The secret government requests for customer information Yahoo made public Wednesday reveal that the FBI is still demanding email records from companies without a warrant, despite being told by Justice Department lawyers in 2008 that it doesn’t have the lawful authority to do so.
That comes as a particular surprise given that FBI Director James Comey has said that one of his top legislative priorities this year is to get the right to acquire precisely such records with those warrantless secret requests, called national security letters, or NSLs. “We need it very much,” Comey told Sen. Tom Cotton, R-Ark., during a congressional hearing in February.
At issue is whether the national security letters empower the FBI to demand what are called “electronic communication transactions records,” or ECTRs. Such records can include email header information – not their content – and browsing histories.
In 2008, the Justice Department’s Office of Legal Counsel concluded that the FBI was only entitled to get the name, address, length of service, and toll billing records from companies without a warrant. Opinions issued by the OLC are generally treated as binding and final within the executive branch.
The FBI has said it disagrees with that conclusion, and interprets the opinion differently, according to a 2014 inspector general report. It sees the question as more of an “impasse” than an actual legal barrier.
But activists, members of Congress, and academics think the DOJ opinion was pretty clear.
“The Justice Department told FBI officials that if they want to demand Americans’ email records, they need a court order,” Senator Ron Wyden, D-Ore., said in a statement emailed to The Intercept. “It is very troubling that the FBI has apparently not been adhering to that guidance.”
“It seems that the FBI has again crossed the line when it comes to ECTRs, even after being explicitly told — under the Bush administration, no less — that they were not legally authorized to demand these personal records absent a court order,” Robyn Greene, policy counsel for the Open Technology Institute, wrote in a message to The Intercept. “The last thing Congress should be doing right now is giving the FBI more leeway to abuse its NSL authorities.”
The FBI declined to comment. But one of the letters Yahoo released — after being released from a gag order — started as follows:
Under the authority of Executive order 12333, dated July 30, 2008, and pursuant to Title 18 of the United States Code (U.S.C.), 2709 (201 of the Electronic Communications Privacy Act of 1986) (as amended), you are hereby directed to provide to the Federal Bureau of Investigation (FBI) the names, addresses, and length of service and electronic communications transactional records, to include existing transaction/activity logs and all electronic mail (e-mail) header information, for the below-listed email/IP address holder(s).
Major service providers know the FBI doesn’t have the authority to make all those demands. In fact, Yahoo did not turn over the electronic communication transactions records, including “activity logs and all e-mail header information.” “We disclosed [the records] as authorized by law,” wrote Chris Madsen, head of Yahoo’s global law enforcement, security, and safety team, in a blog post.
Chris Soghoian, chief technologist at the American Civil Liberties Union, said FBI agents might be hoping at least some recipients don’t know they lack the authority they claim to have.
“Essentially, the FBI believes they can ask for the sun, the moon and the stars in an NSL, while knowing that tech companies don’t have to turn over anything more than name, address and length of service,” he wrote in an email.
“The FBI asks for so much, because it is banking that some companies won’t know the law and will disclose more than they have to. … The FBI is preying on small companies who don’t have the resources to hire national security law experts,” he argued.
Facebook officials drafted and made public their law enforcement guidelines in 2012, in the hopes of clarifying what they believed technology companies are required to turn over. “We interpret the national security letter provision as applied to Facebook to require the production of only two categories of information: name and length of service,” read the guidelines.
Technology companies rarely talk about NSLs because of the accompanying gag orders. But one technology company official told The Intercept on background that “it is our general understanding that other companies also comply narrowly (in line with the DOJ OLC Opinion).”
The FBI issued nearly 13,000 national security letters in 2015 alone, for information about almost 50,000 different people. They go to internet, technology, social media, and communications companies of all sizes, as well as banks.
Only now are some of the gags being lifted, nearly two and a half years after President Obama announced that he was ordering the Justice Department to terminate gag orders “within a fixed time unless the government demonstrates a real need for further secrecy.”
The debate over how much power an NSL grants started 10 years ago, when two unidentified technology companies refused to provide information beyond the most basic subscriber data. (In NSLs of that era and before, that have since been disclosed, the FBI’s demands sometimes included web browsing records as well as email metadata.)
The companies argued that the law cited in the NSLs didn’t obligate them to turn over anything more – and President George W. Bush’s Department of Justice agreed.
The FBI has repeatedly asked Congress to give it the explicit power to get email and browsing data through NSLs, with no success. Right now, there are provisions in two separate bills that would do so.
Privacy advocates have fought tooth and nail against such a move, considering it a huge expansion of the FBI’s warrantless surveillance capabilities.
Comey described the change during a congressional hearing in February. “It’s necessary because what I believe is a typo in the 1993 statue that has led to some companies interpreting it in a way I don’t believe Congress ever intended,” he said. “So it’s ordinary, but it affects our work in a very, very big and practical way.”
Privacy advocates say that’s disingenuous—and they are even more infuriated that the FBI is apparently asking for that information anyway.
“This should send up a huge red flag for Congress about the real potential for abuse,” OTI’s Robyn Greene concluded.