The recent ruckus over what may be a warrantless electronic surveillance program initiated by the National Security Agency once again has brought electronic privacy rights to the forefront of public discourse. The White House and the Department of Justice have stuck to their guns, claiming that some combination of explicit and implicit executive branch powers authorizes warrantless surveillance in the interests of national security. On the other side, many members of Congress, and according to polls, the vast majority of Americans, are dubious about those claims.
Now, a federal judge in San Francisco has been thrust into the debate, in the case known as Hepting v. AT&T Inc., raising more doubts about the legality of the federal government’s program, while also acknowledging questions about precisely what the federal government is doing. Although at this writing there’s more about the government’s electronic surveillance program that we don’t know than we do know, it’s not too early to draw important lessons from the court’s recent denial of the government’s motion to dismiss. It reflects a fairly comprehensive concern for the protection of the electronic privacy rights of Americans. The clear implication of this hotly contested litigation is that corporate America needs to be particularly cautious with respect to communications records and communications networks.
What’s this case about?Press reports, Department of Justice releases and statements from the White House have described two different NSA programs that have raised privacy concerns. One program involved the monitoring of international telephone communications to identify terrorists. The other program involved NSA requests to telephone companies that they turn over customer call records; NSA then would sift through these records to try to discern links to terrorists or some calling patterns that would be useful for national security purposes.
After the federal government’s warrantless surveillance programs were revealed in the press, and after AT&T and President Bush admitted the existence of these programs, a class action lawsuit was filed in San Francisco federal court against AT&T alleging that its participation in the program violated numerous constitutional and federal laws, as well as California’s unfair competition law.
The Hepting case appears to involve not the monitoring of conversations, but the disclosure by AT&T to NSA of customer call records. How do we know this? Well, it’s not because either AT&T or the government has admitted as much; indeed, Judge Walker’s decision states that “neither AT&T nor the government has confirmed or denied the existence of a program of providing telephone calling records to the NSA.” The crux of plaintiffs’ complaints is revealed from the judge’s resolution of the defendant’s motion to dismiss.
The plaintiffs had opposed AT&T’s and the government’s efforts to dismiss their complaint based on three things: the testimony of a former AT&T technician, the declaration of a “putative expert” who reviewed the technician’s testimony, and press reports in The New York Times and USA Today about the NSA’s surveillance programs.
The technician claims to have seen a “secret room” at AT&T’s San Francisco network offices where “the public’s phone calls are routed” to special equipment installed by the NSA. This arrangement enabled NSA agents to “sift through large amounts of data looking for preprogrammed targets.” Given that neither AT&T nor the government felt at liberty to admit or deny these allegations, the court had little choice but to accept these factual allegations as true, at least for purposes of dealing with the defendant’s motion to dismiss.
The state secrets defenseAT&T moved to dismiss the class action complaint on grounds of standing, and various forms of statutory and common law immunity; the federal government intervened and moved for dismissal or summary judgment based on the “state secrets” privilege. The state secrets privilege is a common law evidentiary rule that protects information from discovery when disclosure would be inimical to national security. Judge Walker obviously had trouble buying that argument, noting that “none of the subject matter in this litigation could be considered a secret given that the alleged surveillance programs have been so widely reported in the media.”
Nevertheless, the court went through a detailed legal analysis, citing judicial precedents dating back to the Revolutionary War, before determining that the state secrets privilege did not apply here, in part because “the very subject matter of this action is hardly a secret.” Second, the court rejected the federal government’s claim that AT&T will not be able to mount an effective defense without disclosing state secrets because it would be “premature” to make that determination before plaintiffs’ lawyer could conduct “at least some discovery.” The court then found that much of the evidence plaintiffs will rely upon already has been disclosed publicly. In short, Judge Walker ruled that the government had opened the door for judicial inquiry by publicly confirming and denying material information about its monitoring of communications.
While that conclusion might make sense with respect to the government’s claim of state secrets, it’s hard to see how that analysis is appropriate from AT&T’s perspective. Unlike the White House, AT&T wasn’t holding press conferences touting its participation in a “secret surveillance” program. And, if NSA did indeed tell AT&T that this was a national security mission that required its cooperation and silence, it’s hard to understand why AT&T should be punished for honoring that request. It probably didn’t help AT&T any that, as the judge pointedly notes in his opinion, two other communications companies publicly declared they did not participate in one of these NSA surveillance programs. Still, given that under some federal statutes a telecom carrier is prohibited expressly from disclosing the existence of a wiretap or electronic search warrant, this case appears to be the epitome of “damned if you do, damned if you don’t” for this communications company.
So, who was harmed?The “standing” question in this case — that is, whether these particular plaintiffs had the right to sue AT&T — is a particularly interesting one. But the way it was resolved by the District Court should cause most corporation attorneys to lay awake nights. The court concluded that plaintiffs had adequately alleged injury in fact to establish standing to prosecute the class action, without pointing to any evidence of injury.
