One of the more interesting things to sneak out around the edges of the FBI’s redaction bars in Yahoo’s document dump of National Security Letters was the sheer amount of information the agency was demanding. The FBI — using letters it writes and approves with no outside oversight — wants all of the following in exchange for a piece of paper backed by nothing but the FBI’s “national security” claims.

In preparing your response to this National Security Letter, you should determine whether your company maintains the following types of information which may be considered by you to be an electronic communications transactional record in accordance with Title 18 United States Code § 2709.

Subscriber name and related subscriber information

Account number(s)

Date the account opened or closed

Physical and or postal addresses associated with the account

Subscriber day/evening telephone numbers

Screen names or other on-line names associated with the account

All billing and method of payment related to the account including alternative billed numbers or calling cards

All e-mail addresses associated with the account to include any and all of the above information for any secondary or additional e-mail addresses and or user names identified by you as belonging to the targeted account in this letter

Internet Protocol (IP) addresses assigned to this account and related e-mail accounts

Uniform Resource Locator (URL) assigned to the account

Plain old telephone(s) (POTS), ISDN circuit(s), Voice over internet protocol (VOIP), Cable modem service, Internet cable service, Digital Subscriber Line (DSL) asymmetrical/symmetrical relating to this account

The names of any and all upstream and providers facilitating this account’s communications

This is odd because the FBI is not entitled to all of this information when using NSLs, as Gabe Rottman of CDT points out.

There are a few statutes that authorize the issuance of NSLs, but the most important—and the one with the greatest potential for abuse—is 18 U.S.C. § 2709, titled “Counterintelligence Access to Telephone Toll and Transactional Records.” As the name suggests, the authority was meant to be limited to phone records. It allows the FBI to issue NSLs to telecommunications companies to secure “the name, address, length of service, and local and long distance toll billing records of a person or entity” if the FBI certifies that they are relevant to a terrorism or espionage investigation. (The statute does mention the phrase “electronic communication transactional records,” but it still limits the types of covered records to name, address, length of service, and billing records–i.e., the equivalent of phone records.)

So, the FBI is asking for far more than it’s allowed to get with an NSL. It’s apparently hoping some NSL recipients won’t know they’re not required to turn over all of this information. Certainly, Yahoo knows, having battled the FBI (and the FISA court) over government demands for information. But the FBI issues thousands of these every year, and not every recipient is going to know what it does or doesn’t have to turn over to the feds.

This perhaps explains the push to expand the FBI’s NSL capabilities. Secret language in the Senate’s secret intelligence bill looks to add email metadata and possibly browsing history to the list of records the FBI can acquire with NSLs. FBI Director James Comey has been stumping for this change, claiming the only thing standing between the FBI and records it always should have had access to in the first place is a typo.

On top of that, Sen. John Cornyn is attempting to “fix” the ECPA… by making even more of a mockery of the words behind the acronym: Electronic Communications Privacy Act. This is what Cornyn wants to give the FBI warrantless access to:

Name, physical address, email address, telephone number, instrument number, and other similar account identifying information.

Account number, login history, length of service (including start date), types of service, and means and sources of payment for service (including any card or bank account information).

Local and long distance toll billing records.

Internet Protocol (commonly known as ‘IP’) address or other network address, including any temporarily assigned IP or network address, communication addressing, routing, or transmission information, including any network address translation information (but excluding cell tower information), and session times and durations for an electronic communication.

As you can see, some of those records are already being requested by the FBI with NSLs, even though it has no legal basis to do so. It appears the FBI is pushing for codification of practices it already uses. That’s the intelligence community way: it’s better to ask for legislative fixes than permission. It’s a forgiveness that pardons past behavior and permanently shields the agency from future legal challenges.



