The laws acknowledged reality—that you can’t live normally in an electronic age without placing personal information in the hands of third parties, usually corporations that have little interest in fighting the government to protect your privacy.
Meanwhile, the Supreme Court was moving the other way by ruling that you lose your Fourth Amendment protection as soon as you provide records to banks, phone companies, and the like. In 1976, it reversed a circuit court decision to suppress the evidence of microfilmed canceled checks and deposit slips subpoenaed from two banks, finding in United States v. Miller no “expectation of privacy” in such commercial documents voluntarily conveyed to a financial institution. “The depositor takes the risk, in revealing his affairs to another, that the information will be conveyed by that person to the government. This Court has held repeatedly that the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to government authorities, even if the information is revealed on the assumption that it will be used only for a limited purpose and the confidence placed in the third party will not be betrayed.” Consequently, the warrant contemplated by the Fourth Amendment was not required; a subpoena—or, by implication, nothing more than a polite request to the bank—was sufficient to get your records.23
Three years later, the Court subtracted phone records from Fourth Amendment protection, finding in Smith v. Maryland that a customer has no “legitimate expectation of privacy” over what numbers he calls from his home telephone. A pen register, an electronic device placed by the company at police request to record outgoing phone numbers, is not a “search” because it keeps track of only the calling destinations, not the conversations’ contents. “Since the pen register was installed on telephone company property at the telephone company’s central offices, petitioner obviously cannot claim that his ‘property’ was invaded or that police intruded into a ‘constitutionally protected area,’ the Court ruled. “We doubt that people in general entertain any actual expectation of privacy in the numbers they dial. All telephone users realize that they must ‘convey’ phone numbers to the telephone company, since it is through telephone company switching equipment that their calls are completed. All subscribers realize, moreover, that the phone company has facilities for making permanent records of the numbers they dial, for they see a list of their long-distance (toll) calls on their monthly bills.”24
Maybe I don’t fall into the category of “people in general,” but I don’t think that my bank and the phone company are the same as the FBI. In my mind, there is a difference between the private sector and the state. When I push buttons on my phone, I recognize that the phone company’s switching equipment has to work for me, but I don’t expect the numbers I call to show up on the computer screens of government agencies. When I give my banker and broker personal financial information, I don’t expect cops to be looking over their shoulders. My expectation of privacy does not disappear when I share information with trusted service providers, because I am not placing it in the public square. My personal information should be treated like my personal property, inaccessible without my permission.
The Supreme Court has ruled otherwise, and its sophistry is a curse on the Bill of Rights. It goes like this: Because your personal information is collected by companies, you cannot expect it to remain private, and therefore government may acquire it. Since the government can get it, you have no expectation of privacy in such records, which allows the government to act as if there were no privacy.
In other words, obtaining the information is possible, so it is also permissible, for if you have no “expectation of privacy,” a “search” is not actually occurring under the Fourth Amendment. Your entire financial, travel, communications, purchasing, Web-browsing, and library-book-borrowing activities may be collected by law enforcement, but these are not “searches.” The logic is relentless: Citing Supreme Court opinions, “several senior FBI attorneys” told Justice Department investigators that National Security Letters for phone records “do not implicate privacy interests under the Fourth Amendment.”25 To protect information, you have to keep it solely in your home or office or wallet.
In a technological age, when few details of a person’s life remain in her desk drawer alone, this circular argument diminishing the “expectation of privacy” creates a whirlpool that sucks down a critical constitutional principle: that the state must be held at bay to preserve individual liberty. It’s a bit like the old Soviet Union arguing that since Russians obviously had no expectation of privacy on their phones, the KGB was perfectly entitled to listen in.
That interpretation leaves only the law, not the Constitution, to restrict third parties from revealing data. Read the little privacy brochures your bank, broker, and Internet provider send periodically and you’ll notice that they invariably begin with high-sounding promises: “We are honored that you have entrusted us with your financial affairs, and we are committed to safeguarding the privacy of information we maintain about you,” says Charles Schwab’s “Commitment to Your Privacy.” It sounds good until you get to page three, which notes the big exceptions: “We provide access to information about you to outside companies and other third parties in certain limited circumstances, including … when we believe that disclosure is required or permitted under law. For example, we may be required to disclose personal information to cooperate with regulatory or law enforcement authorities, to resolve consumer disputes, to perform credit/authentication checks, or for risk control.”26
In the 1970s and ’80s, as the boundaries of privacy were being redrawn by the courts, the Congress, and the executive branch’s law enforcement and intelligence agencies, the limits were made fluid by crosscurrents of invasion and protection. Into the ebb and flow came the three federal privacy statutes designed to defend Americans from government snooping by prohibiting companies from releasing information without overt, challengeable orders. And then each was diluted by the provision authorizing secret National Security Letters.
