ELECTRONIC COMMUNICATIONS SURVEILLANCE: WHAT JOURNALISTS AND MEDIA ORGANIZATIONS NEED TO KNOW, Jennifer R. Henrichsen and Hannah Bloch-Wehba
Download original document:
This text is machine-read, and may contain errors. Check the original document to verify accuracy.
ELECTRONIC COMMUNICATIONS SURVEILLANCE: WHAT JOURNALISTS AND MEDIA ORGANIZATIONS NEED TO KNOW Jennifer R. Henrichsen and Hannah Bloch-Wehba* I. INTRODUCTION .............................................................................................................. 2 II. LEGAL AND REGULATORY PROTECTIONS FOR JOURNALISTS ......................... 4 A. Constitutional protection: The First and Fourth Amendments. .................................... 4 B. Statutory and common law protections: state shield laws, testimonial privileges, and the Privacy Protection Act. ........................................................................................... 6 C. Regulatory protection: The Department of Justice’s media subpoena and search warrant guidelines. ........................................................................................................ 7 III. ELECTRONIC COMMUNICATIONS SURVEILLANCE AUTHORITIES ................... 8 A. Electronic Surveillance Authorities: Criminal Investigations ...................................... 9 Stored Communications Act, codified at 18 U.S.C. §§ 2701–2712 ........................... 9 Pen Registers and Trap and Trace Devices, codified at 18 U.S.C. §§ 3121–3127 ... 12 Wiretap Act, codified at 18 U.S.C. §§ 2510–2522 ................................................... 12 B. National Security Letters ............................................................................................ 13 C. Electronic Surveillance Authorities: Foreign Intelligence .......................................... 15 IV. Foreign Intelligence Surveillance Act—Overview ................................................... 15 Traditional FISA: Electronic and Physical Searches, codified at 50 U.S.C. §§ 1801–1829 ............................................................................... 16 FISA PR/TT Orders, codified at 50 U.S.C. §§ 1841–1846 ...................................... 17 Section 702 of the FISA Amendments Act, codified at 50 U.S.C. § 1881a ............. 17 Section 215 of the PATRIOT Act, codified at 50 U.S.C. § 1861 ............................. 18 CONCLUSION ................................................................................................................. 20 APPENDIX A ............................................................................................................................... 21 APPENDIX B ............................................................................................................................... 24 * Henrichsen is a Ph.D. student at the University of Pennsylvania’s Annenberg School for Communication and a former First Look Media Technology Fellow at the Reporters Committee. Bloch-Wehba is Stanton First Amendment Fellow, Associate Research Scholar in Law and Clinical Lecturer in Law at Yale Law School and a former Stanton Foundation National Security Fellow at the Reporters Committee. With deep gratitude, the Reporters Committee thank First Look Media and the Stanton Foundation for their support for this project. The authors are indebted to Selina MacLaren for her careful and thorough assistance in getting this project to its final form. I. INTRODUCTION The practice of journalism has never been more global than it is today. Reporters use Skype, Google Hangout, and other video chat services to communicate with sources halfway around the world. Newsrooms rely on cloud storage to share documents among far-flung teams working on global stories. Individuals and organizations increasingly turn to cutting-edge technologies to break important news. At the same time, new applications and services can pose risks to the security and integrity of communications. Journalists and news media organizations have increasingly been the targets of hacking. Edward Snowden’s revelations brought to the fore the broad reach of U.S. surveillance programs both domestically and abroad. And while the Department of Justice has strengthened its internal guidelines governing the use of legal process to obtain information from, or records of, the news media, see 28 C.F.R. § 50.10, some details about the implementation of those reforms remain unclear, despite the urging of press advocates.1 Responding to the shift from the analog world to the world of electronic communications, national security apparatuses like the National Security Agency have developed programs to collect, analyze, and retain these communications. Sometimes these programs sweep up data from a large number of Americans in bulk, either purposefully or as a result of “incidental” acquisitions obtained while surveilling individual targets of an investigation. Bulk surveillance of communications—whether collected “incidentally” under Section 702 of the FISA Amendments Act of 2008,2 through the procedures set out in the amended Section 215 program,3 or under Executive Order 123334—implicates reporters’ rights in myriad ways. These programs may collect information that can reveal details of confidential communications between reporters and their sources. Because this information is not always gleaned directly from reporters, however, journalists are uncertain about the extent to which their communications are exposed. The inability to know whether and to what extent communications are being monitored creates fear and uncertainty concerning what the government considers lawful surveillance, chills speech, and impedes the exercise of First Amendment rights, including free association and free expression. Both journalists and sources have stated that bulk surveillance and increased leak investigations make them more reluctant to communicate with each other, even if the information at issue is not classified.5 The “chilling effect” of mass surveillance has been documented in several reports by organizations including PEN America, Human Rights Watch, and the American Civil Liberties Union, among others.6 1 For example, the guidelines’ application to administrative subpoenas remains ambiguous. 50 U.S.C. § 1881a. 3 50 U.S.C. § 1861. 4 Executive Order 12333. 5 Leonard Downie Jr., Leak investigations and surveillance in post 9-11 America, Committee to Protect Journalists (Oct. 10, 2013), available at https://cpj.org/reports/2013/10/obama-and-the-press-us-leaks-surveillance-post911.php. 6 PEN America, Global Chilling: The Impact of Mass Surveillance on International Writers (Jan. 5, 2014), available at http://www.pen.org/global-chill; see also, Human Rights Watch and ACLU, With Liberty To Monitor All: How Large-Scale US Surveillance is Harming Journalism, Law and American Democracy (2014), available at https://www.hrw.org/sites/default/files/reports/usnsa0714_ForUPload_0.pdf. 2 2 But bulk surveillance is not the only threat; other national security requests have also been directed at journalists without a warrant. Even apart from NSA surveillance, it has never been easier for governments to obtain information about private communications, including the emails, phone calls, messaging logs, and browsing histories of journalists and sources. The ability of governments, corporations, and other non-state actors to obtain information, target searches, and store vast amounts of data for indeterminate periods of time poses a threat to the traditional journalist-source relationship, especially when a source seeks to remain anonymous. Government agencies, other than the Justice Department, have not disclosed the policies and procedures, if any, they use to ensure that surveillance does not tread on the First Amendment rights of journalists and media organizations. Nonetheless, the potential use of national security surveillance to reveal reporters’ confidential sources and open the newsgathering process to government scrutiny poses a real threat to the freedom of the press. The behavior of journalists and sources adds to the challenge. Both communities are often unaware of the risks of communicating electronically, or if they are aware of the risks, they may not know how to determine what steps are necessary to protect their communications. Email encryption, secure messaging, and anonymous web-browsing can be helpful tools, but can also be difficult to implement. This guide has two aims. First, in light of the Justice Department’s revised news media guidelines, we attempt to clarify the scope of U.S. government authority to obtain information about journalists’ communications. The new guidelines were a welcome development, but the Justice Department did not hide the fact that they did not apply to all forms of legal process that could be used against the press. U.S. surveillance law is complex and wide-ranging, so this guide necessarily offers only an overview of the main statutes, including not only the laws underpinning some of the now well-known NSA surveillance programs, but also other statutes authorizing the government to conduct communications surveillance in the foreign intelligence, national security, and criminal justice settings. In some cases, the laws are covered by the guidelines; in other cases, they are