By David Bender

The flood of recent reports disclosing that the National Security Agency has engaged in a massive acquisition of information concerning the telephone communications of millions of Americans shocked many. The government contends that this acquisition complied with the Foreign Intelligence Surveillance Act (FISA). What is the legal framework that governs this conduct? Does this conduct violate the law—and should it?

The Order

On June 5, 2013, The Guardian published a copy of a top secret order from the Foreign Intelligence Surveillance Court that required Verizon to produce “all call records or ‘telephony metadata’ created by Verizon for communications between the United States and abroad; or wholly within the United States…Telephony metadata includes comprehensive communications routing information, including but not limited to session identifying information—e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) number, International Mobile station Equipment Identity (IMEI) number, etc.—trunk identifier, telephone calling card numbers and time and duration of call. Telephony metadata does not include the substantive content of any communication…or the name, address or financial information of any subscriber or customer.” The order included the “gag” provision customary in such orders. The order’s duration was three months, but it appears that Verizon received other orders and that other carriers received similar orders.

Does this demand for information violate the law?

The Fourth Amendment

The U.S. Supreme Court has ruled that the government must abide by the Fourth Amendment in domestic security matters, but specifically cautioned that it was not speaking to foreign intelligence.

The Applicable Statute

The order referenced 50 U.S.C. § 1861, a section of the FISA, premised on the proposition that laws restraining the government in “ordinary” criminal matters are overly restrictive for foreign intelligence matters. Section 1861 empowers the FBI to apply to the FISA Court, in a secret proceeding with no other party present, for an order requiring production of records in an investigation to “protect against international terrorism or clandestine intelligence activities.” The application must contain facts showing reasonable grounds to believe that the records are relevant to an authorized investigation involving intelligence activities.

Orders must include a “gag” provision and incorporate “minimization” procedures that are reasonably designed to minimize retention and prohibit dissemination, require that nonpublic information that is not foreign intelligence information will generally not be disseminated so as to identify any U.S. citizen or permanent resident and allow retention and dissemination of evidence of a crime for law enforcement purposes. The Attorney General must annually report the number of § 1861 applications and the number “granted, modified, or denied.” In 2012, the government made 212 such applications. The court granted all after amending the proposed orders in 200 of them.

Some Legal Issues

Is this demand part of an investigation “to protect against international terrorism or clandestine intelligence activities”? Are there reasonable grounds to believe the records are “relevant” to an authorized investigation? If a broad-based investigation focused on terrorism were so sanctioned, the methodology here might be relevant to it. The theory apparently is that once the government knows the telephone numbers of suspected terrorists it can attempt to identify other terrorists by determining with whom the suspects communicate. Does this blunderbuss approach violate minimization? Apparently not, for minimization applies only to retention and dissemination—not collection. Whether it violates the spirit of the statute or the Fourth Amendment may be different matters.

Should the Law Permit Such a Demand?

This episode is but another in the continuing saga of the tension between privacy and security. At any given time, the vast majority of U.S. citizens will tolerate a certain diminution of their privacy in return for enhanced security. But there is no general agreement on how much privacy should be sacrificed, and public opinion changes. The U.S. public today is more security-oriented than before 9/11 and less security-oriented than shortly after 9/11. How much of an incursion on privacy we will tolerate depends largely on how safe we feel at the moment.

The early reaction in the United States—and this could change—seems to favor the NSA’s conduct. A Washington Post-Pew Research poll taken June 6-9, 2013, asked whether it is more important for the government to investigate terrorist threats or to avoid intruding on personal privacy. Investigating terrorist threats won, 62 percent to 34 percent. Political leaders such as the president, Sen. Dianne Feinstein (D-CA) and Rep. John Boehner (D-OH) have voiced support for the conduct. But opinion is far from unanimous. Sens. Ron Wyden (D-OR), Richard Durbin (D-IL) and Mark Udall (D-CO) have expressed reservations. And a New York Times editorial stated: “The issue is not whether the government should vigorously pursue terrorists. The question is whether the security goals can be achieved by less-intrusive or sweeping means, without trampling on freedoms and basic rights.”

The government claims it needs a pre-existing universal database. But critics ask: If the government has suspects, why does it not take action pertaining only to them instead of obtaining a sweeping order covering millions of telephone subscribers? The present practice involves vacuuming an enormous amount of information, the vast majority of which pertains to people suspected of nothing. What pertinent information will the dragnet acquire that a much more focused demand would not?

But there may be an answer to that query. For example, once a suspect is identified, creating a contact database could require time, whereas an attack may be imminent. The pre-existing universal database may already include the suspect’s contacts. Moreover, the effort to identify contacts of a suspect may be too late to capture critical contacts, which may by then have ceased; the pre-existing universal database is more likely to contain those earlier critical contacts.

The government attempted to calm the waters by noting that the collection related only to information about communications and not content. Indeed, the Supreme Court made such a distinction in Smith v. Maryland, where it found no Fourth Amendment violation when, without a warrant, the police recorded defendant’s outgoing phone numbers. One basis for the ruling was the distinction it drew between content and addressing information. But a vigorous dissent argued that addressing information is not without content because “it easily could reveal the identities of the persons and the places called, and thus reveal the most intimate details of a person’s life.”

The dissent’s theme was echoed in an ACLU suit brought against the government on June 11, 2013. The complaint alleged that this massive telephony metadata collection “gives the government a comprehensive record of our associations and public movements, revealing a wealth of detail about our familial, political, professional, religious and intimate associations.” The ACLU claims that this collection exceeds the scope of § 1861 and violates the First and Fourth Amendments.

