Published by The Lawfare Institute
in Cooperation With
Congressional authority to request user data from communications service providers is in the spotlight once again thanks to recent requests made by the House’s select committee on the Jan. 6 attack on the Capitol for providers to preserve the data of individuals believed to be connected to the attack. Requests for user data—ranging from basic subscriber information and metadata to location information and the contents of communications—have become standard congressional practice in recent years, as Congress has begun to use its Article I authorities to engage in what I have called “congressional surveillance.” These requests raise serious questions about the legal boundaries and normative implications of this congressional authority.
Congress has long enjoyed the authority to compel evidence from third parties using its Article I subpoena power. The Supreme Court reaffirmed that power in its Mazars decision last year. But only recently have congressional committees leveraged their subpoena authority to collect electronic evidence in ways that implicate the surveillance power of the digital world.
At first blush, it would seem that surveillance by government authorities has been studied and discussed at length. In reality, however, only executive surveillance authority has received any significant attention. Congressional surveillance—that is, Congress’s ability to use its broad subpoena authority as a form of electronic surveillance—remains largely unexplored, and the corresponding limits on that authority are not well understood.
This is unfortunate. Congressional surveillance exhibits hybrid features of both government surveillance and congressional political power, and as a result, challenges traditional thinking about government surveillance. This duality has several important implications, in terms of both what the limits on congressional surveillance are and what they should be.
The Limits on Congressional Surveillance
As I have argued elsewhere, congressional surveillance derives from Congress’s Article I subpoena authority, and it is therefore shaped by the interaction of three kinds of limits on congressional power: external limits, meaning sources of law that constrain otherwise valid exercises of congressional surveillance; internal limits, meaning the inherent boundaries of Congress’s surveillance authority; and process limits, meaning the procedural and political constraints on how Congress may choose to exercise its surveillance authority. Each of these limits varies from the limits on other, more common forms of government surveillance, and as a whole, they reflect an uneasy convergence of individual privacy with the separation of powers.
In the traditional world of government surveillance, compulsory demands for user data tend to adhere to certain constitutional and statutory rules: The government must get a warrant for content and other data with heightened privacy interests and a court order or subpoena for anything less. But the sources of these external limits—meaning legislative and constitutional constraints—on government surveillance apply to Congress in profoundly different ways than they do to the executive. As a result, congressional surveillance is treated in a starkly different manner under key provisions of the SCA; it is also not clear that Congress is subject to the Fourth Amendment’s warrant requirement, at least not in the categorical sense.
The Stored Communications Act
At a very general level, the SCA (a) prohibits voluntary disclosures of user data to third parties and (b) provides a mechanism through which a “governmental entity” can compel the production of that data, notwithstanding these prohibitions. It is well established that the SCA applies to requests from the executive branch. As to Congress, however, it is less clear: Is Congress’s subpoena power limited by the SCA’s prohibitions?
As to some categories of data, this should be an easy question. Specifically, the SCA provides that non-content information—that is, data that does not include the “substance, purport, or meaning” of a communication, such as basic subscriber information or other metadata, like session logs—may not be disclosed to any “governmental entity.” A “governmental entity” is defined as “any department or agency of the United States or political subdivision thereof.” But courts have held that this definition excludes Congress, including in the similarly worded Right to Financial Privacy Act, meaning that the SCA does not prohibit providers from voluntarily disclosing non-content information to Congress. Likewise, nothing in the SCA prohibits providers from responding to a congressional subpoena for that information.
Content data—such as the text of an email or a direct message—presents a thornier question. Some observers take the perspective that the prohibition on disclosure of content information is absolute, because the statute precludes disclosure to “any person or entity.” Is Congress an “entity”? Maybe so. But it may not be so straightforward.
This is because Congress treats itself differently when it legislates and avoids categorical limits on its own authority. It very rarely curtails its Article 1 subpoena power because that authority is so critical to its constitutional responsibilities. The Supreme Court recognized these principles as early as 1927 in McGrain v. Daugherty, saying that Congress “cannot legislate wisely or effectively” without access to relevant information held by others. The court held that “some means of compulsion are essential” because “mere requests for such information often are unavailing, and also that information which is volunteered is not always accurate or complete.” This sensibility has persisted over time: For example, the U.S. Court of Appeals for the D.C. Circuit has repeatedly held that the Federal Trade Commission could disclose confidential information in response to Congress’s investigative demands, including through subpoenas, even though it was statutorily prohibited from disclosing that same information to the public.
