Expansion of Secret National Security Letters – A Poison Pill for Email Privacy

Written by Gabe Rottman

2016-06-02 NSL_blog

This is a “national security letter.”  Initially meant as a very limited investigative tool in financial cases, national security letter (NSL) authority has morphed into a frequently used, and abused, way by which the FBI can secure telephone records in terrorism or espionage cases without going to a judge.  NSLs have been controversial for years, especially since NSL authority was broadly expanded under the USA Patriot Act.

The FBI, however, is now pushing for an even more dramatic expansion of NSL authority, and is trying to sneak it into non-controversial email privacy legislation (which passed the House unanimously without the offending NSL provision) or a “must-pass” intelligence spending bill.  Procedurally, this is deeply inappropriate.  Substantively, it would be a massive expansion of the government’s ability to spy on our electronic communications.

Substantively, it would be a massive expansion of the government’s ability to spy on our electronic communications.

NSLs are a type of administrative subpoena.  They are issued at the sole discretion of the FBI, are not reviewed by a judge, and they come with a broad gag order that prevents the recipient of the letter from telling people they’ve received one.

There are a few statutes that authorize the issuance of NSLs, but the most important—and the one with the greatest potential for abuse—is 18 U.S.C. § 2709, titled “Counterintelligence Access to Telephone Toll and Transactional Records.”  As the name suggests, the authority was meant to be limited to phone records.  It allows the FBI to issue NSLs to telecommunications companies to secure “the name, address, length of service, and local and long distance toll billing records of a person or entity” if the FBI certifies that they are relevant to a terrorism or espionage investigation. (The statute does mention the phrase “electronic communication transactional records,” but it still limits the types of covered records to name, address, length of service, and billing records–i.e., the equivalent of phone records.)

NSL authority was deliberately limited to phone records or the equivalent, which, while extremely sensitive, are less so than the ever-increasing universe of electronic data being created every second about each of us.  The FBI proposes now to expand § 2709 authority to a vast array of electronic records.

Called the “ECTR fix” for “electronic communications transactional records,” the proposed legislation would create several new categories of data that would be accessible under an NSL.  Those are, and I’m quoting directly from the proposal (new section 2709(b)(2)):

  1. Name, physical address, email address, telephone number, instrument number, and other similar account identifying information.
  2. Account number, login history, length of service (including start date), types of service, and means and sources of payment for service (including any card or bank account information).
  3. Local and long distance toll billing records.
  4. Internet Protocol (commonly known as ‘IP’) address or other network address, including any temporarily assigned IP or network address, communication addressing, routing, or transmission information, including any network address translation information (but excluding cell tower information), and session times and durations for an electronic communication.

Most of that is pretty self-explanatory.  Under the proposal, in addition to phone records, the FBI would be able to use an NSL to get various details about your internet service:  your account number, the identifier for your modem, types of service, how you pay, when you logon or off, etc.

But the rubber really meets the road in the fourth category.  It’s a bit confusingly written (there should be a semi-colon, not a period, right before “communication addressing”), but it covers two types of electronic communications data.

First, it would cover IP addresses, including temporary IP addresses, which are the unique numbers used to identify a device that is communicating over the internet.  Second, and crucially, that provision would broadly cover “communication addressing, routing, or transmission information, including any network address translation information.”

It means every time you interact with the internet, the record of that interaction is fair game for an NSL.

That’s dragnet language.  It means every time you interact with the internet (or any other network), the record of that interaction is fair game for an NSL.  Any time you send an email, for instance, your identity and the identity of the recipient of the email is “communication addressing, routing, or transmission information.”  Any time you send a text message, ditto.  Anytime you visit a website or update your Facebook page, ditto.

All of this information is deeply revelatory about our personal lives.  Although telephone records are certainly sensitive enough (a call to the suicide prevention hotline, for instance), in the modern age electronic communications are even more sensitive.  Here’s a partial list of what the FBI would be able to get using an NSL under the “ECTR fix proposal”:

  1. Your entire email history—who emailed whom, when, from which device, and where.
  2. Your entire web browsing history (every time you request a page, click a link on a page, or otherwise interact with a website, it creates addressing, transmission and routing information).
  3. Logs of all your text messages (though not the messages themselves), including those of third party messaging apps such as WhatsApp, Twitter direct messages, and Snapchat.
  4. Deanonymized records (the FBI could link the use of an anonymous communications platform—one used by a political activist, for instance—to account information and IP address).
  5. Detailed location information (the FBI could use a combination of your assigned IP address; GPS data; and Wi-Fi connection to track your movements within meters through, for instance, a medical facility and tell whether you visited an oncologist, a psychiatrist, or a doctor that specializes in AIDS/HIV.)
  6. The ability to get this information for users (potentially hundreds or thousands) who are behind a single IP address or other proxy (through a “network address translation” gateway, for instance, or Tor node).
  7. And, how long you spent doing something online.

Basically, even though the FBI would not be able to obtain content, the breadth of what they could get—again, without going to court—is nothing less than one’s digital fingerprint.  As we migrate our lives increasingly online, all of our beliefs, predilections, biases, wants and desires can be seen in that fingerprint.

If I’m a Trump voter, for instance, you’ll be able to see that pattern in the blogs I read, the email listservs I subscribe to, the group of friends I communicate with, or the fact that I took that selfie at the local Trump rally.  If I’m battling a serious illness, I’m going to create a series of digital breadcrumbs suggestive of my diagnosis.  Likewise if I’m a member of a religious minority or a controversial political movement.  If I’m a government or corporate whistleblower, I may be using anonymous communications tools to communicate with whistleblower organizations or the press.

The potential for misuse, abuse, or simple mistake is extreme.

The FBI will likely argue that the authority is only available in terrorism or espionage cases.  But that should be small comfort when you consider that—just as with “bulk” collection—a vast number of individuals who have nothing to do with a particular investigation may be in contact with someone or some entity that is in contact with the subject.

All that data then gets swept in all the same.  Add to that the sheer volume of national security letters being issued, which is in the tens of thousands.  Without a neutral judge keeping tabs on why the FBI is issuing these NSLs and seeking these records, the potential for misuse, abuse, or simple mistake is extreme.

It’s doubly offensive that the FBI is trying to sneak this provision into a bill that would finally bring email privacy into the 21st century or a “must-pass” intelligence budget bill.  At the very least, it must be subject to open and vigorous debate.  The Senate must reject the “ECTR fix” as a wholly unwarranted and dangerous expansion of government surveillance power.

Share Post