not. Second, we outline how some common journalism tools expose reporters and sources to risks in light of this framework. It is our hope that a better understanding of the legal architecture that facilitates government access to communications records will help journalists make informed decisions about the types of security tools they use. Finally, the annual reporting the Justice Department has undertaken under the new 50.10 guidelines7 means that the public has at least some information about the frequency of legal demands for press records. For example, the Justice Department reported in its “Annual Report: Calendar Year 2014” that the Attorney General authorized subpoenas, court orders, and search warrants for information from or records of the news media three times, including one 7 See Dep’t of Justice, Annual Report: Use of Certain Law Enforcement Tools to Obtain Information from, or Records of, Members of the News Media; and Questioning, Arresting, or Charging Members of the News Media, 1 (2015) (noting that a Feb. 21, 2014 Attorney General Memorandum committing the Attorney General to make public, on an annual basis, data regarding the Department’s use of certain law enforcement tools to obtain information from, or records of, members of the news media, and regarding questioning, arresting, or charging members of the news media, pursuant to 28 C.F.R. § 50.10); see also United States Attorneys’ Manual (USAM) 913.400(L)(4). 3 application for a search warrant in connection with a hacking investigation.8 The Justice Department reported one case in its “Annual Report: Calendar Year 2015” in which the Attorney General authorized such a search for information of the news media; two cases in which the Deputy Assistant Attorney General for the Criminal Division authorized such searches; and 22 cases in which Assistant Attorneys General or U.S. Attorneys authorized subpoenas and applications for court order for information from the news media.9 For the tools identified in this report to which the guidelines do not apply, we are aware of only this: the government has ways to conduct investigations without triggering the guidelines’ requirements of authorization and notice. II. LEGAL AND REGULATORY PROTECTIONS FOR JOURNALISTS In the United States, journalists have constitutional, statutory, common law, and regulatory protections that help ensure their ability to gather and report the news without government interference. Two of the most important legal protections available to U.S. journalists include the First Amendment and state shield laws. In the regulatory sphere, the aforementioned updated protections in Justice Department guidelines require the government to meet certain conditions before using common investigative tools to obtain records belonging to or relating to journalists.10 A. Constitutional protection: The First and Fourth Amendments. The First Amendment to the U.S. Constitution guarantees freedom of expression by, among other things, prohibiting any law that infringes the freedom of the press, or the rights of individuals to speak freely. The First Amendment affords broad protection to journalists and news organizations engaged in the gathering and dissemination of news, and a core purpose of the First Amendment is the fostering of robust and uninhibited debate on public issues.11 For example, in Bartnicki v. Vopper,12 the U.S. Supreme Court held that the First Amendment protected a news organization from liability for the publication of information of public interest that had been obtained unlawfully by a source. The use of subpoenas to compel journalists to identify sources also presents serious First Amendment concerns: Several federal circuits have recognized a qualified reporters’ privilege under the First Amendment in both civil and criminal cases to protect journalists from compelled disclosure of their sources.13 8 Dep’t of Justice, Annual Report: Use of Certain Law Enforcement Tools to Obtain Information from, or Records of, Members of the News Media; and Questioning, Arresting, or Charging Members of the News Media (2014) at 2, available at https://www.justice.gov/criminal/file/760981/download. 9 See generally Dep’t of Justice, Annual Report: Use of Certain Law Enforcement Tools to Obtain Information from, or Records of, Members of the News Media; and Questioning, Arresting, or Charging Members of the News Media (2015), available at https://www.justice.gov/criminal/file/888316/download. 10 See generally 28 C.F.R. § 50.10 (discussed infra at 7). 11 RCFP’s First Amendment Handbook provides a primer on how the First Amendment protects journalists in a range of contexts, including from libel and defamation charges, privacy torts, and prior restraints. See Reporters Committee for Freedom of the Press, First Amendment Handbook, available at https://www.rcfp.org/firstamendment-handbook; see also Reporters Committee for Freedom of the Press, Digital Journalists Legal Guide, available at https://www.rcfp.org/digital-journalists-legal-guide/sources-and-subpoenas-reporters-privilege. 12 532 U.S. 514 (2001). 13 See, e.g., von Bulow by Auersperg v. von Bulow, 811 F.2d 136, 142 (2d Cir. 1987) (reasoning that “the process of newsgathering is a protected right under the First Amendment, albeit a qualified one,” and that “[t]his qualified right . . . results in the journalist’s privilege”); Miller v. Transamerican Press, Inc., 621 F.2d 721, 725 (5th Cir. 1980) (recognizing a qualified privilege not to disclose confidential informants in civil cases); United States v. LaRouche 4 Along with First Amendment protections, Fourth Amendment protections are among the most crucial constitutional safeguards of newsgathering in the context of government investigations. The Fourth Amendment provides that “[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause.”14 The prohibition on unreasonable searches of “papers” and the use of “general warrants” arose from a long list of abusive colonial-era practices, many of which targeted printers and publishers of dissenting publications for seditious libel. Under the Fourth Amendment, a “search” occurs only when the person searched has a “reasonable expectation of privacy” in the place or thing to be searched.15 What a person “knowingly discloses” to a third party is not the subject of Fourth Amendment protections, and government requests for such information do not require a warrant or probable cause. As a result, because a telephone subscriber “knowingly discloses” dialed numbers to the telephone company, courts have held that the use of a subpoena or court order to obtain that information does not implicate the Fourth Amendment.16 In several pending challenges to the constitutionality of the government’s bulk collection of telephony metadata, discussed in more detail below, plaintiffs have challenged the application of this “third party doctrine” to largescale collection activity. The third party doctrine has significant ramifications for the protection of electronic communications. For example, electronic communications service providers necessarily have access to metadata such as telephone numbers, email to/from addresses, IP addresses of websites visited, and other addressing data that users are aware “is provided to and used by Internet service providers for the specific purpose of directing the routing of information.”17 This metadata can be obtained through many types of legal process. On the other hand, although the content of emails, instant messages, and text messages are often accessible by service providers as well, courts that have addressed the issue have found that individuals retain a reasonable expectation of privacy in the substance of their communications.18 As a result, the government may not obtain the content without a search warrant.19 But as a practical matter, many surveillance authorities permit the government to obtain information that law enforcement can use to identify sources without using formal process such as subpoenas or warrants, compelling testimony, or giving notice to a journalist whose communications may be secretly monitored or seized. Reporters whose records are obtained Campaign, 841 F. 2d 1176, 1181–83 (1st Cir. 1988). For more information, see Reporters Committee for Freedom of the Press, The Reporters Privilege, available at https://rcfp.org/reporters-privilege. 14 U.S. Const. Amend. IV. 15 Katz v. United States, 389 U.S. 347, 360 (1967) (Harlan, J., concurring). 16 See, e.g., Smith v. Maryland, 442 U.S. 735, 741–46 (1979). 17 United States v. Forrester, 512 F.3d 500, 510 (9th Cir. 2008). 18 See, e.g., United States v. Warshak, 631 F.3d 266, 288 (6th Cir. 2010); Forrester, 512 F.3d at 511; cf. United States v. Hambrick, 225 F.3d 656, 2000 WL 1062039, at *2 (4th Cir. 2000) (per curiam) (finding no reasonable expectation of privacy in non-content information provided to an ISP). See also Orin S. Kerr, The Next Generation Communications Privacy Act, 162 U. Pa. L. Rev. 373, 399–400 (2014) (noting that “several lower courts have ruled that the Fourth Amendment fully protects the contents of emails held by third party providers” and “Warshak has been adopted by every court that has squarely decided the question”). 