FBI Replaced Legal Process with Post-It Notes to Obtain Phone Records
Today, the DOJ's Office of the Inspector General issued a long awaited report on the FBI's use of 'exigent letters' to obtain phone records. While the report has many interesting and shocking revelations, three issues jumped out at us: Post-it note process; a secret new legal theory; and the need for accountability for the telecoms.
Post-it notes. Seriously.
While we had known since 2007 that the FBI improperly sought phone records by falsely asserting emergency circumstances, the report shows the situation inside the FBI's Communications Analysis Unit (CAU) degenerated even further, sometimes replacing legal process with sticky notes.
Employees of three telecoms worked directly out of the CAU office, right next to their FBI colleagues. According to the report, even exigent letters became too much work: an FBI analyst explained that "it's not practical to give the [exigent letter] for every number that comes in." Instead, the telecoms would provide phone records pursuant to verbal requests and even post-it notes with a phone number stuck on the carrier reps' workstations.
At the time, the Electronic Communications Privacy Act allowed a telecom to provide records based on an actual emergency, where the carrier had a "reasonable belief" that "an emergency involving danger of death or serious physical injury to any person requires disclosure without delay." The bare assertion of exigent circumstances in the FBI's letters is not enough to provide the basis for a reasonable belief, let alone a telephone number on a yellow slip of paper.
In March 2006, the relevant ECPA provision was changed from "reasonable belief" to "good faith belief." It appears that the telecoms were worried that the bare assertions in exigent letters were not enough, because they "expressed concern to [Congress] that the [reasonably believes] standard was too difficult for them to meet." However, even after the change, there is no way the telecoms could have formed a good faith belief, when they were never provided any basis to do so.
New Legal Theory to Allow Phone Record Disclosure
The OIG report discusses, in heavily redacted form, discusses a new legal theory that the FBI now asserts allows telecoms to divulge phone records without legal process. Despite the Obama Administration's alleged commitment to openness and transparency, the OIG report redacts the basis for this legal theory, even redacting the statutory section number on which the FBI says it can rely.
According to the report, the DOJ's Office of Legal Counsel issued an opinion agreeing with this theory on January 8, 2010. The DOJ's “Principles to Guide the Office of Legal Counsel” states that “OLC should publicly disclose its written legal opinions in a timely manner, absent strong reasons for delay or nondisclosure.” Nevertheless, the opinion is not publicly available. We urge the Obama Administration to release this memo.
We Need Accountability for AT&T and Verizon
The ECPA is one of the cornerstones of our protection against government overreaching, providing a critical check on the power of government officials. However, since government investigations are typically secret, it only works if the telecoms hold up their end of the bargain, and refuse to violate the law when asked. Instead, one embedded telecom employee opined "it wasn't my place to police the police." This is the opposite of what the law requires.
So how can we have accountability? Rather then call out the telecoms who failed to fulfill their roles as a check on government power, the report is cagey about which telecoms were involved, cryptically referring to Companies A, B and C.
However, it is not hard to figure out the telecoms' identities. In sworn testimony to Congress, right after the initial March 2007 OIG report, FBI General Counsel Valerie Caproni testified that the three companies were AT&T, Verizon and MCI. Verizon later acquired MCI. Caproni confirmed that these were the only companies under contract to provide phone record information to the FBI.
We also know that Company A was AT&T. In 2007, Verizon and AT&T wrote to Congress to explain their role in unlawful spying, including exigent letter. Verizon said it did not have 'community of interest' information. The OIG report says that Companies B and C did not have 'community of interest' information, meaning that B and C were Verizon and its subsidiary MCI, and thus Company A is AT&T.
We urge Congress to investigate both the FBI and telecoms, including asking the hard questions to AT&T and Verizon about their complicity in an illegal program to obtain phone records with post-it notes.
Recent DeepLinks Posts
May 22, 2015
May 22, 2015
May 22, 2015
May 22, 2015
May 22, 2015
- Fair Use and Intellectual Property: Defending the Balance
- Free Speech
- Know Your Rights
- Trade Agreements and Digital Rights
- State-Sponsored Malware
- Abortion Reporting
- Analog Hole
- Anti-Counterfeiting Trade Agreement
- Bloggers' Rights
- Broadcast Flag
- Broadcasting Treaty
- Cell Tracking
- Coders' Rights Project
- Computer Fraud And Abuse Act Reform
- Content Blocking
- Copyright Trolls
- Council of Europe
- Cyber Security Legislation
- Defend Your Right to Repair!
- Defending Digital Voices
- Development Agenda
- Digital Books
- Digital Radio
- Digital Video
- DMCA Rulemaking
- Do Not Track
- E-Voting Rights
- EFF Europe
- Encrypting the Web
- Export Controls
- FAQs for Lodsys Targets
- File Sharing
- Fixing Copyright? The 2013-2015 Copyright Review Process
- Genetic Information Privacy
- Hollywood v. DVD
- How Patents Hinder Innovation (Graphic)
- International Privacy Standards
- Internet Governance Forum
- Law Enforcement Access
- Legislative Solutions for Patent Reform
- Locational Privacy
- Mandatory Data Retention
- Mandatory National IDs and Biometric Databases
- Mass Surveillance Technologies
- Medical Privacy
- National Security and Medical Information
- National Security Letters
- Net Neutrality
- No Downtime for Free Speech
- NSA Spying
- Online Behavioral Tracking
- Open Access
- Open Wireless
- Patent Busting Project
- Patent Trolls
- PATRIOT Act
- Pen Trap
- Policy Analysis
- Public Health Reporting and Hospital Discharge Data
- Reading Accessibility
- Real ID
- Search Engines
- Search Incident to Arrest
- Section 230 of the Communications Decency Act
- Social Networks
- SOPA/PIPA: Internet Blacklist Legislation
- Student and Community Organizing
- Surveillance and Human Rights
- Surveillance Drones
- Terms Of (Ab)Use
- Test Your ISP
- The "Six Strikes" Copyright Surveillance Machine
- The Global Network Initiative
- The Law and Medical Privacy
- Trans-Pacific Partnership Agreement
- Travel Screening
- Trusted Computing
- Video Games