Orin, on his own blog, points to this statute providing for civil liability and asks whether the good faith exception might not apply.

In an earlier post, Orin points to I8 U.S.C. § 2702. Voluntary disclosure of customer communications or records.

(3) a provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications covered by paragraph (1) or (2)) to any governmental entity.

Then there are the exceptions. As Orin notes, the most likely one the phone companies will rely on is number 4 (2702©(4)), which provides the prohibition does not apply:

(4) to a governmental entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency[.]

The Patriot Act made some changes to this language in 2001, and again in 2006. Orin writes:

At the outset, it's worth noticing something very interesting about this language: It is almost brand spanking new. The language that passed as part of the Patriot Act in 2001 allowed disclosure only when "the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information." This was the language in place from October 2001 until March 2006.

As noted above, though, the Patriot Act renewal passed in March 2006 changed this language. And it did so in a way with potentially important implications for the legality of the NSA call records program. The new exception states that disclosure is permitted "if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of information relating to the emergency." Few people were paying attention to this change at the time, but I would guess that it was very important to the telephone companies: The change expanded the exception to allow disclosure when there is a good faith belief instead of a reasonable belief, and when there was a danger instead of an "immediate" danger. I wouldn't be surprised if the telephone companies were pushing the change in part out of concern for civil liability for their participation in the NSA call records program.

Did the phone companies have such a belief under the 2001-06 language? I gather they had a reasonable belief of danger, but I don't know of a reason to think that they had a reasonable belief of "immediate" danger. If this was a program ongoing for several years, then it's hard to say that there was a continuing reasonable belief of immediate danger over that entire time.

Cassandra at Orin's blog provides the legislative history containing the reason for the 2006 change. But the phone companies have to be held to the standard applicable when they engaged in the activity, not the 2006 standard, unless they are still providing the information in 2006.

Marty Lederman at Balkanization takes a thorough run through all the applicable statutes and says on further reflection, the program may be okay under the 4th Amendment.

Let me try to put this in plain English, or at least my English. The Patriot Act of 2001, which is the law that was in effect when the phone companies allegedly entered into contracts with the Government to provide phone records of customers, made the following changes to prior law:

• Section 209: Seizure of voice-mail messages pursuant to warrants.

Section 209 removes voicemail from the dictates of Title III and allows law enforcement to seize and listen to voicemail messages with a search warrant instead of a wiretap order. The requirements for a search warrant (probable cause) are far less stringent than those for a Title III intercept order.

• Sections 210 and 211: Scope of subpoenas for records of electronic communications and clarification of scope.

Section 210 amends 18 U.S.C. § 2703 ©(2) of the Electronic Communications Privacy Act to expand the types of records that may be obtained without a court order, among them, records of internet session times and durations, temporarily assigned network addresses, and means and sources of payments (including credit card and bank account numbers.)

• Section 212: Emergency disclosure of electronic communications to protect
  life and limb.

Section 212 amends 18 U.S.C. §2702 to authorize providers of electronic communications services to disclose the communications (or records of such communications) of their subscribers if the provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person requires the disclosure of the information without delay.

• Section 214: Pen register and trap and trace authority under FISA.

Section 214 amends 50 U.S.C. §§1842 and 1843 to allow law enforcement to obtain pen registers and trap and traces under FISA when they concern foreign intelligence and either (1) do not concern a United States person, or (2) concern a United States person and are for the purpose of protecting against international terrorism or clandestine intelligence activities, so long as such investigation is not conducted solely upon the basis of protected First Amendment activities.

All these legal provisions aside, for non-lawyers, here's what jumps out at me.

1. Interceptions of the contents of telephone communications under both Title III and FISA require a warrant. That's apparently not part of this program.

2. Installation of a pen register or trap and trace device, which require court orders but not warrants under Title III, involve physically attaching something to the phone line which then records the numbers dialed from and to the phone, respectively. The phone companies do this, but it doesn't seem like the Government did it in this program, even though the result is similar.

3. Subscriber information can be obtained by the feds with a subpoena and without prior judicial approval. It's done in federal drug cases every day. Typically, the agents get the subscriber information, then the pen register, then the wiretap order. As far as we know at this juncture, the phone companies provided only the call detail records, not even subscriber information. Although it would be a hop-skip for the NSA to get the subscriber info from sources other than the phone company once it had the call-detail records.

4. The real issue --and problem as I see it --is the indiscriminateness of the records requests and turnovers. There is no individualized suspicion that the tens of millions of persons whose phone records were turned over had engaged in criminal activity or had any interaction whatsoever with a foreign person or agent or power who might be connected to terrorist activity.

That's what makes it a wholesale violation of civil rights and one that must be stopped. We cannot allow the Government to collect records on millions of us in a fell swoop because it is searching for the proverbial needle in the terrorist haystack. If it has a reasonable belief (at a minimum) that a particular phone is being used in connection with terrorist activity, fine, get an individualized subpoena for that person's phone records or a court order for a pen register or trap and trace and if the belief evolves into probable cause, get a wiretap warrant.

The NSA - phone company program must be distinguished from listening to our calls. But it is also a slippery slope, and if we allow the Government to violate our privacy rights by obtaining the numbers dialed to and from our phone, it is a very short step to asking the phone companies to provide our names, addresses, bank and credit card information used to pay the phone bills, and then to even more intrusive snooping.

More on that here.