Online Service Providers and Surveillance Law Transparency
On June 5, 2013, the first revelation hit the front pages: documents provided by Edward Snowden showed that the National Security Agency (NSA) had for years ordered telephone companies to turn over our domestic telephone calling records en masse.1 The government had created a database of our phone calls going back years—a virtual time machine capable of reconstructing anybody’s past communications, should they come under scrutiny in the future. The program, we learned, had been authorized under section 215 of the USA PATRIOT Act.2
But this authorization required an extraordinarily broad reading of the law. On its face, the statute permitted only the collection of records that were “relevant” to an authorized national security or counterterrorism investigation.3 Yet behind closed doors, the Foreign Intelligence Surveillance Court (FISC) had stretched the statute to encompass all telephone records. Its theory was that all phone records are “relevant” to counterterrorism investigations because it is impossible to say in advance which will become useful in the future.4 Apparently, nobody outside the government knew or foresaw that section 215 could be interpreted in this way.
Nobody, that is, except the companies who received these FISC orders and were obligated to carry them out by turning over all of their customers’ telephone records on a daily basis.
The Snowden disclosures, and others that followed, illuminated a troubling feature of surveillance law: examining the statute books and other public sources of law can paint a radically incomplete or even misleading picture of how the government actually construes its legal authority to conduct surveillance. In other words, the government can reinterpret surveillance laws in secret, leaving the public in the dark if the rules have been stretched beyond recognition. This observation raises profound anxieties about public democratic control of the surveillance state. And these anxieties make a hard question very salient: how can we ensure a measure of transparency about how the law has been interpreted in practice?
This Essay argues that online service providers and other companies that mediate our digital communications are in a special position to enhance surveillance transparency. Because these private companies are subject to surveillance orders, they (or some of their employees) are privy to information that the rest of public is not: they know what kinds of information the government demands of them under a given surveillance law. For example, as alluded already, the phone companies that were ordered to comply with FISC surveillance orders knew all along that the government believed section 215 authorized bulk collection.5
If these companies could win the right to speak about the kinds of records the government is ordering them to disclose, they would be able to provide the public with crucial information about how the surveillance laws have been interpreted and applied in practice. This kind of limited disclosure would do much to allay democratic anxieties about secret reinterpretations of surveillance laws, and it need not reveal truly sensitive operational detail like the targets of surveillance, the circumstances in which particular surveillance tools are used, or other sensitive investigatory matters.
Unfortunately, the law forbids companies from engaging in this kind of speech. Gag orders routinely prevent companies from disclosing nearly everything about the surveillance orders they receive. Companies are forbidden even from providing a precise count of the number of orders received.
In this legal environment, it is simply off limits for a company to disclose how the government has construed its surveillance authority. But it need not remain so. This Essay offers a First Amendment strategy that online service providers (and others subject to surveillance orders) could pursue to attempt to improve surveillance transparency and reclaim their simple right to speak.
This First Amendment strategy was tested in a recent victory in court that may serve as a proof of concept for future legal challenges. The case was brought by Nicholas Merrill, a privacy advocate who previously operated Calyx Internet Access, a small service provider that counted various non-profit organizations among its clients.6 In 2004, the FBI served an administrative subpoena, known as a National Security Letter (NSL), on Merrill. The NSL—one of tens of thousands issued every year—demanded that he turn over records about a client. It was accompanied by a gag order that forbade him from disclosing it to anyone—it did not even specify an exception for speaking with legal counsel. Merrill consulted a lawyer anyway. With the help of the ACLU and, more recently, the Media Freedom and Information Access Clinic (MFIA Clinic) at Yale Law School, he challenged the order over more than a decade of litigation, asserting his First Amendment right to speak about what, exactly, the FBI believed it could obtain with the NSL.
