Why Use a National Security Letter When You Have Post-It Notes?


In a report (PDF) issued today, Justice Department Inspector General Glenn Fine shows that the FBI routinely broke the law for several years by demanding telephone records through informal methods that were not authorized by statute. The abuses, which involved thousands of records, are especially striking because it is not very hard for the FBI to obtain this information legally. The Electronic Communications Privacy Act (ECPA) allows the bureau to demand records from phone companies through a "national security letter" (NSL) signed by the director or an official he designates. Under FBI policy, any special agent in charge can sign an NSL, which simply states that the records sought are "relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities."

In 2003 FBI officials began dodging this minimal requirement by asking telecommunications carriers to suppy records without the legally required NSL "due to exigent circumstances" and promising to provide an NSL after the fact. These so-called exigent letters, which were often used when no emergency actually existed, were an extralegal contrivance that violated ECPA, bureau policy, and guidelines issued by the attorney general. The retroactive NSLs promised by the exigent letters often failed to appear because there was no authorized investigation to which they could be linked. To fix that problem, FBI officials resorted to another illegal procedure, issuing "blanket" NSLs tied to no particular investigation.

Even these pseudolegalities look downright upright next to the FBI's other informal methods of obtaining records, which included requests by email, phone, post-it note, and in-person oral communication as well as "sneak peeks," which were about as legitimate as they sound. The failure to follow the established NSL process is legally significant because ECPA prohibits telecom companies from disclosing customer records to the government except in specified circumstances. One of them is not when an FBI agent shows up at your office and says, "Mind if I take a look at that?"

The targets of the FBI's illegal record grabs are unknown, with one major exception. "Some of the most troubling improper requests for telephone records," the inspector general's report notes, "occurred in media leak cases, where the FBI sought and acquired reporters' telephone toll billing records and calling activity information without following federal regulation or obtaining the required Attorney General approval." In 2008 FBI Director Robert Mueller apologized for the bureau's improper snooping on foreign correspondents for The New York Times and The Washington Post.

Although the bureau's unauthorized data demands came to the attention of the FBI general counsel's office in 2004, they continued for two more years. The bureau did not stop using the illegal record-gathering methods until after Inspector General Fine issued his first report on the problem in March 2007. "We found widespread use of exigent letters and other informal requests for telephone records that did not comply with legal requirements or FBI policies," the new report says. "Our review also found that the FBI's initial attempts at corrective action were seriously deficient, ill-conceived, and poorly executed."

This episode speaks volumes about the willingness and ability of the FBI (or any law enforcement agency) to police itself. The natural tendency to cut corners for the sake of a noble goal, and to overlook such corner cutting when it's done by your colleagues, is one reason why it's a good idea to have someone outside the agency review its demands for information. Once that requirement is eliminated, it is not safe to assume that the remaining precautions will actually be followed, let alone be adequate to protect the privacy of innocent people.

The inspector general's report is here (PDF); go to page 270 for the conclusions and recommendations. The ACLU reacts. Previous Reason coverage of the issue here. Last week Brian Doherty asked if privacy can "survive the digital revolution."