The PATRIOT Act significantly broadened the authority of the Federal Bureau of Investigation (FBI) to obtain sensitive, private information about innocent Americans through national security letters (NSLs). This overbroad authority, combined with the FBI’s disrespect for legal boundaries and its seeming inability to self-police, has resulted in the issuance of hundreds of thousands of NSLs, often targeting people two or three times removed from the subjects of investigations. The demonstrated abuse of privacy rights and civil liberties—and the absence of convincing evidence that NSLs are “indispensable tools” in the FBI’s national security investigations—demand serious reconsideration of this authority.8
NSLs are secret demand letters issued without court approval or independent oversight to financial institutions, telecommunications and Internet service providers, and credit agencies to obtain sensitive personal information such as financial records, credit reports, the phone numbers and e-mail addresses with which a person has communicated, and possibly the websites a person visited.9 The PATRIOT Act did not create NSLs, but before that act, only senior FBI officials could authorize their use, and the law required the FBI to certify that there were “specific and articulable facts giving reason to believe” the target of the NSL was an “agent of a foreign power.” Section 505 of the PATRIOT Act removed both of these critical protections. First, and most problematically, it lowered the standard so that the FBI and other government agencies could obtain this sensitive data on the assertion that the information was merely “relevant” to an investigation, even if the person whose records were sought was not suspected of doing anything wrong. Second, it permitted NSLs to be issued by FBI field offices without review by high-level FBI officials.
Three Department of Justice Inspector General (DOJ/OIG) reports later confirmed pervasive FBI mismanagement and misuse and abuse of these PATRIOT Act–expanded authorities. And documents released pursuant to an American Civil Liberties Union (ACLU) Freedom of Information Act (FOIA) request revealed that the FBI also helped the Department of Defense (DOD) circumvent the restrictions Congress placed on its use of NSLs by issuing FBI NSLs for DOD investigations.
In 2007, the IG told the House Judiciary Committee that the FBI may have violated the law or government policies through the issuance of NSLs as many as 3,000 times since 2003, including as many as 600 “cases of serious misconduct.”10 An internal FBI NSL review conducted after the 2007 IG audit identified violations of law or intelligence policy that should have been reported to the President’s Intelligence Oversight Board in 9.43 percent of the NSL files examined, but the 2008 IG audit reexamined these files and found three times as many violations as the FBI did.11
The IG audits also confirmed that 40,000 to 50,000 NSLs were issued every year during the mid-2000s, and, in 2006, a majority of them were directed against U.S. persons.12 This type of broad, suspicionless collection of private data about innocent Americans is the logical result of destroying the requirement of a factual nexus between an NSL and terrorist activity. And permitting the NSLs to be issued at the field office level removed the opportunity for centralized administrative oversight, making abuse more likely to occur, and less likely to be discovered by FBI managers.
With no internal controls and with complete disregard for the law, FBI agents soon ignored the minimal process involved in issuing NSLs and instead issued so-called “exigent letters,” falsely claiming emergencies to obtain records without legal process.13 These illegal requests—sometimes just a phone number written on a Post-it® note—were often given to the telecommunications companies with the promise that an NSL or grand jury subpoena would follow, but more often than not these promises went unfulfilled. Some agents found even Post-it notes too burdensome and instead asked company employees to just pull up a person’s phone records so they could look over their shoulder to see whether a formal request such as an NSL was worthwhile.
There are also demonstrated problems with how the FBI handles data it receives in response to an NSL. Rather than using NSLs as investigative tools, as Congress clearly intended by only allowing them to be used when the information sought was relevant to an ongoing investigation, the FBI was using NSLs for mass data collection. The IG found FBI agents often carelessly uploaded information produced in response to NSLs into FBI databases without reviewing it to evaluate its importance to the investigation or even to ensure the proper data was received. As a result, information received in error was improperly retained and illegally shared throughout the Intelligence Community.
