[This is a guest post by Rudraksh Lakra.]
On 3rd September 2020, the United States Court of Appeals for the Ninth Circuit (9th Circuit) delivered its decision in a landmark criminal appeal case of United States v. Moalin. The Court ruled that the National Security Agency’s (NSA) collection of telephony metadata under the now discontinued mass surveillance Telephony Metadata Collection Program (TMCP) constituted a search under the Fourth Amendment of the American Constitution and was potentially unconstitutional. Moreover, TMCP was deemed unlawful for being violative of the Foreign Intelligence Surveillance Act of 1978 (FISA). FISA is a federal law that establishes the procedure for authorizing and carrying out foreign intelligence surveillance. It is the first case where a federal court has held that bulk collection of metadata by intelligence agencies would constitute a search under the Fourth Amendment, and the second federal court decision to hold the TMCP foul of FISA Subsection IV Section 1861.
The article examines the interpretation given by the 9th Circuit on the constitutionality of the warrantless bulk surveillance undertaken by intelligence agencies to understand the lessons Indian courts can imbibe in the post-Puttaswamy era. This becomes even more important in light of the petitions pending in the Supreme Court challenging the constitutionality and lawfulness of Section 5(2) of the Telegraph Act and Section 69 of the Information Technology Act (IT Act), along with the rules therein.
The facts and procedural history leading to the appeal are themselves quite remarkable. Moalin was charged for providing financial assistance to a terrorist organization in Somalia. The main evidence the District Court relied upon was a wiretap authorized under FISA Chapter I. Moalin had unsuccessfully sought to exclude the wiretap from evidence, contending that information filled to authorize the wiretap was collected through illegal surveillance which the government failed to include in evidence or provide the Moalin notice of.
A month after this decision, Edward Snowden revealed the existence and working of NSA’s mass surveillance programs, including the TMCP. Under TMCP, the NSA maintains a central database of telephone metadata of all communication within and from the US. Telephone metadata, in this case, referred to the phone number of a caller, the location, recipient, and duration of the call, identity of the mobile subscribers, and the mobile device ID.
Subsequently, amidst public outcry, government officials justified TMCP by citing the case of Moalin’s prosecution as a success of TMCP. The-then FBI deputy director admitted before the House Permanent Select Committee on Intelligence that the investigation into Moalin was reopened only after the NSA provided them information collected under the TMCP.
It was based on this information that Moalin was able to file a motion for a new trial at the District Court, and on that motion being denied, for an appeal to the 9th Circuit.
Moalin challenged the District Court’s decision on various grounds. The three grounds relevant for our discussion are: the TMCP was violative of the Fourth Amendment (1) and of the FISA subchapter IV (2). Additionally, he contended that the government’s failure to provide notice of the metadata surveillance to him was violative of the Fourth Amendment and FISA (3). Therefore, evidence collected through TMCP, and fruits obtained therein, ought to be inadmissible, including the wiretap.
The Fourth Amendment Argument
Moalin asserted that the TMCP was violative of his Fourth Amendment right against “unreasonable searches and seizures” without probable cause. Fourth Amendment protections apply where there the citizen has “an actual (subjective) expectation of privacy,” and “the expectation [is] one that society is prepared to recognize as ‘reasonable.’” (Katz v. United States). He contended that there is a reasonable expectation of privacy in telephone metadata.
The government and the district court in Maolin had relied upon Smith v. Maryland, in which the Supreme Court held that data voluntarily provided to third parties (third-party doctrine) was not protected by the Fourth Amendment. In Smith, the Supreme Court approved the collection by the government of call records spanning a few days, using a pen register. It observed that society would not have a reasonable expectation of privacy for a few days of call records, and for data that is voluntarily provided to communication service providers.
Smith was, to an extent, overruled by the US Supreme Court in 2018 in Carpenter v. United States, where it held that obtaining seven or more days’ worth of cell-site location information constituted a search under the Fourth Amendment. The court rejected the application of the third-party doctrine to certain novel technologies on the grounds that – due to technological advancements in digital technology – these technologies have become a necessary part of life, and the collection of data through them is different. However, the Court refused to extend their finding to surveillance carried for foreign affairs or national security.