Last August, following the latest round of litigation, the federal district court in Manhattan finally invalidated the gag order in full. On November 30, 2015, the court’s decision went into effect.7 Merrill was finally able to reveal previously unconfirmed details about how the government has interpreted and applied the NSL statute in practice—for instance, he was able to disclose that the government believes it can lawfully compel production of individuals’ cellphone location information, online purchase records, and IP addresses by issuing this kind of letter.8 (Mr. Merrill was represented in the most recent phase of this litigation by the MFIA Clinic, where I was the supervising attorney on the case.)
This Essay explores how Merrill’s victory might open up a new strategy for achieving greater transparency about the interpretation of surveillance laws. If online service providers set their minds to win the First Amendment right to tell the public what they know about the government’s claimed surveillance powers, we might yet achieve a significant measure of transparency.
Part I describes the notion of surveillance transparency and how it has instigated legal reforms. Part II focuses on how online service providers may be well positioned to address the problem of surveillance transparency and uses NSLs as an example. Part III sketches the First Amendment legal strategy.
Over the past two-and-a-half years, we have had the most robust public discussion about surveillance in a generation. Edward Snowden’s disclosures have had a remarkable half-life, fueling a debate about the scope of the government’s surveillance powers that continues even today.9 In newspapers, on the Internet, in all three branches of the federal government, and in state capitals, citizens have been debating what limits and safeguards should be placed on the government’s surveillance powers.
This discussion led Congress to pass the USA FREEDOM Act, the first surveillance law in decades to curtail rather than expand surveillance powers.10 That law effectively ends the section 215 bulk data-collection program, replacing it with a system in which the government must bring more specific requests for information to the phone companies.11 At the same time, the U.S. Court of Appeals for the Second Circuit and U.S. District Court for the District of Columbia recently found the mass call-tracking program unlawful.12
The legal challenges that led to those rulings were possible only because the surveillance program was publicly disclosed.13 Indeed, if these programs had remained a secret, the extraordinary public ferment, policy debates, and legal reforms we have seen would have been impossible.
To those that view these democratic deliberations as a good thing, this insight provokes a number of anxieties. Have other surveillance laws been radically reinterpreted behind closed doors? Will the limits that we think various statutes impose on governmental surveillance prove illusory if the government continues to embroider them with layers of secret meaning? Must we depend on the happenstance of a public-spirited whistleblower willing to risk years in prison—or exile—to learn how the government understands the laws meant to constrain surveillance?
These anxieties have led many privacy advocates to search for a more durable (and legally sanctioned) way for the public to keep tabs on how the government interprets or reinterprets the surveillance laws in practice.14 Those efforts have largely focused on two fronts: (1) Reforming the practice of the FISC so that it publishes its significant legal opinions interpreting the surveillance laws;15 and (2) Seeking information directly from the executive branch through Freedom of Information Act lawsuits.16 Both of these strategies seek disclosure from officials who know about the secret legal interpretations of surveillance laws. But there is a third set of actors, often overlooked, who have that knowledge too: the technology companies forced to carry out the government’s surveillance orders.
Because private online platforms mediate so much of our communication and commerce, government surveillance efforts must focus on obtaining information from them.17 The government has many tools at its disposal to obtain this information, many of which involve an explicit demand to an online company that it turn over client data. For instance, in the context of national security and counterterrorism investigations, the FBI can issue NSLs directly to online companies without judicial approval, requiring them to disclose a variety of business records.18 Various provisions of the Foreign Intelligence Surveillance Act (FISA) authorize surveillance of the content of communications with prior approval from the FISC.19 Because online companies receive subpoenas and court orders under these kinds of authorities, they know firsthand how the government is using each one of them. They know, in other words, how the authorities are being construed in secret.
