The Federal Bureau of Investigation, the Department of Justice, and technology and internet companies have been waging a little-known war for years over how much information companies are obligated to hand over about customers during national security investigations — absent a court order.
In early June, when Yahoo disclosed three secret government requests for customer information — called national security letters — one of those requests revealed that the FBI might have been exceeding its authority by asking for email records, such as headers or browsing information, in addition to basic subscriber information.
While the revelation that the FBI kept asking for those records surprises some academics, lawmakers, and privacy advocates – national security attorneys and large technology companies have known about the problem for years, and have been arguing with FBI attorneys over what’s allowed and what’s not.
Meanwhile, the FBI has been pushing for a legislative solution to expand the range of information it can get with national security letters; there are currently two bills being discussed that could grant it.
The FBI’s effort has been prompted not by DOJ concerns, but by Silicon Valley companies refusing to share anything beyond the basic subscriber information they believe the statute requires.
Companies, including Facebook, Yahoo, and others interviewed by The Intercept, have refused to supply the FBI with email and browsing records when asked. Facebook officials recognized the issue in 2012 and published the company’s standards for compliance with national security letters — hoping others might take notice.
The FBI declined to comment on the issue.
“It’s been very clear that the FBI has been continuing to request things that they’re not supposed to get,” Michael German, former FBI agent and current fellow at the Brennan Center for Justice said during a phone interview. “There’s a behind the curtains push” to get information from “groups who either don’t want to fight or are otherwise inclined to help the FBI get the records they want. And it’s all happening in secret.”
A HISTORY OF AMBIGUITY
The FBI for several years had been issuing national security letters asking for “electronic communications transaction records” — email metadata and header information, URL browsing data, and more. However, in 2008 the Office of Legal Counsel under President George W. Bush advised that the FBI was not entitled to anything more than basic subscriber information, including name, address, and toll billing records — information the phone companies compile in their everyday business.
The controversy didn’t end there, however. According to the 2014 inspector general report and several national security attorneys who have worked closely on these cases, the FBI had a different interpretation of the legal advisories.
In 2011, then Assistant Attorney General for National Security Todd Hinnen directly told Congress during a hearing that companies are in fact required to turn over electronic records. Companies were refusing to comply because the text was confusing — not because the request was illegal, he insisted. “We expect to propose an amendment to eliminate this source of confusion,” Hinnen wrote in his prepared remarks.
It turns out the FBI thought it was allowed to ask for any basic records from companies based on a footnote in the 2008 Office of Legal Counsel opinion — as long as they were “parallel” to the basic records phone companies compile for billing records. The bureau started attaching a laundry list of types of information the companies might supply in response to the letter — leaving it up to them to decide what might actually be required.
The FBI also seems to also be able to retain any information that companies share, even if companies weren’t obligated to turn it over in the first place. Advisors in the Department of Justice’s National Security Division backed the FBI up on its interpretation, according to the 2014 report.
The FBI’s decision to ask companies for everything and let them figure out what they’re required to turn over has had the effect of potentially putting smaller companies with fewer resources at a disadvantage, say national security attorneys. Without expensive legal representation and a familiarity with the law, companies might turn over more content than is necessary.
It’s happened before, according to a 2007 inspector general report, which described at least one company turning over the contents of email messages, including images, in response to several national security letters asking for electronic communication transactional records — which is explicitly prohibited in the statute. The report doesn’t go into details on what other sensitive browsing or email information companies might have shared — or what the FBI did with the extra information.
“Many small companies don’t read these things carefully,” Albert Gidari, a prominent national security attorney who worked on many cases involving such letters, told The Intercept during an interview.
He said that years ago, small companies would come to him for advice on national security letters — concerned they were not even allowed to get a lawyer. Things have gotten better since then, he says — but not a whole lot. “Small companies really have no advocate.”
The 2007 report also suggests that FBI agents issuing the requests might have been just as confused as the companies about what they were allowed to use them for. Yet judging from the Yahoo National Security Letters disclosed in early June, attempts to clarify and limit those requests don’t seem to have restricted the scope of the over-broad letters.
“The FBI asks for so much, because it is banking that some companies won’t know the law and will disclose more than they have to. … The FBI is preying on small companies who don’t have the resources to hire national security law experts,” Chris Soghoian, chief technologist at the American Civil Liberties Union, told The Intercept.
Last year, the FBI issued nearly 13,000 national security letters. Only a handful, including the three redacted Yahoo letters, have been disclosed in any form to the public — because each letter comes with a gag order attached.
“The big companies, with lawyers that work on this, probably early on recognized the problem. They didn’t go along with the FBI on it,” Gidari said. “But nobody really stepped back and said, there’s probably a lot of little companies that should know about this, let’s turn this into an issue.”
The inspector general report “was pretty damning,” he continued. “But nobody really picked up on the fact that [this] was a continuing practice. And once [the FBI] over-collected, they didn’t dispose of the data. It’s like, somebody gave us too much change at McDonald’s, or we got fries inadvertently — let’s have lunch!”
Marc Zwillinger, another national security attorney, confirmed that the FBI believes that it’s up to every company “to decide” what records they’re required to turn over. “By 2010, some companies were producing electronic communications transaction records, and some companies weren’t,” he said. “In the FBI’s defense, it doesn’t make a whole lot of sense.”
But the FBI’s demand for all “electronic communication transactional records” — something that’s never been clearly defined, at least in the public record — is going too far, he says. It’s too much information to ask for “with no approval of a judge.”
Gidari agrees that the FBI didn’t wade into this issue with the intention of confusing and misleading anybody. The big companies used to be more sympathetic to the befuddling legal statutes, he argued, and may have in the past agreed to limited reform of the national security letter statutes.
