The Federal Bureau of Investigation, the Department of Justice, and technology and internet companies have been waging a little-known war for years over how much information companies are obligated to hand over about customers during national security investigations — absent a court order.
In early June, when Yahoo disclosed three secret government requests for customer information — called national security letters — one of those requests revealed that the FBI might have been exceeding its authority by asking for email records, such as headers or browsing information, in addition to basic subscriber information.
While the revelation that the FBI kept asking for those records surprises some academics, lawmakers, and privacy advocates – national security attorneys and large technology companies have known about the problem for years, and have been arguing with FBI attorneys over what’s allowed and what’s not.
Meanwhile, the FBI has been pushing for a legislative solution to expand the range of information it can get with national security letters; there are currently two bills being discussed that could grant it.
The FBI’s effort has been prompted not by DOJ concerns, but by Silicon Valley companies refusing to share anything beyond the basic subscriber information they believe the statute requires.
Companies, including Facebook, Yahoo, and others interviewed by The Intercept, have refused to supply the FBI with email and browsing records when asked. Facebook officials recognized the issue in 2012 and published the company’s standards for compliance with national security letters — hoping others might take notice.
The FBI declined to comment on the issue.
“It’s been very clear that the FBI has been continuing to request things that they’re not supposed to get,” Michael German, former FBI agent and current fellow at the Brennan Center for Justice said during a phone interview. “There’s a behind the curtains push” to get information from “groups who either don’t want to fight or are otherwise inclined to help the FBI get the records they want. And it’s all happening in secret.”
A HISTORY OF AMBIGUITY
The FBI for several years had been issuing national security letters asking for “electronic communications transaction records” — email metadata and header information, URL browsing data, and more. However, in 2008 the Office of Legal Counsel under President George W. Bush advised that the FBI was not entitled to anything more than basic subscriber information, including name, address, and toll billing records — information the phone companies compile in their everyday business.
The controversy didn’t end there, however. According to the 2014 inspector general report and several national security attorneys who have worked closely on these cases, the FBI had a different interpretation of the legal advisories.
In 2011, then Assistant Attorney General for National Security Todd Hinnen directly told Congress during a hearing that companies are in fact required to turn over electronic records. Companies were refusing to comply because the text was confusing — not because the request was illegal, he insisted. “We expect to propose an amendment to eliminate this source of confusion,” Hinnen wrote in his prepared remarks.
It turns out the FBI thought it was allowed to ask for any basic records from companies based on a footnote in the 2008 Office of Legal Counsel opinion — as long as they were “parallel” to the basic records phone companies compile for billing records. The bureau started attaching a laundry list of types of information the companies might supply in response to the letter — leaving it up to them to decide what might actually be required.
The FBI also seems to also be able to retain any information that companies share, even if companies weren’t obligated to turn it over in the first place. Advisors in the Department of Justice’s National Security Division backed the FBI up on its interpretation, according to the 2014 report.
The FBI’s decision to ask companies for everything and let them figure out what they’re required to turn over has had the effect of potentially putting smaller companies with fewer resources at a disadvantage, say national security attorneys. Without expensive legal representation and a familiarity with the law, companies might turn over more content than is necessary.
It’s happened before, according to a 2007 inspector general report, which described at least one company turning over the contents of email messages, including images, in response to several national security letters asking for electronic communication transactional records — which is explicitly prohibited in the statute. The report doesn’t go into details on what other sensitive browsing or email information companies might have shared — or what the FBI did with the extra information.
“Many small companies don’t read these things carefully,” Albert Gidari, a prominent national security attorney who worked on many cases involving such letters, told The Intercept during an interview.
He said that years ago, small companies would come to him for advice on national security letters — concerned they were not even allowed to get a lawyer. Things have gotten better since then, he says — but not a whole lot. “Small companies really have no advocate.”
The 2007 report also suggests that FBI agents issuing the requests might have been just as confused as the companies about what they were allowed to use them for. Yet judging from the Yahoo National Security Letters disclosed in early June, attempts to clarify and limit those requests don’t seem to have restricted the scope of the over-broad letters.
“The FBI asks for so much, because it is banking that some companies won’t know the law and will disclose more than they have to. … The FBI is preying on small companies who don’t have the resources to hire national security law experts,” Chris Soghoian, chief technologist at the American Civil Liberties Union, told The Intercept.
Last year, the FBI issued nearly 13,000 national security letters. Only a handful, including the three redacted Yahoo letters, have been disclosed in any form to the public — because each letter comes with a gag order attached.
“The big companies, with lawyers that work on this, probably early on recognized the problem. They didn’t go along with the FBI on it,” Gidari said. “But nobody really stepped back and said, there’s probably a lot of little companies that should know about this, let’s turn this into an issue.”
The inspector general report “was pretty damning,” he continued. “But nobody really picked up on the fact that [this] was a continuing practice. And once [the FBI] over-collected, they didn’t dispose of the data. It’s like, somebody gave us too much change at McDonald’s, or we got fries inadvertently — let’s have lunch!”
Marc Zwillinger, another national security attorney, confirmed that the FBI believes that it’s up to every company “to decide” what records they’re required to turn over. “By 2010, some companies were producing electronic communications transaction records, and some companies weren’t,” he said. “In the FBI’s defense, it doesn’t make a whole lot of sense.”
But the FBI’s demand for all “electronic communication transactional records” — something that’s never been clearly defined, at least in the public record — is going too far, he says. It’s too much information to ask for “with no approval of a judge.”
Gidari agrees that the FBI didn’t wade into this issue with the intention of confusing and misleading anybody. The big companies used to be more sympathetic to the befuddling legal statutes, he argued, and may have in the past agreed to limited reform of the national security letter statutes.
But following NSA whistleblower Edward Snowden’s release of a trove of documents on global government spying — companies changed their tune. The new position became: “There’s no way in hell the government should get more information,” Gidari said.
“Had the FBI put a reasonable position on the table … five years ago they probably would’ve got that through,” Gidari argues. “They’re their own worst enemy on this stuff.”