The Fair Credit Reporting Act of 1970 required firms to keep your credit reports private and, even if properly subpoenaed, to reveal only your name, addresses, and places of employment. It was watered down with an NSL section in 1996.27
The Right to Financial Privacy Act, passed in 1978, concealed your check-writing, investing, travel, and other such records. It was weakened by an NSL exception in 1986.28
Your telephone and Internet browsing records and e-mails were made inaccessible under the Electronic Communications Privacy Act, which took effect in 1986 only to be breached by expanded NSL authorizations in 1993 and 1996.29 A fourth law, the National Security Act of 1947, was amended in 1994 after the arrest of the CIA spy Aldrich Ames, to permit NSLs against government employees suspected of disclosing classified information.30
Even in its early form, the investigative tool of the NSL circumvented judicial oversight, carried the automatic gag order, and provided the target with neither notification nor appeal. Yet it generated little opposition. Its limitation to counterintelligence, plus the six to twelve months it took to get a letter issued, made it relatively unpopular in the FBI. So it lurked in legal shadows until the rush of panic that produced the Patriot Act after September 11, 2001. Then the number of annual requests for information via NSLs soared, from about 8,500 in 2000 to 56,000 in 2004 (decreasing somewhat to 47,000 in 2005), according to incomplete FBI records. (An internal sampling of files found the actual number to be 17 percent higher than these official figures.)31
Furthermore, the Defense Department secretly issued about five hundred NSLs for contractors’ and employees’ financial and credit card records between September 11, 2001, and 2007, according to an internal review, thereby breaching the traditional barrier designed to prevent military involvement in domestic intelligence and law enforcement. The letters, made public in an ACLU Freedom of Information suit, sometimes asked for all credit card charges or bank account records over as much as a five-year period
, indicating that investigators were looking for purchases and deposits beyond a person’s means, perhaps from extraordinary payments for espionage.
In the hands of the Pentagon, the tool was a request, not a requirement, legally less powerful than the FBI’s version. The air force letters that were released contained a standard warning not to disclose the request “regardless of whether you provide this information,” suggesting that compliance was optional. But one letter also called itself a “subpoena” and was stamped “This Subpoena contains a: NON-DISCLOSURE ORDER. Do Not Notify Customer. Do Not Charge Account.” In the face of such a document stating that it was part of “an official foreign counterintelligence investigation,” very few institutions refused, the records showed. To add muscle, the FBI was sometimes asked to use its more draconian variant to get information the Pentagon wanted for investigations of alleged spying, terrorism, or other supposed threats against the military. The ACLU believed the targets included antiwar activists.32
MISSION CREEP
This history of the National Security Letter is a cautionary tale of metamorphosis, illustrating how an intrusion that seems reasonable and tightly focused can evolve into a menace. In all three privacy statutes, the limited NSL loopholes that had been added in the 1980s and 1990s were broadened by the Patriot Act. No longer did the letters require “specific and articulable facts giving reason to believe” that the records sought belonged to “a foreign power or agent of a foreign power,” but now could be gathered if “relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities.”33
It was a powerful sentence. Adding antiterrorism to counterintelligence, removing the foreign-agent criterion, and making the information merely “relevant” eliminated the concept of individualized suspicion that is central to the Fourth Amendment. It opened the NSL for use against more than the suspect in an investigation by permitting information collection on relatives, friends—indeed, anyone the suspect may have contacted, including innocent people whose data are now floating around in numerous agencies’ computers. How many non-suspects have been targeted is unknown, since the FBI did not keep track before 2006.
The amendment in the Patriot Act also invited the use of the NSL in criminal cases. If a foreign spy has diplomatic immunity from prosecution—as most probably do—agencies might just want to monitor him or expel him from the country, the customary remedy. Americans and nondiplomats can be arrested, of course, but those instances come along infrequently. By contrast, a suspected terrorist on U.S. soil is usually put into the criminal justice system: arrested, indicted, tried—certainly not expelled. So the NSL, a device conceived for intelligence gathering, was transformed into an evidence-gathering tool, raising constitutional implications.
The Patriot Act expanded the number of people who could issue a letter, from ten high-ranking officials in FBI headquarters to the heads of all fifty-six FBI field offices plus numerous managers in various divisions based in Washington.34 This made authorization quite easy. Furthermore, a new form of NSL was added to the Fair Credit Reporting Act permitting authorities to demand from credit companies any information on individuals, including full credit reports.
The amendments allowed a continuous hailstorm of NSLs to pepper Internet providers, telephone companies, banks, libraries, and other institutions holding private records of millions of people. The nature of the targets also shifted. Before the Patriot Act, about 39 percent were “U.S. persons,” a term defined in law as citizens and legal immigrants who are permanent residents.35 From 2003 through 2005, U.S. persons jumped to 53 percent in the FBI’s official tallies, and a sample survey by the Justice Department’s inspector general showed the figure as 12 percent higher, or about 65 percent overall.36 Terrorism investigations accounted for about 73 percent of the NSLs, intelligence cases for just 26 percent, and foreign computer intrusions for the remaining 1 percent, according to the inspector general’s study. The National Security Letter had been entirely transformed.