The IG detailed several incidents where the FBI collected private information regarding innocent people not relevant to any authorized investigation, entered it into FBI case files, and/or uploaded it into FBI databases simply because the FBI agents requested records for the wrong phone numbers or for the wrong time periods. In two other incidents, information for individuals not relevant to FBI investigations was uploaded into FBI databases, even though the FBI case agent had written on the face of the documents: “Individual account records not relevant to this matter. New subscriber not related to subject. Don’t upload.”14 Similarly, agents consistently failed to report or recognize when they received information from NSL recipients that was beyond the scope of the NSL request.15 Agents self-reported the overproduction of unauthorized information in only four of the 557 instances the IG identified.
Congress foresaw some of these information-sharing and accuracy problems. In 2006, Congress voted to reauthorize other portions of the PATRIOT Act that were scheduled to expire. That legislation required the Attorney General and Director of National Intelligence to study whether minimization requirements were feasible in the context of NSLs. The report was due in February of 2007, and to date there is still no public information confirming that this report was ever sent to Congress, or even written. However, during the PATRIOT reauthorization efforts of 2009–2011, members of Congress did state that some type of internal minimization procedures were voluntarily adopted. Without public oversight, the effectiveness of these internal procedures in protecting the rights of innocent Americans remains in doubt. As the NSL saga reveals, internal controls unchecked by independent oversight are insufficient to prevent abuse.
In addition to the overbroad scope of NSLs, there are constitutional problems with the non-disclosure or “gag orders” that accompany the overwhelming majority of NSLs. NSLs generally contain language prohibiting recipients from telling anyone besides a lawyer or the people necessary to comply with the NSL that they received it, much less what it requested. Because the letters go to the service provider, bank, or other third-party record holder, the target of the NSL—the individual whose records are sought or obtained—is never notified of the NSL or told that sensitive, personal information was disclosed.
The ACLU successfully challenged the constitutionality of the PATRIOT Act’s original gag provisions, which imposed a categorical non-disclosure order on every NSL recipient.16 In response, in 2006, Congress limited these gag orders to situations in which an FBI special agent in charge certifies that disclosure of the NSL request might result in danger to the national security, interference with an FBI investigation, or danger to any person.17 Despite these revisions, the 2008 IG audit revealed that 97 percent of the NSLs issued by the FBI for the remainder of 2006 incorporated gag orders18 The ACLU challenged the gag order as rewritten and won again. The Second Circuit in Doe v. Holder held the gag unconstitutional because it put the burden on the recipient to prove that lifting the gag would not harm national security.19 To be consistent with the First Amendment, the court shifted the onus to the government to demonstrate to a court a risk to national security whenever an NSL recipient notified the government that he or she wanted to challenge the gag. While the Obama administration testified before Congress that it was implementing its gag orders consistent with this opinion, there is no public information to support this claim. The ACLU filed a Freedom of Information Act (FOIA) request to obtain more information.
The administration and Congress are not done with NSLs. In 2010, the Obama administration secretly requested that Congress expand its authority to collect a broad, undefined category of information called “electronic communication transactional records,” which would allow the FBI to collect sensitive data, such as Internet use records, with NSLs. Despite debating the reauthorization of the PATRIOT Act off and on for two years from 2009 to 2011, the administration never once asked for this authority publicly, thereby preventing any meaningful debate about such a substantial expansion of authority.
Expanding the scope of NSLs is the last thing Congress should be considering as the executive branch’s unilateral judgment of when and whether to gather this type of First Amendment–sensitive information is already suspect. The IG’s 2008 audit included an episode in which the FBI applied to the Foreign Intelligence Surveillance Act (FISA) court for a Section 215 order,20 only to be denied on First Amendment grounds. Section 215 orders are sought to obtain any tangible things relevant to a foreign intelligence investigation, including the records that can be obtained using an NSL. However, Section 215 orders require judicial approval and NSLs do not. In the cited example, the FISA court denied the FBI’s request for this order twice, finding that “the facts were too ‘thin’ and [the] request implicated the target’s First Amendment rights.”21 Rather than reevaluating the underlying investigation based on the court’s constitutional concerns, the FBI circumvented the court’s authority and continued the investigation anyway, using the broader unchecked authority provided in the NSL statutes in issuing three NSLs that were predicated on the same information contained in the unconstitutional Section 215 application.22 We also know from one of the few unmasked NSL recipients that NSLs have been used to collect sensitive First Amendment activity in the past. Our client Doe—now publicly identified as Nick Merrill, the former operator of a small Internet service provider— believes that his NSL targeted someone because of his or her political speech on the Internet.
