By Kim Zetter | Wired | Mar. 14, 2012
Sometime earlier this year, a provider of communication services in the United States – perhaps a phone company, perhaps Twitter – got a letter from the FBI demanding it turn over information on one, or possibly even hundreds, of its customers. The letter instructed the company to never disclose the existence of the demand to anyone – in particular, the target of the investigation.
This sort of letter is not uncommon post-9/11 and with the passage of the U.S. Patriot Act, which gave the FBI increased authority to issue so-called National Security Letters (NSLs). In 2010, the FBI sent more than 24,000 NSLs to ISPs and other companies, seeking information on more than 14,000 individuals in the U.S.
The public heard about none of these letters.
But this time, the company that received the request pushed back. It told the agency that it wanted to tell its customer that he or she was being targeted, which would give the customer a chance to fight the request in court, as a group of Twitter users did last year when the Justice Department sought their records under a different kind of request. The minor defiance in this latest case was enough to land the NSL request in a federal court docket last Friday, where the government filed a request for a court order to force the company to adhere to the gag order.
In its petition, the government asserted that disclosure of the fact or contents of its NSL “may endanger the national security of the United States” and urged the court to issue an order binding the company to the nondisclosure provision, or be in violation of federal law and face contempt charges.
Although documents in the case are redacted to hide the identity of the company and the target of the investigation, they shed a little light on how NSLs are working these days, after a few reforms.
National security letters are written demands from the FBI that compel internet service providers, credit companies, financial institutions and others to hand over confidential records about their customers, such as subscriber information, phone numbers and e-mail addresses, websites visited and more. NSLs have been used since the 1980s, but the Patriot Act expanded the kinds of records that could be obtained with them. They do not require court approval, and they come with a built-in gag order.
The public has become aware of only a handful of some 300,000 NSLs handed out over the last decade, and those became public only after the recipients launched legal battles opposing them. As a result of these battles, courts have chipped away at the gag order requirement as a violation of the First Amendment, and internal watchdogs have uncovered some abuses of the FBI’s NSL authority. But the letters are still one of the FBI’s most powerful tools, a tool that is rarely discussed inside or outside Congress these days.
According to documents filed in the U.S. District Court in Alexandria, Virginia, last Friday, the FBI appears to have served the unknown company with an NSL sometime around the end of January seeking information about a customer or customers.
The company, identified only as a corporation “with employees dispersed across the world” that offers electronic communication services to customers and account holders, was told to hand over “electronic communications transaction” records of an unidentified target or targets. The NSL specifically excluded the contents of the communications.
The NSL indicated that the company had 10 days to challenge the gag order if it intended to do so. The company did so via fax, and on March 9 the government filed a request for a court order enforcing the gag order. The legal dance is a new feature of NSLs that is the result of hard-fought battles. Before a federal appeals court struck down some of the gag provisions of NSLs, ISPs and other companies that wanted to challenge the orders had to file suit in secret in court – now companies can simply notify the FBI in writing that they oppose the gag order.
The FBI asked the court to uphold the gag order on grounds that disclosure of the NSL would harm national security. According to the government, the information it wants is relevant to an investigation involving “international terrorism or clandestine intelligence activities.” The government also asked that any documents filed in the case, other than its initial redacted request to the court, be sealed. On Tuesday, the court issued an order granting the motion to seal records, and also issued another sealed order whose contents are unknown.
The FBI did not respond to a call seeking comment.
NSLs are a powerful tool because an FBI agent looking into a possible anti-terrorism case can essentially self-issue the NSL to a credit bureau, ISP or phone company with only the sign-off of the Special Agent in Charge of their office. The FBI has to merely assert that the information is “relevant” to an investigation.
[Chart: Number of NSLs Issued by the FBI. Source: DoJ reports]
The gag orders raise the possibility for extensive abuse of NSLs, under the cover of secrecy. In fact, in 2007, a Justice Department Inspector General audit found that the FBI, which issued almost 200,000 NSLs between 2003 and 2006, had indeed abused its authority and misused NSLs.
The inspector general found that the FBI evaded limits on (and sometimes illegally issued) NSLs to obtain phone, e-mail and financial information on American citizens, and that it had also underreported the use of NSLs to Congress. In 2006 alone, the FBI issued more than 49,000 NSLs, but that number dropped dramatically to 16,804 in 2007 following the inspector general’s report. After the Justice Department claimed it instituted reforms to address the legal lapses, the number of NSLs issued increased to 24,744 in 2008. In 2010, the most recent year for which statistics are available, the FBI issued 24,287 NSLs.
Two cases helped shine a light on the real-world uses of NSLs. In 2007 the Internet Archive challenged an NSL it received seeking information about one of the online library’s registered users. The Electronic Frontier Foundation challenged the constitutionality of the NSL, which ultimately resulted in the FBI rescinding the NSL and agreeing to unseal the records in the court battle. It was the first extensive look the public got at the nature of the NSL process.
In 2010, Nicholas Merrill won a six-year battle to lift a gag order in relation to an NSL that he received in 2004 when he was owner of a small ISP called Calyx Internet Access. The NSL was very broad and listed 16 categories of records the FBI was seeking, including e-mail and billing records.
Merrill and the ACLU filed a legal challenge under the name “John Doe,” since they weren’t allowed to identify Merrill or the name of his ISP. The ACLU asserted that customer records were constitutionally protected information.
“Internet users do not give up their privacy rights when they log on, and the FBI should not have the power to secretly demand that ISPs turn over constitutionally protected information about their users without a court order,” Merrill told Wired.
In December 2008, the Second Circuit Court of Appeals ruled that some of the gag provisions in NSLs were unconstitutional — in part because they limited judicial review of the gag orders and forced courts to defer to the government’s assertions about the necessity of a gag order, and in part because they thwarted the ability of recipients to challenge the gag order. The case was sent back to the U.S. District Court for the Southern District of New York, forcing the government to justify the constitutionality of the gag order imposed on Merrill.
In June 2009, the government introduced secret evidence to the court to justify continuing the gag order, claiming that if information were revealed about the letter it would harm an ongoing investigation. Merrill and his attorneys were prevented from learning the specifics of the evidence in order to refute it. The government was then ordered by the court to produce an unclassified summary of its evidence.
The ACLU worked hard to negotiate a partial gag-lift with the government that allowed Merrill to finally identify himself in 2010, while still keeping the details of the NSL he had received secret. In return, Merrill and the ACLU agreed to drop their appeal of the case.
The case helped expose the secrecy around NSLs and resulted in some First Amendment progress for entities receiving such requests — Congress amended the law to allow recipients to challenge NSLs and gag orders, and the FBI must now also prove in court that disclosure of an NSL would harm a national security case.
But it’s unclear in practice if that process has led to fewer gag orders on U.S. citizens, and better protection of civil liberties, or if it has just led to more court filings.