So it cannot simply be assumed that congressional surveillance fares the same under the traditional external statutory limits that apply to government surveillance when it involves the executive branch. Because Congress’s authorities come from a different source, the possibility that they may be constrained in different ways must be taken seriously.
The Fourth Amendment
Several cases in recent years have brought seeming clarity to whether the Fourth Amendment’s warrant requirement applies to the government’s constructive searches of digital information. In Carpenter v. United States, the Supreme Court confirmed that compelled production of some provider-held location information may constitute a search for the purposes of the Fourth Amendment. And it held that law enforcement officers must obtain a warrant to compel the production of that data. In Warshak v. United States, the U.S. Court of Appeals for the Sixth Circuit held similarly as to the contents of emails.
But both cases (like much of the Fourth Amendment case law on digital searches) were limited to law enforcement requests, and the implications for congressional subpoenas are less clear. Traditionally, the Supreme Court has held that the Fourth Amendment requires that congressional subpoenas meet only a reasonableness standard. Under this approach, there is no categorical warrant requirement for Congress. That is, law enforcement must generally have a probable cause warrant, issued by a magistrate judge, before engaging in a search—constructive or otherwise—to satisfy the Fourth Amendment. But a congressional subpoena need only be relevant to an authorized investigation and reasonably specify the materials to be produced; no magistrate judge, no probable cause, no suppression remedy.
It is certainly possible that a constructive search of digital information would merit heightened judicial scrutiny because of increased privacy interests. But this would require the recipient (or subject) of a subpoena to challenge the subpoena in court—a possibility I discuss below—because there is no legal requirement for a congressional committee to seek authorization from a judge in advance.
It is also possible that, as a practical matter, the recipient of a congressional subpoena would negotiate restrictions on, say, segregating nonpertinent information or how long Congress can retain information in its records. But all these adjustments—heightened judicial scrutiny in the event of a court challenge, or negotiated protocols—would supplement, not replace, the current regime, which is a permissive and highly context-dependent inquiry, and not an area of hard and fast rules.
In the absence of external limits, Congress is free to exercise its surveillance authority as far as its internal limits—that is, the inherent boundaries of congressional power—permit. And there are few internal limits here. Based on McGrain’s rule that Congress’s investigative authority is co-extensive with its expressed Article I powers, Congress’s surveillance capacity extends in theory as far as its authority to legislate, conduct oversight, appropriate or impeach.
Indeed, courts have historically granted significant deference to Congress’s legislative and investigative decisions. For example, the Supreme Court has generally avoided a requirement that Congress—at the outset of an investigation—identify a legislative topic of interest, or even indicate that it intends to legislate. Instead, the court has tended to indulge a presumption that Congress’s investigative demands are in pursuit of a legitimate purpose. Article I’s Speech or Debate Clause—which has been held to provide absolute immunity to members of Congress and their staff for legislative acts—serves as a further cloak for Congress’s investigative decisions, limiting a court’s ability to peek behind the curtain of Congress’s stated purpose. As a result, courts may not examine Congress’s underlying motives.
There are also few limits on Congress’s ability to disclose the information it obtains through its investigations. In fact, certain aspects of Congress’s work necessitate the freedom to share information with the public. The “informing function” plays a valuable role in Congress’s core legislative and oversight duties, among others. To fulfill those responsibilities, committees and members of Congress regularly publish investigative reports and legislative findings, issue press releases, engage with the media, and communicate with constituents. And under the Speech or Debate Clause, a court may not block disclosure to the public of information that is part of the legislative process.
Despite these surprisingly weak constraints on Congress’s ability to direct its investigative powers toward surveillance, Congress has not (as an empirical matter) exercised its surveillance tools until recently. And when it has, Congress has generally (though perhaps not always) restrained the number and scope of its requests. This self-restraint arises from procedural rules that govern the issuance and enforcement of congressional subpoenas and political checks, or process limits. These process limits can offer meaningful, even if imperfect, constraints on congressional surveillance, compensating for the otherwise weak internal limits and supplementing the external limits discussed above.
Process limits on congressional surveillance derive in large part from the subpoena enforcement mechanism. In the world of government surveillance, voluntary disclosures are the exception rather than the rule, leading many providers to insist on a subpoena even if they intend to comply with a committee’s demand. But issuing and enforcing subpoenas against service providers creates significant transaction costs for committees, especially when requests push the envelope. These costs can arise in several ways.
