ANNEX 15: THE LAW OF THE FIVE EYES
withhold that information at an ex parte hearing.96 I was told, during my trip to the
United States, that disclosure to the subject ordinarily occurs in the context of a criminal
procedure. Those individuals who receive notification that they have had their
communications intercepted but are not party to any criminal trial, rarely bring
proceedings seeking damages. Such damages are capped in any event.
85.
US Code Chapter 21 of Title 18, commonly referred to as the SCA, provides access for
law enforcement to both contents and metadata that are stored on a Remote
Computing Service. This provides computer storage or processing services to the
public by means of an electronic communications system,97 such as cloud storage.
Access to the content of stored communications, without notice, is granted on the basis
of a search warrant.98 Access to stored material that does not include the content of
communications may be granted on a similar basis.99
86.
However, and importantly, a specified subset of non-content may be accessed by
administrative subpoena without the scrutiny or authorisation of a court. Those data
are: name, address, call records, length of service, types of service used, number used
including temporarily assigned IP address, means and source of payment.100 As a
result, much of the most important metadata may be obtained without the permission
of a court.
87.
Furthermore, the SCA provides for access to metadata records, without judicial
authorisation, where the Director of the FBI (or his designee) certifies that they are
relevant to an authorised investigation to protect against international terrorism or
clandestine intelligence activities. Those requests are known as “National Security
Letters”. The Director of the FBI may request, and a telecoms provider is required to
provide, name, address, length of service and local and long distance toll billing records
on that basis.101
88.
An important distinction between US and UK law (as it currently stands) is that there is
no requirement for service providers in the United States to store data beyond their
own business needs. I was informed during my trip to the US that it was highly unlikely
that Congress would consider legislation requiring service providers to retain or create
data that they did not themselves need for business purposes (such as billing).
However, telecommunications providers are required to retain data that they already
produce and create such as: name, address, telephone number of the caller, telephone
number called, date, time and length of a call.102 If law enforcement agencies want
access to material beyond that, or want access to other metadata, they are empowered
to request that material is preserved, pending an application for access to that data.103
96
Ibid. at (8)(d).
18 U.S.C. § 2711(2).
If the data owner is put on notice, it may also be accessed via a court order, administrative subpoena or
grand jury or trial subpoena 18 U.S.C. § 2703.
Search warrant, telemarketing fraud request or court order. It is important to note that for non-content
subscriber records, no notice has to be given to the subscriber.
18 U.S.C. § 2703 (2).
18 U.S.C. § 2709 (b).
17 C.F.R. § 42.6.
E.g. 18 U.S.C. § 2704.
97
98
99
100
101
102
103
365