In Moalin, the Court – similar to Carpenter – distinguishes Smith in terms of the quantity of data stored by telecommunication service providers today, and how revealing it is vastly different from Smith, where a pen register was used to collect metadata for only a few days. Moreover, the Court concludes that similar protection is to be provided to bulk collection of metadata and content data.
The Court observes that massive shifts in technology have allowed for bulk surveillance for extended periods of time, with which, conventional expectations of privacy must also evolve. Therefore, the Court concludes that today, unlike Smith, bulk collection of telephone metadata falls within society’s recognized reasonable expectation of privacy, as demonstrated by the public outcry post-Snowden’s revelations. Consequently, the Court notes that the collection of metadata under TMCP constitutes a search under the Fourth Amendment, but stops short of declaring it unconstitutional.
This was because the Court found that the evidence the government presented at the trial was not a fruit of the metadata collected earlier, and was, therefore, not tainted by it. It was also bound by the 9th Circuit precedent US v. Ankeny, which held that it was not appropriate to adjudicate on Fourth Amendment questions where the exclusion of evidence was not warranted.
What is central to both Carpenter and Moalin is the idea that constitutional protection should be transformative and reflective of the realities of today. Thus, the decades-old precedents and understanding of constitutional protection should not be controlling today, especially concerning technological matters.
Another idea central to both Carpenter and Moalin is that state surveillance should not only be based on executive authorization but should also require probable cause. In cases of communication surveillance, the executive cannot be granted absolute discretion. Therefore, there is a need to have an independent body to regulate state surveillance activities. This need is reflected in international law standards (For instance See, Roman Zakharov v. Russia para 275 and United Nations High Commissioner 2018, Privacy Report para 39-40) and comparative practices (for instance, Germany, Canada, UK, New Zealand Australia, France, Belgium, Romania, and South Africa).
Authorisation and Oversight of Communications Surveillance in India
In India, surveillance under both the Telegraph Act and the IT Act is authorized by the executive, and the surveillance orders under the rules of both are to be reviewed by a review committee of executive members every two months.
The constitutionality of this practice is itself in question. Recent SC jurisprudence, similar to Moalin, has indicated the need for judicial authorization regarding state’s surveillance activities. Justice Nariman in Puttaswamy I, observed that “the ultimate analysis” of a measure’s proportionality “must be left to the training and expertise of the judicial mind.” (J Nariman Opinion, Para 86). This need was reiterated as a part of the Puttaswamy II case, wherein a provision of the Aadhar Act, which allowed for the disclosure of user information, was struck down, with the absence of judicial oversight or the scrutiny of the “judicial mind” being a critical factor in the court’s determination(Para 449(4)(f)).
This need was reiterated by the BN Srikrishna Data Protection Committee Report, which concluded that the lack of independent oversight over surveillance activities makes the Indian surveillance framework potentially unconstitutional post Puttaswamy I.
When the SC adjudicates on the challenge to the contentious sections of the Telegraph and IT Acts, it will have to revisit PUCL v. UOI (1996) a more than two decades old precedent which currently governs laws on surveillance, along with the Telegraph and IT Acts, where it upheld the constitutionality of section 5(2) of the Telegraph Act. It also refused to require judicial approval for surveillance and laid down limited procedural safeguards, such as the requirement of an executive review committee. Moalin shows how the law – especially with respect to technology – must reflect the realities of today. Therefore, PUCL’s approach must be overturned, as it was laid down before the surveillance capacity of the state had ballooned, information technology had become central to society, and bulk surveillance had become the norm.
TMCP and FISA, Subsection IV Section 1861
FISA Subsection IV Section 1861(a)(1) allows the state to carry out surveillance only after being authorized by the FISA Court to “protect against international terrorism or clandestine intelligence activities.” However, at the time of the case, for surveillance to be authorized, 50 U.S.C § 1861(b)(2)(A) required demonstration of a relevancy nexus between the target sought and “an authorized investigation.”
