When the U.S. government conducts electronic surveillance, there are a variety of legal authorities on which it relies. The Wiretap Act, for example, authorizes the government to conduct live telephone wiretaps in certain criminal investigations; for electronic data, the Act also permits the government to acquire electronic communications in real time. The Stored Communications Act (“SCA”) authorizes the government to obtain stored electronic data, including the content of email messages hosted online for criminal investigations.
There is an important distinction among these legal authorities that is often missed by commentators and in the media: the difference between coercive surveillance authorities and non-coercive surveillance authorities. The Wiretap Act and the SCA are both coercive surveillance authorities—they authorize the government to compel private technology companies to disclose customer data when the government is investigating criminal activity. The Wiretap Act, for example, directs companies to provide “all information, facilities, and technical assistance necessary to accomplish the interception unobtrusively and with a minimum of interference….” 18 U.S.C. § 2518(4)(e). The Stored Communications Act likewise requires “the disclosure by [certain] provider[s] … of the contents of a wire or electronic communication,” under certain circumstances. 18 U.S.C. § 2703(a). These authorities do not just authorize surveillance, in other words, they also authorize the government to coerce action on the part of private parties.
Contrast these authorities with Executive Order 12333, which governs certain United States intelligence activities. EO 12333 authorizes elements of the U.S. Intelligence Community to collect foreign intelligence information and regulates intelligence collection techniques, including electronic surveillance. Commentators have sometimes suggested that EO 12333, like the Wiretap Act and SCA, can be used to obtain customer data from technology companies for intelligence-gathering purposes. But there is a fundamental difference between EO 12333 and these statutes: EO 12333 by its terms does not authorize the government to coerce private parties to disclose customer data. Thus, while EO 12333 may authorize the government to conduct surveillance, it is non-coercive in the sense that private parties cannot be forced to assist.
To be sure, there are authorities that permit the U.S. government to coerce technology companies to disclose customer data in national security investigations. Specifically, the Foreign Intelligence Act of 1978 (“FISA”), like the Wiretap Act, requires providers to “furnish … all information, facilities, or technical assistance necessary to accomplish the electronic surveillance in such a manner as will protect its secrecy and produce a minimum of interference with the services….” 50 U.S.C. § 1805(c)(2)(B). The government cannot exercise this coercive power, however, without satisfying statutory safeguards, including by obtaining an order from the Foreign Intelligence Surveillance Court (“FISC”)—an Article III court composed of independent judges—based on probable cause that the target of the surveillance is a foreign power or agent of a foreign power. Id. § 1805(a)(2). To the extent a provider believes that its coerced assistance exceeds the statutory requirements—e.g., because it produces more than a minimum of interference with its services—the provider may also seek relief from the FISC. EO 12333 does not contain any equivalent safeguards.
As commentators, technology companies, and prospective cloud customers grapple with the variety of authorities that authorize the U.S. government to engage in electronic surveillance, the difference between coercive and non-coercive authorities may be a useful distinction to bear in mind.