The Balancing Act

The government has a very strong argument regarding the need for anti-terrorist information. From before 9/11 through the 2013 Boston Marathon, terrorists have attempted to attack U.S. civilian targets, sometimes causing grievous harm. One major concern of U.S. intelligence agencies is doubtless that terrorists will obtain a nuclear weapon and discharge it in a densely populated area of the United States. The government has every right – and indeed a duty – to guard against that. Accordingly, the government interest in maintaining security is exceedingly high.

Balanced against this interest is the right to privacy of the millions of individuals whose information resides in the universal database, with the attendant possibility of government abuse. Collecting this mass of metadata is highly intrusive to a multitude of people. We need look back no further than the reign of J. Edgar Hoover to see that the FBI—an agency charged with responsibility under the FISA—has been guilty of many such abuses.

Judicial Deference to Government National Security Claims

We have little guidance on the FISA Court’s deference, as almost all its proceedings are secret. According to the Attorney General’s reports, virtually all § 1861 applications are granted, but in the vast majority, the court modified the draft order submitted by the government. We have no insight into the scope of a typical draft order, or whether a typical modification is meaningful.

In assessing the deference that courts pay to national security assertions, perhaps the best window we have is the “state secrets” privilege. Protecting against a compromise of national security is the basis for this privilege, established in 1953 by the U.S. Supreme Court and asserted by the government in hundreds of cases since. Recognition of this privilege, which defeats an attempt to obtain evidence, is appropriate when a court finds “from all the circumstances of the case, that there is a reasonable danger that compulsion of the evidence will expose military matters, which, in the interests of national security, should not be divulged.”

Courts reportedly inspect the documents in question in less than one-third of the cases in which the privilege is asserted. Weaver and Palllitto, writing in Political Science Quarterly in 2005, observed: “Judges often accept invocations of the privilege because they feel incompetent to make a determination of what information would or would not be dangerous to national security if revealed. They are extremely reluctant, understandably, to replace administrative judgment on matters of national security with their own.” These commentators note that between 1953 and 2001, there were 55 reported cases in which the government asserted the privilege and that it was rejected in only four of them.

A Possible Resolution

If a national security claim does not appear frivolous on its face, it is a rare court that will rule against the government. It is obviously important to protect against terrorist attack. Accordingly, if the government can make a non-frivolous claim that deterrence is modestly more likely with the universal database than without it, a court will be reluctant to substitute its own view on the issue. It is possible that the government will be able to make such a claim here. If so, attention will focus on procedures to enhance privacy and minimize the likelihood and extent of government abuse. Possibilities—some of which are already embedded, but might be tightene— include requiring:

  • More extensive audit trails (who accessed a particular item, when and why);
  • The carriers (instead of the government) to retain metadata in such a format that the government, with appropriate judicial process, can immediately obtain it to establish and search a universal database;
  • Periodic assessments by an appropriate inspector general of the impact of FISA matters on the privacy of Americans and others;
  • Statutory restrictions on collection and use of data;
  • Heightened agency restrictions on collection, use, dissemination, retention, and access;
  • Agency procedures that require attention to detecting violations of rules on collection, use, dissemination, retention, and access;
  • Greater transparency to the public as to both agency procedures and FISA Court rulings;
  • Challenges to gag orders in open hearings in federal district court;
  • More judicial and congressional oversight, including more detailed public reporting to Congress, and
  • A mechanism for enforcing the rules, imposing realistic remedies against abusers and providing a private right of action with statutory damages for individuals whose information is abused.

Indeed, on February 24, 2013, Sen. Patrick Leahy (D-VT) introduced the FISA Accountability and Privacy Protection Act of 2013, designed to “strengthen privacy protections, accountability and oversight related to domestic surveillance conducted pursuant to the USA PATRIOT Act and the Foreign Intelligence Surveillance Act of 1978.”


The government may have a non-frivolous argument for needing the universal database or something resembling it. There is also an argument against permitting such a database, as far too often the government’s right to collect information has been abused.

The legal issues are whether creation of the universal database is authorized by the FISA, and, regardless of FISA authorization, whether the advantages of the universal database are outweighed by the wholesale invasion of privacy necessary to create it so as to violate the Fourth Amendment. If the government prevails in showing that there is a valid reason for creating and maintaining a universal database of some sort, the focus is likely to be on enhancing privacy, and on minimization procedures for the collection, dissemination, retention and use of information. Perhaps the ruling in the ACLU suit, or in other suits brought and likely to be brought as a result of this disclosure, will help resolve these issues.

David Bender formerly headed the global privacy practice at White & Case, LLP, and is the author of Bender on Privacy and Data Protection (LexisNexis 2012), and Computer Law (LexisNexis 2013). He is an Adjunct Professor at the University of Houston Law Center, where he teaches Privacy Law. He can be reached at dbender4@verizon.net.


If you want to comment on this post, you need to login.


Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Advertise in IAPP Publications

Find out how to get your message in front the people you want to reach. Download a media kit now.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

New Web Conferences Added!

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Staff

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Close-up

Looking for tools and info on a hot topic? Our close-up pages organize it for you in one easy-to-find place.

Where's Your DPA?

Our interactive DPA locator helps you find data protection authorities and summary of law by country.

IAPP Westin Research Center

See the latest original research from the IAPP Westin fellows.

Looking for Certification Study Resources?

Find out what you need to prepare for your exams

More Resources »

GDPR Comprehensive: Registration Open

New! Intensive two-day GDPR training led by the sharpest minds in the field. It's a can't-miss event.

The Congress Is Cancelled

The IAPP Europe Data Protection Congress 2015 is cancelled. Click through to learn more.

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

Exhibit at an Event

Put your brand in front of the largest gatherings of privacy pros in the world. Learn more.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»