Can Customers Sue Over NSA Surveillance?

Last week's twin national security revelations -- that the NSA has a top-secret court order requiring Verizon to turn over data on millions of users daily, and also runs a classified program called PRISM mining data from major Internet companies -- continue to set the news agenda. The impact on the companies themselves, however, has so far been limited. Verizon's stock actually rose after the first bombshell, and none of the tech firms connected to PRISM saw their share prices suffer the following day.

But even if Wall Street shrugged off companies' collaboration with widespread government surveillance, Americans in general are not so untroubled. According to a new Pew study, "a substantial minority -- 41% -- say it is unacceptable" for the government to investigate terrorism through mass collection of telephone records; 56 percent approve. When it comes to the Internet, Americans are even more wary of snooping: "45% say the government should be able to 'monitor everyone's email and other online activities if officials say this might prevent future terrorist attacks,' " while 52 percent are opposed. That equals a lot of disgruntled users of Gmail, Facebook, Skype, etc.

One lawmaker has announced an intention to challenge the surveillance in court. Kentucky Senator Rand Paul told Fox News that the government's sweeping collection of data is akin to the general warrants the country's founders considered so objectionable and should be taken up at "the Supreme Court level." The NSA is not targeting suspected terrorists and those they communicate with, Paul said, but rather "trolling through billions of phone records." He plans to appeal to consumers to fight back:
I'm going to be asking all the Internet providers and all of the phone companies, ask your customers to join me in a class action lawsuit. If we get 10 million Americans saying we don't want our phone records looked at then somebody will wake up and say things will change in Washington.

Such an effort would be broadly supported by Americans, he asserted, adding, "if you talk to young people who use computers on a daily basis, they're absolutely with me."

In fact, there's already at least one class-action lawsuit related to the latest NSA disclosures. Larry Klayman, a Reagan-era federal prosecutor and founder of the groups Freedom Watch and Judicial Watch, has filed suit against the president, the NSA, Eric Holder and Verizon, according to TorrentFreak. (Interestingly, given his current suit over telephone surveillance, Klayman was one of the government trial lawyers who brought the case to break up AT&T.) Joining Klayman are Charles and Mary Ann Strange, the parents of a Navy SEAL Team 6 member killed in Afghanistan. The plaintiffs are suing over violations of privacy and constitutional rights, but their action has an obvious political context: Klayman is a longtime critic of Obama, having previously empaneled a "citizens grand jury" seeking indictments against the president, and the Stranges have vocally objected to administration policy since the death of their son.

A critical question is whether companies will even be vulnerable to civil actions brought by customers caught up in dragnets. After the last NSA surveillance scandal -- the warrantless wiretapping carried out under President George W. Bush -- the relevant telecom firms were retroactively immunized from lawsuits. During presidential primary season, candidate Barack Obama more than once said he would filibuster such legislation, but wound up voting for it in July 2008. In October 2012, the Supreme Court declined to consider a challenge to that law, in the case of Hepting v. AT&T, a class-action lawsuit brought by the American Civil Liberties Union and the Electronic Frontier Foundation on behalf of telecom customers. The suit, filed in 2006, at first sought billions of dollars in damages for violations of users' privacy and federal law, but became about immunity after Verizon (VZ), Sprint (S), AT&T (T) and others were shielded from all criminal and civil liability for their involvement in the illegal eavesdropping. EFF is still involved in another class-action suit, Jewel v. NSA, filed on behalf of AT&T customers, which the NSA is trying to have dismissed under the state secrets privilege.

The legal blogger Marcy Wheeler points out that several of the companies now connected to PRISM previously opposed retroactive immunity for telecoms: A February 2008 letter signed by Microsoft, Google, Yahoo, Oracle and others called for "clear rules" governing access to user data and distinguished between "blanket retroactive immunity for violations of law, and prospective immunity, the latter of which we strongly support." We don't yet know exactly what the government's arrangement with the PRISM companies was, but The Washington Post report that broke the news of the program's existence explained, "In exchange for immunity from lawsuits, companies such as Yahoo and AOL are obliged to accept a 'directive' from the attorney general and the director of national intelligence to open their servers to the FBI's Data Intercept Technology Unit, which handles liaison to U.S. companies from the NSA." [Editor's note: AOL is the parent company of DailyFinance.] The question, it seems, is not just whether customers have a right to be outraged, but whether the constitutionality of such provisions can be successfully challenged in court, given the government's efforts to cloak its counterterrorism policies in secret.

Aside from lawsuits, there aren't obvious options for those looking to register their displeasure. As Silicon Valley Business Journal asks, "What alternative do consumers spooked by privacy intrusions have?" And it is in fact difficult to imagine boycotting all the implicated services and staying online. But for those who want to try, the publication provides a list of relatively easy-to-use encrypted options with colorful names like DuckDuckGo, Hushmail and Cryptocat.

You Thought You Were Safe? The Myths and Realities of Your Online Security
For years, security professionals have emphasized the importance of shredding your personal documents before you throw them out. But Holland notes that shredding isn't as much of a priority as it used to be. "There aren't nearly as many documents with personal information out there as there were even just two years ago," he explains. "These days, it's much easier to get your information off your computer."

Passwords are your first line of defense against intruders. But, as Holland points out, even the most careful people sometimes have password breaches. "I've helped chief privacy officers from health care and security firms," he notes. "If they're getting hit, then anyone is vulnerable." While Holland notes the importance of having a good password, he emphasizes that the most important thing is paying attention to password breach notifications. If you hear that one of your passwords may have been breached, he counsels, change it immediately. And, because many of your accounts may be linked, he notes, it's not a bad idea to change the rest of your passwords as well.

One piece of advice that you don't often hear is to keep on top of software updates. But, Holland argues, updating your operating system, your software, and your security programs is one of the easiest and most important ways to ensure your security. Software companies spend a lot of time and money trying to stay ahead of online intruders -- it only makes sense to take advantage of their work.

Even if you are convinced that your security is state-of-the-art and your password is unbreakable, it never hurts to double-check your most sensitive accounts. Holland suggests regularly checking your bank and credit card statements to ensure that there aren't any inappropriate charges on your accounts. As a side benefit, this is also a great way to catch any unexpected fees that your bank may try to spring on you.

When a breach happens, a fast response can mean the difference between a minor annoyance and a major pain in the neck. With that in mind, Holland suggests talking to your bank about having transaction alerts placed on your account. Every time your account is credited with a transaction over a particular amount -- $50, for example -- your bank will send you an e-mail or text notification. If it's an expected transaction, you can discard the message; if not, you'll be able to respond immediately.

Every year, you are entitled to a free credit report from each of the reporting bureaus. Holland suggests taking advantage of this free service, noting that your credit report is a great way to track your outstanding debts and ensure that nobody is trying to open false accounts in your name. He emphasizes, however, that the best way to get your free report is by going to, not "That site's a scam," he laughs.