THE BLOG
11/06/2005 12:52 pm ET | Updated May 25, 2011

How the FBI Spies on You and Me

The Washington Post reports that the FBI has been obtaining and reviewing records of ordinary Americans in the name of the war on terror through the use of national security letters that gag the recipients.

"The FBI now issues more than 30,000 national security letters a year, according to government sources, a hundredfold increase over historic norms. The letters -- one of which can be used to sweep up the records of many people -- are extending the bureau's reach as never before into the telephone calls, correspondence and financial lives of ordinary Americans. "

What's a national security letter?

"Issued by FBI field supervisors, national security letters do not need the imprimatur of a prosecutor, grand jury or judge. They receive no review after the fact by the Justice Department or Congress. The executive branch maintains only statistics, which are incomplete and confined to classified reports. The Bush administration defeated legislation and a lawsuit to require a public accounting, and has offered no example in which the use of a national security letter helped disrupt a terrorist plot. "

Keep reading the article. It gets scarier by the paragraph.

The records it gathers describe where a person makes and spends money, with whom he lives and lived before, how much he gambles, what he buys online, what he pawns and borrows, where he travels, how he invests, what he searches for and reads on the Web, and who telephones or e-mails him at home and at work.

There is no judicial oversight of national security letters. The Patriot Act lessened the standard the FBI is to use in issuing the letters.

Under the old legal test, the FBI had to have "specific and articulable" reasons to believe the records it gathered in secret belonged to a terrorist or a spy. Now the bureau needs only to certify that the records are "sought for" or "relevant to" an investigation "to protect against international terrorism or clandestine intelligence activities." That standard enables investigators to look for conspirators by sifting the records of nearly anyone who crosses a suspect's path.

The Justice Department makes an unconvincing argument that national security letters are similar to grand jury subpoenas.

Grand juries tend to have a narrower focus because they investigate past conduct, not the speculative threat of unknown future attacks. Recipients of grand jury subpoenas are generally free to discuss the subpoenas publicly. And there are strict limits on sharing grand jury information with government agencies.

Who in the FBI can issue them? The better question might be, "Who can't?"

Since the Patriot Act, the FBI has dispersed the authority to sign national security letters to more than five dozen supervisors -- the special agents in charge of field offices, the deputies in New York, Los Angeles and Washington, and a few senior headquarters officials.

When can they be issued?

FBI rules established after the Patriot Act allow the letters to be issued long before a case is judged substantial enough for a "full field investigation." Agents commonly use the letters now in "preliminary investigations" and in the "threat assessments" that precede a decision whether to launch an investigation.

The FBI thinks its new power is just fine and dandy.

"Congress has given us this tool to obtain basic telephone data, basic banking data, basic credit reports," said Caproni, who is among the officials with signature authority. "The fact that a national security letter is a routine tool used, that doesn't bother me."

The Justice Department is happy with national security letters, too:

To Jeffrey Breinholt, deputy chief of the Justice Department's counterterrorism section, the civil liberties objections "are eccentric." Data collection on the innocent, he said, does no harm unless "someone [decides] to act on the information, put you on a no-fly list or something." Only a serious error, he said, could lead the government, based on nothing more than someone's bank or phone records, "to freeze your assets or go after you criminally and you suffer consequences that are irreparable." He added: "It's a pretty small chance."

What happens to your information after the investigation is over and establishes that you have done nothing wrong? Does the FBI destroy its data file on you? No. It used to, but former Attorney General John Ashcroft changed the rules.

Two years ago, Ashcroft rescinded a 1995 guideline directing that information obtained through a national security letter about a U.S. citizen or resident "shall be destroyed by the FBI and not further disseminated" if it proves "not relevant to the purposes for which it was collected." Ashcroft's new order was that "the FBI shall retain" all records it collects and "may disseminate" them freely among federal agencies.

National security letters aren't the only means the government is using to spy on ordinary Americans. Ratchet national security letters up a few notches and you get to data mining.

[Ascroft's new] order directed the FBI to develop "data mining" technology to probe for hidden links among the people in its growing cache of electronic files. According to an FBI status report, the bureau's office of intelligence began operating in January 2004 a new Investigative Data Warehouse, based on the same Oracle technology used by the CIA. The CIA is generally forbidden to keep such files on Americans. Data mining intensifies the impact of national security letters, because anyone's personal files can be scrutinized again and again without a fresh need to establish relevance.

Here’s where ChoicePoint and other commercial data services join the picture:

Ashcroft's new guidelines allowed the FBI for the first time to add to government files consumer data from commercial providers such as LexisNexis and ChoicePoint Inc. Previous attorneys general had decided that such a move would violate the Privacy Act. In many field offices, agents said, they now have access to ChoicePoint in their squad rooms.