There is good reason to believe that, even now, the government is construing its surveillance authorities in ways that are surprising, aggressive or otherwise troubling. Take, for instance, the government’s authority to issue NSLs, which it uses more than 10,000 times a year.20 The law permits the FBI to order disclosure of “subscriber information and toll billing records information” as well as “electronic communication transactional records” (ECTR).21 The scope of this warrantless surveillance authority therefore depends crucially on what constitutes ECTR. But the statute does not define the term. Even though the statute has included the phrase since 1986,22 the judiciary has not had an opportunity to interpret its meaning.23
Until November 30, 2015, when Merrill won the right to speak about the NSL his company received in 2004, the only official legal interpretation of ECTR was found in a 2008 memo from the Department of Justice’s Office of Legal Counsel to the FBI. That memo explains, in a footnote, that the inclusion of the phrase ECTR “clarif[ies] that NSLs can extend to other types of services” and “reaches only those categories of information parallel to subscriber information and toll billing records for ordinary telephone service.”24
But this footnote hardly clarified anything. The architecture of modern online services is so unlike “ordinary telephone service” that it is impossible to know what online records the FBI will regard as “parallel to” ordinary toll billing records. Moreover, because online service providers don’t typically bill users on a per-transaction basis, as legacy phone companies did, there is no telling which transactions the FBI believes are “parallel” to the call logs on a phone bill. Plus, online companies maintain a wide variety of “transactional” data about us that phone companies never did. Internet service providers know the websites we have viewed. Google keeps records of our searches. Facebook keeps records of our “friends,” our communications, and what we “like.” This just scratches the surface—Internet companies have gathered vast troves of data about us.
The OLC memo interpreting the scope of NSL authority thus left the most important question unanswered—which parts of the universe of customer data does the FBI believe constitute ECTR? In other words, how much of the data we create online, both intentionally and unintentionally, can the FBI gather up simply by issuing a letter?
As a result of Merrill’s successful lawsuit, he was able to disclose publicly a list of sixteen specific categories of information that the FBI believes it can obtain—and believed it could obtain from him—using an NSL.25 For instance, the public now knows that the FBI claims the authority to use NSLs to obtain records of an individual’s cell phone location based on cell tower pings; a person’s record of online purchases; and the IP addresses assigned to a user, which can serve to unmask anonymous online speech.26 The list that Merrill is now able to disclose is not exhaustive, representing only the categories specified in the NSL that he received more than a decade ago. But even this limited disclosure has raised significant concerns about whether these kinds of data should be accessible to the FBI simply by writing a letter, without any genuine prospect of judicial oversight.27
Other surveillance authorities contain similar ambiguities that may have enormous consequences for the scope of the government’s surveillance authority. For instance, even though the newly amended Section 215 no longer authorizes bulk telephone data collection, questions remain about how other key provisions will be interpreted, including the new “specific selection term” targeting requirement.28 Nor can we be sure how broadly the FISC has construed the government’s authority under Section 702 of the FISA Amendment Act, which goes beyond particularized court orders targeting individuals and instead appears to permit programmatic bulk surveillance of the content of electronic communications.29 Online service providers who receive surveillance demands from the government would be able to fill in pieces of these puzzles.
As it stands, however, online companies are almost entirely forbidden from discussing the surveillance orders they face. All of the surveillance laws discussed thus far include gag order provisions.30 These gags are not time-limited and do not simply prevent companies from tipping off the government’s targets. They are nearly absolute, forbidding discussion of nearly any aspect of the surveillance order. They typically prohibit companies even from acknowledging whether they have received an order or disclosing exactly how many they have received. As it stands now, it is strictly out of bounds for companies (or their employees) to describe the kinds of information that the government has sought to obtain.31
Even though these gag orders would appear to preclude online service providers from becoming outspoken agents for surveillance transparency, there may yet be a way for them to do so. The First Amendment, after all, commands that Congress “make no law . . . abridging the freedom of speech,”32 and there have now been a number of First Amendment challenges to these kinds of surveillance gag orders.33 So far, however, most plaintiffs asserting their free speech rights have primarily sought the freedom to disclose that they have received a surveillance order, or to disclose the precise the number they have received. But disclosing these statistical facts will not shed much light on how the government is construing its statutory authority in practice. Moreover, unlike the Merrill case, these challenges do not ask courts to confront directly the question of whether the government may impose permanent gag orders on private citizens in order to keep secrets about the scope of the surveillance powers it claims.