19 To the extent the Stored Communications Act appears to permit warrantless acquisition of content data, it violates the Fourth Amendment. See, e.g., Warshak, 631 F.3d at 288. 5 pursuant to national security processes such as National Security Letters, directives or orders under the Foreign Intelligence Surveillance Act (FISA), or delayed-notice warrants or subpoenas would almost certainly not be notified or have an opportunity to try to quash the request. Indeed, reporters may not even be aware that national security processes have been used to obtain their records. This uncertainty has been an impediment to journalists wishing to challenge surveillance practices that impact their own newsgathering processes.20 In the national security context, the Fourth Amendment’s application is complex. The Fourth Amendment’s protections apply domestically, and to U.S. persons abroad, but do not apply to non-citizens abroad.21 There are no protections under the U.S. Constitution for noncitizens abroad who are affected by foreign intelligence investigations. As a result, surveillance of non-U.S. persons abroad is outside the scope of the Fourth Amendment. However, because some of the surveillance authorities used to collect the communications of non-U.S. persons abroad sweep up many communications belonging to U.S. persons as well, courts have considered whether those programs are “reasonable” under the Fourth Amendment.22 B. Statutory and common law protections: state shield laws, testimonial privileges, and the Privacy Protection Act. The majority of states recognize a reporter’s privilege based on state law.23 Thirty-nine states and the District of Columbia have shield laws, which give media varying degrees of protection for confidential source information.24 Some shield laws protect reporters from forced disclosure of their sources. Other shield laws provide qualified or absolute protection that varies depending on the type of legal proceeding (civil or criminal), the scope of the statute’s definition of “journalists,” whether material is confidential and/or published, and whether the journalist is a defendant or an independent third party. No federal shield law exists, despite several efforts to enact such statutory protections by legislators at the national level.25 In addition, some judges have argued that federal common law establishes a qualified reporter’s privilege in certain settings.26 20 See, e.g., ACLU v. NSA, 493 F. 3d 644, 662–65 (6th Cir. 2007) (noting that the journalists’ injury involved “purely speculative fears” and a “personal subjective chill” that was not sufficiently concrete, actual, or imminent to establish standing for a First Amendment cause of action). 21 See United States v. Verdugo-Urquidez, 494 U.S. 259, 274–75 (1990) (holding that Fourth Amendment did not apply to a citizen and resident of Mexico where the search occurred in Mexico). 22 See Mem. Op. and Order at *28–29, FISC (Oct. 3, 2011) (J. Bates), available at http://www.dni.gov/files/documents/0716/October-2011-Bates-Opinion-and%20Order-20140716.pdf. 23 See, e.g., O’Neill v. Oakgrove Construction Inc., 71 N.Y.2d 521, 524 (1988) (recognizing a reporter’s privilege under state constitution). 24 Alabama, Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Illinois, Indiana, Kansas, Kentucky, Louisiana, Maine, Maryland, Michigan, Minnesota, Montana, Nebraska, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, Tennessee, Texas, Washington, and Wisconsin all have shield statutes. In addition, certain courts recognize a common law privilege. Finally, New Mexico and Utah courts recognize a privilege through court rules. 25 See Reporters Committee for Freedom of the Press, Shield laws and protection of sources by state, available at https://www.rcfp.org/browse-media-law-resources/guides/reporters-privilege/shield-laws. 26 See, e.g., Riley v. City of Chester, 612 F.2d 708 (3d Cir. 1979) (concluding that “journalists have a federal common law privilege, albeit qualified, to refuse to divulge their sources” outside the grand jury setting); In re Grand Jury Subpoena Miller, 397 F.3d 964 (D.C. Cir. 2005) (J. Tatel, concurring), opinion superseded by 438 F.3d 1141 (D.C. Cir. 2006); New York Times Co. v. Gonzales, 459 F.3d 160 (2d Cir. 2006) (Sack, J., dissenting). 6 In recognition of the importance of safeguarding journalists and newsrooms from improper searches and seizures by law enforcement, federal law offers additional protections from searches and seizures beyond those afforded by the First and Fourth Amendments. The Privacy Protection Act of 1980 (“PPA”)27 prohibits searches for certain types of materials related to newsgathering and publishing activities, except under limited circumstances. Generally speaking, the PPA prevents the government from searching or seizing work product or documentary materials possessed by a person “in connection with a purpose to disseminate to the public a newspaper, book, broadcast, or other similar form of public communication” unless there is probable cause to believe that the person has committed or is committing a criminal offense related to the materials.28 The PPA’s coverage is limited, however, in part because the statute explicitly permits the government to search for work product or documentary materials when the possessor is suspected of violating the Espionage Act.29 Under the guidelines, this “suspect exception” can be invoked where the news media or member of the news media is the focus of the criminal investigation for conduct that goes beyond ordinary new-gathering activities.30 The PPA also permits the government to search for work product or documentary materials if there is reason to believe that the immediate seizure of the materials is necessary to prevent death or serious bodily injury to any human being, and further permits searches of documentary materials if there is reason to believe that issuing a subpoena would result in the destruction, alteration, or concealment of such materials.31 As such, the PPA goes a step beyond the Fourth Amendment in granting additional protections to journalists’ work product and documentary materials, but still provides considerable latitude to government investigators, particularly in the context of national security investigations. C. Regulatory protection: The Department of Justice’s media subpoena and search warrant guidelines. As mentioned earlier, the Department of Justice has issued guidelines governing the use of certain law enforcement tools to obtain records of or pertaining to the news media.32 Prior to 2014, the guidelines covered subpoenas; today, they cover search warrants, subpoenas, and court orders issued under the Stored Communications Act.33 The guidelines are not legally enforceable but might be considered a “social contract” between the news media and the government. Generally speaking, the guidelines require the Attorney General to authorize the Department to use a subpoena or warrant to obtain records, including communications records, 27 42 U.S.C. § 2000aa et seq. Id. at § 2000aa(a), (b). The suspected criminal offense must be something other than merely receiving, possessing, communicating, or withholding the materials, unless, however, the offense concerns national security or child pornography, in which case an offense of receipt or possession may be enough to permit a search. 29 Id. at § 2000aa(a)(1) (“[S]uch a search or seizure may be conducted under the provisions of this paragraph if the offense consists of the receipt, possession, or communication of information relating to the national defense, classified information, or restricted data . . .”). 30 See Department of Justice Report on Review of News Media Policies, 3 (Jul. 12, 2013), available at https://www.justice.gov/sites/default/files/ag/legacy/2013/07/15/news-media.pdf. 31 42 U.S.C. § 2000aa(a)(2); 2000aa(b)(2); 2000aa(b)(3). 32 28 C.F.R. § 50.10. 33 Id. 28 7 of a member of the news media.34 The guidelines’ coverage of subpoenas extends beyond grand jury and trial subpoenas to administrative subpoenas issued by the Department and its components, except for National Security Letters, discussed below.35 In addition, Department of Justice attorneys must “consult with the Criminal Division” before moving to enforce subpoenas, warrants, or court orders sought by other agencies.36 However, agencies other than the Department of Justice are not bound by the guidelines when they make any initial demands on the press. The guidelines generally require that the Department seek information from a member of the news media only when it is “essential,” after the Department has sought the information from alternative sources, and after the Department has undertaken negotiations with the affected member of the news media. When a member of the news media is the “subject or target of an investigation relating to an offense committed in the course of, or arising out of, newsgathering activities,” however, the Department need not seek the same information from alternative sources nor negotiate with the affected member of the news media. The guidelines also do not apply to information sought from journalists that is unrelated to newsgathering. Finally, as discussed below, the guidelines do not apply to communications or other records obtained through FISA court orders, bulk surveillance, or other national security processes.37 III. ELECTRONIC