The appellants argued that the TMCP violates the relevancy requirement, as the government collected metadata in bulk without any nexus to an already authorized investigation. They argued that the term “relevant” was inserted by Congress as a limiting principle.
The Court sides with the appellants, basing its reasoning and building upon American Civil Liberties Union v. Clapper – a 2015 Second Circuit Appeals Decision – which had held that bulk metadata surveillance contravened the FISA. In Clapper, the government had argued that the relevancy requirement should be read widely, as the Congress did not intend it to be a limiting principle. The court rejected this interpretation as being “unprecedented and unwarranted” and reading the “‘authorized investigation’ language out of the statute.” The Court’s interpretation was correct, as the government’s interpretation would have defeated the object of the section – to place a check on the executive’s discretion – and would have destroyed the essence of the right at stake.
The government argued that the collected metadata indicates that Moalin was associated with foreign terrorists, and therefore, the surveillance was relevant to a counterterrorism investigation. However, as the Court correctly points out, 50 U.S.C § 1861(b)(2)(A) requires the government to demonstrate a nexus between the target sought and “an authorized investigation” before any surveillance is authorized by the FISA Court. Moreover, the relevance nexus requirement cannot be satisfied after authorization by analyzing the collected surveillance data.
Consequently, the Court in Moalin concludes: “that the telephony metadata collection program […] violated that section  of FISA.” However, the Court refuses to exclude the evidence presented in the district court, because FISA subchapter IV did not allow for suppression of evidence even if unlawfully gathered. Additionally, the Court concludes that the collected metadata did not taint the other evidence including the wiretap.
The approach of both Clapper and Moalin was to interpret the section allowing for state surveillance in a way to at least to narrowly restrict it. The approach of the SC in PUCL (1996) was similar, where it laid down procedural safeguards for surveillance under the Telegraph Act, limiting and narrowly tailoring the scope of authorization and the collection of data.
It is important to remember that the TMCP was based on a series of FISA Court orders. Therefore, even a separate supervisory body can become nothing more than a rubber stamp, if it does not have the institutional capacity to render objective rulings and exercise effective, and oversight over authorized surveillance activities, continuous (see Roman Zakharov v. Russia para 257-267).
Review Committees under the Telegraph and IT Acts
As observed above, executive review committees that have been established under the 2009 IT Rules and Rule 419 A – similar to the FISA Court – are nothing more than a rubber stamp. The BN Srikrishna Data Protection Committee Report highlighted that a review committee that meets once in over two months has the unrealistic task of extensively reviewing more than 18000 judgments. Clearly, the review committees cannot apply their judicial acumen well enough in every case and are merely meaningless stamps of approval.
This should amplify the concerns regarding executive authorization and review of communication surveillance. The SC, in the upcoming challenge to the Indian surveillance framework, must overturn PUCL (1996), and require an independent body with adequate institutional capacity to authorize and oversee surveillance activities.
The Fourth Amendment – in the case of a wiretap – requires notice to be provided once the surveillance operation is complete, (Dalia v. United States), and FISA Section 1806(c) require the government to provide a notice to the defendant to and to the District Court of the collected information “when the prosecution intends to enter into evidence or otherwise use or disclose information” obtained pursuant to the government’s foreign intelligence authorities.
The Government argued and sought to justify the failure to provide notice by distinguishing Dalia, relying upon US v. Cavanagh, which held that FISA satisfies the Fourth Amendment requirements and stated that Fourth Amendment standards apply differently to intelligence gathered for national security.
The Court, while concurring with the government that different standards apply in the context of foreign intelligence, observes that the rule does still apply here nonetheless. Therefore, the requirement of providing notice has to be complied with, even if it is circumscribed. The Court concludes that, at a minimum, the Fourth Amendment requires notice for surveillance conducted under FISA to a criminal defendant and to the Court in the required circumstances under Section 1806(c).
However, the Court refuses to declare if the government’s failure to provide adequate notice was unlawful. This because the lack of notice did not prejudice the appellant and the metadata did not taint other evidence.
