The Law Allowing Senators to Sue Over Phone Searches is Worse Than You Thought

On Oct. 6, Sen. Chuck Grassley (R-Iowa) announced that the FBI had sought and obtained nine lawmakers’ cell phone data in 2023, during an early stage of what would become Special Counsel Jack Smith’s investigation into 2020 election interference. “If heads don’t roll in this town, nothing changes,” fumed the senator, while intimating that FBI personnel should be fired over the incident. Sen. Bill Hagerty (R-Tenn.) echoed Grassley’s ire and called for Smith’s imprisonment, while their colleague Sen. Tommy Tuberville (R-Ark.), making liberal use of his keyboard’s all caps function, expressed similar sentiments. Sen. Lindsey Graham (R-S.C.) responded to questions about the matter by  threatening a civil suit—seeking damages of over $1,000,000—and noting, “I want to make it so painful, no one ever does this again.”

Some of the outrage was undoubtedly genuine and some, inevitably, merely performative. Regardless, the chamber soon took legislative action, albeit in an unheralded—or, depending on one’s point of view, underhanded—manner. As congressional members negotiated a funding bill to reopen the government, Republican senators quietly added a self-serving provision to a separate statute called the Legislative Branch Appropriations Act. The bill would allow any of them to sue the government for damages over the records’ seizures. The House duly passed the legislation, which had become politically mandatory in order to end the longest-ever government shutdown. But the lower chamber was angry about the law, which does not apply to the House of Representatives. Speaker Mike Johnson (R-La.) immediately promised to repeal it—a promise he delivered on last night with a rare bipartisan bill, proving that, at least on occasion, the House can transcend partisan divisions in order to stick it to the Senate.

In the meantime, the Senate’s provision, which Trump signed into law on Nov. 12, remains on the books while the House’s bill to repeal it awaits Senate action.

The topline effect of the Senate’s controversial new revisions to the Legislative Branch Appropriations Act legislation is to create a civil cause of action—that is, the ability to sue in court—if a senator is not notified when providers receive a subpoena for his or her data, or that of his or her staff. Media reports, not inaccurately, have focused largely on the possibility that it paves the way to a significant payday for the eight senators whose data was obtained in 2023. The legislation, which provides that this new cause of action is retroactive to January 2022, appears to allow those senators to recover a minimum of $500,000 merely because their data proved relevant to a criminal investigation. 

But these media reports actually undersell the potential magnitude of the new law.

The first issue is that the already-staggering price tag of failing to notify a senator would, on closer inspection, likely be much higher in practice. That’s because the $500,000 remedy is available for each “instance,” which means that a typical subpoena seeking data from a senator’s cell phone and email account could cost $1 million. Or, as would also be typical investigative practice, collecting that same data from a Senate office’s senior staff—say, five individuals plus the senator—could conservatively expect $6 million in damages. Or, as would yet again be typical investigative practice—particularly in matters involving public corruption schemes or counterintelligence risks—refreshing the collected data by issuing new subpoenas as the investigation progresses could double or triple the amount of damages. Because the law provides that the new cause of action is against the United States, that money will come from the U.S. Treasury. Apparently, the senators who had originally demanded that heads roll settled instead for a payout from American taxpayers.

Another issue is the law’s retroactivity to 2022. The legislation does not reference any supposed malfeasance in the government’s collection of the eight senators’ data in connection with its election interference. In fact, the senators’ announcement, in all its outrage, acknowledged that the subpoenas were authorized by a grand jury, meaning that both a panel of regular Americans and a judge signed off on the plan. Rather, the new law renders unlawful what had been a perfectly legal—and thoroughly common—investigative practice, which exists primarily to protect the integrity of ongoing investigations and keep the identities of their subjects secret. 

Yet another issue is that the term “instance” is defined very broadly. It includes not just collection of data from a “device” like a cell phone or an “account” like an email account, but also “each individual . . . record” or “communication channel.” It also includes “each individual . . . search conducted.” And most remarkably, it included “each individual . . . nondisclosure order or judicial sealing order sought, maintained, or obtained.” This definition calls for a bit of exegesis: It is not entirely clear if even the drafters of the legislation understood just how expansive this language is, and that it could very well thwart uncontroversial law enforcement investigations.

For example, imagine that Congress has been the target of a massive cyberattack that took down all electronic systems. One of the most basic, preliminary steps in an investigation into cybersecurity incidents is to request the relevant security logs. That category encompasses quite a few different types of data, but at least some of them—event logs or endpoint logs, for example—could very well count as the sort of data whose collection would constitute a violation of this provision.

Or imagine that the U.S. Capitol suffers a terrorist attack. As with any serious crime that occurs in a crowded area, investigators might seek to determine if a suspect was in the vicinity by executing a geofence warrant. These warrants instruct corporate entities—almost invariably internet service providers or telecommunications companies—to provide data listing all of its users or clients who were in a particular area during a specific duration of time. The results of these warrants allow law enforcement agencies to create a subject pool of potential offenders, or verify that a previously identified subject was in the vicinity of the crime.

