iOS app Android app More

Featuring fresh takes and real-time analysis from HuffPost's signature lineup of contributors
Susan Landau


Wrong Direction on Privacy

Posted: 08/02/10 04:56 PM ET

The White House wants to make it easier for the FBI to get at your email and web browsing records; the plan is to make transactional information surrounding your Internet
communications --- the to/from information and the times and dates of those communications --- subject to National Security Letters (NSLs), meaning the FBI could get these records without going through a judge.

NSLs were created in 1978 to give FBI investigators an easy way to obtain various business records, including the transactional information of phone records (not the content, which is subject to more stringent protections). The "easy" part of NSLs is that no courts are involved in issuing an NSL; the bureau does so itself. FBI guidelines require NSLs to be issued only on a written request of an FBI Special Agent in Charge (or other specially delegated senior FBI official), and there are four approval steps in the process.

Originally NSLs were to be used against foreign powers and people believed to be their agents. But proving someone was an agent of a foreign power was not all that easy, and NSLs were rarely used. That situation changed with the PATRIOT Act, which allowed NSLs to be used to gather information relevant to international terrorism cases. In an Orwellian touch, under the PATRIOT Act the bureau could require that the recipient of an NSL keep the order secret. NSL numbers shot up; between 2003-2006, the FBI issued 192,000 NSLs. Many were to phone companies. Why is clear; knowing who the bad guys are communicating with leads to untangling plots, often before law enforcement understands exactly what the plot might be. Such appears to be what happened, for example, in the case of Najibullah Zazi, who recently pled guilty to a plot to bomb the New York City subways.

At first in the initial aftermath of September 11th, telephone company workers were sharing offices with the FBI Communications Assistance Unit, and many times the required procedures went by the wayside. And instead of NSLs, the FBI begun using "exigent letters'' requesting immediate access to telephone records with claims to the phone companies that the appropriate subpoenas were in process. Many times that wasn't true. Sometimes there wasn't even a paper trail for the requests; they were just issued verbally. Dates and other specifics were often missing from the requests, which meant law enforcement got many more months of data than there was need for.

Why does this matter? It turns out that communications transactional information is remarkably revelatory. When NSLs were created in 1978, phones were fixed devices, and the information of who was calling whom provided a useful past history of behavior. The information is much richer with mobile devices; knowing who is calling whom, or whose cellphone is repeatedly located in the same cellphone sector as whose, provides invaluable information --- information that is simultaneously remarkably invasive. Transactional data reveals who spends time together, what an organization's structure is, what business or political deals might be occurring. Reporters were the subject of some of the exigent letter requests. For First Amendment reasons, there are very strict federal guidelines regarding acquiring journalist's phone records, but many of these were disregarded by the FBI. Such broad searches can have a very chilling effect on a reporter's ability to do investigative reporting.

The FBI Inspector General's report said that there "numerous, repeated, and significant management failures [that] led to the FBI's use of exigent letters and other informal requests over an extended period of time," and that the FBI failed to follow the Electronic Privacy Communications Act (ECPA) and the Attorney General's guidelines for FBI national-security investigations. The administration response? Six months after the Inspector General's report, the White House requested that Congress amend ECPA to assure that the FBI could acquire transactional records for Internet activity through NSLs --- with no judicial oversight involved.

There is no question that bad actors, from criminals and terrorists, to those involved in massive data exfiltration from U.S. corporations and government, use the network to conduct their activities. But in a world in which everyone's cellphone broadcasts their locations several times an hour and where a simple browser history can easily reveal someone's private plans, better protections for transactional information needs to be part of new wiretap law. The FBI's recent history on the use of exigent letters underscores that need. The administration is currently heading in exactly the wrong direction on access to transactional information. Instead, for both security and privacy's sake, the administration should be pressing for stronger protections for transactional information, not weaker ones.