But even the loose standards weren’t loose enough for agents who violated them frequently. Two official studies found the FBI files on NSLs laced with evidence of bureaucratic confusion and shortcuts, ignorance of the law, and outright dishonesty.
Part of the fault lies with a Congress skilled in writing complexities into statutes. Hapless FBI agents, few of whom are lawyers, cannot always be blamed for mistakes as they journey through bewildering loopholes and labyrinths. “We found confusion about the authorities available under the various NSL statutes,” the first study reported blandly in 2007. It did not go on to suggest the remedy: either judicial oversight or a straightforward prohibition against administrative government access to private records. Instead, we have protective laws riddled with exceptions.
The confused legal terrain allows officials to wander unbridled as they issue NSLs. The inspector general found “no clear guidance” to FBI agents, for example, on how to reconcile “the expansive authorities in the NSL statutes” with a long-standing presidential executive order mandating “the least intrusive collection techniques feasible.”37
The FBI’s carelessness in drawing up National Security Letters rivaled its laboratory’s imprecision in analyzing evidence. Its official statistics understated the number of NSLs actually in the files, the inspector general found, and forty-eight violations were discovered in a relatively small sample of 293 NSLs. Despite the Patriot Act’s vague requirement that the information be “relevant to an authorized investigation,” many letters were issued where no investigation had been launched. In three of the four divisions surveyed, signed copies were not kept, so investigators could not check on whether they had been approved by an official authorized to issue them. A cavalier approach prevailed.
Mistyped phone numbers and e-mail addresses produced personal information about the wrong people. Communications companies turned over more than was requested or allowed. Nine NSLs were illegally used to obtain full credit reports for counterintelligence, although the law authorized them only for counterterrorism.38 Two NSLs illegally sought content information from e-mails, beyond the addresses and subject lines the law permitted. Time limits were violated as phone records were obtained for periods thirty to eighty-one days longer than prescribed by the NSLs. One agent, using a bank customer’s PIN obtained through a FISA warrant, got illegal access to the person’s account without an NSL.
Thanks to press reports, the inspector general learned that a North Carolina university was served with an NSL going far beyond its legal authority by demanding “applications for admission, housing information, emergency contacts, and campus health records,” as the FBI investigated a student’s possible involvement in the 2005 bus and subway bombings in London. Oddly, a grand jury subpoena for the records, already in process, was later served, and the university complied. Agents seemed to see the NSL as a shortcut.
“In most cases,” the report concluded, “the FBI was seeking to obtain information that it could have obtained properly if it had followed applicable statutes, guidelines, and internal policies.” But the broadened NSL became the administrative path of least resistance where even the thinnest checks and balances were missing. This led some agents to cheat the law and lie to each other, as well as to telecommunications firms.
The FBI entered into contracts with three unnamed phone companies to provide information on thousands of numbers, often through pen registers, which record the destinations of outgoing calls, and through trap-and-trace devices, which capture incoming numbers. (The names are anachronistic, dating from an era of copper wires and electromechanical switches; their functions are now performed by computers.)
The inspector general, Glenn A. Fine, blasted the FBI in 2010 for the “casual culture” that had grown up between agents and telecom firms. Instead of using NSLs or other legal means, “FBI personnel sought and received telephone records based on informal requests made by e-mail, by telephone, face-to-face, and even on post-it n
otes,” he reported. At least 3,500 phone numbers were monitored in this informal manner, facilitated by three phone companies stationing employees in the FBI’s Communications Analysis Unit, which “blurred the line between the FBI and the service providers” and “contributed to the serious abuses.” In a practice called sneak peeks, the company representatives “would check their records and provide a preview of the available information for a targeted phone number, without documentation of the fact of the request. At times, the service providers’ employees simply invited FBI personnel to view the telephone records on their computer screens. Notably, virtually none of these FBI requests for telephone records—either the exigent letters or the other informal requests—was accompanied by documentation explaining the authority for the requests.” Agents obtained phone records on news reporters without the required authorization by the attorney general.
The FBI also “made inaccurate statements to the [secret] FISA Court,” Fine discovered. “In several instances, the FBI submitted affidavits to the Court that information in FISA applications was obtained through NSLs or a grand jury subpoena, when in fact the information was obtained by other means, such as exigent letters.”
Evading even the relaxed procedures for obtaining National Security Letters, agents in the Counterterrorism Division who were not authorized to sign NSLs issued 739 of these so-called exigent letters requesting data on about 3,000 phone numbers from March 2003 to December 2005. They were trying to invert a Patriot Act provision allowing telecom firms that see something suspicious to tell the government without risking a lawsuit by the customer. But here, the FBI was initiating the request, and agents lied to the phone companies, and sometimes to other FBI officials, that NSLs or grand jury subpoenas had been applied for and would soon follow, and that the situations were emergencies.
The Rights of the People Page 29