Thus, if tech companies and service providers are to educate the public about what surveillance laws mean in practice, the next wave of First Amendment litigation against surveillance gag orders must focus on establishing their right to speak about how the government has used its surveillance authority, not simply the fact that it has done so or how often.
A brief tour of First Amendment litigation against surveillance gag orders will help explain the legal landscape that awaits such challenges. The first wave of litigation began a little more than a decade ago, focusing on the nondisclosure orders that routinely accompany NSLs. These challenges were brought mainly by small, non-profit groups: Calyx Internet Access and its president, Nicholas Merrill,34 the Internet Archive,35 and a group of Connecticut librarians.36 Each group ultimately won the right to say that they had in fact received an NSL. But none of them won the right to disclose what kinds of information the FBI demanded, and so none could describe how the FBI interpreted the key ambiguous language in the NSL statute authorizing it to obtain ECTR.37
The second wave of surveillance gag litigation began in 2011, when certain still-unnamed companies filed suit to challenge again the constitutionality of NSL gag orders.38 But in 2013, following the Snowden disclosures, challenges to surveillance gag orders truly went mainstream. Five major tech companies—Google, Yahoo, Microsoft, Facebook, and LinkedIn—opened a new front by filing suit in the FISC asserting a First Amendment right to publish aggregate statistics about the number of surveillance orders they had received from that court. Like the NSL lawsuits before, however, the FISC lawsuit did not envision a role for the companies to disclose the kinds of records sought or other information that might illuminate how the FISC interprets FISA.39
The fact many of the largest tech companies have entered the fray has the potential to change the course of the legal dispute over surveillance law transparency. These companies bring enormous legal resources to the table, as well as formidable political clout. By taking up a fight that had previously been populated mostly by small non-profits, privacy activists, and civil libertarians, they can make surveillance transparency a mainstream concern. They could stand as a major institutional counterweight pressing for transparency on surveillance policy.40 Indeed, since they have become involved, the transparency landscape has already begun to shift.41
Meanwhile, Nicholas Merrill, one of the first-wave plaintiffs, went back to court. This time, he focused squarely on winning the right to speak about the contents of the NSL his service company had received, and, specifically, the scope of authority the FBI claimed to compel his company to disclose ECTR.42 The case may therefore serve as a bellwether for larger tech companies and service providers seeking to make similar disclosures.
By the time he filed his second lawsuit, in 2014, it was more than 10 years after the NSL had been served. The surrounding circumstances had changed, neutralizing many of the government’s arguments for maintaining secrecy. The investigation had ended, the FBI had long since withdrawn its demand for Merrill’s records, and it had conceded that there was no longer any need to conceal the target of the investigation.43 Thus, the FBI could no longer argue that secrecy was necessary to protect the integrity an ongoing investigation or to avoid tipping off the target. Instead, as the district court put it, “the asserted government interest in keeping the [list of categories sought] confidential [was] based solely on protecting law enforcement sensitive information that is relevant to future or potential national security investigations.”44
The case thus squarely pitted the First Amendment right to speak against the government’s interest in keeping its surveillance methods secret. On the one hand, a private citizen asserted a right to speak truthful information about the government’s activities and its secret interpretation of a statute—clearly a matter of core public concern.45 On the other hand, the government asserted that preventing this disclosure was essential to protect investigatory methods for as long as the FBI deemed necessary.46
