NSA Phone Data Grab Raises Frightening Retail Questions. Can Complying With A Lawful Warrant Still Violate A Chain's Privacy Policy?

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today is a lawyer in Bethesda, Md., specializing in privacy and security law.

The recent revelations that Verizon and most likely others shared the entire contents of their customer databases with the U.S. National Security Agency raise a question for retailers and payment processors: How much data should I share with the government, particularly when it has a subpoena, and how much effort should I expend fighting government demands for information?

Any time you create "big data," you run the risk of big headaches. Remember, the government has something called "sovereign immunity," meaning that, for the most part, it cannot be sued. That leaves the data collector, retailer or payment processor with the responsibilities. If a retailer provides information to a government agency – even in the face of a demand or subpoena – the retailer, and not the government, can face liability if it is later determined that the demand or subpoena was not "lawful."

Here’s the problem. Most retailers have privacy policies that say they will turn over data (or even databases) in response to "lawful" government demands or requests. But if it turns out that the demand or request is overbroad, unreasonable, not supported by probable cause, done for an improper purpose, or simply that the government did not follow the proper procedure in obtaining the subpoena or warrant, or in otherwise requesting the information, the demand may not be lawful.

And voila! The retailer will have violated its own privacy policies. What’s worse, it will have opened itself up for liability not only to its customers, but also to the government that demanded the information in the first place. Finally, even statutes that appear to provide the entity with immunity for complying may not protect the chain.

The NSA "PRISM" program was actually only part of the NSA’s data-gathering efforts. PRISM was the NSA’s effort to collect "content" information over the Internet – that is, to read people’s e-mails, snoop on their Skype calls, capture video conferencing information, and read private SMS messages, tweets and Facebook postings. In addition, the NSA had a program, codenamed NUCLEON, to capture so-called "metadata" from the Internet: the header information from e-mails (whom customers are writing to, when they are writing, from where they are writing), which websites people are visiting and from where, and other theoretically "non-content" information. For telephone companies, the NSA has similar programs: codename MARINA for content information (listening in on phone calls) and codename MAINWAY for telephone metadata.

We know little about these programs except that they were theoretically approved by a super-secret court called the Foreign Intelligence Surveillance Court (FISC) and that they were targeting the communications of "non-U.S. persons." Other revelations in the past about programs like ECHELON indicate that the U.S. government had an understanding with other friendly governments. Since we couldn’t spy on U.S. citizens in the U.S. (without a warrant), they would spy on our citizens for us, and we would spy on theirs for them. All perfectly legal. Well, not perfectly.

The Internet and telephone databases are only a few of the many databases created by commercial entities as a consequence of providing services to their customers. Retailers and payment processors create databases of their own. Every time a payment card is used, a record is created of the exact date, time and location of the card use – down to the tenth of a second. This database, and the dicing and slicing of it, is useful to retailers and card brands themselves to determine patterns of usage and to prevent or detect fraud, particularly when linked to things like loyalty cards, which allow the retailer to determine the purchasing behavior of specific individuals over time. Databases are a powerful tool for retailers, processors and, of course, governments.

It has been reported over many years that the NSA has also infiltrated myriad other databases. This includes the credit card processing and clearing databases, financial systems’ databases, funds transfer network databases, and many more. Although the details remain few, the database access may run from the mundane (the government issues a subpoena to a party for a specific set of records for a specific individual or small number of individuals) to the sublime (the government gets a pipe into the entire database and searches for and retrieves what it wants).

Here’s where retailers and database managers can get into legal hot water. What do you do when the government requests or demands information in, or access to, a database you have or control? Multiple choice…

(A) Turn over the documents without question – hey, they have a warrant or court order, right?
(B) Turn over the documents, but tell your customer that you are doing so and let them fight the government.
(C) Force the government to get a motion to compel production, and then comply.
(D) Fight the demand to the death no matter how much it costs! You are the defender of your customers’ privacy.
(E) It depends on who asks for it, what kind of information it is, why the government wants it, how much it will cost to comply, and whether you can practically inform your customer.
(F) All of the above.

I have taken enough multiple-choice exams to know that the answer is always all of the above (unless it is none of the above). Deciding whether or how to comply with government demands for information is a complicated issue. Remember, though, YOU are the custodian of your customers’ data. They gave it to you so you could fulfill an order or provide goods or services, not so you could act as the agent of some government and use that data to spy on your customers. Your first duty and loyalty is to your customers. No matter how patriotic you are, remember that the data you are being asked to reveal exists only because of your express or implied promises of privacy; it would not exist if the consumer knew it was invariably going to be shared with the government.