First, there are procedural checks within Congress. Perhaps most importantly, there are significant transaction costs to pursuing a subpoena enforcement action, even before it ever reaches court. To enforce a subpoena in the Senate, a committee must approve and send a resolution to the floor, at which point it must secure a majority vote of the full chamber to authorize civil enforcement. The proof is in the pudding: Since 1979, the Senate has authorized civil enforcement only six times. In the House, the full chamber can authorize its committees to pursue enforcement actions even in the absence of an explicit enforcement statute, but until 2008, there had been some uncertainty as to whether federal courts would have jurisdiction to hear such a case.
Second, there are political checks on the periphery of the enforcement process. Views on government access to private data tend not to follow strict partisan lines, meaning that party control may not translate to party support. In addition, each party risks a tit-for-tat escalation when the chamber changes hands. Further, even once Congress authorizes a suit, it can still take months or years to resolve a case once it arrives in court, not to mention an extensive appeals process if the case has precedential value. Given time-sensitive political pressures and the real possibility that a chamber will change hands every two years, a committee may not be willing to tolerate this kind of delay. This suggests that procedural checks on congressional surveillance, especially with enforcement, are a crucial supplement to the traditional external limits.
Third, some process limits exist beyond the chamber and enforcement process. Congressional surveillance involves seeking information from a legally sophisticated entity that can create significant checks on government demands for data through a variety of actions, including public transparency, litigation, lobbying and technological mechanisms such as encryption. In addition, congressional subpoenas are not issued in secret, and Congress does not have the legal authority to gag providers from disclosing such requests, no matter how sensitive they may appear. By comparison, such nondisclosure orders are standard in the law enforcement context. As a result, providers are able to disclose a potentially overbroad or abusive request to the public, as well as the subject of the request. In theory, then, public opinion may have an effect on enforcement and create push back on overbroad or abusive demands.
The Duality of Congressional Surveillance
Congressional surveillance stands at the intersection of two areas of law: government surveillance and separation of powers. As to the first, congressional surveillance raises issues relating to how individual privacy interests should be balanced against Congress’s interest in accessing information. As it stands, congressional surveillance is constrained by a balance of limits that differs from other areas of government surveillance, with a less prominent role played by the privacy-protecting SCA and Fourth Amendment and a more prominent role played by internal politics and procedure. Some observers might see this as a reason to impose new constraints.
Yet as to the separation of powers, congressional access to information depends instead on the relative interests and rights of two co-equal branches. From this second perspective, congressional surveillance represents an important way for Congress to compete for authority within the separation of powers, meaning that the usual approach under external limits shouldn’t apply. That is, congressional surveillance can serve as a potent component of checks and balances, necessary to counter executive authority and maintain Congress’s position as a co-equal branch. Some might see this as a reason to preserve congressional authority, not constrain it.
The framing matters, as illustrated by the Supreme Court’s most recent and most robust evaluation of these issues in Mazars. There, confronted with congressional subpoenas to financial institutions for the president’s financial information, the court embraced a separation of powers model. That is, it weighed the committee’s interest in third-party data not against an individual privacy interest but, rather, against the competing interests of the executive. The Supreme Court cautioned that, absent new limits, “Congress could declare open season on the President’s information held by schools, archives, internet service providers, email clients, and financial institutions.” The court then imposed a new balancing test—not one based on privacy considerations but, rather, one that reflects the “weighty concerns regarding the separation of powers” when congressional surveillance targets the president.
As a consequence, the Supreme Court rendered a decision that is ultimately indifferent to privacy considerations. The reasoning in Mazars protects only the president’s information. And the decision does not distinguish at all between differing levels of privacy interests in different categories of information.
How then to approach the limits on congressional surveillance? There are, to be sure, different ways (and institutions) to balance the many competing interests, from both privacy and separation of powers perspectives. Congress could regulate itself on these matters and take steps to mitigate potential abuses of its own surveillance authority, creating new rules at the chamber or committee level or perhaps passing clarifying legislation. Or, if providers choose to dispute Congress’s authority in this area, the fate and scope of congressional authority could be decided (and potentially limited) by the judiciary. There could be a renewed emphasis on external limits with a more significant role for courts, or a refining of the process limits within each chamber or committee. Either way, this is likely just the start of a broader conversation about an important issue, with implications for both government surveillance and the separation of powers.