While the Snowden documents have demystified the intelligence community’s hacking abilities, few specifics are known about National Security Letters, law enforcement’s most powerful tool to compel telecommunications and Internet service providers to turn over a broad scope of user data, and which carries with it a gag order.
Yesterday, all of that changed when Nicholas Merrill, owner of the now-defunct ISP Calyx, was legally cleared to publicly reveal a NSL attachment he received in 2004 seeking information on one of his customers.
In August, United States District Judge Victor Marrero ruled in favor of Merrill, granting his motion that the FBI had not demonstrated that disclosure of the NSA attachment would “risk an enumerated harm,” and lifted the gag order. Merrill gave the government three months to appeal before disclosing yesterday.
“The FBI has interpreted its NSL authority to encompass the websites we read, the web searches we conduct, the people we contact, and the places we go. This kind of data reveals the most intimate details of our lives, including our political activities, religious affiliations, private relationships, and even our private thoughts and beliefs,” Merrill said in a statement released by his attorneys at the Yale Law School.
The unredacted attachment is a laundry list of information the FBI considered to be under the umbrella of a vague legal term: “electronic communication transactional record.” In Merrill’s specific case, the FBI not only sought detailed personal subscriber information, but browser history, IP addresses the subscriber connected to, email addresses, screen names and online aliases associated with the account, plus six months worth of online purchases. The FBI also sought a radius log, which includes cell tower-based tracking information.
Today my #NationalSecurityLetter gag order is gone after over 11 years of litigation. I hope others who get NSLs find ways to challenge them
— Nicholas Merrill (@nickcalyx) November 30, 2015
NSLs, which are written and executed without a warrant in cases affecting national security, have been prominently debated since the Snowden revelations began in June 2013. Technology companies have argued—and filed suit in some cases—that NSLs violate First and Fourth Amendment rights. Companies such as Twitter, Google and other giants say the NSL gag order keeps tech companies from revealing the scope of their cooperation with the government and opens the door to speculation that the NSA, FBI and other law enforcement could have direct access to customer data.
“The broad scope of the FBI’s claimed NSL authority is deeply problematic because the government can issue NSLs without any judicial oversight,” said Lulu Pantin, a law student intern who represented Merrill. “Mr. Merrill’s experience demonstrates the FBI indefinitely silences Internet Service Providers while forcing them to de-anonymize their users and divulge a broad range of information about law-abiding citizens’ online activity, simply by issuing a letter.”
The FBI began issuing NSLs in 2001, shortly after the September 11 terrorist attacks in the U.S. under the expanded powers offered by the PATRIOT Act. With the passage of the USA FREEDOM Act, the powers afforded law enforcement by a NSL have been reined in, said Andrew Crocker, staff attorney at the Electronic Frontier Foundation.
“On one level, this is a very big deal. This is the first NSL attachment that has been unsealed and the FBI issued 300,000 since 2001. That’s a lot to be issued without seeing even one attachment,” Crocker said. “We get to see the scope of what the FBI could get with a NSL since 2004. It’s since then been reined in, and the scope is a little bit narrower. But it’s a big deal to see the breadth of what they thought they could get back then.”
The next step, Crocker said, is to continue to challenge NSLs—which remain in use to the tune of approximately 10,000 issued annually—on the grounds of it being a First Amendment violation.
“It’s clear the scope they had was very broad,” Crocker said, pointing to the open ended nature of what is considered an electronic communications transactional record, which in Merrill’s case was used to get cell site location and track targets’ physical location via their mobile phone.
Crocker believes that while the FBI will continue to use NSLs in investigations, he believes more challenges will surface, despite the relatively small number since 2001. The EFF, he said, currently has two such challenges in court.
“The most obvious reason we haven’t seen many challenges is that when you get a letter from the FBI that says ‘give us information and don’t tell anyone, it’s a bit intimidating and people are not inclined to stand up to them. There’s an inherent intimidation,” Crocker said. “Also, when they go to an ISP with a NSL, they may not care about giving information up about their customers; it’s not their information. We’ve seen a long history of cooperation with NSA surveillance. Some may think it’s their patriotic duty to cooperate. But we’ve seen that change since Snowden. Customers care about privacy and companies are taking different stands on privacy where they may not have thought much about it previously.”
In the meantime, challenges such as Merrill’s and the EFF’s two cases will continue to slog it out in court, especially now as the judicial system has to consider and apply the USA FREEDOM Act to suits.
“It’s a little bit disappointing it’s taken so long to get to this point,” Crocker said, adding that lawyers have reached settlements in the past to get other parts of NSLs unsealed and unredacted. “They’ve issued 300,000 NSLs since 2001 and there’s only been a handful of challenges. It shows the imbalance of surveillance powers and how hard it is to stand up to it.”