This is where it gets legally dicey.

Most entities have some sort of privacy policy – sometimes express, sometimes implied. These can relate to online activities only (browsing, surfing and online purchases) or to offline activities as well. Some data is gathered (and used) without any express privacy policy – e.g., surveillance videos. These privacy policies typically say things like "while we will not share your data with anyone, we will respond to lawful demands or subpoenas." I know. I write these policies. But what exactly does that mean? How far does an entity have to go to determine whether a demand or subpoena is "lawful"? Does it simply have to be on an official letterhead? Does it just need a raised seal of a court?

Also, does the retailer or other entity have a duty to notify a customer that it received the demand or request? If I were writing a privacy policy, I would say yes. Why not tell your customer that someone has demanded information about them? The problem is that, under the law, much of the information held by retailers belongs to the retailer, NOT the consumer. What the consumer buys or doesn’t, how they pay, what time of day they shop and in which location are all the retailer’s information. The retailer may have no good way of contacting the consumer to let them know about the demand or request. The demand or request may involve dozens, hundreds, thousands or millions of records, making the costs of notification astronomical. Moreover, the retailer itself may be the subject or target of an investigation – and may not want to commit to informing its customers that the investigation is ongoing.

If the cost of compliance with a subpoena or demand by the government is very high, the government may offer to pay for such compliance – particularly where, as in PRISM, the government may pay to install a pipe into your data stream. Retrieving records about your customers may become a profit center for you. This would be dangerous from a privacy perspective.

If a consumer learns that you have been giving out data about them (particularly without them knowing about it, and without a fight) they may (A) shrug their shoulders and say "Hey, I’m not doing anything wrong, what do I have to worry about?" (B) take their business elsewhere, assuming that there is another entity that has a more consumer-friendly privacy policy; (C) grumble and complain, but ultimately do nothing; or (D) file a multimillion-dollar class-action lawsuit.

For most people, the answer will be (C). But for a few, it may be the litigation route. When Verizon turned over its entire database to the government (albeit with a court order), one could reasonably ask whether this was a "reasonable" and "narrow" warrant. Ditto for banking, credit and merchant records. If you want to know whether a search or demand for records is reasonable, ask a simple question: would you comply if the same demand were made by the Stasi or the North Korean regime? You might have a different answer.

So ask yourself the question – do your customers REALLY know what you are doing with their data? I mean your data. I mean your data about them. Probably not. If you get a subpoena or demand for their data, I mean your data, do you tell your customers about it and give them an opportunity to challenge the demand? Do you resist the demand yourself to protect your customers’ privacy? Or do you just give the documents to any shyster with a subpoena?

If you don’t know the answer to these questions, then you don’t have a strategy for both litigation and customer service. You also don’t really have an effective privacy policy. And the time to write one is not when the NSA is at your doorstep with a FISA court order.

But I Have Immunity, Right? I Was Only Following Orders

So your privacy policy says that you will turn over data in response to court orders or subpoenas. Or maybe in response to "lawful" court orders. Whatever. Years ago, when a previous administration demanded that AT&T provide access to customer data without a warrant (for national security purposes), or when the government made the same demands of airlines for their records, the customers whose privacy was impinged sued. But not the government – they couldn’t sue the government because the government, like the King, has sovereign immunity. So they sued the merchants. Which brings up the next thing: if you ARE going to comply with a subpoena or demand, especially from the government, you want the person demanding the documents to indemnify and hold you harmless for compliance. The reason merchants get sued is both that they have the relationship with the customer and that they don’t have immunity.

In response to the lawsuits, Congress passed a law that gives companies immunity for making "good faith" disclosures of information to the NSA under a warrant. That’s fine if the government demands a small number of records. But where, as in the case of Verizon, the government gets a court order for a database (and not just a record), it’s not clear whether, in good faith, you can or should comply. If the warrant is overbroad or calls for constitutionally protected information (say, what customers are reading – Amazon), the warrant may be facially invalid, and you can’t rely on the fact that someone in a robe who was appointed for life by the president signed it. In other words, it’s complicated.

What’s A Merchant To Do?

If the government has a search warrant, and cops with guns, well then step back, get out of the way, and call your lawyers. If they serve a merchant with a court order, demand, subpoena, whatever, well then, step back, get out of the way, and call your lawyers. Just remember that the data sought is YOUR data AND your customers’ data. You are a fiduciary of their interests as much as you are of your own. The essence of privacy is that you collect data for a particular purpose and USE it for that purpose. Once the data is used for another purpose, you break your promise (express or implied) with the data subject. And breaking promises can lead to litigation, and not in a good way.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.