So I go away for a little while and come back to these scary reports of massive NSA call databases. After tracking down the original story (since it was a few days old at that point, I was seeing a bunch of stories reacting to the USAT article), and I was horrified at what I saw. Not really surprised, alas -- since obviously the Administration's disdain for individual freedom, civil rights, and the rule of law (to say nothing of the truth) are abundantly well-documented at this point -- but horrified nonetheless.
It's actually an interesting question, though, to consider whether this new plan is legal as described. It appears to satisfy the Fourth Amendment restrictions on search and seizure, since ostensibly only metadata is being collected and not the contents of the calls themselves. The Supreme Court established that warrantless "pen register" or "trap and trace" devices -- which capture calling information but don't listen in to (or record) the calls themselves -- were legal vis-à-vis the Fourth Amendment, in Smith v. Maryland in 1979.
And, it seems to satisfy the Communications Act, which has prohibited interception or disclosure of communications without a court order since 1934 -- since again this NSA program, as described in press accounts, only captures the metadata.
However, this plan does run afoul of the law: in 1986 (i.e., seven years after Smith v. Maryland was decided), President Reagan signed the Electronic Communications Privacy Act into law, which added a general prohibition on warrantless "pen register"/"trap and trace" device use: 18 U.S.C. 3127 establishes the definitions of "pen registers" and "trap and trace" devices, and it seems to pretty fairly encompass what news reports of the new NSA program describe:
(3) the term “pen register” means a device or process which records or decodes dialing, routing, addressing, or signaling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, provided, however, that such information shall not include the contents of any communication, but such term does not include any device or process used by a provider or customer of a wire or electronic communication service for billing, or recording as an incident to billing, for communications services provided by such provider or any device or process used by a provider or customer of a wire communication service for cost accounting or other like purposes in the ordinary course of its business;
(4) the term “trap and trace device” means a device or process which captures the incoming electronic or other impulses which identify the originating number or other dialing, routing, addressing, and signaling information reasonably likely to identify the source of a wire or electronic communication, provided, however, that such information shall not include the contents of any communication;
And, §3121 of the same law is a general prohibition on both pen registers and trap & trace devices, absent a court order:
(a) In General.— Except as provided in this section, no person may install or use a pen register or a trap and trace device without first obtaining a court order under section 3123 of this title or under the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801 et seq.).
This seems pretty clear. Either you have to get a court order, using either the very specific procedure set up in §3123, or you have to go to the (notoriously government-friendly) FISA court. (And, like the FISA Act, the ECPA allows emergency use of a pen register or trap and trace device without a warrant, but only for forty-eight hours. A retroactive court order approving the devices must be obtained within that time, or else the emergency exemption expires.)
Simply put: the government isn't allowed to grab this information without the approval of a judge, despite the president's recent claims to the contrary. (The execeptions named in §3121 of the law seem to be mainly concerned with things like telco line quality and telcos protecting themselves from fraud.)
Incidentally, these prohibitions remain in force despite the 1994 Communications Assistance for Law Enforcement Act (CALEA), which mandated the installation of "backdoors" for government interception of electronic communication. Even the FBI's own CALEA site emphasizes that a court order is required. (Sidebar: the government is working to expand CALEA to wiretap the Internet as well, but that's another ball of wax.)
(By the way, here's a good rundown of the various federal laws regarding electronic surveillance.)
So: All of the above seems to indicate pretty persuasively that the government needs a court order if they demanded this information from the phone companies.
However, if they were asking the telcos for this information (and presumably leaning on them heavily to provide it), then the legality is a bit more questionable. And, the telcos’ oddly-worded, mealymouthed denials lead me to think this might have been the case.
A Georgetown law professor offers this interesting analysis. To summarize, the Stored Communications Act bars telcos from disclosing non-content records to the government , with only a few exceptions. The relevant exception seems to be “if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency[.]”
This language is very young, and took effect when the President signed the Patriot Act renewal into law on March 6th. Before this March, the previous language from the old 2001 Patriot Act read: “the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information.” So they changed a “reasonable belief” of an emergency involving “immediate danger of death” to a good-faith belief of an emergency involving danger of death — they relaxed the restriction. (Note, especially, that the “provider” — the telco — has to have the good-faith belief, not the government. I’m guessing this is where the NSA-leaning-on-the-phone-company part comes into play.)
This Patriot Act exception (how much of the disclosure happened prior to March 6, 2006?) makes me dubious of the prospects of the big class-action suit against the phone companies...not that I wouldn't love to see it succeed.