The Merrill case presented a number of powerful First Amendment arguments that would be available to a tech company facing a gag order in this posture. First, facts already in the public domain about the government’s surveillance powers might render a gag order untenable under the First Amendment.47 Second, and more categorically, a gag order is a highly suspect content-based restriction on speech because “on its face [it] draws distinctions based on the message [the] speaker conveys” and because it “cannot be justified without reference to the content of the regulated speech.”48 Third, gag orders can be likened to classic prior restraints, which are generally forbidden by the First Amendment. Like a prior restraint, the gag order prevents speech in advance, in circumstances where the speaker is a private citizen who has not agreed to be censored.49 Fourth, when the investigation concludes but the gag order remains, it effectively becomes an indefinite prohibition. Historically, the First Amendment has been especially hostile to such unlimited restrictions.50 Finally, the gag order is anathema to the First Amendment precisely because the information it restrains is important, true and newsworthy speech regarding “the manner in which government is operated”—specifically, the manner in which it interprets and carries out a statute.51 Surveillance gag orders thus “deprive[ the community] of informed opinions on important public issues.”52
The upshot of most of these arguments would be to subject the gag order to the most stringent test of constitutional necessity.53 The Court, faced with such a challenge, would have to judge whether the government may suppress truthful speech regarding the manner in which the government has interpreted and applied a surveillance law. The government would undoubtedly claim a compelling interest in protecting investigatory methods and, by extension, national security.54 But it is not at all clear that the specific interest in preserving the secrecy of an investigatory tool is sufficiently strong to justify a restraint of truthful speech about the scope of the government’s claimed authority.55 And even if the government could state a sufficiently compelling interest, the question of whether a gag order is strictly necessary and narrowly tailored to serve that interest is a difficult case-specific question. So far, no court has held that, outside of an ongoing investigation, the government may permanently ban public discussion on investigatory techniques.56
In the Merrill case, the district court sidestepped a direct constitutional confrontation, ruling instead on the first basis mentioned above: that the government could not meet its burden to justify the continuing necessity of the gag order because there was already significant information in the public domain suggesting what kinds of information the FBI obtained using NSLs.57 Because of this public information, the Court concluded that the government could not show that disclosure would create a substantial risk of the harms the government asserted.58 As a result, the Court ordered the gag order to be lifted in full, and the government declined to appeal.
Tech companies and online service providers should take note of Merrill’s success. They should consider similar challenges to other sources of surveillance authority. In the interest of their customers’ privacy (and their own reputations) online companies should strongly consider mounting First Amendment challenges to gag orders—particularly longstanding gag orders in closed investigations—that prevent them from discussing secret surveillance techniques and their underlying legal interpretations.
Such lawsuits could become an important part of our system of surveillance transparency and accountability. In a future challenge to another gag order, the court may not be able to avoid the stark constitutional question, as the court did in Merrill’s case. Do national security concerns justify imposing permanent, involuntary restraints on speech about the government’s interpretations of surveillance laws? Can gag orders not only protect the integrity of a particular ongoing investigation, but also prevent companies and citizens from disclosing their knowledge of how the government uses a particular surveillance tool in general?
Merrill’s recent victory suggests that the courts will not easily acquiesce in such restrictions on free speech.59 Moreover, the mere fact of such First Amendment challenges would serve to focus the government’s attention on questions of surveillance transparency and could prompt voluntarily disclosures by the executive branch or stepped-up oversight by Congress.
Perhaps in the future we will not need to rely on the happenstance of another Snowden to learn whether the limits written into the country’s surveillance laws have been contorted in secret. The combined power of the First Amendment and Silicon Valley may yet be strong enough to ensure a measure of transparency about surveillance.
Jonathan Manes is a Research Scholar in Law; Abrams Clinical Fellow, Information Society Project; and Clinical Lecturer in Law at Yale Law School.
Preferred Citation: Jonathan Manes, Online Service Providers and Surveillance Law Transparency, 125 Yale L.J. F. 343 (2016), http://www.yalelawjournal.org/forum/online-service-providers-and-surveillance-law-transparency.