This new law would give everyone who is swept up in a geofence warrant—that is, everyone present in the vicinity of the Capitol—a cause of action. In other words, if Congress were in session, the collection of data from 100 Senators plus all of their staff, encompassing hundreds more people, could lead to lawsuits claiming billions of dollars in damages. It’s worth noting that geofencing is not without controversy; there is actually a split between the Fourth and Fifth Circuits over whether the technique passes constitutional muster. But whether or not Congress believes it should regulate the practice, no one can pretend that this legislation is an effort to do that—nor that it would be an effective means of doing so.

A fourth issue is that the law’s definition of a violation extends far beyond failure to notify for investigative practices like collecting data pursuant to a subpoena. It covers “seeking, maintaining, or obtaining” a judicial order preventing notification. It covers acquiring, searching, accessing, or disclosing data “pursuant to a search, seizure, or demand for information.” It is common practice to use non-disclosure orders to protect the integrity of ongoing investigations, and obtaining a warrant without being able to acquire, search, access, or disclose the relevant information would be an exercise in pointlessness. It should be obvious why Justice Department policy insists on protecting the confidentiality of investigations, even to the point of forbidding personnel from confirming the mere existence of criminal investigations until charges are publicly filed. But since this is a concept apparently lost on current Justice Department leadership, it bears articulating. Announcing that law enforcement is poking around risks alerting potential suspects who might destroy evidence or flee the country. It might reveal incomplete and uncontextualized information that unfairly damages the reputations of innocent people. It might put witnesses’ or officers’ safety in jeopardy. It very well might sabotage the ultimate goal of prosecuting and convicting criminals by giving future defendants fodder for a motion to dismiss their case, or be acquitted, on the grounds that their due process rights had been violated.   

These dangers are not hypothetical. When FBI Director Kash Patel tweeted about the first in a planned series of counterterrorism arrests before the entirety of the operations were complete, two persons of interest were apparently able to abscond from the country. When the FBI, in the aftermath of 9/11, failed to protect a suspect’s identity, the individual—who was innocent—saw his professional and personal life destroyed. Keeping investigations secret not only preserves the ability to apprehend guilty subjects, but also protects the reputation of those whom the government realizes should not be charged.

The law does create a carve-out for one narrow circumstance in which notifications are not required: when the senator is the target of a criminal investigation—that is, the individual whom law enforcement believes may have committed the crime(s) being investigated. This seems utterly reasonable; anyone can understand why the Justice Department wouldn’t want to tell potential criminals that it’s seeking evidence to build a case against them. Under the new law, the government can in such cases seek a court’s permission to delay notification for a 60-day period. But the provision is quite limited and thus relatively weak. By its terms, it applies only to senators who are targets, not to their staff. That means that a senator would have to be notified if someone in his or her office is suspected of a crime. Given that political blowback on politicians whose staff are accused of crimes has been severe in the past, this may create a troubling incentive for the Senator to take action to preempt the fallout, which could compromise the investigation in any number of ways. Or notice to the senator could make its way around the office, tipping off the investigation’s target or subjects in a manner that could cause them to change behaviors, destroy evidence, become unwilling to speak with investigators, or even flee the country.

In addition, the carve-out for targets is styled as an affirmative defense. That means that news of a subpoena—or a sealing order, or the mere effort to seek one—could become public in court documents before the investigation is complete, as would the fact that a senator was the target. Again, this would almost definitionally compromise the investigation.

All of that said, the core focus of the new legislation—notifying senators when law enforcement seeks or accesses their data—is not a new concept, and it is deserving of attention. The folly of this current law should not detract from careful consideration of the equities at stake. For example, Sen. Ron Wyden (D-Ore.) has argued that law enforcement’s ability to secretly obtain such data “can chill critical oversight activities, undermine confidential communications essential for legislative deliberations, and ultimately erode the legislative branch’s co-equal status.” His concerns are not speculative: The Justice Department has abused these powers in the past when investigating members of Congress. This kind of overreach raises disturbing concerns for the constitutional prerogatives of the legislature—as even the Justice Department’s inspector general has found.  

Still, these legitimate concerns do not legitimize this expansive new law. Even setting aside the ostentatious amount of damages to which senators entitled themselves, and even setting aside the distasteful manner in which this legislation was passed, this law comes in the wake of prominent criminal cases against members of Congress that may have gone uncharged had this been the law of the land. The timing risks the appearance that the Senate is protecting its own, even against legitimate and important law enforcement operations. 

Perhaps more to the point, the new law is an unreasonable answer to a reasonable question. The previous version of this law, which Congress originally passed in 2020, had provided that communications providers and the Senate Sergeant at Arms “shall not be barred, through operation of any court order or any statutory provision, from notifying the Senate office of any legal process seeking disclosure of Senate data.” To the extent Congress has determined that the old provision provides inadequate protection, there are plenty of options to amend it without such blatant disregard for investigators’ well-founded concerns. Congress could, for example, require the department to promulgate rules that would require notifying lawmakers except where investigators could document specific reasons not to—perhaps reasons similar to the current law’s enumerations of findings judges must make to permit a 60-day delay. Even this relatively straightforward change would be a better balancing of the legitimate equities from each branch of government.

But, as the House seems to have intimated, it’s unlikely that senators who might be eligible for a major payday gave all of this a lot of thought before slipping it into the shutdown deal. Now the House’s repeal bill will force them to reconsider.