We must disclose information, when requested, to comply with court orders or subpoenas. We will also share information when necessary to prevent unlawful use of communications services, when necessary to repair network outages, and when a customer dials 911 and information regarding their location is transmitted to a public safety agency.
Notice that second sentence that says "We will also share" ... the key word there is will. This continues as "information when necessary to prevent unlawful use of communications services." This is at AT&T's discretion. It could be easily argued that sharing this data is necessary to prevent unlawful use of communications services. What does this mean? This means that as a customer of AT&T, according to this policy, you have -*given*- AT&T permission to share the data. It says they will share information.
And if that's not enough, read the ruling in Smith v. Maryland 1979, US Supreme Court:
The installation and use of the pen register was not a "search" within the meaning of the Fourth Amendment, and hence no warrant was required. Pp. 739-746.
(a) Application of the Fourth Amendment depends on whether the person invoking its protection can claim a "legitimate expectation of privacy" that has been invaded by government action. This inquiry normally embraces two questions: first, whether the individual has exhibited an actual (subjective) expectation of privacy; and second, whether his expectation is one that society is prepared to recognize as "reasonable." Katz v. United States, 389 U.S. 347 . Pp. 739-741.
(b) Petitioner in all probability entertained no actual expectation of privacy in the phone numbers he dialed, and even if he did, his expectation was not "legitimate." First, it is doubtful that telephone users in general have any expectation of privacy regarding the numbers they dial, since they typically know that they must convey phone numbers to the telephone company and that the company has facilities for recording this information and does in fact record it for various legitimate business purposes. And petitioner did not demonstrate an expectation of privacy merely by using his home phone rather than some other phone, since his conduct, although perhaps calculated to keep the contents of his conversation private, was not calculated to preserve the privacy of the number he dialed. Second, even if petitioner did harbor some subjective expectation of privacy, this expectation was not one that society is prepared to recognize as "reasonable." When petitioner voluntarily conveyed numerical information to the phone company and "exposed" that information to its equipment in the normal course of business, he assumed the risk that the company would reveal the information [442 U.S. 735, 736] to the police, cf. United States v. Miller, 425 U.S. 435 . Pp. 741-746.
Given the fact that the details of the NSA program leaked thus far contain -*less*- data than gathered in the case above, I don't see an argument against it's legality prevailing in a court of law.
Am I missing something here? This seems way too simple.