So when you get stopped for a traffic ticket and are told to wait in your car while the officer radios in your driver’s license information, what he gets back from headquarters likely will include everything from a credit report to lawsuits you've been involved in to information about the time your neighbor called the police to complain your dog was barking too loud. Unless, of course, his squad car is equipped with its own terminal, and then he can access this information directly on the highway.

Still, you say, this is just too remote for you to worry about because you don't even know anyone who knows anyone who knows a terrorist. Do you stay at hotels? Do you ever rent a car? Have you ever spent New Year's, for example, in Las Vegas? Read on.

On December 21, 2003 Homeland Security issued a terror alert due to information about a possible New Year’s terror attack in Las Vegas. The FBI's Proactive Data Exploitation Unit and its chief, Gurvais Grigg, were called upon to serve.

An average of about 300,000 tourists a day stayed an average of four days each, presenting Grigg's team with close to a million potential suspects in the ensuing two weeks....Government and private sector sources who followed the operation described epic efforts to vacuum up information.....

An interagency task force began pulling together the records of every hotel guest, everyone who rented a car or truck, every lease on a storage space, and every airplane passenger who landed in the city. Grigg's unit filtered that population for leads. Any link to the known terrorist universe -- a shared address or utility account, a check deposited, a telephone call -- could give investigators a start.

When cooperation began drying up for voluntary release of records, the FBI turned to national security letters and grand jury subpoenas.

Early in the operation, according to participants, the FBI gathered casino executives and asked for guest lists. The MGM Mirage company, followed by others, balked.

How did word get out?

The operation remained secret for about a week. Then casino sources told Rod Smith, gaming editor of the Las Vegas Review-Journal, that the FBI had served national security letters on them.

According to one account, the FBI had some pressure tactics up its sleeve.

Agents encouraged voluntary disclosures, he said, by raising the prospect that the FBI would use the letters to gather something more sensitive: the gambling profiles of casino guests.

So, does what happened in Vegas really stay in Vegas? Of course not.

What happened in Vegas stayed in federal data banks. Under Ashcroft's revised policy, none of the information has been purged. For every visitor, Breinholt said, "the record of the Las Vegas hotel room would still exist."

And what happened with the terror alert?

Grigg's operation found no suspect, and the orange alert ended on Jan. 10, 2004. "The whole thing washed out," one participant said.

If you are counting on the hotels, rental car agencies or internet companies to raise a challenge when served with national security letters for your information, you're likely to be out of luck.

Resistance to national security letters is rare. Most of them are served on large companies in highly regulated industries, with business interests that favor cooperation. The in-house lawyers who handle such cases, said Jim Dempsey, executive director of the Center for Democracy and Technology, "are often former prosecutors -- instinctively pro-government but also instinctively by-the-books." National security letters give them a shield against liability to their customers.

Nor, in my opinion, is the proposed Patriot Act expansion bill currently in conference between the House and Senate likely to help ordinary Americans:

The House and Senate bills renewing the Patriot Act do not tighten privacy protections, but they offer a concession to business interests. In both bills, a judge may modify a national security letter if it imposes an "unreasonable" or "oppressive" burden on the company that is asked for information.

But you won't be told the request is made, so you won't know to ask the company holding your data to challenge the letter. Except perhaps for Las Vegas casinos that want to maintain customer privacy, this mostly seems to be a cosmetic reform.

How many of the national security letters have yielded information helpful to a terrorist inquiry? No one knows because there is no such reporting requirement.

In the executive branch, no FBI or Justice Department official audits the use of national security letters to assess whether they are appropriately targeted, lawfully applied or contribute important facts to an investigation.

Here's another joke of a reporting requirement. Inspector General Glenn Fine files reports on abuses twice a year. He hasn't found any. Ask yourself, how can someone report an abuse if he is never notified of the search in the first instance? As Fine himself told Congress:

We do rely upon complaints coming in," Fine said in House testimony in May. He added: "To the extent that people do not know of anything happening to them, there is an issue about whether they can complain. So, I think that's a legitimate question."

The ACLU has been actively litigating the legality of the National Security Letters. Their latest press release is here.

Also, the ACLU is less critical than I am of activity taking place in Congress now where conferees of the Senate and House are working out a compromise version of Patriot Act extension legislation that will resolve differences in versions passed by each in the last Congress. The ACLU reports that the Senate version contains some modest improvements respecting your privacy rights while the House version contains further intrusions. There is still time to contact the conferees. The ACLU provides more information and a sample letter here.

History shows that once new power is granted to the government, it rarely gives it back. Even if you wouldn’t recognize a terrorist if he were standing in front of you, let alone consort with one, now is the time to raise your voice