ECPA: National Security Letters &
Congress authorized the FBI to gain individual's transactional records and subscriber records from communications service providers pursuant to 18 USC § 2709, known as National Security Letters. The information sought may include subscriber information, toll billing records information, or transactional records. The information sought must be "relevant" to an authorized investigation. "to protect against international terrorism or clandestine intelligence activities."
Similar NSL provisions can be found in the Right to Financial Privacy Act, the National Securities Act (whistle blowers) and the Fair Credit Reporting Act.
Pursuant to Patriot Act amendments, the information in question need not pertain to a foreign power or agent of a foreign power - but the NSL request must "be relevant to an investigation to protect against international terrorism or foreign spying." [CRS p. 4 2009]
During the period covered by our review, the ECPA and Attorney General's Guidelines for FBI National Security Investigations and Foreign Intelligence Collection (NSI Guidelines) authorized the use of national security letters (NSL) only during investigations of international terrorism or espionage upon the written request of a Special Agent in Charge or other specially delegated senior FBI official. In order to open such investigations, the FBI must satisfy certain evidentiary thresholds, which are documented in FBI case files and approved by supervisors. If case agents want to issue NSLs. FBI policies require a 4-step approval process. Case agents must secure the approval of the case agent's supervisor, an Assistant Special Agent in Charge, the field office's Chief Division Counsel, and the Special Agent in Charge (or equivalent supervisors and attorneys at FBI Headquarters) who signs the NSL. FBI personnel authorized to sign NSLs are all members of the Senior Executive Service. [FBI OIG 2010, p. 10]
The FBI initiated a short cut to NSLs known as Exigent Letters which were to be used in emergencies.
"Both USA PATRIOT Act reauthorization statutes—P.L. 109-177(H.R. 3199) and P.L. 109-178 (S. 2271)—amended each of the NSL statutes. They
- created a judicial enforcement mechanism and a judicial review procedure for both the requests and accompanying nondisclosure requirements;
- established specific penalties for failure to comply or to observe the nondisclosure requirements;
- made it clear that the nondisclosure requirements did not preclude a recipient from consulting an attorney;
- provided a process to ease the nondisclosure requirement;
- expanded congressional oversight;
- called for an Inspector General’s audit of use of the authority."
NSLs contain a Gag Rule provision. 18 USC § 2709(c). Sec. 2709 was amended to clarify the gag rule, including that the recipient of an NSL can consult their attorney. "A breach of a confidentiality requirement committed knowingly and with the intent to obstruct an investigation or related judicial proceedings is punishable by imprisonment for not more than five years and/or a fine of not more than $250,000 (not more than $500,000 for an organization)." [CRS p. 4 2009]
According to the Congressional Research Service: "In addition to authority to review and set aside NSL nondisclosure requirements, the federal courts also enjoy jurisdiction to review and enforce the underlying NSL requests. Recipients may petition and be granted an order modifying or setting aside an NSL, if the court finds that compliance would be unreasonable, oppressive, or otherwise unlawful.72 Subpoenas issued under the Federal Rules of Criminal Procedure may be modified or quashed if compliance would be unreasonable or oppressive.73 The Rule affords protection against undue burdens and protects privileged communications.74 Compliance with a particular NSL might be unduly burdensome in some situations, but the circumstances under which NSLs are used suggest few federally recognized privileges. The Rule also imposes a relevancy requirement, but in the context of an investigation a motion to quash will be denied unless it can be shown that "there is no reasonable possibility that the category of materials the Government seeks will produce information relevant" to the investigation.75 The authority to modify or set aside a NSL that is unlawful affords the court an opportunity to determine whether the NSL in question complies with the statutory provisions under which it was issued. On the other hand, the court's authority may be invoked to enforce the NSL against a recalcitrant recipient and failure to comply thereafter is punishable as contempt of court.76
72 28 U.S.C. 3511.
73 F.R.Crim.P. 17(c)(2).
74 2 WRIGHT, FEDERAL PRACTICE AND PROCEDURE §275 (Crim. 3d ed. 2000).
