The F.B.I. has used secret subpoenas to obtain personal data from far more companies than previously disclosed, newly released documents show.
The
requests, which the F.B.I. says are critical to its counterterrorism
efforts, have raised privacy concerns for years but have been associated
mainly with tech companies. Now, records show how far beyond Silicon
Valley the practice extends — encompassing scores of banks, credit
agencies, cellphone carriers and even universities.
The
demands can scoop up a variety of information, including usernames,
locations, IP addresses and records of purchases. They don’t require a
judge’s approval and usually come with a gag order, leaving them
shrouded in secrecy. Fewer than 20 entities, most of them tech
companies, have ever revealed that they’ve received the subpoenas, known
as national security letters.
The documents, obtained by the Electronic Frontier Foundation through a Freedom of Information Act lawsuit and shared with The New York Times, shed light on the scope of the
demands — more than 120 companies and other entities were included in
the filing — and raise questions about the effectiveness of a 2015 law
that was intended to increase transparency around them.
“This
is a pretty potent authority for the government,” said Stephen Vladeck,
a law professor at the University of Texas who specializes in national
security. “The question is: Do we have a right to know when the
government is collecting information on us?”
The
documents provide information on about 750 of the subpoenas —
representing a small but telling fraction of the half-million issued
since 2001, when the Patriot Act expanded their powers.
The
credit agencies Equifax, Experian and TransUnion received a large
number of the letters in the filing. So did financial institutions like
Bank of America, Western Union and even the Federal Reserve Bank of New
York. All declined to explain how they handle the letters. An array of
other entities received smaller numbers of requests — including Kansas
State University and the University of Alabama at Birmingham, probably
because of their role in providing internet service.
Other
companies included major cellular providers such as AT&T and
Verizon, as well as tech giants like Google and Facebook, which have acknowledged receiving the letters in the past.
Albert
Gidari, a lawyer who long represented tech and telecommunications
companies and is now the privacy director at Stanford’s Center for
Internet and Society, said Silicon Valley had been associated with the
subpoenas because it was more willing than other industries to fight the
gag orders. “Telecoms and financial institutions get little attention,”
he said, even though the law specifically says they are fair game.
The
Federal Bureau of Investigation determined that information on the
roughly 750 letters could be disclosed under a 2015 law, the USA Freedom
Act, that requires the government to review the secrecy orders “at
appropriate intervals.”
The Justice Department’s interpretation of those instructions has left many letters secret indefinitely. Department guidelines say the gag orders must be evaluated three years after an investigation starts and also when an investigation is closed. But a federal judge noted “several large loopholes,” suggesting that “a large swath” of gag orders might never be reviewed.
According
to the new documents, the F.B.I. evaluated 11,874 orders between early
2016, when the rules went into effect, and September 2017, when the
Electronic Frontier Foundation, a digital rights group, requested the
information.
“We are not sure the
F.B.I. is taking its obligations under USA Freedom seriously,” said
Andrew Crocker, a lawyer with the foundation. “There still is a huge
problem with permanent gag orders.”
The Justice Department declined to comment.
National
security letters, which the F.B.I. has issued since the 1980s, have
long been a point of contention in the debate over privacy and security.
Initially, the bureau had to show “specific and articulable facts”
indicating that the target was an agent of a foreign power. Now, the
F.B.I. must certify that the information is “relevant” to a terrorism,
counterintelligence or leak investigation.
“NSLs
are an indispensable investigative tool,” the Justice Department argued
in the Freedom of Information Act case. The department has said in legal documents that the information gleaned from the letters is important to
identifying subjects and their associates, while helping to clear the
innocent of suspicion.
According to a 2007 report from the Justice Department inspector general, the F.B.I. didn’t track
how often information from the letters was used in criminal proceedings.
But the report also said the letters had led to guilty pleas for arms
trading, at least one conviction for material support of terrorism, and
multiple charges of fraud and money laundering. The tool was also cited in efforts to investigate Russian meddling in the 2016 election.
Much
of the concern about the letters has focused on the gag orders, which
accompany nearly every request and prevent the recipient — typically
indefinitely — from disclosing even the existence of the letter. The
federal government has argued that the secrecy is necessary to avoid
alerting targets, giving would-be terrorists clues about how the
government conducts its surveillance or hurting diplomatic relations.
After
a series of court rulings found that the gag orders violated First
Amendment protections, Congress enacted the review requirements.
The
documents obtained through the lawsuit include the number of orders
reviewed, as well as redacted copies of 751 letters from the F.B.I.
informing companies and organizations their gag orders had been lifted.
These so-called termination letters do not reveal the contents of the
original national security letters, but indicate which entities received
them.
Because so few gag orders have
been reviewed and rescinded, it isn’t possible to say whether the
companies that received the most termination letters also received the
most national security letters. But given the overall secrecy around the
program, the termination letters offer a rare glimpse into these
subpoenas.
Equifax, Experian and
AT&T received the most termination letters: more than 50 each.
TransUnion, T-Mobile and Verizon each received more than 40. Yahoo,
Google and Microsoft got more than 20 apiece. Over 60 companies received just one.
The
underlying national security letters were not included in the
documents, and it is unclear when most of them were issued and who the
individual targets were.
Tech
companies have disclosed more information about the letters they
received than the major phone providers, which included general
information about them in transparency reports.
“We
have fought for the right to be transparent about our receipt” of
national security letters, Richard Salgado, Google’s director of law
enforcement and information security, said in a 2016 statement explaining why the company was releasing the subpoenas. “Our goal in doing so is to shed more light on the nature and scope” of the requests, he added.
Other
companies have generally remained mum. In response to inquiries, a
TransUnion spokesman would say only that the company “has not disclosed
the receipt of any national security letters.” A spokesman for Equifax
said it was “compliant with the national security letters process.”
Mr.
Gidari, the former tech lawyer, attributed some of that lack of
reporting to differences in company culture, noting that tech firms were
more predisposed to openness, and financial institutions less likely to
discuss any outside access to customer data. And most small companies,
he said, don’t have the resources to keep long-term track of or
challenge the subpoenas.
“That’s the
problem with the Freedom Act: It procedurally pretended to solve the
problem,” he said. “But the whole structure of this involves presumption
in favor of the government for perpetual sealing.”