A national security letter (NSL) is an administrative subpoena issued by the United States government to gather information for national security purposes. NSLs do not require prior approval from a judge. The Stored Communications Act, Fair Credit Reporting Act, and Right to Financial Privacy Act authorize the United States government to seek such information that is "relevant" to authorized national security investigations. By law, NSLs can request only non-content information, for example, transactional records and phone numbers dialed, but never the content of telephone calls or e-mails.
NSLs typically contain a nondisclosure requirement forbidding the recipient of an NSL from disclosing that the FBI had requested the information. The nondisclosure provision must be authorized by the Director of the FBI, and only after he or she certifies "that otherwise there may result a danger to the national security of the United States, interference with a criminal, counterterrorism, or counterintelligence investigation, interference with diplomatic relations, or danger to the life or physical safety of any person." Even then, the recipient of the NSL may still challenge the nondisclosure provision in federal court.
The constitutionality of such nondisclosure provisions has been repeatedly challenged. The requirement was initially ruled to be unconstitutional as an infringement of free speech in the Doe v. Gonzales case, but that decision was later vacated in 2008 by the Second Circuit Court of Appeals after it held the USA PATRIOT Improvement and Reauthorization Act gave the recipient of an NSL that included a nondisclosure provision the right to challenge the nondisclosure provision in federal court. In March 2013, a judge in the Northern District of California held the nondisclosure provision in an NSL was unconstitutional. But on August 24, 2015, the Ninth Circuit Court of Appeals vacated the district court's decision and remanded the case to the district court for further proceedings. On remand, the district court held the "NSLs were issued in full compliance with the procedural and substantive requirements suggested by the Second Circuit in John Doe, Inc. v. Mukasey, 549 F.3d 861 (2d Cir. 2008), which had held that the 2006 NSL law could be constitutionally applied" ... and "the NSL law, as amended [by the USA FREEDOM ACT of 2015], was constitutional." The two petitioners then appealed. On appeal, the Ninth Circuit Court of Appeals upheld the district court ruling, holding that NSLs are constitutional, and stated, "the nondisclosure requirement does not run afoul of the First Amendment." Under Seal v. Jefferson B. Sessions, III, Attorney General, Nos. 16-16067, 16-16081, and 16-16082, July 17, 2017.
The oldest NSL provisions were created in 1978 as a little-used investigative tool in terrorism and espionage investigations to obtain financial records. Under the Right to Financial Privacy Act (RFPA, part of the Financial Institutions Regulatory and Interest Rate Control Act of 1978), the FBI could obtain the records only if the FBI could first demonstrate the person was a foreign power or an agent of a foreign power. Compliance by the recipient of the NSL was voluntary, and states' consumer privacy laws often allowed financial institutions to reject the requests. In 1986, Congress amended RFPA to allow the government to request disclosure of the requested information. In 1986, Congress passed the Electronic Communications Privacy Act (ECPA, part of the Stored Communications Act), which created provisions similar to the RFPA that allowed the FBI to issue NSLs. Still, neither the RFPA nor the ECPA included penalties for not complying with the NSL. A 1993 amendment removed the restriction regarding "foreign powers" and allowed the use of NSLs to request information concerning persons who are not the direct subject of the investigation.
In 2001, section 505 of the USA PATRIOT Act expanded the use of the NSLs. In March 2006, the USA PATRIOT Improvement and Reauthorization Act allowed for judicial review of an NSL. A federal judge could repeal or modify an NSL if the court found the request for information was "unreasonable, oppressive, or otherwise unlawful." The nondisclosure provision the government could include in an NSL was also weakened. The court could repeal the nondisclosure provision if it found it had been made in bad faith. Other amendments allowed the recipient of an NSL to inform their attorney about the request, and the government had to rely on the courts to enforce compliance with an NSL.
Section 505 of the USA PATRIOT Act (2001) allowed the use of the NSLs when seeking information "relevant" in authorized national security investigations to protect against international terrorism or clandestine intelligence activities. The act also provided the Department of Defense when conducting a law enforcement investigation, counterintelligence inquiry, or security determination. The Central Intelligence Agency has also allegedly issued NSLs. The Patriot Act reauthorization statutes passed during the 109th Congress added potential penalties for failure to comply with an NSL or disclosing an NSL if the NSL included a nondisclosure provision.
Two contentious aspects of NSLs are the nondisclosure provision and judicial oversight when the FBI issues an NSL. When the Director of the FBI (or his designee) authorizes the inclusion of a nondisclosure provision in an NSL, the recipient may face criminal prosecution if it reveals the contents of the NSL or that it was received. The purpose of a nondisclosure provision is to prevent the recipient of an NSL from compromising both the current FBI investigation involving a specific person and future investigations as well (see 18 U.S.C. 2709), which could fetter the Government's efforts to address national security threats. An NSL recipient (later revealed to be Nicholas Merrill) writing in The Washington Post said,
"[L]iving under the gag order has been stressful and surreal. Under the threat of criminal prosecution, I must hide all aspects of my involvement in the case...from my colleagues, my family and my friends. When I meet with my attorneys I cannot tell my girlfriend where I am going or where I have been."