75 United States v. R. Enterprises, Inc., 498 U.S. 292, 301 (1991).
76 28 U.S.C. 3511(c)." [CRS p. 10 2009]
The use of NSL and Exigent Letters have been the subject of lawsuits and three FBI Office of the Inspector General Reports.
ECPA prohibits government access to customer communications records (transaction records) except where the government has a grand jury subpoena or an NSL.
After 9/11, in emergency (exigent) circumstances, the NY FBI Office adopted a practice which has come to be known as exigent letters. In 2003, this practice was adopted by FBI HQ. The FBI would provide an exigent letter to one of three cooperating telephone carriers, which would be followed up by a subpoena. The FBI Communications Analysis Unit issued a memo in 2003 describing exigent letters as follows:
Through liaison developed by the unit, in exigent circumstances the CAU is able to obtain specialized toll records information for international and domestic numbers which are linked to subjects of pending terrorism investigations. Appropriate legal authority (grand jury subpoena or NSL) must follow these requests. [Memo 2003]
An FBI OIG has issued three reports reviewing the use of exigent letters and has concluded
[B]y using exigent letters to acquire information from three communications service providers prior to serving NSLs or other legal process, the FBI circumvented the requirements of the Electron Communications Privacy Act (ECPA) NSL statute and violated the Attorney General's Guidelines for FBI National Security Investigations and Foreign Intelligence Collection (NSI Guidelines), and internal FBI policy. [OIG Report 2010 p 2]
No authority, not ECPA or internal guidelines authorized using this shortcut with the promise of "legal process to follow." [OIG Report 2010 p 11]
- The events in question involve more than 2000 records and span 2002 - 2006
- at least 739 exigent letters between 2003 and 2005. [OIG Report 2010 p 2]
- Exigent letters were authorized (signed) by the FBI Counterterrorism Division's Communication Exploitation Section who were not authorized to sign NSLs [OIG Report 2010 p 2]
- The emergencies used to justify the letters were not emergencies.
- "exigent letters were sometimes used in non-exigent circumstances" [OIG Report 2010 p 2]
- "While almost all exigent letters stated that subpoenas requesting the information had been submitted to a US Attorney's Office and would be served on the providers, in fact subpoenas were not issued in many instances and in other instances had not been requested." [OIG Report 2010 p 2]
- The phone comanies complied with the requests initially but began to push back on the requests that had not been backed by legal authority. The carriers were concerned about legal liability.
- Email from Patrice Kopistansky, to Bassem Youssef (Apr. 26, 2005) (stating that "the phone company reps are trying to be helpful, so they apparently are taking minimal process in order to assist us.")
- [Wash Post Jan. 19, 2010]
- In 2003 FBI entered into a contract with Company A where Company A colocated a Company A employee at the FBI CAU (Communications Analysis Unit) office.The FBI also entered into a contract with Company C in 2003 and with Company B in 2004 to colocate. [OIG Report 2010 p 16]
- "Under FBI internal policy, as operational support components, neither the CXS nor CAU could initiate national security investigations or sign NSLs" [OIG Report 2010 p 16]
- FBI staff began to alert superiors concerning the problems.
- Email from Patrice Kopistansky, to Bassem Youssef (Apr. 26, 2005) (clarifying that exigent letters should not be used in place of Natl Security Letters "when emergencies arent necessarily emergencies")
- FBI attempted to issue Natl Security Letters after the fact in order to comply with the requirements of the exigent letters, but experienced difficulty doing so, in part finding that no investigation was pending as required for a NSL.
- "We also found that the FBI was unable to later establish that some of the exigent letter requests were made in connection with the required open preliminary or full investigations conducted pursuant to the Attorney General's NSI Guidelines or that the records requested were relevant to those investigations." [OIG Report 2010 p 2]
- Email from Patrice Kopistansky to Marion Bowman, CAU Backlogs of NSLs (Apr. 5, 2005)
- Email from Patrice Kopistansky to Glenn T. Rogers, New NSL (Feb. 8, 2005) (declining to issue a NSL because no pending investigation could be identified)
- Email from Patrice Kopistansky to Marion Bowman, Julie Thomas, CAU Backlog of NSLs (Mar. 11, 2005) (commenting on difficulty of getting NSLs issued due to lack of pending investigations tied to the NSLs)
- Email from Patrice Kopistansky to Julie Thomas, CAU Backlog of NSLs (Apr. 12, 2005) (commenting on the inability to issue NSL without generic pending investigations).