COMMUNICATIONS SURVEILLANCE AUTHORITIES Journalists in the U.S. face numerous challenges when striving to protect their sources. These challenges include, but are not limited to, collection and interception of communications by the U.S. government and prosecutors’ aggressive pursuit of sources for government leaks. Combined, these factors greatly challenge journalists’ ability to communicate securely with sources, assure sensitive sources that the communications will be confidential, and gather news vital to the public interest. There are a number of reasons reporters might be concerned about the scope of “surveillance authority”—our shorthand term for a variety of statutes that enable the government to request and obtain information about stored or real-time communications. Government agents may use surveillance authority to gain access to the content of reporters’ communications, as well as to obtain certain records related to those communications. For example, agents might use a trap and trace order to obtain a list of telephone numbers dialed by the reporter, or use a National Security Letter to obtain a user’s web browsing history or historical location information. While the Department of Justice’s media subpoena and search warrant guidelines and the Privacy Protection Act, discussed above, partially protect journalists’ records from search and 34 Id. at § 50.10(a)(3). See, e.g., P.L. 106-544, Section 7(a) Executive Branch Study on Administrative Subpoena Authority, Scope and Protections (2000) at I(A) (noting that “Agencies are limited in their exercise of administrative subpoena authority by: . . . agency promulgated guidelines limiting or directing subpoena issuance.”), available at https://www.justice.gov/archive/olp/rpt_to_congress.htm#2a1; id. at App’x B (listing administrative subpoena authorities held by the Justice Department), available at https://www.justice.gov/archive/olp/rpt_to_congress.htm#appd_b. 36 USAM 9-13.400(M)(1)(ix). 37 See Office of the Attorney General, Updated policy regarding obtaining information from, or records of, members of the news media; and regarding questioning, arresting, or charging members of the news media (Jan. 14, 2015), available at http://www.justice.gov/file/317831/download. 35 8 seizure by the Justice Department, national security investigations are largely outside the scope of these statutory and regulatory protections, as the chart at Appendix A indicates. Although many national security authorities permit the government to collect and use the same type of communications metadata that they may otherwise obtain using a standard subpoena, the regulatory limits on subpoenas do not apply to these national security authorities. Certain national security processes allow the government to request and obtain journalists’ records if the material is merely “relevant to an authorized investigation,” even if the target is not suspected of a crime. The wide array of legal mechanisms available to obtain information regarding communications can be overwhelming. Unfortunately, the overlapping and complex legal architecture for communications surveillance, coupled with widespread secrecy about government policies and capabilities, makes it difficult to understand how and under what circumstances the government can use its authority. Understanding the risks posed by communications surveillance requires knowledge of two key concepts. First, surveillance authorities tend to distinguish between communications content and metadata. Second, statutes providing surveillance authority tend to distinguish between stored data, or information at rest, and real-time surveillance of information in transit. As a result, different requirements apply to the acquisition of real-time content or metadata than to stored content or historical metadata, and different statutes, described in detail below, authorize the acquisition of each type of information. At rest Content In transit Search warrant (Fed. R. Crim. Proc. 41) Wiretap SCA search warrant (18 U.S.C. § 2703(a)) Section 702 directive SCA court order (18 U.S.C. § 2703(d)) Subpoena (grand jury, administrative, or trial) FISA search warrant Metadata SCA court order (18 U.S.C. § 2703(d)) Subpoena (grand jury, administrative, or trial) Pen Register/Trap and Trace (PR/TT) FISA PR/TT National Security Letter Section 215 order A. Electronic Surveillance Authorities: Criminal Investigations Journalists seeking to protect confidential sources need to be aware of the full range of legal authorities for surveillance in the context of criminal investigations as well as national security investigations. For example, government investigations of unauthorized leaks may use both criminal and national security investigative tools. Three of the most significant information-gathering authorities in the criminal context are the Stored Communications Act, the Pen Register Act, and the Wiretap Act. Stored Communications Act, codified at 18 U.S.C. §§ 2701–2712 9 The Stored Communications Act authorizes the government to require providers of electronic communications services to disclose both the substantive contents of stored communications as well as the metadata records associated with those communications (e.g., email dates, times, and header information, including “to” and “from” addresses). The Stored Communications Act does not always require a warrant based on probable cause. Under Section 2703(a) of the Act, if a communication has been in storage for 180 days or less, the government must get a warrant in order to obtain the communications. Under Section 2703(b), if a communication has been in storage for more than 180 days, the government may obtain communications using an administrative subpoena or a court order based on “specific and articulable facts” showing that the communications are relevant to a criminal investigation if the government provides notice to the subscriber. Alternatively, it always remains the case that the government may obtain communications without providing notice if it obtains a traditional search warrant based on probable cause.38 Proposed legislation would require law enforcement to obtain a search warrant when it seeks the contents of communications, regardless of how long the communications have been in storage.39 In addition, one federal appellate court has held that a warrant is required for the government to acquire communications content under the SCA,40 and it is the policy of some internet companies to disclose communications content only pursuant to a search warrant.41 One federal appellate court has also held that the SCA does not apply extraterritorially, which means that the government cannot get a warrant to seize email content stored exclusively on a foreign server.42 Under 18 U.S.C. § 2703(d), the government may obtain non-content subscriber records without notice using an administrative subpoena or a court order based on “specific and articulable facts” showing that the records are relevant to a criminal investigation.43 A circuit split exists regarding the constitutionality of this provision as applied to the government’s warrantless acquisition of historical cell site location information—information gleaned from cell towers that creates a record of an individual’s location over time—and one party is petitioning to have the Supreme Court address the issue.44 38 See also Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations, available at https://www.justice.gov/sites/default/files/criminal-ccips/legacy/2015/01/14/ssmanual2009.pdf. 39 Email Privacy Act, H.R. 699, 114th Cong. (2016). 40 Warshak, 631 F.3d at 288 (“[T]o the extent that the SCA purports to permit the government to obtain such emails [stored with a commercial ISP] warrantlessly, the SCA is unconstitutional.”). 41 See, e.g., Legal Process – Google Transparency Report, available at https://www.google.com/transparencyreport/userdatarequests/legalprocess/#whats_the_difference; see also Written Testimony of Richard Saldago, Director, Law Enforcement and Information Security at Google, Inc., Senate Judiciary Subcommittee on Privacy, Technology and the Law, Hearing on “The Surveillance Transparency Act of 2013” (Nov. 13, 2013), available at http://www.judiciary.senate.gov/imo/media/doc/11-1313SalgadoTestimony.pdf. 42 In Matter of Warrant to Search a Certain E-Mail Account Controlled & Maintained by Microsoft Corp., 829 F.3d 197, 216 (2d Cir. 2016). 43 The government may also obtain basic subscriber and session information using an administrative subpoena, trial subpoena, or grand jury subpoena. See 18 U.S.C. § 2703(c)(2). 