment — discussing why courts should hold that the Fourth Amendment restricts the NSA’s broad metadata collection program
The NSA’s Santa Surveillance Program — humorous post about NSA data gathering
Here are some key quotes from the opinion in ACLU .v Clapper:
1. “We hold that the text of section 215 cannot bear the weight the government asks us to assign to it, and that it does not authorize the telephone metadata program.”
2. “We conclude that to allow the government to collect phone records only because they may become relevant to a possible authorized investigation in the future fails even the permissive ‘relevance’ test. Just as ‘the grand jury’s subpoena power is not unlimited, § 215’s power cannot be interpreted in a way that defies any meaningful limit. Put another way, we agree with appellants that the government’s argument is ‘irreconcilable with the statute’s plain text.’ Such a monumental shift in our approach to combating terrorism requires a clearer signal from Congress than a recycling of oft‐used language long held in similar contexts to mean something far narrower.”
3. “The telephone metadata program requires that the phone companies turn over records on an ‘ongoing daily basis’ – with no foreseeable end point, no requirement of relevance to any particular set of facts, and no limitations as to subject matter or individuals covered.”
4. “Appellants argue that the telephone metadata program provides an archetypal example of the kind of technologically advanced surveillance techniques that, they contend, require a revision of the third‐party records doctrine. Metadata today, as applied to individual telephone subscribers, particularly with relation to mobile phone services and when collected on an ongoing basis with respect to all of an individual’s calls (and not merely, as in traditional criminal investigations, for a limited period connected to the investigation of a particular crime), permit something akin to the 24‐hour surveillance that worried some of the Court in Jones. Moreover, the bulk collection of data as to essentially the entire population of the United States, something inconceivable before the advent of high‐speed computers, permits the development of a government database with a potential for invasions of privacy unimaginable in the past. Thus, appellants argue, the program cannot simply be sustained on the reasoning that permits the government to obtain, for a limited period of time as applied to persons suspected of wrongdoing, a simple record of the phone numbers contained in their service providers’ billing records. Because we conclude that the challenged program was not authorized by the statute on which the government bases its claim of legal authority, we need not and do not reach these weighty constitutional issues. The seriousness of the constitutional concerns, however, has some bearing on what we hold today, and on the consequences of that holding.”
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 900,000 followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.