But following NSA whistleblower Edward Snowden’s release of a trove of documents on global government spying — companies changed their tune. The new position became: “There’s no way in hell the government should get more information,” Gidari said.
“Had the FBI put a reasonable position on the table … five years ago they probably would’ve got that through,” Gidari argues. “They’re their own worst enemy on this stuff.”
Top photo: “J. Edgar Hoover FBI Building” by Carl Clifford under CC BY 2.0.
The FBI was supposed to have dropped “intelligence” as a result of the 70’s Church Committee. No more COINTELPRO files were allowed. The FBI would be a “law enforcement only” agency. There is a difference between an intelligence focus and law enforcement. After 9/11, everything changed. Ashcroft made it clear that terrorism must be prevented. Now it’s come full circle and we have an intelligence agency again and we’re seeing a lot of the same abuses on civil liberties: harassment, surveillance, disruption ops, and worse. Today’s technology makes the surveillance incredibly pervasive. I believe the FBI wants access to all of our internet usage to get the dirt on potential subversives, who are just regular innocent Americans that might have lit up an algorithm for some stupid reason. Then the FBI turns over that info with some lies and exaggerations to InfraGard which proceeds to carry out dirty, illegal COINTELPRO ops on their “potential subversive” who has a possibility but not probability of harming national security in a crisis.
There is an NGO who will take those NSL requests for the little guy …. canaree.io .
Serves the Tech Companies right for not moving out of the US.
the F…B…I… has now found a way to extort any business to hand them everything under the pretense that if they dont, the business is now to blame for anything that goes wrong. In other words the f…b…i… is lost as to what to ask for and is instead bent on pursuing blame relief. it’s up to every company “to decide” what records they’re required to turn over. “
America has gone competely nutso wacko cracko smacko.
choose your pain. nothing is free.
It is not about privacy, it is about the bottom lie and the value of the intelligence they are gathering. If their consumers feel using their services puts them at risk, then the companies will be unable to recoup and profit from the resources they placed in ‘free services’ that collect intelligence for deep analysis of their users behaviors. By collecting this data they can then package it with the whole weight of their analytics and sell it as ‘advert’ services. The FBI leaving an open ended request is simply asking them, “just how much data _are_ you collecting and just how much do you actually know”. It has nothing at all to do with privacy. This is the US, where companies like Google Facebook etc only care about the bottom line.
I am not worried about the tech companies passing on the user information to our FBI because we all know that FBI is a pretty good organization and is potentially unlikely to misuse that information. What concerns me is what the tech companies do for instance in countries like Germany or Russia or China or Canada if their nasty governments issue national security letters and demand the same information? The servers are all synced to have the same information, so that would mean that China would have access to my emails synced to servers located in Shanghai. China is screwing us in all fronts. They have taken away our jobs and they have re-built their country with our money. They are dumping all their stuff here and we are losing to them $550 B every year. They devalue their currency and our leaders are such bad negotiators that they laugh behind our backs. As if that is not bad enough, they are probably reading all our emails. I don’t mind if they have read Crooked’s emails stored in personal servers, but I sure do if they have read mine.
We need to do something.
Interesting that you put Canada and Germany in the same bucket as China and Russia.
As a non-American, I agree with you. WTF should the American government have access to my emails?
Methinks you know very little about the history of the FBI. Look into what the Church Committee found…
Well you can see where all this is heading under future administrations. First there will be bills past that require companies give the info the Feds are requesting, then when that’s not enough for the information maw the government has more laws will be passed until ultimately every electronic communication, from everyone, will first pass through the FBI, CIA, and] NSA network, in toto, and then delivered to the recipient. The courts will decide that electronic communications use public networks so no expectation of privacy should apply.
If the tech companies terms of service obligated them to safeguard the privacy of their user’s data and to release it only when legally required and they then failed to exercise reasonable due diligence in making determinations about what is or is not legally required to be turned over, wouldn’t that be an actionable breach of their terms of service?
Yeah, and if you had a unicorn maybe you could ride it. Seriously, have you ever read a Privacy Policy? One and all they say the same thing: whenever, wherever, whatever, however, and subject to change at a moment’s notice. But aside from that, they make every effort to preserve your privacy, without guaranteeing it of course.
The big free service companies don’t value privacy, but some smaller companies that charge for their services and have privacy-conscious customers do.
“If you aren’t paying for the product, you are the product.”
Twitter is the devil.
“…the Office of Legal Counsel under President George W. Bush advised that the FBI was not entitled to anything more than basic subscriber information, including name, address, and toll billing records…”
Aww, the poor, poor Stasi’s propoganda backfired on them.
As much money as these companies make in tax breaks and corporate subsidies, it is absurd to believe that any of them have any objections to doing whatever the government asks of them.
Not really. If you own enough politicians you can have your cake and eat it too.
You mean getting to keep money you made, instead of involuntarily giving it away to an inefficient war-machine obligates you to comply with said entity? Please, tell me more.
Every reasonable person does not want his/her privacy violated, especially by government and/or corporate power.
As a dues paying member of the hoi polloi when I see conflict between two of my enemies my only hope is that they are both weakened.
There is no side in this fight that give a living shit about the privacy of the hoi polloi. The government is interested in expressing its power, and the corporation(s) are out to express their power – for their own exclusive use.
There is no champion of the people or of privacy involved in any way, ultimately it is about power and profit. Nothing what-so-ever to do with protection of human life much less privacy.
The EFF and ACLU are at least to some extent champions of the people. But tech companies are obviously motivated primarily by profit. Luckily, fighting for consumer privacy publicly does get them PR and thus boosts their sales, though. At the same time, they’re quietly selling consumer data to other businesses, of course.