44 See Graham v. United States, Petition for Writ of Certiorari to the United States Court of Appeal for the Fourth Circuit, Case No. 16-6308 (2016) (set for conference on May 11, 2017), available at https://static1.squarespace.com/static/53e92769e4b07d7503ae637a/t/57eebe2cb3db2bd7ce270926/1475264044963/ 10 In 2010, the United States Attorney for the District of Columbia sought and obtained a search warrant under 18 U.S.C. § 2703(a) for the personal email account of James Rosen, a Fox News reporter, in connection with an investigation of unauthorized disclosure of classified information that Rosen had published in a 2009 article. In that case, the government obtained a warrant for the disclosure of “any and all communications” between Rosen’s email address and three specified email addresses, in addition to “any and all communications” to or from Rosen’s email address on the two days following the publication of Rosen’s article. In the probable cause affidavit in support of its warrant application, the government argued that Rosen had conspired with his source to violate the Espionage Act and that the search was therefore permissible under the “suspect exception” to the Privacy Protection Act.45 In addition, the Justice Department took the position that email search warrants obtained under the Stored Communications Act did not require notice to customers and subscribers whose accounts were searched.46 According to press accounts, Rosen did not learn of the search until nearly three years later.47 At the time of the Rosen search, the Attorney General’s policy on obtaining records of members of the news media did not specifically apply to search warrants, although news reports indicate that then-Attorney General Eric Holder nonetheless personally approved the warrant.48 Today, the Department of Justice media subpoena guidelines apply to search warrants as well as to court orders issued under Section 2703(a)–(d) of the Stored Communications Act, requiring the government to pursue notice and negotiation with a member of the news media and to meet substantive tests before seeking a journalist’s communications or records using these tools. However, if a search warrant, subpoena, or court order is approved in a matter where the reporter is a subject or target, as opposed to a witness, the Department is not required to pursue notice and negotiation with the journalist. To protect journalists from being targeted in investigations directed at their sources, however, the revised guidelines also indicate that a search warrant for a journalist’s records should not be approved if its “sole purpose” is in support of an investigation of a different person.49 This seemed to be the case in the Rosen matter, and Holder has stated that he regretted identifying Rosen as a “co-conspirator” in the probable case affidavit.50 Notwithstanding these protections, as indicated earlier, the guidelines explicitly state that they do not create any enforceable rights.51 Last year, Microsoft initiated a legal challenge to Section 2705 of the SCA, which permits the government to apply for a gag order when they are executing warrants pursuant to 2016-09-30+Graham+cert+petition+CORRECTED.pdf. See also Am. Civ. Lib. Union, Cell Phone Location Tracking Laws By State, available at https://www.aclu.org/map/cell-phone-location-tracking-laws-state. 45 See Dep’t of Justice Report on Review of News Media Policies, supra, at 3. 46 See Ryan Lizza, How Prosecutors Fought to Keep Rosen’s Warrant Secret, The New Yorker (May 24, 2013) available at http://www.newyorker.com/news/news-desk/how-prosecutors-fought-to-keep-rosens-warrant-secret. 47 Id. 48 Id. 49 28 C.F.R. § 50.10(d)(5). 50 See Holder says ‘subpoena’ to Fox News reporter is his one regret, Fox News (Oct. 30, 2014), available at http://www.foxnews.com/politics/2014/10/29/holder-says-subpoena-to-fox-news-reporter-is-his-one-regret.html; see also Charlie Savage, Holder Hints Reporters May Be Spared Jail in Leak, N.Y. Times (May 27, 2014) (Holder stating, “As long as I’m attorney general, no reporter who is doing his job is going to go to jail. As long as I’m attorney general, someone who is doing their job is not going to get prosecuted.”), available at http://www.nytimes.com/2014/05/28/us/holder-hints-reporter-may-be-spared-jail-in-leak.html. 51 Id. at (j). 11 Section 2703.52 The Section 2705 gag order prevents companies like Microsoft from telling their customers that their records were searched. Microsoft argued in federal district court in Seattle that these gag orders violated both the First and Fourth Amendments. In February of this year, the judge in that case allowed the case denied the government’s motion to dismiss Microsoft’s First Amendment claims, but granted the motion as to the Fourth Amendment claims, concluding that Microsoft lacked standing to assert its customers’ Fourth Amendment rights. The case is ongoing. Pen Registers and Trap and Trace Devices, codified at 18 U.S.C. §§ 3121–3127 The so-called “Pen/Trap” statute regulates the collection of non-content information related to electronic communications in real time. Pen registers and trap and trace (“PR/TT”) orders authorize the government to obtain communications metadata, such as the phone numbers associated with incoming and outgoing calls, or the email addresses of a sender and recipient.53 The Pen Register Act requires a federal court to “enter an ex parte order authorizing the installation and use of a pen register or trap and trace device” on a facility or other service belonging to a wire or electronic communication service provider.54 In order to obtain the order, the government must certify that “the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation.”55 Pen register/trap and trace orders are sealed and accompanied by a gag order directing the communication service provider not to disclose the existence of the order. The Attorney General’s policy on obtaining records of members of the news media applies to PR/TT orders. Wiretap Act, codified at 18 U.S.C. §§ 2510–2522 The Wiretap Act authorizes the government to make an application to a federal judge for an order—often referred to as a “Title III” order given the placement of the Wiretap Act in the 1968 omnibus crime legislation—authorizing the real-time interception of wire, oral, or electronic communications. The Act requires the government to demonstrate probable cause to believe that an individual is committing a criminal offense, and that the places where the interception is to occur—e.g., the phone line or online account––“are being used, or are about to be used, in connection with the commission” of that offense.56 The Department of Justice media subpoena guidelines do not apply to applications under the Wiretap Act, but the Act does require advance departmental review and approval before applications for certain types of electronic surveillance may be submitted to a court. Specifically, 18 U.S.C. § 2516(1) requires that the Attorney General review and approve such applications, but the Attorney General may delegate this authority to certain enumerated high-level Justice Department officials, such as the Deputy Assistant Attorneys General for the Criminal Division. Moreover, the government must minimize the interception of communications not otherwise subject to interception under the order, and minimize the duration of the interception by terminating the surveillance once the 52 Microsoft v. Dept. of Justice, Case No. 2:16-cv-00538-JLR (W.D. Wash. Jun. 17, 2016). 18 U.S.C. § 3127. 54 18 U.S.C. § 3123(a). 55 Id. 56 18 U.S.C. § 2518. 53 12 conversation sought is seized.57 Interception periods must be no longer than thirty days, but the court may extend this period under certain circumstances.58 B. National Security Letters NSLs are warrantless requests issued by high-ranking FBI officials and directed at third parties for non-content records. The FBI may issue an NSL compelling disclosure of subscriber records— i.e., metadata—if it certifies that the records sought are relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities. Unless the recipient challenges the NSL, the request is not subject to judicial review. Four statutes authorize the use of NSLs to obtain subscriber information from third parties, such as telephone companies, internet service providers, financial service providers, and credit institutions.59 By far the most commonly used NSL authority is a provision in the Electronic Communications Privacy Act (ECPA), which enables the FBI to request the “local and long distance toll billing records” of any person from a “wire or electronic communication service provider.”60 Over ninety percent of NSLs are issued with gag orders prohibiting the third party from informing the subscriber that the government requested the subscriber’s information.61 The FBI may accompany an NSL with a gag order if “otherwise there may result a danger to the national security of the United States, interference with a criminal, counterterrorism, or counterintelligence investigation, interference with diplomatic relations, or danger to the life or physical safety of any person.…” The gag orders typically have no expiration date. In 2014, the Reporters Committee filed an amicus brief in a constitutional challenge to ECPA’s NSL provision arguing that the gag orders are unconstitutional prior restraints, and that the atmosphere of secrecy surrounding NSLs obscures surveillance efforts by the government and chills reporter-source communications.62 That case was remanded to the lower court in light of 2015 reforms to the NSL statute pursuant to the 2015 USA FREEDOM Act. These reforms required the Attorney General to adopt new procedures for NSL gag orders that require “review at appropriate intervals” and termination of nondisclosure obligations if they are no longer necessary.63 Under these NSL procedures, when an investigation ends, the gag order must be lifted unless the FBI makes a determination that one of a number of statutory standards for 57 See 18 U.S.C. § 2518(5); see also Nixon v. Administrator of General Services, 433 U.S. 425, 463 (1977); Berger v. New York, 388 U.S. 41, 55 (1967). 