Recent Developments Regarding the Legality of Government Data Collection Efforts
11th Circuit Upholds Warrantless Collection of Cell Phone Location Data
On May 5, the 11th U.S. Circuit Court of Appeals held that law enforcement agencies may obtain historical cell phone location records from wireless carriers without obtaining a warrant. The ruling is the latest of several to interpret the scope of the Fourth Amendment protection against unreasonable searches and seizures in the digital age. In June 2014, the U.S. Supreme Court held that police must almost always obtain a warrant before searching the digital contents of a cell phone seized from suspects upon arrest. With last week’s ruling, the 11th Circuit interpreted location data to fall outside the scope of the Supreme Court’s refined warrant requirement, possibly setting the stage for further review by the court.
In the 9-2 ruling, the en banc panel rested on two rationales to reach its result. First, the court held that cell phone location data were business records owned by the service provider, MetroPCS. Although the records contained information about both the location of the cell towers used to make calls and the quadrant from which a call was placed, the records themselves were “created by MetroPCS, stored on its own premises, and subject to its control.” Because these records do not belong to individual cell phone users, they are not the individual’s to withhold.
Second, the court held that individual cell phone users do not have a reasonable expectation of privacy with regard to historical cell phone location records. When placing a call, a cell user is aware that he or she transmits location information to the towers, and in doing so voluntarily shares that information. Absent a reasonable expectation of privacy, police may obtain these records directly from providers with a court order authorized by the Stored Communications Act.
The implications of this ruling are uncertain but potentially wide-ranging. Privacy advocates argue that the same interpretation could be applied to allow the government to access other types of sensitive data held by third parties, such as email and data stored by cloud service providers. Meanwhile, the ruling appears to push against trends in several states, including Montana, Maine, and Minnesota, which have all recently passed laws requiring police to obtain warrants before searching cell phone location data.
Second Circuit Invalidates NSA Metadata Collection Program
Two days after the 11th Circuit’s decision, the Second Circuit Court of Appeals held that the NSA’s long-standing bulk telephone metadata program violated the Patriot Act. The decision is significant for the breadth of its repudiation of the government’s surveillance practices even though it may have limited practical impact. The Patriot Act provision under which the NSA justified its practices is set to expire June 1 and is likely to be amended by Congress, as we explain below. Nevertheless, the rationales presented by the court have already influenced the ongoing debate on Capitol Hill.
The NSA justified its metadata collection program under Section 215 of the Patriot Act. That section authorizes the government to seek an order from the Foreign Intelligence Surveillance Court (FISA Court) granting it access to business records and other “tangible things” that are relevant to a counter-terrorism investigation. The NSA had argued for years that bulk metadata collection was relevant to investigations—even if not linked to a specific suspect—because the information could be subsequently searched to find connections between suspects.
The court found that the NSA’s surveillance practices far exceeded the scope of authorized data collection under Section 215. The court rejected the government’s expansive definition of relevance as “unprecedented and unwarranted,” and wrote that the continuation of the program would be an “unprecedented contraction of the privacy expectations of all Americans.” The ruling emphasized that metadata can serve as a “proxy” for the content of communications, revealing “civil, political, or religious affiliations” and other personal information.
The court did not reach the constitutional question of whether the program violated the Fourth Amendment, and declined to enjoin the NSA’s bulk collection of phone metadata, deferring instead to Congress to determine the future existence and scope of the program. Nevertheless, the NSA has respected the Second Circuit’s determination, and has not submitted any new requests to the FISA Court since the ruling.
USA Freedom Act Passes the House but Stalls in Senate
The Second Circuit’s decision adds an extra dimension of complexity to ongoing negotiations over the reauthorization of the Patriot Act on Capitol Hill. On May 13, the U.S. House of Representatives overwhelmingly passed the USA Freedom Act by a vote of 338 to 88. The bill would eliminate the bulk collection of telephone and other records using Section 215, the “pen register” authority of the Foreign Intelligence Surveillance Act (FISA), or the administrative subpoenas used in national security cases known as National Security Letters. The bill would also prohibit large-scale indiscriminate sweeps of information, such as the collection of records from an entire city or ZIP code. Instead, the NSA would be required to obtain court approval to request phone records from phone companies on a case-by-case basis.
The bill includes a number of provisions to bolster the accountability of the intelligence collection process. The FISA Court, which oversees intelligence requests under FISA, would be required to consult with a panel of experts to assist the court with considerations involving privacy, civil liberties, and technology, among other significant issues. In addition, the bill would require the Attorney General and Director of National Intelligence to regularly disclose data on the nature and volume of FISA requests that are granted.
Despite the wide margin of passage in the House, the USA Freedom Act faces a more sharply divided reception in the Senate. Senate Majority Leader Mitch McConnell (R-KY) and Sen. Richard Burr (R-NC) have pushed a competing bill that would reauthorize the existing Section 215 surveillance authority in its current form until 2020. Meanwhile, Sen. Rand Paul (R-KY) led several filibusters in opposition to the bill and is instead advocating even greater restrictions on the collection of data.
The Senate failed to pass the USA Freedom Act before beginning a one-week recess on Friday evening, forcing Sen. McConnell to call lawmakers back next Sunday, May 31, in an effort to break the impasse. One of three outcomes is likely. First, the gridlock in Congress could continue through the June 1 deadline. This would allow Section 215 and several other provisions of the Patriot Act to sunset. Congress would have to write new legislation in order to reinstate the expired authorities, likely in revised form. Second, Congress could pass the USA Freedom Act after bridging the remaining gaps during rare recess talks this week. Finally, Congress could pass a short-term reauthorization of Section 215. Given the stiff resistance Sens. McConnell and Burr have faced to their extension proposal, this appears to be the least likely scenario.
Regardless, the status quo regarding phone data collection practices will change soon. The White House announced Saturday that it had begun to take steps to shut down the NSA collection program, and has indicated that it will not invoke a grandfather clause that would permit existing legal authorities to continue for existing investigations.
Both court decisions and legislative action will help define the parameters of a debate that is likely to extend far beyond the boundaries of phone metadata collection. From geolocation tracking to drone surveillance, the explosion of digital information collection will continue to challenge the fluid balance between individual privacy, national security, and law enforcement.
Brian Kennedy, Associate in our Washington, D.C. office, contributed to this entry.
This entry was originally posted on Hogan Lovells’ Chronicle of Data Protection.