Update June 22, 2016: The Senate failed to pass an amendment to expand the FBI's National Security Letter powers and to make the "lone wolf" provision of the Patriot Act permanent; however, the amendment will probably be voted on again soon. Senate Majority Leader Mitch McConnell switched his vote to "No" at the last minute so that he may be able to bring up the amendment during future debate. The amendment was included as part of the Commerce, Justice, Science and Related Agencies Appropriations Act, which will have a final vote on the Senate floor later this week. Tell your Senators to Vote NO on the amendment.
The controversial National Security Letter (NSL) statute could be significantly expanded under two separate bills currently being debated by the Senate. Every year, the FBI issues thousands of NSLs to telephone and Internet companies, demanding records about their customers and gagging the companies from informing the public about these requests. NSLs are inherently dangerous to civil liberties because their use is rarely subject to judicial review. But NSLs are not magic, and they don’t require recipients to do whatever the FBI says. Above all, the type of information available to the FBI with an NSL is quite limited, reflecting the need to tightly control the extrajudicial nature of this controversial power.
The Senate’s proposed changes would allow the FBI to get a much larger range of Internet records, such as email to/from headers, Internet browsing history, and more, all of which it could not previously get with an NSL. Particularly given the FBI’s well-documented history of abusing NSLs, EFF opposes expanding the scope of this unconstitutional surveillance power to include even more revealing records. Yesterday we joined with a broad coalition of organizations and companies to urge the Senate not to pass these proposals.
Does Congress Need an NSL Autocorrect?
Amending a surveillance law to let the FBI issue warrantless demands for new types of Internet users’ records—without even needing to go before a judge—is a significant expansion of that law. But to hear FBI Director James Comey explain it, the bills amount to a mere “typo fix.” That’s because the FBI thinks it was already entitled to get these records using NSLs, and Congress simply messed up when it drafted the law. The problem with this theory? The Justice Department’s Office of Legal Counsel, which issues definitive interpretations of the law for the rest of the executive branch, looked at the issue in 2008 and concluded the FBI was flat wrong [.pdf].
As currently written, the NSL statute describes the types of companies who can be issued NSLs—“wire or electronic communication service providers”—and the limited types of records that the FBI can request from those companies about their customers—“name, address, length of service, and local and long distance toll billing records.” We don’t think about toll billing records much in these days of vanishing landlines and unlimited talk and text, but they are simply records kept by telephone companies of their customers’ calls for billing purposes. The law also says that companies must “comply with a request for” something called “electronic communication transactional records” (ECTRs). Unhelpfully, the law doesn’t say what ECTRs are, though the legislative history suggests it was not intended as an expansion of NSLs. (In case you were wondering, it’s common to pronounce ECTR to rhyme with “nectar.”)
A History of Abuse, in Secret
Because nearly all NSLs are accompanied by self-certified gag orders signed by the FBI, it’s supremely hard for the public to get clear information about them. The ECTR question is no different. Despite the hundreds of thousands of NSLs issued since 2001, the public has seen only a handful.
One exception is the NSL issued in 2004 to Nicholas Merrill, who ran a small ISP called Calyx. There, the FBI interpreted the law to allow it to request a lot more than the basic info about Calyx’s subscriber; it asked for assigned IP addresses and an essentially unbounded amount of “other information else you consider to be an” ECTR. Merrill fought this NSL for over a decade, before it was finally unsealed in full last year. The judge in that case noted [.pdf] that one key piece of evidence in this unsealing was a Justice Department manual claiming that the FBI could get even more information, including URL browsing history, email headers and even cell phone location data.
It should go without saying that the information that the FBI thought it could request is extremely revealing—it’s not “just metadata.” For example, URLs may reveal the content of a website that users have visited, their location, and so on.
What is also clear is that the FBI viewed the statute’s list of information available using NSLs as more of a loose guideline than an exhaustive list. This was a boom time for the FBI’s use of NSLs—the Bureau sent out 56,507 in 2004 alone, and we know that many of these NSLs were issued improperly. It’s no stretch to guess that these tens of thousands of NSLs included requests for revealing ECTRs under the FBI’s expansive and erroneous definition, as well as other information not named in the law, all without any prior judicial oversight.
A Huge Expansion, Not a Typo
In 2008, however, the Office of Legal Counsel finally weighed in and seemingly put a stop to this particular form of NSL abuse. According to the OLC’s memo [.pdf], the limited list of information in the statute is truly exhaustive, and the stray reference to ECTRs simply allowed the FBI to issue NSLs to entities other than telephone companies and request only “information parallel to subscriber information and toll billing records for ordinary telephone service.”
But the FBI wasn’t happy with this decision. According to testimony by a Justice Department official from 2011, other sections of DOJ concluded the FBI could request IP addresses and “other non-content information” considered ECTRs. We also know that the FBI continued to demand ECTR information from Internet companies, like an unnamed client of EFF’s [.pdf] and Yahoo, which last week published an NSL it received in 2013. Some Internet companies refused, but ubiquitous NSL gags prevented them from talking about their responses to specific NSLs.
Since the FBI was caught misusing NSLs to collect revealing ECTR information, it has been pushing to rewrite the statute and expand its authority under the guise of fixing a so-called typo. The Senate is considering two proposals that would give the FBI what it wants. The first [.pdf] was proposed by Senator Cornyn as an amendment to the Email Privacy Act, and along with several other controversial amendments, it threatens to hold up the Senate’s consideration of a bill that passed unanimously out of the House. If that weren’t bad enough, the second ECTR change was included as part of a secret Intelligence Committee Authorization bill already passed out of committee. The public wouldn’t even know about this proposal if it not for a press release by the tireless Senator Ron Wyden.
Meanwhile, EFF is fighting on in its lawsuit on behalf of two unnamed NSL recipients, arguing that the NSL gag orders are unconstitutional. After a disappointing ruling in the district court, we’re headed back to the Ninth Circuit Court of Appeals later this summer. Even when they're used as the law specifies, NSLs allow the FBI to operate in secret, obtaining information and gagging recipients without any court oversight in the overwhelming majority of cases.
In light of the FBI’s ability to use NSLs out of the public view and without a judge to evaluate its interpretation of the law, the information that the agency can obtain with an NSL must be very tightly controlled. Far from a simple “fix,” the Senate proposals to include of a wide variety of electronic records under the NSLs represent a very worrying expansion of the FBI's surveillance authority.
National Security Letters are a dangerous and unconstitutional power as is. This expansion must be rejected.