58 See 18 U.S.C. § 2518(5). 59 These statutes are the Electronic Communications Privacy Act (18 U.S.C. § 2709), the National Security Act (50 U.S.C. § 3162), the Right to Financial Privacy Act (12 U.S.C. § 3414), and the Fair Credit Reporting Act (15 U.S.C. §§ 1681u, v.). 60 18 U.S.C. § 2709. 61 Office of the Inspector General, A Review of the Federal Bureau of Investigation’s Use of National Security Letters: Assessment of Corrective Actions and Examination of NSL Usage in 2006 124 (Mar. 2008) (“Of the 375 NSLs we examined in our random sample, 365, or 97 percent imposed the non-disclosure and confidentiality obligation established in the Patriot Reauthorization Act. Based on that result, we projected that of the 15,187 NSLs the FBI issued from March 10, 2006, through December 31, 2006, 14,782 NSLs imposed the non-disclosure and confidentiality obligations.”), available at https://oig.justice.gov/reports/2014/s1410a.pdf. 62 Amicus Br. in Support of Petitioner-Appellant, Under Seal v. Holder et al., Nos. 13-15957, 13-16731 (9th Cir. filed Apr. 9, 2014), available at https://rcfp.org/sites/default/files/2014-06-10-in-re-national-security-letter.pdf. 63 Termination Procedures for National Security Letter Nondisclosure Requirement, available at https://www.fbi.gov/file-repository/nsl-ndp-procedures.pdf/view. 13 nondisclosure is satisfied.64 The FBI is also required to review the gag order three years after the investigation begins to determine whether one of the statutory exceptions applies.65 The FBI has used NSLs to compel electronic communications service providers to disclose data including web browsing history and online purchases.66 Because of the pervasive secrecy surrounding NSL procedures, it remains unconfirmed whether the FBI has obtained communications records of journalists using NSLs. However, several incidents of abuse implicating reporters’ rights have come to light in recent years regarding similar instruments. These incidents involved processes that, like NSLs, were not subject to judicial review. In 2007, during the first review of NSL usage by the Office of the Inspector General for the Department of Justice (“OIG”), the OIG found that the FBI had frequently sought telephone toll billing records or subscriber information by using an “exigent letter,” an informal request, rather than NSLs or grand jury subpoenas.67 The OIG identified three leak investigations in which journalists’ records had been requested using methods that did not comply with the Department of Justice guidelines.68 Under the version of the guidelines then in place, the Attorney General was required to approve the issuance of subpoenas for reporters’ records. The OIG found that by using an “exigent letter,” the FBI was functionally circumventing the guidelines’ requirement to seek Attorney General approval. In one instance, the FBI obtained phone records for Washington Post reporters Ellen Nakashima and Alan Sipress, Washington Post researcher Natasha Tampubolon, and New York Times reporters Raymond Bonner and Jane Perlez using an exigent letter that claimed a grand jury subpoena was forthcoming; none was. In response to the exigent letter, the phone provider produced 22 months of records for Ellen Nakashima, and 22 months of records for the Washington Post bureau in Jakarta.69 The OIG report called this production of materials “a complete breakdown in the required Department [of Justice] procedures for approving the issuance of grand jury subpoenas for reporters’ toll billing records.”70 While the OIG did not address the availability of NSL practice in this instance or the others involving journalists, its concerns about the abuse of exigent letters could not have been more clear or emphatic. The Department of Justice and the FBI have taken the position that the guidelines do not apply to NSLs.71 64 Id. at 2. Id. 66 Dustin Volz, U.S. government reveals breadth of requests for Internet records, Reuters (Dec. 1, 2015), available at www.reuters.com/article/us-usa-cybersecurity-nsl-idUSKBN0TJ2PJ20151201. 67 See Office of the Inspector General, A Review of the Federal Bureau of Investigation’s Use of National Security Letters 86–97 (Mar. 2007), available at https://oig.justice.gov/special/s0703b/final.pdf. 68 See Office of the Inspector General, A Review of the Federal Bureau of Investigation’s Use of Exigent Letters and Other Informal Requests for Telephone Records 89–121 (Jan. 2010), available at https://oig.justice.gov/special/s1001r.pdf. 69 Id. at 95–97. 70 Id. at 103. 71 See DIOG App. § G.12 (“The [28 C.F.R. § 50.10] regulation concerns only grand jury subpoenas, not National Security Letters (NSLs) or administrative subpoenas.”); Amicus Brief at 7–8, Freedom of the Press Foundation v. Dep’t of Justice, No. 15-cv-3503-HSG (N.D. Cal. Jun. 10, 2016), ECF No. 36 (available at https://rcfp.org/browsemedia-law-resources/briefs-comments/freedom-press-foundation-v-dept-justice). 65 14 FBI NSL Policy (DIOG App’x G)72 DOJ Media Guidelines (28 C.F.R. § 50.10) Information sought must be “essential to a successful investigation, prosecution, or litigation.” 28 C.F.R. § 50.10(a)(3). Information sought must be “relevant” to a national security investigation. DIOG § 188.8.131.52.3. The requester must make “reasonable alternative attempts . . . to obtain the information from alternative sources.” 28 C.F.R. § 50.10(a)(3). No requirement to use alternative methods to obtain information. The requester must notify and negotiate with the member of the news media before the search, unless the Attorney General determines there is a clear and substantial threat to the integrity of the investigation, grave harm to national security, or imminent risk of death or bodily harm. 28 C.F.R. § 50.10(a)(3), (4). The requester must obtain a request for authorization personally endorsed by the United States Attorney or Assistant Attorney General (28 C.F.R. § 50.10(c)(2)), and authorization by the Attorney General (28 C.F.R. § 50.10(c)(1)). There is no requirement to notify news media, and the NSL is usually accompanied by a gag order preventing the third party from notifying the subscriber or news media.73 In investigations of unauthorized disclosures of national defense or classified information, the requester must obtain an additional certification from the Director of National Intelligence before requesting Attorney General authorization. 28 C.F.R. § 50.10(c)(4)(vi). To issue an NSL seeking news media’s confidential sources, the requester must also consult with the Assistant Attorney General for the Justice Department’s National Security Division. DIOG App’x § G.12 Approval requirements. To issue an NSL for news media records, the requester must obtain authorization by the FBI General Counsel and the Executive Assistant Director of the FBI’s National Security Branch. DIOG App’x § G.12 Approval requirements. C. Electronic Surveillance Authorities: Foreign Intelligence In foreign intelligence and national security investigations, the government has additional statutory authorities that enable it to conduct electronic communications surveillance. While the government may use ordinary wiretaps and pen registers in investigations touching on national security, it also possesses expanded authority under provisions of the Foreign Intelligence Surveillance Act (FISA) as well as the USA PATRIOT Act. The scope and secrecy of FISArelated surveillance has raised particular concerns that digital newsrooms could be searched using a FISA court order. Foreign Intelligence Surveillance Act—Overview The Foreign Intelligence Surveillance Act authorizes electronic and physical surveillance of foreign powers and agents of foreign powers for the purpose of collecting “foreign intelligence information.” FISA was originally enacted in 1978 to regulate the collection of foreign intelligence information within the United States. Until 2001, FISA permitted electronic and physical surveillance of “foreign powers” and “agents of foreign powers” if foreign 72 Available at https://www.documentcloud.org/documents/2934087-DIOG-Appendix-Media-NSLs.html. Office of the Inspector General, A Review of the Federal Bureau of Investigation’s Use of National Security Letters: Assessment of Corrective Actions and Examination of NSL Usage in 2006, supra, 124. 