The secret government requests for customer information Yahoo
made public Wednesday reveal that the FBI is still demanding email
records from companies without a warrant, despite being told by Justice
Department lawyers in 2008 that it doesn’t have the lawful authority to
do so.
By: Jenna McLaughlin
WASHINGTON (TheIntercept)
- That comes as a particular surprise given that FBI Director James
Comey has said that one of his top legislative priorities this year is
to get the right to acquire precisely such records with those
warrantless secret requests, called national security letters, or NSLs.
“We need it very much,” Comey told Sen. Tom Cotton, R-Ark., during a
congressional hearing in February.
At issue is whether the
national security letters empower the FBI to demand what are called
“electronic communication transactions records,” or ECTRs. Such records
can include email header information – not their content – and browsing
histories.
In 2008, the Justice Department’s Office of Legal
Counsel concluded that the FBI was only entitled to get the name,
address, length of service, and toll billing records from companies
without a warrant. Opinions issued by the OLC are generally treated as
binding and final within the executive branch.
The FBI has said
it disagrees with that conclusion, and interprets the opinion
differently, according to a 2014 inspector general report. It sees the
question as more of an “impasse” than an actual legal barrier.
But activists, members of Congress, and academics think the DOJ opinion was pretty clear.
“The
Justice Department told FBI officials that if they want to demand
Americans’ email records, they need a court order,” Senator Ron Wyden,
D-Ore., said in a statement emailed to The Intercept. “It is very
troubling that the FBI has apparently not been adhering to that
guidance.”
“It seems that the FBI has again crossed the line when
it comes to ECTRs, even after being explicitly told — under the Bush
administration, no less — that they were not legally authorized to
demand these personal records absent a court order,” Robyn Greene,
policy counsel for the Open Technology Institute, wrote in a message to
The Intercept. “The last thing Congress should be doing right now is
giving the FBI more leeway to abuse its NSL authorities.”
The FBI declined to comment. But one of the letters Yahoo released — after being released from a gag order — started as follows:
Under the authority of Executive order 12333, dated July 30, 2008,
and pursuant to Title 18 of the United States Code (U.S.C.), 2709 (201
of the Electronic Communications Privacy Act of 1986) (as amended), you
are hereby directed to provide to the Federal Bureau of Investigation
(FBI) the names, addresses, and length of service and electronic
communications transactional records, to include existing
transaction/activity logs and all electronic mail (e-mail) header
information, for the below-listed email/IP address holder(s).
Major
service providers know the FBI doesn’t have the authority to make all
those demands. In fact, Yahoo did not turn over the electronic
communication transactions records, including “activity logs and all
e-mail header information.” “We disclosed [the records] as authorized by
law,” wrote Chris Madsen, head of Yahoo’s global law enforcement,
security, and safety team, in a blog post.
Chris Soghoian, chief
technologist at the American Civil Liberties Union, said FBI agents
might be hoping at least some recipients don’t know they lack the
authority they claim to have.
“Essentially, the FBI believes they
can ask for the sun, the moon and the stars in an NSL, while knowing
that tech companies don’t have to turn over anything more than name,
address and length of service,” he wrote in an email.
“The FBI
asks for so much, because it is banking that some companies won’t know
the law and will disclose more than they have to. … The FBI is preying
on small companies who don’t have the resources to hire national
security law experts,” he argued.
Facebook officials drafted and
made public their law enforcement guidelines in 2012, in the hopes of
clarifying what they believed technology companies are required to turn
over. “We interpret the national security letter provision as applied to
Facebook to require the production of only two categories of
information: name and length of service,” read the guidelines.
Technology
companies rarely talk about NSLs because of the accompanying gag
orders. But one technology company official told The Intercept on
background that “it is our general understanding that other companies
also comply narrowly (in line with the DOJ OLC Opinion).”
The FBI
issued nearly 13,000 national security letters in 2015 alone, for
information about almost 50,000 different people. They go to internet,
technology, social media, and communications companies of all sizes, as
well as banks.
Only now are some of the gags being lifted, nearly
two and a half years after President Obama announced that he was
ordering the Justice Department to terminate gag orders “within a fixed
time unless the government demonstrates a real need for further
secrecy.”
The debate over how much power an NSL grants started 10
years ago, when two unidentified technology companies refused to
provide information beyond the most basic subscriber data. (In NSLs of
that era and before, that have since been disclosed, the FBI’s demands
sometimes included web browsing records as well as email metadata.)
The
companies argued that the law cited in the NSLs didn’t obligate them to
turn over anything more – and President George W. Bush’s Department of
Justice agreed.
The FBI has repeatedly asked Congress to give it
the explicit power to get email and browsing data through NSLs, with no
success. Right now, there are provisions in two separate bills that
would do so.
Privacy advocates have fought tooth and nail against
such a move, considering it a huge expansion of the FBI’s warrantless
surveillance capabilities.
Comey described the change during a
congressional hearing in February. “It’s necessary because what I
believe is a typo in the 1993 statue that has led to some companies
interpreting it in a way I don’t believe Congress ever intended,” he
said. “So it’s ordinary, but it affects our work in a very, very big and
practical way.”
Privacy advocates say that’s disingenuous—and
they are even more infuriated that the FBI is apparently asking for that
information anyway.
“This should send up a huge red flag for Congress about the real potential for abuse,” OTI’s Robyn Greene concluded.
No comments:
Post a Comment