Among the cache of classified and unclassified documents recently obtained and disclosed by the Intercept, was the US Federal Bureau of Investigation’s (FBI) rules for working with national security letters (NSL). National security letters are one of the most powerful tools for obtaining confidential information and communications available to the FBI because they work almost exactly like a subpoena except they don’t require a judge’s sign-off on a probable-cause warrant, or any judicial oversight of any kind at all. Instead, all that’s needed is a certification by an FBI field office that the information sought is relevant to a counterterrorism investigation. Thousands of NSL’s are issued in secret — and accompanied by gag orders — by the FBI annually.
The documents obtained by the Intercept indicate that the FBI has been using NSLs to “pursue sensitive electronic data and phone records,” information that is not ordinarily subject to a NSL and has been found to be out-of-scope by the US Department of Justice (DOJ). Jena McLaughlin and Cora Currier writing for the Intercept report that these actions “overstep the bureau’s legal authority.”
McLaughlin and Currier report that two of the documents obtained, the 2011 version of the FBI’s main operating manual, the Domestic Investigations and Operations Guide (DIOG), and a partially-redacted document containing current guidelines for using NSLs.
The NSL guidelines document implies that the FBI uses NSLs to demand confidential information on email transactions, something that in 2008 the DOJ’s Office of Legal Counsel specifically told the FBI it does not have the authority to acquire under a NSL. The document also implies that the FBI can use NSLs to “surveil a community of interest” by using a NSL to obtain confidential information from a business about a specific customer’s web of contacts. Under previous inquiry, the FBI was thought to have discontinued this controversial and legally questionable out-of-scope practice. But as McLaughlin and Currier report, “the documents reveal that a secretive unit that mines phone records can still initiate such requests.”
ECPA limits scope of information subject to NSL
In June 2016, proposed legislation — an amendment to the Electronic Communications Privacy Act (ECPA) reform bill — to allow the FBI to use NSLs to obtain additional information, currently considered to be out-of-scope, including email headers, social media information, and browsing history, was defeated by two votes in the US Congress.
McLaughlin and Currier report:
“Even so, the newer document on NSL policy contains a reference to a ‘model NSL’ the FBI uses to request ‘email transactional’ data from companies and other organizations — despite the fact that the organizations are not obligated to provide such information.“
The ECPA specifies four limited types of information the FBI is allowed to obtain via a NSL:
- The name of the owner of a specific account
- The amount of time that person has owned the account
- The owner’s address
- Billing records indicating metadata about phone calls made (number called, date and time of each call, and the length of each call)
FBI continues to demand out-of-scope NSL information
Nonetheless, the FBI continues to demand (and obtain) “electronic communication transactional records” outside the scope of the four limited types of information available by NSL. McLaughlin and Currier report that one of the “model NSLs” obtained by the Intercept includes an “email transactional NSL.”
Tim Cushing writing for Techdirt reports on the out-of-scope information sought by the FBI from Twitter and Yahoo with NSLs. In 2014, Twitter sued the DOJ over gag orders accompanying both NSLs and Foreign Intelligence Surveillance Court (FISC) orders.
As early as 2002, the FBI was illegally obtaining US telephone call records — including those of Washington Post and New York Times journalists — by falsely claiming a terrorism emergency and later issuing NSLs to make the seizures appear legitimate.
Twitter’s attorney told Techdirt that it only discloses information in compliance with DOJ’s legal guidance. Cushing reports that a NSL received by Yahoo demanded the following information, mostly out-of-bounds according to the DOJ:
- Subscriber name and related subscriber information
- Account number(s)
- Date the account opened or closed
- Physical and or postal addresses associated with the account
- Subscriber day/evening telephone numbers
- Screen names or other on-line names associated with the account
- All billing and method of payment related to the account including alternative billed numbers or calling cards
- All email addresses associated with the account to include any and all of the above information for any secondary or additional email addresses and/or user names identified by you as belonging to the targeted account in this letter
- Internet Protocol (IP) addresses assigned to this account and related e-mail accounts
- Uniform Resource Locator (URL) assigned to the account
- Plain old telephone(s) (POTS), ISDN circuit(s), Voice over internet protocol (VOIP), Cable modem service, Internet cable service, Digital Subscriber Line (DSL) asymmetrical/symmetrical relating to this account
- The names of any and all upstream and providers facilitating this account’s communications
Yahoo was the first recipient of a NSL to publish its contents.