73 15 intelligence collection was the “primary purpose” of the activity. In 2001, the USA PATRIOT Act amended FISA to allow searches if foreign intelligence collection was a “significant purpose.” “Foreign intelligence information” is a broad term, and includes information that pertains to a variety of dangers related to “foreign powers” as well as “information with respect to a foreign power or foreign territory that relates to, and if concerning a United States person is necessary to--(A) the national defense or the security of the United States; or (B) the conduct of the foreign affairs of the United States.”74 In addition, the PATRIOT Act relaxed the standards for acquiring metadata through PR/TT orders and for orders compelling production of business records or “tangible things” relevant to an investigation to obtain foreign intelligence information. This authority, known as Section 215, was the statutory authority for the bulk telephony metadata collection program disclosed by former NSA contractor Edward Snowden in 2013. As discussed below, Section 215 expired on June 1, 2015, and the USA FREEDOM Act ended the government’s bulk collection of telephone records in November 2015.75 Beginning in 2007, Congress enacted a series of amendments to FISA intended to broaden its scope to authorize electronic surveillance of foreigners abroad.76 In 2007 and 2008, Congress enacted further amendments to FISA that created statutory authority to conduct programmatic surveillance on non-United States persons outside the United States. This provision, commonly known as Section 702, is the statutory authority for some of the other activities disclosed by Snowden, including bulk collection of the contents of electronic communications outside the United States.77 Traditional FISA: Electronic and Physical Searches, codified at 50 U.S.C. §§ 1801–1829 “Traditional” FISA orders authorize electronic and physical surveillance within the United States of targets who are foreign powers or agents of foreign powers.78 Electronic surveillance includes the acquisition of communications content. (Acquisition of communications metadata, under the FISA definition, is not “electronic surveillance”; rather, domestic metadata collection is governed by Section 215, discussed below.) Traditional FISA orders require the government to identify a specific target for surveillance and to demonstrate probable cause to believe that the target of surveillance is a foreign power or an agent of a foreign power.79 In addition, FISA’s electronic surveillance provision requires the Attorney General to adopt “minimization procedures” that are designed “to minimize the acquisition and retention, and prohibit the dissemination, of nonpublicly 74 50 U.S.C. § 1801. USA FREEDOM Act of 2015, Pub. L. 114-23, Sec. 107 (2015). 76 See Protect America Act of 2007, Pub. L. 110-55 (2007); FISA Amendments Act of 2008, Pub. L. 110-261 (2008). 77 See NSA Slides Explain the PRISM Data-Collection Program, Wash. Post (Jun. 6, 2013), available at http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/. 78 50 U.S.C. § 1801 (defining “foreign power,” “agent of a foreign power,” and “electronic surveillance”). 79 50 U.S.C. § 1805 (requiring probable cause for electronic surveillance); 50 U.S.C. § 1824 (requiring probable cause for physical surveillance). 75 16 available information concerning unconsenting United States persons.”80 Each application is reviewed by a judge on the Foreign Intelligence Surveillance Court (FISC). FISA PR/TT Orders, codified at 50 U.S.C. §§ 1841–1846 The government may obtain a FISA PR/TT order in an “investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities.”81 FISA PR/TTs may be used to monitor telephone calls and electronic communications. FISA PR/TT requests do not require the government to demonstrate probable cause that the target is a foreign power or an agent of a foreign power. Rather, the government must certify that the information at issue is “relevant” to an authorized investigation.82 However, under the USA FREEDOM Act of 2015, the government is required to use a “specific selection term” (SST) to identify a person, account, device, or other personal identifier as the basis for use of the PR/TT device and to ensure that the PR/TT provision is not used for impermissible bulk collection.83 Section 702 of the FISA Amendments Act, codified at 50 U.S.C. § 1881a Like FISA’s traditional electronic surveillance provision, Section 702 of the FISA Amendments Act of 2008 authorizes the collection of communications content, but the provision’s procedures and safeguards differ dramatically from traditional FISA. Section 702 is intended to permit electronic foreign intelligence surveillance of non-U.S. persons located abroad, regardless of whether there is probable cause to believe that those persons are foreign powers or agents of foreign powers. In contrast, traditional FISA electronic surveillance occurs on U.S. soil. Accordingly, Section 702 grants authority for the government to obtain directives compelling electronic communication service providers to enable surveillance of communications of non-United States persons located abroad, without mandating that the government identify a specific target. Section 702 requires the government to annually provide to the FISC a written, sworn certification attesting that there are “targeting procedures” in place that are “reasonably designed” to ensure that surveillance is “limited to targeting persons reasonably believed to be located outside the United States” and to avoid “intentional acquisition” of communications when the sender and all recipients are known to be located in the United States.84 Because Section 702 authorizes “electronic surveillance,” it also requires the Attorney General and the Director of National Intelligence to adopt minimization procedures. The minimization and targeting procedures required by Section 702 are subject to judicial review and approval by the FISC. It is unclear, however, whether the minimization procedures comport with the Privacy Protection Act’s statutory ban on newsroom searches.85 Section 702 is the legal 80 Id. at (a)(3), (c)(2)(A); 50 U.S.C. § 1801(h) (defining minimization procedures). 50 U.S.C. § 1842(a)(1). 82 Id. at (c)(2). 83 USA FREEDOM Act of 2015, Pub. L. 114-23, Sec. 201. 84 50 U.S.C. § 1881a(d). 85 See supra Part II.B at 6. 81 17 authority supporting “upstream” collection as well as the PRISM program, both of which facilitate collection of the contents of communications in bulk and without suspicion.86 Organizations have repeatedly challenged the constitutional and statutory basis of bulk surveillance. In 2008, the Electronic Frontier Foundation filed a lawsuit, Jewel v. National Security Agency, challenging “upstream” surveillance (as well as other bulk collection activities) on behalf of AT&T customers whose communications and telephone records were collected by the NSA. 87 Last year, the district court rejected the plaintiffs’ Fourth Amendment arguments, but has not issued a ruling on their First Amendment claims, and the case is currently in discovery.88 In addition, Wikimedia, PEN American Center, and The Nation Magazine, among other organizations, filed a lawsuit challenging “upstream” surveillance of online communications, raising both First Amendment and Fourth Amendment arguments.89 The Wikimedia plaintiffs claim that upstream surveillance impedes their journalism, advocacy, and publishing activities. The district court ruled against Wikimedia in 2015, and an appeal is pending before the Fourth Circuit.90 (The Reporters Committee filed an amicus brief in that case on behalf of itself and 17 news media organizations, arguing that upstream surveillance chills newsgathering and violates the First and Fourth Amendments.91) Section 215 of the PATRIOT Act, codified at 50 U.S.C. § 1861 Section 215 provided authority for the government to obtain “tangible things” relevant to an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities.92 Orders for the production of tangible things, or “business records” orders, authorized the government to request the business records of third parties, such as customer transactional records. Section 215 was the authority under which the government maintained the bulk telephony metadata program, which had collected all domestic calling records without suspicion on an ongoing basis.93 Section 215 expired on June 1, 2015, and the USA FREEDOM Act ended the government’s bulk collection of telephone records at the end of November 2015.94 Under the revised statute, the government must use a “specific selection term” (SST) to identify a person, account, device, or other personal identifier as the basis for production of call detail records. In 86 See James Ball, NSA’s Prism surveillance program: how it works and what it can do, The Guardian (Jun. 8, 2013), available at www.theguardian.com/world/2013/jun/08/nsa-prism-server-collection-facebook-google. 87 Jewel v. NSA, No. C 08-04373 (N.D. Cal. 2018). 88 Id.; see also Jamie Williams, Jewel v. NSA Moves Forward—Time for NSA to Answer Basic Questions About Mass Surveillance, Electronic Frontier Foundation (Jun. 21, 2016), available at https://www.eff.org/deeplinks/2016/06/jewel-v-nsa-moves-forward-time-nsa-answer-basic-questions-about-masssurveillance. 89 Wikimedia Foundation v. NSA, No. 15CV00662 (D. Md. 2015). 90 See Order Granting Defendants’ Motion to Dismiss, Wikimedia Foundation v. NSA, No. 15CV00662, Dkt. 95 (filed Oct. 23, 2015); Wikimedia Foundation v. NSA, No. 15-2560 (4th Cir. 2016). 91 Amicus Br. in Support of Plaintiffs-Appellants, Wikimedia v. NSA, No. 15-2560 (4th Cir. filed Feb. 24, 2016), available at https://www.rcfp.org/sites/default/files/2016-02-24-wikimedia-v-nsa.pdf. 92 50 U.S.C. § 1861(a)(1). 93 See, e.g., Glenn Greenwald, NSA collecting phone records of millions of Verizon customers daily, The Guardian (Jun. 6, 2013), available at https://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order. 94 USA FREEDOM Act of 2015, Pub. L. 114-23, Sec. 107. 