The Electronic Communications Privacy Act puts strict limits on when a telecommunications provider can hand over customer data to the government. Section 2702(A)(1) prohibits disclosure of the contents of a communication, and (A)(3) forbids the release of a "record or other information pertaining to a subscriber to or customer" other than the content covered by (A)(1). Thus, sections 2702(A)(1) and (A)(3) compliment one another, and together protect all records about a communication. Absent a specific statutory exception, it is flatly illegal for the telecoms to provide customer information to the government.
So the "community of interest" requests made as part of the "exigent letters" were doubly illegal. We need a new word for this -- what do you call an illegality piled on top of another illegality? Illegal squared?
And it doesn't stop there. Even if those "community of interest" requests had been part of a regular National Security Letter (NSL), they still would have been illegal. ECPA's NSL provision only authorizes the FBI to request "the name, address, length of service, and local and long distance toll billing records of a person" (emphasis added) under specific circumstances. To ask for information about a subject's community of interest, the FBI would have to issue a properly certified NSL for each person in the community. The NSL provision of ECPA (Section 2709) was just declared unconstitutional by a federal judge in a terrific case brought by the ACLU (with EFF amicus support), but even if the statute was still valid, it wouldn't have allowed this.
Most of the "community of interest" letters also formalistically recited that the requests would be followed by formal legal process, envisioning an after-the-fact papering over of the illegality. However, the IG report noted that this follow-up often never happened, and the "FBI was unable to determine whether [National Security Letters] or grand jury subpoenas were issued to cover the exigent letters."
For those keeping score, a grand jury subpoena would not validate the government's request for a "community of interest" either. Section 2703(c)(2) sets forth a detailed list of information the government can obtain from telecoms with a grand jury subpoena, such as the customer's name, address, and means of payment. This list does not include the customer's community of interest.
In short, there is no legal basis for these "community of interest" demands, whether issued as exigent letters, or through an NSL or grand jury subpoena.
This is a sensible rule. Anyone who's played "Six Degrees of Kevin Bacon" or looked over their relationships on a social networking service knows what a wide variety of people can be just a few degrees of separation away. For example, I know people who know Attorney General Gonzales -- but I'd hate to be caught up in an investigation of the soon to be former AG just because I'm two degrees away.
These revelations also underscore the need for substantive oversight that will prevent requests for information that go beyond that allowed by law. After detailing years of abuse in his March report, the Inspector General is continuing to investigate the misuse of exigent letters and National Security Letters. These revelations about the FBI echo those we've all heard about the NSA conducting warrantless wiretaps and dragnet records and content surveillance that went undiscovered for over five years.
The Administration still thinks it can convince the American public to let the FBI and NSA police themselves. In the wake of the Inspector General's report, the FBI has insisted that it can be trusted to fix its own habitual NSL misuse. Asked about "community of interest" letters yesterday, Fran Townsend, the President's homeland security advisor, pointed only to the bare existence of a "privacy and civil liberties officer" and a newly created "compliance unit" at the FBI -- conspicuously avoiding discussion of any outside oversight. The new Protect America Act similarly grants the Attorney General and Director of National Intelligence the right to "certify" broad surveillance techniques with no serious judicial oversight. While the Administration pushes "internal agency audits by the agencies using this authority," the American people can accept no substitutes for independent judgment when freedom is on the line.
External oversight by Congress and the courts is vital to protecting the privacy and security of Americans. The courts have recently started indicating that they are up to the task. The NSL provision was found unconstitutional in the ACLU case was in part because of the extraordinarily deferential review process that would require the Judicial Branch to treat certain Executive certifications "as conclusive unless the court finds that the certification was made in bad faith."
Now that the Executive's abuses of its surveillance and spying powers have come clearly to light, it is unconscionable to allow the watchmen to keep watching themselves. A "privacy and civil liberties officer" in the FBI was not enough to stop the illegal use of exigent circumstance letters to spy on a target's friends of friends, and the deferential review proposed by the Protect America Act will not be enough to prevent the abuse of the law's extraordinary powers.
It's time to Stop the Spying. Please join us.