Last week the Washington Post broke news that the National Security Agency has collected international traffic between Google and Yahoo data centers. I happened to be delivering a course lecture on signals intelligence the same day, so I made brief mention of the program—and how it appears particularly aggressive under the Fourth Amendment.
A sharp student pressed for specifics. How, he asked, could data center tapping be more legally questionable than previously leaked surveillance initiatives? This post is an expanded and refined version of my response.
In short: The firms evade Fourth Amendment pitfalls of citizenship, personal interest, and metadata. They also have enough evidence to establish standing. Finally, the NSA would have difficulty demonstrating that its surveillance was reasonable.
The parties to the communications are known to be United States corporations, which are entitled to Fourth Amendment protection against unreasonable searches.
Google and Yahoo are unambiguously protected by the Fourth Amendment. The Supreme Court has consistently held for over a century that American corporations have a constitutional right to privacy against government searches. Hale v. Henkel, 201 U.S. 43 (1906). And “every Court of Appeals to have considered the question” has held that “the Fourth Amendment applies to searches conducted by the United States Government against United States citizens abroad.” United States v. Verdugo-Urquidez, 494 U.S. 259, 283 n.9 (1990) (Brennan, J., dissenting). I am not aware of any authority suggesting that American corporations relinquish their Fourth Amendment rights merely by operating overseas, and I would be surprised to hear the executive branch argue as much.
The companies were not, to be sure, necessarily entitled to the full panoply of Fourth Amendment protections. Corporations generally have narrower privacy rights than individuals. United States v. Morton Salt Co., 338 U.S. 632 (1950). Both the Second and Seventh Circuits have held that extraterritorial searches are exempt from the Warrant Clause. In re Terrorist Bombings of U.S. Embassies in East Afr. (Fourth Amendment Challenges), 552 F.3d 157 (2d Cir. 2008); United States v. Stokes, 726 F.3d 880 (7th Cir. 2013). And the Foreign Intelligence Surveillance Court of Review has fashioned a foreign intelligence exception to the warrant requirement. In re Directives [Redacted] Pursuant to Section 105B of the Foreign Intelligence Surveillance Act [Yahoo Challenge], No. 08-01 (FISA Ct. Rev., Aug. 22, 2008). Even if all these caveats apply, however, the Fourth Amendment baseline remains: intercepts of Google and Yahoo data center traffic cannot be “unreasonable.”
Contrast all this with the PRISM and upstream surveillance programs, where at least one party to a communication is believed to be a foreign citizen outside the United States. No public court has adjudicated the constitutionality of that targeting; the Electronic Frontier Foundation’s litigation has been pending for seven years. Whatever one’s views of the merits, there are undeniably some arguments for sustaining the PRISM and upstream programs: The Supreme Court held in Verdugo that foreigners outside the nation’s borders are not covered by the Fourth Amendment, and Congress enacted the underlying surveillance authority in the FISA Amendments Act of 2008. Both the Foreign Intelligence Surveillance Court and the Foreign Intelligence Surveillance Court of Review have apparently found those arguments persuasive. Google and Yahoo skirt these issues, since they are American corporations.
Since Google and Yahoo were communicating with themselves, they maintained their Fourth Amendment interest.
Under current Supreme Court doctrine, Fourth Amendment rights are personal in nature. See, e.g., Rakas v. Illinois, 439 U.S. 128 (1978). Google and Yahoo can only assert a constitutional privacy claim if they retain a sufficient stake in electronic communications or records.
It would be challenging for the firms to establish enough personal interest in upstream surveillance. For example, imagine a foreign Gmail users sends an email to a foreign Yahoo mail user, and the NSA intercepts the message in transit. If Google or Yahoo were to claim a Fourth Amendment violation, the government would assuredly challenge their interests as too attenuated. Google had put the message out of its possession and Yahoo did not yet possess the message; the message was in a standard format that did not reflect proprietary information from either firm; and the message was transiting the public Internet.
Contesting the PRISM program would raise similar issues about insufficient privacy interests. When the government serves a FISA Amendments Act Section 702 order on a cloud service, it demands user data, not the service’s own data.
The companies might be able to raise Fourth Amendment claims on behalf of their users. In fact, the Foreign Intelligence Surveillance Court of Review allowed Yahoo to proceed with just such a challenge to PRISM. Yahoo Challenge. Claims of this sort, however, devolve into claims about communications involving non-U.S. persons. As noted above, that continues to be a constitutional gray area.
