Today, a federal appeals court ruled that the bulk phone metadata collection program run by the National Security Agency that was brought to light thanks to the leaks of former contractor Edward Snowden was illegal, and not covered by Section 215 of the Patriot Act. But the ruling went further than that; it said, essentially, that anyone whose data was collected as part of the program, called PRISM, may be allowed to sue the NSA for harvesting their data.
One of the questions the appeals court addressed was whether the plaintiff in the case, the American Civil Liberties Union, had standing to take the NSA to court over the PRISM program. The ACLU claimed that because it was a Verizon customer — and because, as the Snowden documents revealed, the NSA ordered Verizon to hand over all of its call data — it qualified for standing. The court agreed.
"The Verizon order showed that all Verizon customers had their data collected, and ACLU was a Verizon customer; therefore, ACLU had its data collected," Lee Tien, senior staff attorney at the Electronic Frontier Foundation, wrote to Fusion in an email.
The upshot of the court's ruling, Tien added, is that, "any Verizon customer has standing" in the Second Circuit Court of Appeals, where the ruling was made. A close reading of the opinion agrees: "Appellants challenge the telephone metadata program as a whole, alleging injury from the very collection of their telephone metadata… The Fourth Amendment protects against unreasonable searches and seizures… We think such collection is more appropriately challenged, at least from a standing perspective, as a seizure rather than as a search."
However, it doesn't end with Verizon. Customers of other major wireless providers, such as AT&T and T-Mobile, may also qualify for standing in the appeals court. The court's opinion reads:
"The government does not suggest that Verizon is the only telephone service provider subject to such an order; indeed, it does not seriously dispute appellants’ contention that all significant service providers in the United States are subject to similar order."
It's not clear exactly which providers were forced to share their data with the NSA. "Insignificant service providers," the EFF's Tien said, might not have qualified for inclusion in PRISM and related efforts. But if today's ruling holds, it could open the door for huge numbers of lawsuits from individual plaintiffs, each of which had their metadata collected.
The government disputes that the scale of the data-collection program is as big as the ACLU maintains it was, but it "declines to elaborate on the scope of the program or specify how the program falls short of that description," reads the opinion.
There's no question that the NSA is collecting data in bulk. The government didn't even dispute that. Instead, it argued that any alleged injuries that would warrant a lawsuit would have to prove that the government has reviewed the information it collected.
The court didn't buy that argument:
"[T]he government admits that, when it queries its database, its computers search all of the material stored in the database in order to identify records that match the search term," states today's opinion. "In doing so, it necessarily searches appellants’ records electronically, even if such a search does not return appellants’ records for close review by a human agent.That the search is conducted by a machine might lessen the intrusion, but does not deprive appellants of standing to object to the collection and review of their data."
Before you call your lawyer, bear in mind that simply having standing before a court doesn't mean you're likely to win a case or receive any damages. But it does mean that there could be a pile of lawsuits on the horizon for the NSA.
The government knew this danger existed. In its case it argued that the PRISM program was meant not to be subject to judicial review because "lawsuits could be filed by a vast number of potential plaintiffs," thus "severely disrupting… the sensitive field of intelligence gathering for counter-terrorism efforts."
To that argument, the court had a pointed response: "The risk of massive numbers of lawsuits … occurs only in connection with the existence of orders authorizing the collection of data from millions of people.”
In other words, the court said: if you didn't want a flood of lawsuits, you shouldn't have collected millions of people's data.
Daniel Rivero is a producer/reporter for Fusion who focuses on police and justice issues. He also skateboards, does a bunch of arts related things on his off time, and likes Cuban coffee.