- FBI staff began to push back on issuing exigent letters that were not based on emergencies.
- Email from Bassem Youssef, to [Redacted], Emergency NSLs (Apr. 27, 2005) ("We all need to differentiate between what is an exigent request and what is not.")
- FBI did not direct that the practice cease until 2007 when OIG issued its first report. [OIG Report 2010 p 2]
EFF: "News reports in December 2005 first revealed that the National Security Agency (NSA) has been intercepting Americans' phone calls and Internet communications. Those news reports, plus a USA Today story in May 2006 and the statements of several members of Congress, revealed that the NSA is also receiving wholesale copies of their telephone and other communications records. All of these surveillance activities are in violation of the privacy safeguards established by Congress and the U.S. Constitution.
The evidence also shows that the government did not act alone. EFF has obtained whistleblower evidence [PDF] from former AT&T technician Mark Klein showing that AT&T is cooperating with the illegal surveillance. The undisputed documents show that AT&T installed a fiberoptic splitter at its facility at 611 Folsom Street in San Francisco that makes copies of all emails, web browsing, and other Internet traffic to and from AT&T customers, and provides those copies to the NSA. This copying includes both domestic and international Internet activities of AT&T customers. As one expert observed, "this isn't a wiretap, it's a country-tap."
EFF is fighting these illegal activities on multiple fronts. In Hepting v. AT&T , EFF filed the first case against a telecom for violating its customers' privacy. In addition, EFF is representing victims of the illegal surveillance program in Jewel v. NSA , a lawsuit filed in September 2008 against the government seeking to stop the warrantless wiretapping and hold the government officials behind the program accountable." EFF NSA Spying
Law: 18 USC § 2709
(a) A wire or electronic communication service provider shall comply with a request for subscriber information and toll billing records information, or electronic communication transactional records in its custody or possession made by the Director of the Federal Bureau of Investigation under subsection (b) of this section.
(b) Required Certification.- The Director of the Federal Bureau of Investigation, or his designee in a position not lower than Deputy Assistant Director at Bureau headquarters or a Special Agent in Charge in a Bureau field office designated by the Director, may-
(1) request the name, address, length of service, and local and long distance toll billing records of a person or entity if the Director (or his designee) certifies in writing to the wire or electronic communication service provider to which the request is made that the name, address, length of service, and toll billing records sought are relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities, provided that such an investigation of a United States person is not conducted solely on the basis of activities protected by the first amendment to the Constitution of the United States; and
(2) request the name, address, and length of service of a person or entity if the Director (or his designee) certifies in writing to the wire or electronic communication service provider to which the request is made that the information sought is relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities, provided that such an investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution of the United States.
(c) Prohibition of Certain Disclosure.-
(1) If the Director of the Federal Bureau of Investigation, or his designee in a position not lower than Deputy Assistant Director at Bureau headquarters or a Special Agent in Charge in a Bureau field office designated by the Director, certifies that otherwise there may result a danger to the national security of the United States, interference with a criminal, counterterrorism, or counterintelligence investigation, interference with diplomatic relations, or danger to the life or physical safety of any person, no wire or electronic communications service provider, or officer, employee, or agent thereof, shall disclose to any person (other than those to whom such disclosure is necessary to comply with the request or an attorney to obtain legal advice or legal assistance with respect to the request) that the Federal Bureau of Investigation has sought or obtained access to information or records under this section.
(2) The request shall notify the person or entity to whom the request is directed of the nondisclosure requirement under paragraph (1).
(3) Any recipient disclosing to those persons necessary to comply with the request or to an attorney to obtain legal advice or legal assistance with respect to the request shall inform such person of any applicable nondisclosure requirement. Any person who receives a disclosure under this subsection shall be subject to the same prohibitions on disclosure under paragraph (1).
(4) At the request of the Director of the Federal Bureau of Investigation or the designee of the Director, any person making or intending to make a disclosure under this section shall identify to the Director or such designee the person to whom such disclosure will be made or to whom such disclosure was made prior to the request, except that nothing in this section shall require a person to inform the Director or such designee of the identity of an attorney to whom disclosure was made or will be made to obtain legal advice or legal assistance with respect to the request under subsection (a).