Google and Yahoo can avoid this entire morass by asserting their own constitutional privacy rights. When they sent messages between their own data centers, they never plausibly forfeited their Fourth Amendment interest and protection.
The argument is even stronger where the firms used dedicated lines. As a matter of longstanding Fourth Amendment doctrine, physical property rights (e.g. a residence or business complex) are generally sufficient to establish constitutional privacy rights. See, e.g., Dow Chemical Co. v. United States, 476 U.S. 227, 234-39 (1986). Google or Yahoo might be able to fashion data center intercepts as a trespass on their leased infrastructure, physical property in which they assuredly hold a Fourth Amendment interest.
Google and Yahoo sent themselves content, not metadata.
Some of the NSA’s surveillance programs rest on the legal theory that metadata is exempt from Fourth Amendment coverage. The argument generally goes that Smith v. Maryland, 442 U.S. 735 (1979), and its progeny render metadata outside constitutional guarantees; the counterargument generally goes that Smith applied to a specific defendant and technology, and is inconsistent with opinions in the more recent United States v. Jones, 132 S. Ct. 945 (2012). Orin Kerr and Jennifer Granick have written a particularly detailed exposition of this debate.
Google and Yahoo once again fall outside the familiar surveillance law tussle. They sent content (i.e. proprietary instructions and records) between their data centers, not just metadata.
What’s more, even if the firms had just sent metadata, United States v. Jones would provide a path forward. 132 S. Ct. 945 (2012). In that case, the Supreme Court sidestepped precedent that indicated public movements (much like metadata) are categorically exempt from the Fourth Amendment. Instead, the Court ruled that a Fourth Amendment search occurs where there is a trespass plus “an attempt to . . . obtain information.” 132 S. Ct. at 952 n.5. Google and Yahoo could cite intrusion on their leased lines as trespass, and the NSA was plainly seeking information.
Leaked materials provide a sufficient evidentiary basis for standing.
To challenge a government surveillance program,1 a plaintiff has to establish that its communications have been intercepted, have been targeted, or are about to be targeted. Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013). Foreign organizations and individuals would have difficulty meeting the threshold. For Google and Yahoo, the front page of the Washington Post should suffice.
Data center intercepts were objectively unreasonable.
Having cleared the various Fourth Amendment prerequisites, Google and Yahoo would finally have to establish that the NSA’s data center surveillance was unreasonable. I think they have a strong argument: Congress expressly fashioned a convenient, subpoena-like method for the NSA to obtain user data. It need only serve Google or Yahoo with an FAA 702 order. No judicial preclearance. No probable cause. And yet, the agency sidestepped this statutory authority and captured data center traffic. While the NSA may have had lawful access to the underlying user data (ambiguous), the agency also unnecessarily snagged associated Google and Yahoo data. The Fourth Amendment does not require the government to use the least intrusive means for executing a search. See Skinner v. Railway Labor Executives’ Ass’n, 489 U.S. 602, 629 n.9 (1989). But when a substantially less intrusive means is readily available, and that alternative has been crafted by Congress in near-total capitulation to agency requests,2 an end run sure seems excessive.
On Sunday, Eric Schmidt told the Wall Street Journal that NSA data center tapping was “outrageous” and that Google had complained to the executive and legislative branches. Maybe that’s the most response we’ll see—maybe Google and Yahoo will not invoke the judicial branch. Even so, from a legal perspective, the data center revelation is a game changer. First, we now know an instance of unambiguously unconstitutional NSA conduct that apparently went undetected until media coverage. That’s yet another blow for claims of rigorous agency oversight. Second, we now know an instance of unambiguously unconstitutional conduct under Executive Order 12333. Until recently, the focus of scrutiny was domestically conducted surveillance under FISA. Revelations about spying on data centers and foreign leaders have turned the spotlight towards EO 1333, the largely unregulated set of intelligence activities abroad. Effective intelligence reform efforts will necessarily have to go beyond FISA and address EO 12333.
Disclaimer: I am not (yet!) a laywer. None of the above should be construed as legal advice.
1. Just because a plaintiff lacks standing, by the way, does not mean the plaintiff’s constitutional rights have been respected. I mention standing because, in the area of foreign intelligence surveillance, it is a particularly substantial obstacle to litigation.
2. As explained in a leaked NSA Inspector General report, FAA 702 was a direct response to NSA requests for new warrantless surveillance authority.