Before reviewing the judge’s analysis that led to this conclusion, let’s recap the relevant facts as we know them. Plaintiffs’ claims are based almost entirely on the testimony of one former employee of the defendant. That employee has not testified that he witnessed AT&T turning over to NSA any records or conversations of the named plaintiffs, nor have the plaintiffs cited any evidence of unauthorized disclosure of their own communications records. Assuming that the protected information in question is indeed customer calling records, there’s also no evidence that NSA did anything with the call records of anyone other than those customers who were, according to the NSA’s analysis, somehow linked to national security risks. Other than reading the data to look for some terrorist links, it’s also not apparent that any NSA agent ever actually “disclosed” the customer call data to anyone.
However, that’s not for a moment to defend unauthorized government perusal of everyone’s phone records without probable cause or appropriate judicial authorizations. But, for the moment at least, no one has shown these plaintiffs’ call records were abused in ways that are actionable under our laws.
Moreover, if this dispute truly involves “customer call records,” that is, the date, time and originating and terminating telephone number of a call, it’s not crystal clear that the federal laws cited in the complaint are relevant. Plaintiffs cite the Electronic Communications Privacy Act, which protects against unauthorized “interception and disclosure” of wire and electronic communications; but, so far, there’s no evidence that the NSA ever eavesdropped on these plaintiffs. The Stored Communications Act comes closer to the mark; that law protects against unauthorized disclosure of “the content of communication while in electronic storage” and “record or other information pertaining to a subscriber.” Nevertheless, that law is unproven with respect to the type of surveillance described so far in the Hepting case.
There is a provision of the federal Communications Act that expressly protects customers from unauthorized disclosure of call records, formally known as Customer Proprietary Network Information; curiously, for some reason, the plaintiffs didn’t mention that statute in their complaint. Still, even that statute would allow AT&T to turn over customer records to the NSA under a pretty loose standard “as required by law.”
Despite all these legal uncertainties, the presiding judge had little difficulty finding sufficient “injury in fact” at this stage of the proceedings to deny AT&T’s motion to dismiss. Oddly enough, it was the sheer vastness of plaintiffs’ allegations that led the court to find they had standing to sue. Said the court, “the alleged injury is concrete even though it is widely shared.” Borrowing plaintiffs’ vivid description of the government surveillance program, the court found there was sufficient evidence AT&T and the government had created a “dragnet to intercept all or substantially all of its customers’ communications.” Consequently, to prove for now they had been injured, plaintiffs merely had to show they were customers of AT&T.
What does all of this have to do with me?Despite everything we don’t know about the facts of this case, a few things are obvious. AT&T is the nation’s largest communications company, sophisticated in the ways of Washington, and well advised by scores of internal and external attorneys, executives and advisors. Despite all of its savvy and expertise, it now finds itself smack dab in the middle of a very embarrassing, public and potentially costly dispute over how it treats its customers’ telephone records. For now, we don’t know whether the government gave it a court order or other appropriate certifications before launching this program; yet, it’s probably fair to assume AT&T gave plenty of consideration to the legality of this program before doing what it did.
At the same time, it is a telecommunications carrier, and federal laws quite naturally place higher burdens on telecom carriers to maintain the privacy of customer communications and records. For the rest of corporate America, what are the odds of your company getting embroiled in a legal spat like this one?
Well, if your organization has never been served with a search warrant or subpoena seeking telephone records about a current or former employee or customer, bless your heart. But, for most businesses, if it hasn’t happened already, it probably will someday. The fact is most enterprises these days own their own telecom switches, and are installing VoIP and other communications networks that enable a wide and sophisticated array of monitoring, retrieval and storage of vast amounts of communications data. This data covers not just your own employees, but all inbound and outbound electronic communications traffic coming into your business. Most of the same state and federal electronic privacy statutes that are being batted around in Hepting apply to your company’s communications traffic and data storage.
Hepting surely does not mean that CTOs and their IT staffs promptly should take a sledge hammer to the company’s data servers. For one thing, despite the rather breathtaking scope of the judge’s initial rulings, this dispute might never see the light of trial. In the meantime, there are many ways to honor electronic privacy laws, while appropriately responding to law enforcement and civil litigation inquiries. A company’s compliance with requests for communications data ought to be based on an informed understanding of its legal rights and obligations, as well as the development of company-wide procedures for handling these requests.
 Rick Joyce |
Frederick M. Joyce is chair of the communications group at Venable LLP law firm in Washington, D.C. His telecommunications work includes domestic and international regulations and treaties, public and private financial transactions, appellate and civil litigation matters, and state/federal telecommunications legislation, with a particular emphasis on wireless communications and new technologies such as VoIP and BPL. He can be reached at rjoyce@venable.com.
| Links |
| Venable LLP www.venable.com |
