At this week’s Senate Judiciary Committee hearing on the National Security Agency’s surveillance authorities, Sen. Patrick Leahy posed a crucial question to the government’s witnesses: Can §215 of the Patriot Act, the business records authority behind the NSA’s bulk telephony metadata program, be used to acquire the contents of any communication? Both James Cole of the Justice Department and Robert Litt of the Office of the Director of National Intelligence represented that they were unaware of any instance in which the authority had been so used—though they pledged to check and get back to Leahy. On the question of whether it could legally be so used, however, Cole would only note that he’d have to think about it, though he did observe that the authority was limited to the types of records that could be obtained via a grand jury subpoena.
It is, I have to say, a little hard to credit the notion that the deputy attorney general is considering this question for the first time in late 2013, more than 11 years after the passage of the Patriot Act—but it’s also a question that has received surprisingly little attention from civil liberties advocates. By the terms of 18 USC §2703, the contents of remotely stored files (like your Google Docs or Dropbox folder) as well as the contents of e-mails and other communications held for more than 180 days can, in fact, be obtained with a mere subpoena, though in the context of criminal investigations, notice to the user is required unless a full search warrant is obtained. In the recently released FISC opinion approving the telephony metadata program, Judge Eagan explicitly draws the analogy between §2703 and §215, suggesting that they are meant to cover the very same categories of records. If we bracket constitutional questions and only look at the statutory language, then, the answer is quite straightforward: Communications contents are obtainable under many circumstances under §215, though the contents of more recent e-mails would not be.
Fortunately, it is a bit more complicated than that, thanks to the Sixth Circuit’s 2010 ruling in United States v. Warshak, holding that e-mail contents, unlike transactional data, enjoy the protection of the Fourth Amendment. As a result, notwithstanding the plain language of §2703, major Internet companies like Google and Microsoft have publicly stated that they insist on a full probable cause search warrant before they will produce communications content. But not all companies have followed suit. In response to a query from Sen. Ed Markey, AT&T, the country’s second largest mobile carrier, revealed that they will hand over stored text message and voicemail content older than 180 days to law enforcement pursuant to a mere subpoena. The company received more than 4,200 requests for text and voicemail content last year—and possibly substantially more. Presumably most of these were search warrants, both because law enforcement is most likely to be interested in recent messages, and because traditionally carriers have not retained texts for more than a few days after delivery—though longer-term cloud storage may become increasingly common.
Whether or not it has happened to date, it is dismayingly easy to imagine an argument for bulk content collection that closely tracks the government’s justification of the bulk metadata program. Cloud stored content may not be retained indefinitely, and the government might only later learn which accounts or keywords are associated with activity relevant to a foreign intelligence investigation. The effective barrier to such collection wouldn’t be anything in the statute, but the constitutional qualms of the providers and the FISC. Barring substantive changes to the authority, we’ll have to hope that continues to be enough.