DID AT&T VIOLATE CALEA?
Service providers should carefully validate government requests for surveillance to avoid liability from both the courts and the FCC. A pending FCC proceeding sheds light on the subject.
The story begins with a look at the Communications Assistance for Law Enforcement Act (CALEA). Communication service providers subject to CALEA must activate their CALEA-mandated electronic surveillance capabilities only in response to a court order “or other lawful authorization.” But who decides what is a “lawful authorization”?
Service Providers Should Have Surveillance Requests Reviewed by Specialists
Service providers subject to CALEA may face two stages of liability from two different sources. First, when you implement surveillance on a customer there is always a risk the customer may sue you for violating his or her privacy rights under FISA or another statute governing surveillance due process. Next, if the court rules in the customer’s favor he or she may file an FCC complaint claiming you violated CALEA by implementing an invalid surveillance request. To avoid this one-two punch of liability service providers should have all surveillance requests reviewed by trained specialists.
A Pending CALEA Allegation
On March 4th a group called the Minority Cellular Partners Coalition filed comments with the FCC accusing AT&T, Inc. of “blatant violations of CALEA.” MCPC argued that after the September 11, 2001 terrorist attack AT&T conducted surveillance for the National Security Agency without lawful authorization, contravening CALEA Section 105. The NSA surveillance evolved into the bulk metadata collection program exposed by NSA contractor Ed Snowden in 2013.
The NSA used novel legal instruments called “request for assistance” letters to elicit AT&T’s post-9/11 surveillance help. These RFA letters were not court orders or other instruments of due process contained in the Foreign Intelligence Surveillance Act (FISA). Instead, the letters reflected a presidential authorization that cited to the commander-in-chief powers of the U.S. Constitution and labeled the 9/11 attack an extraordinary national security emergency. In addition, the attorney general delivered an opinion letter telling AT&T and other participating carriers the RFA letters were lawful.
MCPC said the RFA letters were unlawful and then asked the FCC to open a CALEA investigation against AT&T. Only the first part of MCPC’s reasoning was strong.
The RFA Letters May Have Been Unlawful
MCPC argued that whenever the government asks service providers to implement surveillance for national security investigations the agency must use instruments of due process contained in FISA. The RFA letters were not rooted in FISA. Therefore, MCPC concludes, the letters were unlawful.
This is a strong argument that is widely accepted by legal experts. The point is a shot across the bow to service providers. Just because a government agency presents a service provider with a request for surveillance assistance that does not mean the request is valid. The provider must retain the expertise to validate these requests, either through in-house counsel, an outside firm, or a CALEA trusted third party. Defective requests should be rejected. Otherwise, the interception of the targeted customer’s communication would violate the person’s privacy rights.
On the other hand, no court ever ruled on the validity of the RFA letters. Congress mooted the issue by enacting the FISA Amendments Act of 2008, which permitted the type of NSA surveillance that AT&T conducted and granted retroactive immunity to all carrier participants in the NSA program.
The FCC Cannot Review the RFA Letters
Despite the lack of judicial scrutiny into the RFA letters, MCPC insists the letters were unlawful and that therefore AT&T violated the CALEA Section 105 requirement to activate surveillance capabilities only in response to “a court order or other lawful authorization.” MCPC then urges the FCC to investigate the alleged CALEA violation. This logic fails.
The FCC lacks jurisdiction to decide whether the RFA letters were lawful. Only the FISA court or other federal courts could make that judgment. Without a judicial ruling on the subject the FCC has no basis to launch a CALEA investigation.
MCPC believes the 2008 grant of immunity “attests to the fact that” the RFA letters were illegal. Not true. The immunity only shielded the RFA letters from litigation.
This situation illustrates an important distinction between CALEA and other statutes. The purpose of CALEA is not to determine the validity of the due process used for lawful surveillance. CALEA governs the technical surveillance capabilities that service providers must activate when served with valid due process. Yes, the statute also requires providers to ensure the surveillance requests are valid. However, the law does not let the FCC or private parties decide whether a given validation decision is right.
Even if a provider’s validation decision is wrong, FISA and other surveillance statutes forgive innocent mistakes. In fact, the laws offer industry two levels of protection. One is statutory immunity. The other is the “good faith defense.” For example, in this case AT&T may have relied in good faith on the RFA letters, the attorney general’s blessing, and the need to protect public safety during a national security emergency.
These legal protections help balance the compulsive nature of the surveillance laws. A refusal to implement a surveillance request that is ultimately deemed valid could subject a carrier to severe liability.
Whether the FCC Will Take Enforcement Action
We will never know whether the RFA letters served on AT&T constituted valid due process. Therefore MCPC may be unable to persuade the FCC to impose any CALEA enforcement on the company. Nevertheless, the case provides a healthy warning to service providers. Every government request for surveillance impacts a customer’s privacy, so the requests should be carefully reviewed.