Just what kind of information can the government get with a so-called “national security letter” – the tool that allows investigators to seek financial, phone and Internet data without a judge’s approval?
It’s a secret.
The letters let the Federal Bureau of Investigation get information without going before a judge or grand jury if it’s relevant to a national security investigation. The letters have been around since the 1980s, but their use grew after the Sept. 11, 2001 terrorist attacks and passage of the USA Patriot Act. Tens of thousands of the requests are sent each year, but they are generally subject to strict secrecy orders.
In response to a Freedom of Information Act request by the American Civil Liberties Union, the Justice Department has revealed for the first time templates for each of the types of national security letters it sends – nine in all. Among other things, the letters show that the FBI is now informing people who receive the letters how they can challenge the documents in court.
But some key elements of the letters remain blocked from view – including lists of material the FBI says companies can send in response to the letter.
The most basic requests outlined in the templates are for name, address and length of service for either phone or Internet accounts. The broadest requests seek things such as entire credit reports, Internet activity logs, phone “billing records,” “financial records” or “electronic communications transactional records.”
What exactly do those terms mean? Well, there’s the rub.
A 2008 opinion from the Justice Department’s legal counsel found that the letters could request “only those categories of information parallel to subscriber information and toll billing records for ordinary telephone service.” What exactly counts as “parallel” could be debated.
In several of the templates, the FBI includes a list of specific items that “may be considered” by the companies to be responsive to the requests. The list for phone billing records includes 15 bullet points; there are 13 points on the list for electronic data. The items associated with financial records appear to stretch on for two pages. But we can’t know for sure what is there because it has been redacted.
Some broad outlines are available: Financial records include “any record held by a financial institution pertaining to a customer’s relationship with the financial institution.”
Electronic records involve “transaction/activity logs” and email “header information,” which includes things such as the “to” and “from” lines of a message.
The letters point out that companies aren’t supposed to tell investigators about the content of their customers’ messages; courts have long held that phone conversations and the texts of recent emails are available only with search warrants. The template to get electronic records specifically warns companies not to provide the subject lines of emails for this reason.
Beyond that, it’s unclear.
“There is a growing divide between the government’s and the public’s understanding of the government’s surveillance authority,” said Alexander Abdo, a staff attorney with the ACLU. “To this day, the government refuses to specify what certain surveillance laws—including ‘national security letters’—allow it to collect.”
The government says it seeks only the information it’s allowed to get and must maintain the secrecy of national security letters to avoid tipping off potential terrorists.
“NSLs are integral to determining whether, how, and by whom our nation is being put at risk,” then Acting Assistant Attorney General for National Security Todd Hinnen told a House Judiciary subcommittee last year in written remarks.
The templates disclosed in the ACLU files show how the FBI has changed the letters in response to court rulings and new laws. The gag order that accompanies most of the letters is no longer an “automatic feature,” the FBI says in instructions to agents. To get a secrecy order, the agent must certify that disclosure “may endanger the national security of the United States, interfere with a criminal, counterterrorism, or counterintelligence investigation, interfere with diplomatic relations, or endanger the life of physical safety of a person.”
In all of the letters, the FBI tells the recipient that it can challenge the letter “if compliance would be unreasonable, oppressive, or otherwise unlawful.” It also outlines a process for fighting the nondisclosure order: The company has 10 days to tell the FBI it wants to challenge the gag order, and the FBI says it will then “initiate judicial proceedings” to get a court order to enforce the gag.
In the first two years after the FBI began including this notice in its letters, only a handful of companies challenged the gag orders, the FBI has said.
Many major technology companies have guidelines for handling national security letters, although they cannot confirm or deny ever having received the letters, under the strict secrecy order that accompanies most of the requests. Mr. Hinnen told the subcommittee last year that a “small number of providers” had concluded that the FBI wasn’t entitled to electronic communications transactional records, because the law wasn’t clear.
Companies are reluctant to disclose their specific policies, though. In responses to questions from The Wall Street Journal, Facebook was the only company to say specifically what data it would give out.
“We interpret the national security letter provision as applied to Facebook to require the production of only two categories of information: name and length of service,” said Fred Wolens, a public policy spokesman for the social networking giant.
Other companies were more vague. Google and Twitter both said their companies comply with “valid legal process” and seek to notify users of requests whenever possible. Verizon and AT&T both said they do not comment on national security matters.