It's heartening to see widespread outrage—both online and from members of Congress—about the news that the Justice Department vacuumed up phone records spanning two months from 20 phone lines belonging to the Associated Press or its employees. This may not be a return to the bad old days of J. Edgar Hoover, who kept files of derogatory information about hostile journalists, but surveillance of the press—even in the course of otherwise legitimate investigations—always threatens to impede the vital check on government the Fourth Estate provides. A subpoena covering so many of a major news organization's phone lines, including shared switchboard and fax numbers used by scores of reporters, for such an extended period, seems especially troubling in the context of this administration's unprecedented war on whistleblowers. It's effectively a warning that nobody who speaks to the press without White House approval—whether they're leaking classified secrets or just saying things the bosses wouldn't like—can count on anonymity. I'll have plenty more to say about this soon, but here are a few key questions reporters and legislators ought to be asking:
- DOJ regulations are supposed to require a careful balancing of investigative needs against First Amendment values before reporter records are sought, with advance notice to the press whenever possible. The AP is fairly certain its records were seized as part of a leak investigation aimed at uncovering the source of a story about a foiled terrorist plot—a story the AP itself sat on until they were convinced publication posed no national security risk. The administration itself was on the verge of announcing the same facts. Given that anonymous sources discussing classified matters with the press are a routine and indispensable part of journalism, what made this investigation so urgent that it was necessary to use methods experts agree were far more broad and intrusive than the norm?
- Read hyper-literally, those same DOJ regulations refer only to "subpoenas" directed at journalists themselves or seeking "telephone toll records." And the DOJ's own operational guidelines make quite clear that they do read the rules hyper-literally: They apparently are not held to apply to the myriad tools other than grand jury subpoenas at the government's disposal, such as National Security Letters or administrative subpoenas. Does DOJ employ a similarly literal reading of "telephone toll records," such that they're not required to observe these rules when they obtain other electronic records, such as e-mail transactional data? The DOJ, recall, says they often don't need warrants to read e-mail or Facebook chats, let alone review transactional metadata concerning such communications. So it seems odd that they would pull out all the stops when it comes to phone records, yet ignore the channels by which modern reporters probably conduct the bulk of their correspondence. Even if it would have been infeasible to access logs of AP's e-mail transactional data without tipping them off (my understanding is they maintain their own e-mail servers), nearly every journalist has potentially revealing Facebook friend lists, personal Gmail accounts, Twitter direct message headers, and so on—some of which would be more targeted than records from phone lines shared by dozens of journalists. Was other data that DOJ believes to be outside the scope of their reporting obligations—either because it wasn't obtained by "subpoena" or because it wasn't "telephone toll records"—obtained in this case? More broadly, how much press data is obtained without notification because it falls outside these categories?
- Thanks to a 2010 Inspector General report, we know a bit about the FBI's use of "community of interest" data requests that sweep up call log data not just on a single target, but all the phones their target is in regular contact with—and maybe even the numbers those phones are calling too. After using this technique for years—sometimes literally by accident—the FBI sought an Office of Legal Counsel opinion about whether the press notification rules applied when such requests were likely to indirectly pull in press records. In January 2009, OLC concluded they did—but since they ended up not getting the records in that instance, and the agent making the request apparently hadn't understood quite what he was requesting, the FBI decided it didn't need to tell anyone at the time. What, then, is the Justice Department's current policy when it comes to information about press communications obtained indirectly through "community of interest" requests? Is any attempt made to ascertain when such requests have acquired reporters' phone records, whether or not that was either intended or foreseen when the request was made? Since records in the FBI database are retained indefinitely for potential future data mining, even records the FBI doesn't currently know belong to reporters could easily end up revealing patterns of press activity as a result of future analysis. Does DOJ think it must inform reporters when this happens, or is it only at the acquisition stage that the notice obligation applies? Has any broad effort been made to determine how many reporter records are in FBI databases, especially as a result of requests made before 2009?
Of course, whatever the answers to these questions, the Electronic Frontier Foundation is right to point out that the broader problem is that communications metadata isn't entitled to much protection under either current Fourth Amendment jurisprudence or federal statute. This means the government can typically access metadata with little or no judicial oversight—and if you're not a reporter there are no special rules requiring the government to ever notify you that your records have been swept up in some investigation. As technological change makes such metadata increasingly revealing—because nearly everything you do online leaves some digital trace, from which ever more detailed inferences can be drawn using sophisticated analytic tools—the problem is not just for press freedom: it's a privacy problem for all of us.