Ultimately, the NSL statute must be amended. While some of the management issues uncovered by Inspector General audits in the late 2000s may have been addressed, the fundamental problem remains the FBI’s overbroad authority to obtain sensitive information relating to innocent people unilaterally without court review and without demonstrating any nexus to terrorism. This imprudently low standard remains an open door to abuse.
8. DEP’T OF JUSTICE, OFFICE OF INSPECTOR GENERAL, A REVIEW OF THE FBI’S USE OF NATIONAL SECURITY LETTERS: ASSESSMENT OF CORRECTIVE ACTIONS AND EXAMINATION OF NSL USAGE IN 2006, at 114 (Mar. 2008), available at http://www.usdoj.gov/oig/special/s0803b/final.pdf [hereinafter 2008 NSL Report].
9. The four NSL authorizing statutes are the Electronic Communications Privacy Act, 18 U.S.C. § 2709 (2010); Right to Financial Privacy Act, 12 U.S.C. §3405 (2010); Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (2010); and National Security Act of 1947, 50 U.S.C. § 436(a)(1) (2010).
10. R. Jeffrey Smith, FBI Violations May Number 3,000, Official Says, WASH. POST, Mar. 21, 2007, available at http://www.washingtonpost.com/wp-dyn/content/article/2007/03/20/AR2007032000921.html.
12. Between 2003 and 2006, the FBI issued a total of 192,499 NSLs. In 2003, the FBI issued 39,346 NSLs; in 2004, it issued 56,507 NSLs; in 2005, it issued 47,221 NSLs; and in 2006, it issued 49,425 NSLs. 2008 NSL Report, supra note 1, at 110. In 2006, the last year for which complete NSL numbers are available, 57% of NSLs were issued to collect information on U.S. persons. Id. at 111.
13. 2008 NSL Report, supra note 1, at 86–97 (Mar. 2008).
14. Id. at 97 n.76.
15. Id. at 99 n. 1.
16. See Doe v. Gonzales, 500 F. Supp. 2d 379 (S.D.N.Y. 2007); Doe v. Gonzales, 386 F. Supp. 2d 66 (D. Conn. 2005); Doe v. Ashcroft, 334 F. Supp. 2d471 (S.D.N.Y. 2004); PIRA, Pub. L. No. 109-177, 120 Stat. 195 (2006); USA PATRIOT Act Additional Reauthorizing Amendments Act of 2006 (ARAA), Pub. L. No. 109-178, 120 Stat. 278 (2006).
17. Electronic Communications Privacy Act, 18 U.S.C. § 2709 (2006).
18. 2008 NSL Report, supra note 1, at 127.
19. John Doe, Inc. v. Mukasey, 549 F.3d 861, 884 (2d Cir. 2008).
20. Section 215 of the PATRIOT Act allows the FBI to order any person or entity to turn over “any tangible things,” so long as the FBI “specif[ies] that the order is ‘for an authorized investigation . . . to protect against international terrorism or clandestine intelligence activities.’” Section 215 does not require the FBI to show probable cause or reasonable grounds to believe that the person whose records it seeks is engaged in criminal activity, or that the target is a foreign power or an agent of a foreign power.
21. DEP’T OF JUSTICE, OFFICE OF INSPECTOR GENERAL, A REVIEW OF THE FBI’S USE
OF SECTION 215 ORDERS FOR BUSINESS RECORDS IN 2006, at 68 (March 2008), available
22. Id. at 72.