Wrong Direction on Privacy

08/02/2010 03:57 pm ET | Updated Oct 26, 2011

The White House wants to make it easier for the FBI to get at your email and web browsing records; the plan is to make transactional information surrounding your Internet
communications --- the to/from information and the times and dates of those communications --- subject to National Security Letters (NSLs), meaning the FBI could get these records without going through a judge.

NSLs were created in 1978 to give FBI investigators an easy way to
obtain various business records, including the transactional
information of phone records (not the content, which is subject to
more stringent protections). The "easy" part of NSLs is that no
courts are involved in issuing an NSL; the bureau does so itself. FBI
guidelines require NSLs to be issued only on a written request of an
FBI Special Agent in Charge (or other specially delegated senior FBI
official), and there are four approval steps in the process.

Originally NSLs were to be used against foreign powers and people
believed to be their agents. But proving someone was an agent of a
foreign power was not all that easy, and NSLs were rarely used. That
situation changed with the PATRIOT Act, which allowed NSLs to be used
to gather information relevant to international terrorism cases. In
an Orwellian touch, under the PATRIOT Act the bureau could require
that the recipient of an NSL keep the order secret. NSL numbers shot
up; between 2003-2006, the FBI issued 192,000 NSLs. Many were to
phone companies. Why is clear; knowing who the bad guys are
communicating with leads to untangling plots, often before law
enforcement understands exactly what the plot might be. Such appears
to be what happened, for example, in the case

At first in the initial aftermath of September 11th, telephone
company workers were sharing offices with the FBI Communications
Assistance Unit, and many times the required procedures went by the
wayside. And instead of NSLs, the FBI begun using "exigent letters''
requesting immediate access to telephone records with claims to the phone
companies that the appropriate subpoenas were in process. Many times
that wasn't true. Sometimes there wasn't even a paper trail for the
requests; they were just issued verbally. Dates and other specifics
were often missing from the requests, which meant law enforcement got
many more months of data than there was need for.

Why does this matter? It turns out that communications
transactional information is remarkably revelatory. When NSLs were
created in 1978, phones were fixed devices, and the information of who
was calling whom provided a useful past history of behavior. The
information is much richer with mobile devices; knowing who is calling
whom, or whose cellphone is repeatedly located in the same cellphone
sector as whose, provides invaluable information --- information that
is simultaneously remarkably invasive. Transactional data reveals who
spends time together, what an organization's structure is, what
business or political deals might be occurring. Reporters were the
subject of some of the exigent letter requests. For First Amendment
reasons, there are very strict federal guidelines regarding acquiring
journalist's phone records, but many of these were disregarded by the
FBI. Such broad searches can have a very chilling effect on a
reporter's ability to do investigative reporting.

The FBI Inspector General's
said that there "numerous, repeated, and significant management
failures [that] led to the FBI's use of exigent letters and other
informal requests over an extended period of time," and that the FBI
failed to follow the Electronic Privacy Communications Act
(ECPA) and the Attorney General's guidelines for FBI national-security
investigations. The administration response? Six months after the
Inspector General's report, the White House requested that Congress
amend ECPA to assure that the FBI could acquire transactional records
for Internet activity through NSLs --- with no judicial oversight

There is no question that bad actors, from criminals and
terrorists, to those involved in massive data exfiltration from
U.S. corporations and government, use the network to conduct their
activities. But in a world in which everyone's cellphone broadcasts
their locations several times an hour and where a simple browser
history can easily reveal someone's private plans, better protections
for transactional information needs to be part of new wiretap law.
The FBI's recent history on the use of exigent letters underscores
that need. The administration is currently heading in exactly the
wrong direction on access to transactional information. Instead, for
both security and privacy's sake, the administration should be
pressing for stronger protections for transactional information, not
weaker ones.