Like other administrative subpoenas, NSLs do not require judicial approval. For NSLs, that is because the U.S. Supreme Court has held the types of information the FBI obtains with NSLs provide no constitutionally protected reasonable expectation of privacy. Because a person has already provided the information to a third party, e.g., their telephone company, they no longer have a reasonable expectation of privacy to the information, and therefore there is no Fourth Amendment requirement to obtain a judge's approval to obtain the information. Nonetheless, the recipient of the NSL may still challenge the nondisclosure provision in federal court.
The media reported in 2007 that a government audit found the FBI had violated the rules more than 1,000 times in an audit of 10% of its national investigations between 2002 and 2007. Twenty such incidents involved requests by agents for information not permitted under the law. A subsequent report in 2014 by the Justice Department Office of Inspector General concluded the FBI had corrected its practices and that NSLs complied with federal statutes.
According to 2,500 pages of documents the FBI provided to the Electronic Frontier Foundation in response to a Freedom of Information Act lawsuit, the FBI had used NSLs to obtain information about individuals who were the subject of an FBI terrorism or counterintelligence investigation and information from telecommunications companies about individuals with whom the subject of the investigation had communicated. According to a September 9, 2007, New York Times report,
"In many cases, the target of a[n FBI] national security letter whose records are being sought is not necessarily the actual subject of a terrorism investigation. Under the USA PATRIOT Act, the FBI must assert only that the records gathered through the letter are considered relevant to a terrorism [or counterintelligence] investigation."
In April 2008, the American Civil Liberties Union alleged that the military was using the FBI to skirt legal restrictions on domestic surveillance to obtain private records of Americans' Internet service providers, financial institutions, and telephone companies. The ACLU based its allegation on a review of more than 1,000 documents provided by the Defense Department. The Department of Justice Office of Inspector General later determined the Department of Defense (not the FBI) had lawfully obtained the information under the National Security Act of 1947, not through NSLs.
The lack of judicial oversight and the Supreme Court ruling in Smith v. Maryland were the core of Doe v. Ashcroft, a test case brought by the ACLU concerning the use of NSLs. The lawsuit was filed on behalf of "John Doe" plaintiff Nicholas Merrill, founder of Calyx Internet Access, who had received an NSL. The action challenged the constitutionality of NSLs, specifically the nondisclosure provision. At the district court, Judge Marrero of the Southern District of New York held in September 2004 that NSLs violated the Fourth Amendment ("it has the effect of authorizing coercive searches effectively immune from any judicial process") and First Amendment. However, Judge Marrero stayed his ruling while the case proceeded to the court of appeals.
Because of the New York district court ruling, while the case was still on appeal, Congress amended the USA PATRIOT Act to provide for more judicial review of NSLs and clarified the NSL nondisclosure provision. Based on the U.S. Supreme Court rulings, there is still no requirement to seek judicial approval for the FBI issuing an NSL.
The government appealed Judge Marrero's decision to the Second Circuit Court of Appeals, which heard arguments in May 2006. In March 2008, the Second Circuit ruled that nondisclosure provisions were permissible only when the FBI certified that disclosure may result in certain statutorily enumerated harms (see, e.g., 18 U.S.C. 2709), and held the nondisclosure provision to a strict scrutiny standard. The Second Circuit then returned the case to the district court based on amendments to the USA PATRIOT Act that Congress had enacted while the case had been on appeal.
Another effect of Doe v. Ashcroft was increased congressional oversight. The amendments to the USA PATRIOT Act mentioned above included requirements for semiannual reporting to Congress. Although the reports are classified, a nonclassified accounting of how many NSLs are issued is also required. On April 28, 2006, the Department of Justice reported to the House and Senate that in calendar year 2005, "The Government made requests for certain information concerning 3,501 United States persons pursuant to NSLs. During this period, the total number of NSL requests ... for information concerning U.S. persons totaled 9,254."
In 2010, the FBI agreed to partially lift the nondisclosure provision to allow Merrill to reveal his identity. Merrill has since created a corporation for the purposes of educating and researching privacy issues.
On August 28, 2015, Judge Marrero rescinded the nondisclosure provision associated with the NSL Merrill had received, thereby allowing him to speak about the contents of the NSL. On November 30, 2015, the unredacted court ruling was published in full.
Although you’re allowed to challenge the gag every year now under the new [amended] law, the last time I did it, the government presented secret evidence that only they and the judge could see, and my attorneys could not see, and therefore could not challenge. It does kind of add up to a lot of responsibility, and that’s part of what motivated me to start my nonprofit organization, the Calyx Institute. Part of it is to defend people who are gagged. Part of it is also to promote best practices among telecommunications companies in regards to the privacy of customer data.