Published by The Lawfare Institute
in Cooperation With
One of the foundational questions in surveillance law is how to distinguish between the contents of communications and non-content metadata. Contents generally receive very high privacy protection, while metadata generally receive very low protection. Identifying the line between the two is critical. Earlier this week, the ODNI declassified an April 2016 FISCR decision on post-cut-through digits that adopts an approach to the distinction in some tension with a recent Third Circuit case. This post will explain the problem and the apparent disagreement.
First, some background. Communications networks are ways of sending messages from one party to another. For every message sent, there will be the substance of the message (the contents) and information about the message (metadata). At first blush, the distinction looks simple. In the case of a postal letter, the contents are the letter itself; the metadata are the information on the outside of the envelope. In the case of a phone call, the contents are the actual sound on the call; the metadata are the numbers dialed and times of the call.
But matters aren't so simple in part because messages are often passed on among parties. A might send a letter to B with instructions to contact C. D might call E and ask E to connect his call to F. The ability to pass on messages raises an important question: If a party receives a message directing the party to send on another communication or take some act, is that message contents or is it metadata?
There are two ways to look at it, which I will label the relative approach and the absolute approach. Under the relative approach, messages don't have an abstract status as contents or metadata. To classify a particular message, you look to the specific context in which the message was obtained and you ask whether the message was contents with respect to a communication between those two parties. Imagine A sends a message to B directing B to contact C and that B does so. Under the relative approach, the message was the contents of the communication between A and B but metadata of the communication between B and C. That is, A communicated the message to B, so it was the content of that message, while B then acted on the message and contacted C, which was metadata for the contact from B to C. Under the absolute approach, by contrast, you would devise a single answer. You might say that because the message was for B to contact C, and the fact of contacting C is metadata, then the message should be classified as metadata and contains no contents.
In a recent decision, In re Google Cookie Placement Litigation, the Third Circuit adopted the relative approach. The case involved a Wiretap Act claim about tracking cookies that could be used to determine the Internet addresses visited by a person surfing the web. The plaintiffs claimed that by collecting the URLs that the users visited, Google and advertising companies had intercepted the contents of user communications in violation of the Wiretap Act. The defendants argued that URLs were merely non-content addressing information not covered by the Wiretap Act.
The Third Circuit rejected the defendant's categorical approach, quoting a treatise:
The line between content and non-content information is inherently relative. If A sends a letter to B, asking him to deliver a package to C at a particular address, the contents of that letter are contents from A to B but mere non-content addressing information with respect to the delivery of the package to C.
[Full disclosure: I'm a co-author of that treatise, and I wrote that section.] The court continued:
In essence, addresses, phone numbers, and URLs may be dialing, routing, addressing, or signaling information, but only when they are performing such a function. If an address, phone number, or URL is instead part of the substantive information conveyed to the recipient, then by definition it is “content.”
The different ways that an address can be used means . . . that the line between contents and metadata is not abstract but contextual with respect to each communication. Thus, there is no general answer to the question of whether locational information is content. Rather, a “content” inquiry is a case-specific one turning on the role the location identifier played in the “intercepted” communication.
Under the Third Circuit's approach, you break down each leg of the communication and consider who were the parties at that particular leg. A single URL can contain addressing information in one part and content information in another part because it is addressing information with two different audiences in mind:
[D]ifferent portions of a queried URL may serve to convey different messages to different audiences. For instance, the domain name portion of the URL—everything before the “.com” -- instructs a centralized web server to direct the user to a particular website, but post-domain name portions of the URL are designed to communicate to the visited website which webpage content to send the user.
The FISCR seems to have taken a different approach in its recently-declassified decision on collection of post-cut-through digits (PCTD). PCTD are the numbers you might press to communicate with a destination computer after placing a call to it. In his his certification on behalf of the FISC, Judge Hogan wanted to know whether the Pen Register statute allows the incidental collection of PCTD when they are contents. If the government can't tell ex ante which PCTD will be content and which will be metadata, he wanted to know, can the government collect all PCTD and later sort through it and access the PCTD that constitute metadata under the statute that does not allow for the targeting of contents?
There's a lot of interesting stuff in the case, but I'm chiefly interesting in how the FISC and FISCR figure out what constitutes contents and what constitutes metadata. In his certification, Judge Hogan took the view that PCTD are metadata when they only contain information about the call but are contents when they contain information unrelated to the call. According to Judge Hogan, if you are using a calling card and first call the number of the service, only then to enter in the number you ultimately want to call, the number you ultimately want to call is non-content metadata. On the other hand, if you call a bank and enter in that you want to transfer funds, that entering in is contents. Based on that assumption about the content/metadata line, Judge Hogan certified to the Court of Review whether the Pen Register Statute and Fourth Amendment allow the collection of all PCTD.
In answering "yes" to both questions, the FISCR appears to have adopted the absolute approach to the content/metadata line under the Pen Register statute (which uses the same definition of "contents" as the Wiretap Act, see 18 U.S.C. 3127(1)). The key part comes in Footnote 6, in a response to amicus arguments made by Marc Zwilinger.
If I’m reading this correctly, the FISCR is taking the absolute approach to the content/metadata line. Dialing information is dialing information, period. It doesn't matter who uses that information or which perspective is adopted. Instead of drawing the content/metadata line based on "different messages to different audiences," as the Third Circuit did, the FISCR seems to be classifying information based on its inherent message to the end audience.
How much does all of this matter? It depends on the case, I think. At the very least, applying the relative approach for PCTD in the case of calling cards would call for a different analysis. You would want to know the details of how the service works and how calls are placed, technological details that are irrelevant under the absolute approach. In other cases, the differences could be quite significant. I'd be particularly interested to know how the FISC or FISCR deals with URLs, the specific problem addressed by the Third Circuit.
Finally, two caveats. It's possible that you could reconcile the Third Circuit and FISCR approaches by saying that a relative approach should be applied to some data and an absolute approach applied to other data. Although the two approaches are conceptually distinct, a court could conceivably pick and choose which applies in different settings.
Second, the approach taken for statutes need not be the same as the approach taken for the Fourth Amendment. The content/metadata line has been used by many courts to interpret the Fourth Amendment, but there are good reasons why the constitutional approach could be different than the statutory one. Although I happen to think the relative approach is correct for interpreting the Wiretap Act, for example, I think there are some good reasons (rooted in equilibrium-adjustment) for adopting an absolute approach for the Fourth Amendment.
Either way, this is a big lurking issue in surveillance law. It's a subtle but important question. If you're interested in more, you can see my case for the relative approach here and my analysis of the Third Circuit case here. Also, Steven Bellovin, Matt Blaze, Susan Landau, and Stephanie Pell have a forthcoming paper on the content/metadata line and why they think it should be replaced. Also check out this 2013 blog post from Julian Sanchez applying the relative approach to the Fourth Amendment.