18 the current framework, rather than collecting the call detail records itself, the government requests records pertaining to a specific selector from a telephone carrier. It remains unclear how the end of bulk collection of telephony metadata under Section 215 will impact the several ongoing challenges to the constitutionality of that provision. In early 2015, shortly before the passage of USA FREEDOM, the Second Circuit ruled in ACLU v. Clapper that the bulk collection of telephony metadata was not authorized by Section 215.95 In November 2015, the District Court for the District of Columbia granted a preliminary injunction barring the government from collecting plaintiffs’ telephony metadata under the bulk collection program, and the injunction was stayed pending appeal.96 In January 2016, the government filed a motion to vacate the preliminary injunction as moot in light of the change in law and government policy, stating that “bulk collection of telephony metadata under Section 215 has ceased, analytic queries of such previously-collected metadata has likewise ended, and the government has transitioned to a new intelligence program based on targeted rather than bulk collection of telephony metadata.”97 Similarly, a Ninth Circuit challenge to the bulk telephony metadata program on Fourth Amendment grounds, Smith v. Obama, was partially dismissed as moot in early 2016.98 Executive Order 12333 In addition to the other authorities discussed above, the Intelligence Community also conducts communications surveillance activities abroad under Executive Order 12333 (“EO 12333”),99 a 1981 presidential order setting out general contours and guidelines for intelligencegathering. EO 12333 places constraints on the use of these surveillance programs to target communications of United States persons.100 However, some have argued that collection activities are so broad and sweeping that any constraints are relatively trivial.101 EO 12333 appears to permit the collection of actual communications content — not just metadata — of U.S. citizens so long as the communications are collected “incidentally” to authorized activities. Moreover, many of the minimization procedures102 that constrain government use of information collected pursuant to EO 12333 remain classified, and the limited information that is publicly available only gives vague guidance as to protections in place for First Amendment activity. Likewise, many of the programs conducted under EO 12333 are secret as well. 95 ACLU v. Clapper, 785 F.3d 787, 818–19, 826 (2d Cir. 2015). Klayman v. Obama, 142 F. Supp. 3d 172, 198 (D.D.C. 2015). 97 See Motion to Vacate Preliminary Injunction and Dismiss Appeal on Grounds of Mootness, Klayman v. Obama, No. 15-5307, 2 (D.C. Cir. filed Jan. 4, 2016); see also Order, Klayman v. Obama, No. 15-5307 (D.C. Cir. filed Apr. 4, 2016) (dismissing appeal as moot). 98 Smith v. Obama, 816 F.3d 1239, 1241 (9th Cir. 2016), available at https://www.eff.org/cases/smith-v-obama; see also Amicus Br. in Support of Plaintiff-Appellant, Smith v. Obama, No. 14-35555 (9th Cir. filed Sept. 9, 2014), available at https://www.rcfp.org/sites/default/files/2014-09-09-smith-v-obama.pdf (arguing that mass call tracking impedes confidentiality, chills reporters and sources, and is overbroad). 99 Exec. Order No. 12333, United States Intelligence Activities, 46 Fed. Reg. 59941 (Dec. 4, 1981) (as amended at 73 Fed. Reg. 45325 (2008)), available at https://www.archives.gov/federal-register/codification/executiveorder/12333.html. 100 Id. at 59950. 101 See, e.g., John Napier Tye, Meet Executive Order 12333: The Reagan rule that lets the NSA spy on Americans, Wash. Post (Jul. 18, 2014), available at https://www.washingtonpost.com/opinions/meet-executive-order-12333-thereagan-rule-that-lets-the-nsa-spy-on-americans/2014/07/18/93d2ac22-0b93-11e4-b8e5-d0de80767fc2_story.html. 102 Attorney General Approved U.S. Person Procedures Under E.O. 12333, Civil Liberties and Privacy Office of the Office of the Director of National Intelligence (Feb. 10, 2015), available at https://www.pclob.gov/library/EO12333-AG-Guidelines-February-10-2015.pdf. 96 19 IV. CONCLUSION Understanding the variety of legal authorities and mechanisms that the government relies upon in conducting surveillance is crucial to assessing the relative risks to journalists and sources who use these electronic communications technologies. The chart in Appendix A summarizes key aspects of legal and policy protections in the context of these authorities. Journalists concerned about securing their communications, or interested in adopting technical measures to enhance privacy or confidentiality, may be interested in exploring how their newsgathering practices might implicate information at rest and in transit, as well as how they might protect their content and metadata. Appendix B offers a number of resources for journalists and reporters interested in experimenting with and implementing secure communications protocols themselves. 20 APPENDIX A Type of process Standard Type of information sought Issued by Covered by Guidelines Covered by PPA Subpoena (administrative, grand jury, or trial) Relevance to a lawful purpose Communications content (opened, sent, or older than 180 days) (only with notice); basic subscriber and session information Agency (administrative subpoena) or with court oversight (grand jury or trial subpoena) Yes Yes (if content); no (if subscriber/session information) Search Warrant Probable cause Communications content, metadata, and/or basic subscriber and session information Court Yes Yes 2703(d) Order “Specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation” Communications content (opened, sent, or older than 180 days) (only with notice); basic subscriber and session information; communications metadata Court Yes Yes (if content); no (if metadata or subscriber/session information) PR/TT Government certification “that the information likely to be obtained by such installation and use is relevant to an ongoing criminal investigation” Dialing, routing, addressing, or signaling information Court Yes No Wiretap (Title III) Probable cause that an individual is committing or has committed an enumerated offense; probable cause “that particular communications concerning that offense will be obtained through such interception; normal investigative procedures have been Communications content Court No Yes 21 tried and have failed or reasonably appear to be unlikely to succeed if tried or to be too dangerous; the facilities from which, or the place where, the wire, oral, or electronic communications are to be intercepted are being used, or are about to be used, in connection with the commission of such offense” FISA warrant Probable cause to believe that the target “is a foreign power or an agent of a foreign power, except that no United States person may be considered an agent of a foreign power solely upon the basis of activities protected by the first amendment to the Constitution of the United States,” and the place or thing to be searched “is being used, or is about to be used, by a foreign power or an agent of a foreign power” Communications content and metadata FISA Court No Yes FISA PR/TT Relevance to “any investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon” the basis of First Amendment activities Dialing, routing, addressing, or signaling information FISA Court No No FISA Section 215 Relevance to “an investigation to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not Tangible things (including books, records, papers, documents, and other items) FISA Court No No 22 conducted solely upon” the basis of First Amendment activities FISA Section 702 Targeting persons reasonably believed to be located outside the United States to acquire foreign intelligence information while employing approved minimization procedures Communications content and metadata FISA Court No No NSL Relevance to an “open, predicated national security investigation,” provided that “such an investigation of a United States person is not conducted solely upon the basis of” First Amendment activities Communications metadata; subscriber information FBI No No 23 APPENDIX B Digital security resources 1. Committee to Protect Journalists, “Journalist Security Guide” https://cpj.org/security/guide.pdf 2. Digital Defenders Project, “The Digital First Aid Kit” https://www.digitaldefenders.org/digitalfirstaid/ 3. Electronic Frontier Foundation, “Surveillance Self-Defense” https://ssd.eff.org/ 4. Free Software Campaign, “Email Self-Defense Guide” https://emailselfdefense.fsf.org/en/ 5. Reporters Without Borders, “Online Survival Kit” https://rsf.org/en/online-survival-kit 6. Tactical Technology Collective, “The Holistic Security Manual” https://holistic-security.tacticaltech.org/ 7. Tactical Technology Collective and Front Line Defenders, “Security In-A-Box” https://tacticaltech.org/projects/security-box Legal Reports 1. Privacy and Civil Liberties Oversight Board, Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (July 2, 2014), available at https://pclob.gov/library/702-Report-2.pdf. 2. Privacy and Civil Liberties Oversight Board, Report on the Telephone Records Program Conducted under Section 215 of the USA PATRIOT Act and on the Operations of the Foreign Intelligence Surveillance Court (Jan. 23, 2014), available at https://pclob.gov/library/215Report_on_the_Telephone_Records_Program.pdf. 24