While it is understandable why the Court sets a lower threshold of providing notice in the context of foreign intelligence, its standard is woefully inadequate. A more robust and stricter standard should be used in cases with a higher probability of abuse by the executive, which includes mass surveillance programs. Providing notice is essential to the right to an effective remedy (ubi jus ibi remedium) and the right to a fair trial. More fundamentally, it leads to greater transparency in the case of state surveillance programs, enabling stakeholders to meaningfully scrutinize their workings.
The Court’s standard limits the challenge to data collected by intelligence agencies only at the trial stage. It does not provide a remedy to those individuals whose data is stored by intelligence agencies even if it is completely extraneous to the investigation and was obtained unlawfully.
In the Indian context, there is no requirement of notice or of disclosure (even a limited one like Moalin) to the subject of surveillance. The only way a subject would potentially receive knowledge of the surveillance is at trial, where even illegally obtained evidence is admissible (State v. Navjot Sandhu). While the Bombay HC, last year, had refused to admit evidence in contravention of the right to privacy (read more here). There is also a contrary Delhi HC judgment on the point (read more here). The SC is yet to rule on this point of law (post Puttaswamy, the SC should side with the Bombay HC). This, in any event, will still not exclude all illegally obtained surveillance, but only that which can be demonstrated as unconstitutionally obtained.
Currently, lack of notice, coupled with the fact that illegally obtained evidence is admissible in court, means that an individual may not be able to seek effective remedy for the potential violation of their fundamental rights (such as quashing surveillance orders or excluding evidence). This raises constitutional concerns following the SC’s observation inAK Gopalanthat the exclusion of an individual’s access to effective remedies under the Constitution’s Articles 32 and 226 is unconstitutional.
Again, when the SC adjudicates upon the challenge to the Indian surveillance framework, it must mandate the requirement of a notice to the subject. While the concerns Moalin raises ought to be taken into account, the limited model it proposes should only serve as a cautionary tale.
On a concluding note, we must remember that Moalin’s case was an exception. He could only challenge the clandestine surveillance because the government itself admitted it, which does not happen in most similar cases.
Information asymmetry between the state and accused is a hallmark in such cases. Evidence presented at trial is often only collected based on the information gained from clandestine surveillance, which – due to both the classified nature of the program and the lack of notice – the accused is oblivious to. Even if the accused were to challenge surveillance programs, it is tough to prove the case as direct evidence is rarely available, and the design of the program is classified or unknown.
The judgment by the 9th Circuit is to be rightly commended for many reasons. First, the Court did not have to explore the question of the legality of TMCP, given that the collected metadata, according to the Court, did not taint the evidence presented against Moalin at the District Court. Second, the Court could have abdicated its responsibility or exercised juridical deference, since it was faced with a complex technological problem, and a sensitive case linked to national security and counter-terrorism operations.
Yet, the Court does not abdicate its responsibility even under such circumstances. Instead, it directly engages, rather than sidestepping, important constitutional and rule of law issues, forcing the state to adequately justify its surveillance program against the touchstone of the Fourth Amendment and FISA.
Second, the Court invests time in understanding and engaging with the technological design of the surveillance program and its effectiveness, instead of believing the state prima facie or avoiding engagement with questions about the technology.
Finally, the Court builds upon the foundation of Clapper, applying it to the situation of communication surveillance for national security, an area where the Court in Clapper had refused to delve into. The judgments expected from a constitutional court are not only to be based on correct precedents but must build upon those to forward constitutional aspirations and protect civil liberties.
The Indian SC will potentially face its biggest challenge on privacy when it adjudicates upon the constitutionality of the legislative surveillance framework. It would have the opportunity to forward its transformative right to privacy jurisprudence and apply it to a concrete case to reform India’s surveillance landscape. Moalin offers the Indian SC valuable lessons on how this can be achieved. However, the SC’s contemporary approach to key constitutional issues (recently, on privacy, see the mandatory voice sample case, here and here) and gradual shift in its role to that of an executive court will require a re-orientation if this is to happen.