(d) Dissemination by Bureau.- The Federal Bureau of Investigation may disseminate information and records obtained under this section only as provided in guidelines approved by the Attorney General for foreign intelligence collection and foreign counterintelligence investigations conducted by the Federal Bureau of Investigation, and, with respect to dissemination to an agency of the United States, only if such information is clearly relevant to the authorized responsibilities of such agency.
(e) Requirement That Certain Congressional Bodies Be Informed.- On a semiannual basis the Director of the Federal Bureau of Investigation shall fully inform the Permanent Select Committee on Intelligence of the House of Representatives and the Select Committee on Intelligence of the Senate, and the Committee on the Judiciary of the House of Representatives and the Committee on the Judiciary of the Senate, concerning all requests made under subsection (b) of this section.
(f) Libraries.- A library (as that term is defined in section 213(1) of the Library Services and Technology Act ( 20 U.S.C. 9122 (1) ), the services of which include access to the Internet, books, journals, magazines, newspapers, or other similar forms of communication in print or digitally by patrons for their use, review, examination, or circulation, is not a wire or electronic communication service provider for purposes of this section, unless the library is providing the services defined in section 2510 (15) ("electronic communication service") of this title.
- Patriot Act
- Patriot Reauthorization Act
- FBI Documents
- Memo from Counterterrorism CAS/CAU/Room 4944 to All Divisions, Communications Analysis Unit; Counterterrorism Program Matters Synopsis: (U) Review of the mission of the Communications Analysis Unite (sic) and a description of the services the unit provides (Jan. 6, 2003)
- Govt Reports
- A Review of the FBI's Use of Exigent Letters and other Information Requests for Telephone Records, Office of the Inspector General, Oversight and Review Division (Jan. 2010)
- Charles Doyle, National Security Letters in Foreign Intelligence Investigations: A Glimpse of the Legal Background and Recent Amendments, Congressional Research Service (Sept. 8, 2009) Full Report
- A Review of the FBI's Use of National Security Letters: Assessment of Corrective Actions and Examination of NSL Usage in 2006, Special Report, March 2008
- "The second IG Report reviewed the FBI’s use of national security letter authority during calendar year 2006 and the corrective measures taken following the issuance of the IG’s first report. The second Report concluded that:
- “the FBI’s use of national security letters in 2006 continued the upward trend ... identified ... for the period covering 2003 through 2006”
- “the percentage of NSL requests generated from investigations of U.S. persons continued to increase significantly, from approximately 39% of all NSL requests issued in 2003 to approximately 57% of all NSL requests issued in 2006”
- the FBI and DoJ are committed to correcting the problems identified in IG Report I and “have made significant progress in addressing the need to improve compliance in the FBI’s use of NSLs”
- “it is too early to definitively state whether the new systems and controls developed by the FBI and the Department will eliminate fully the problems with NSLs that we identified,” IG Report II at 8-9. [CRS p. 15 2009]
- Luke O'Brein, AT&T, Verizon: We Obeyed FBI "Emergency" Requests - 739 of them, WIRED (Mar. 21, 2007)
- Kim Zetter, Internet Archive Successfully Fends Off Secret FBI Order, The Intercept (Dec. 1, 2016)
- ACLU back in court over National Security Letters, Ars Technica 9/2/2008
- Judges Question Whether National Security Letters Need To Come With Gag Orders, Techdirt 8/29/2008
- FBI Hid Patriot Act Abuses, Slashdot 3/17/2008
- FBI director acknowledges more surveillance abuses, CNET 3/7/2008
- FBI Gets DS3 Backdoor Into Verizon Wireless Network? - Another whistle-blower exposes surveillance project, dslreports 3/7/2008
- FBI Admits More Privacy Violations, Slahsdot 3/7/2008
- Senators React to Washington Post Report on National Security Letters, EFF 11/8/2005
- New Evidence: PATRIOT Act’s National Security Letters Used to Spy on Vast Number of Innocent Americans, EFF 11/8/2005