Privacy activists suffered a legal blow when a panel of California appeals court judges ruled Monday the Federal Bureau of Investigation could continue its practice of secretly issuing National Security Letter (NSL) requests for customer data from communications firms.
The case involved a challenge to the FBI practice of issuing NSL gag orders by content delivery network Cloudflare and phone network operator Credo Mobile. In a unanimous decision by the Ninth U.S. Court of Appeals in San Francisco, a three-judge panel ruled that NSL gag orders did not violate the First Amendment.
Both firms filed a lawsuit challenging the United States Department of Justice’s gag provision and “sought to enjoin the government from “issuing additional NSLs and from imposing additional nondisclosure requirements.”
The ruling is a blow to privacy activists who fervently believe that preventing companies from publicly stating the FBI is requesting customer data is a violation of their free speech protection guaranteed under the First Amendment.
“We are disappointed in the Ninth Circuit’s decision and are considering our options for next steps,” said Credo CEO Ray Morris in a prepared statement. “At Credo, we know what an uphill battle challenging these gag orders can be and feel that the court missed an opportunity to protect the First Amendment rights of companies that want to speak out in the future.”
Andrew Crocker, an attorney for the Electronic Frontier Foundation, which represented the companies in the consolidated case, said his clients were considering their next-step options.
“NSLs prevent service providers like our clients Credo Mobile and Cloudflare from being truthful with their customers and the public about the scope of government surveillance, and we applaud their courage in standing up to these gags,” Crocker told Threatpost. “Unfortunately, the Ninth Circuit avoided addressing the serious First Amendment problems with NSLs, particularly the fact that they are often left in place permanently.”
Companies that receive NSLs are traditionally subjected to a gag order. It took Cloudflare nearly four years to disclose a NSL this past January which the company received in February 2013. Between 2011 and 2013, Credo said it received three NSL notices.
The use of NSLs have long come under scrutiny by privacy activists and the tech firms on the receiving end of them. Apple and Yahoo have each revealed in transparency reports that they have received NSLs. Google, only after it managed to successfully fight gag provisions in court, disclosed the contents of eight NSLs it received from 2010 to 2015 last December.
In a related lawsuit, Electronic Frontier Foundation sued the DoJ in June demanding to know whether the agency is complying with rules that mandate a periodic review of National Security Letter gag orders.
That suit, filed in U.S. District Court for the Northern District of California, claims that the FBI is not complying with 2015 Congressional rules that require a periodic review of NSL gag orders and mandate the disclosure of information related to those NSLs that are no longer needed.