The FBI's Misuse of National Security Letters Reveals the Often-False Dichotomy Between Security and Privacy

Wednesday, Mar. 14, 2007

The Patriot Act greatly increased the FBI's authority to issue so-called "national security letters" (NSLs)--warrantless demands for private information from third parties such as phone companies, Internet service providers and banks. When Congress reauthorized the Patriot Act in early 2006, it did so on the condition that it receive detailed information about the use, misuse, and efficacy of NSLs. Last week, Justice Department Inspector General Glenn A. Fine issued his first report on NSLs.

The results are not pretty. Among the problems identified by the report are: sloppy and inconsistent recordkeeping by the FBI, which resulted in substantial under-reporting of errors within the FBI; NSLs that were signed by personnel without proper authorization to do so; confusion among recipients of NSLs that resulted in disclosure of private information to which the FBI was not entitled; and most disturbingly, a pattern of short-circuiting the already-streamlined NSL process by improperly labeling requests as exigent in the absence of any exigency.

There is, however, some good news in the report, and in the reaction to it. In general, the failures to follow the law and internal Justice Department policies were the result of overwork and insufficient training of junior staff, rather than of any deliberate effort to obtain protected data or any improper political motive. The report notes that the FBI has been under enormous pressure in the last five-and-a-half years, as it shifts its priorities from domestic law enforcement to counter-terrorism.

Further, the Administration's official reaction to the report has been refreshingly responsible. FBI Director Robert Mueller, Attorney General Alberto Gonzales, and President Bush have all agreed that the problems the report identifies are serious, and have committed to implementing Inspector General Fine's recommended reforms.

Should the FBI quickly move to correct its procedures for issuing NSLs, that will be a victory for civil liberties. It will also be a victory for law enforcement. As I explain below, the use and misuse of NSLs belies the old saw that protection of liberty or privacy necessarily comes at the cost of security. Some of the problems identified by the Inspector General's report resulted in the sacrifice of both privacy and security.

The Patriot Act's Expansion of National Security Letter Authority

For roughly two decades, the FBI has had the authority to demand information about foreign threats to national security by issuing an NSL to a third party, such as a telephone company or bank, without any judicial oversight. The 2001 Patriot Act expanded that authority, principally by lowering the threshold for the issuance of an NSL.

Before the Patriot Act, an NSL could only issue for information relating to a foreign power or its agent. Now, the Patriot Act permits the use of an NSL that is relevant to or sought for an investigation to protect against international terrorism or clandestine intelligence activities, provided the investigation is not based solely on the First Amendment-protected activities of U.S. citizens, permanent residents, or domestic corporations or associations. The FBI can issue NSLs without judicial oversight by the Foreign Intelligence Surveillance Act (FISA) court, or any other court.

The Patriot Act also expanded the list of people who could authorize NSLs. Formerly, all such requests had to come from FBI headquarters, but since the passage of the Patriot Act, they can also be signed by the Special Agent in Charge in any FBI field office. This expansion was designed to make it easier for the FBI to issue NSLs, and so it did. According to its own records, the FBI issued approximately 8,500 NSL requests in 2000. From 2003 through 2005, the FBI says it issued almost 150,000 NSL requests for phone call and email records, bank and credit card records, and other normally private information. That's a more than five-fold increase in annual requests.

The Worst Abuse Identified by the Inspector General's Report: False Exigencies

Of the problems identified by the Inspector General's report, the only one that can reasonably be characterized as an abuse is the pattern of false claims of exigency. In violation of its own internal guidelines and express statements contained in contracts into which the FBI entered with three telephone companies, the FBI obtained telephone billing information without issuing NSLs or obtaining subpoenas.

Although the ostensible ground for obtaining information in this manner was the need to track suspected terrorists in real time, according to the report, "many exigent letters were not sent in exigent circumstances." As a consequence, the FBI received private phone data on hundreds of people without any internal or external check on the genuineness of the need for that information.

Mostly Sloppiness, Not Overreaching

By contrast with the pattern of abuse with respect to "exigent letters," the other violations of law and policy detailed in the Inspector General's report were the result of overwork and inadequate training, not a policy of circumvention. The Inspector General found, for example, that poor communications between the FBI and the recipients of NSLs sometimes resulted in the transmission of the contents of emails, rather than just of the identities of persons with whom emails were exchanged, which was all that was properly requested.

By auditing individual case files, the Inspector General also determined that the FBI was systematically undercounting both the number of NSLs issued and the number of errors and legal violations that occurred in handling NSL requests. For instance, the FBI's internal recordkeeping mechanism reported only 26 violations in a three-year period, but the Inspector General's audit found nearly that many unreported violations in a relatively small sample of case files.

The Virtues of Bureaucracy

Well, so what? These were not deliberate abuses. Indeed, shouldn't we be thankful to the FBI case agents that they were more focused on tracking down suspected terrorists than on filling out paperwork? Anybody who has ever worked for a large organization has experienced various reporting requirements as a nuisance that interferes with his or her ability to do the actual job.

If one takes that view, then the lesson of the Inspector General's report may well be that the law and procedures should be reformed, so as to relax recordkeeping and reporting requirements. Let the FBI focus on threats, rather than spending time dotting i's and crossing t's to detect abuses that do not exist anyway.

Yet even if one cared not at all about privacy and exclusively about counterterrorism, that would be the wrong lesson to draw. As the Inspector General documented, the sloppy recordkeeping extended to operational details, such as typographical errors in NSLs. A phone company that provides the calling records for the wrong telephone number provides the FBI with useless information, while the information that could track down a suspected terrorist goes unreported.

More broadly, sloppy recordkeeping often suggests operational failure. The world's best-run private firms have long understood this point. Japanese manufacturing companies practice "kaizen," often translated as "continual improvement." By carefully measuring inputs and outputs, they aim to detect inefficiencies that can then be eliminated. These processes have been widely adopted throughout the world.

Nor is this process restricted to the private sector. Standards-based school reform--the core of President Bush's signature domestic policy program, No Child Left Behind--works on the assumption that to improve schools' performance, one must, at a minimum, be able to measure that performance over time. Likewise, an FBI that does not even know how many NSL requests it issues cannot have any great confidence in their efficacy.

Integrating Privacy Recordkeeping with Operational Recordkeeping

The Inspector General's report devotes approximately twenty pages to evaluating the effectiveness of NSLs as an investigative tool. The report's conclusion is phrased, tellingly, in the following terms: "FBI Headquarters and field personnel told us that they believe national security letters are indispensable investigative tools that serve as building blocks in many counterterrorism and counterintelligence investigations."

Note that the report does not say that NSLs are indispensable tools, only that FBI personnel so told the auditors. Although the report does confirm that NSLs are frequently used in support of FISA applications, and cites three counterterrorism cases and one counterintelligence case in which NSL-derived information had been useful, the truth is that no one really knows how effective NSLs are, because the FBI's sloppy and unsystematic records provide no adequate basis for drawing such conclusions.

What we do know is that implementing the reforms proposed by the Inspector General would serve both security and privacy. To be sure, some protections for privacy sacrifice security, at least in the short run. In expanding the authority of the FBI to use NSLs, the Patriot Act gave the government access to much information that formerly would have remained private. However, given the law currently on the books, careful tracking of how NSLs are used will enable the FBI both to improve its performance and to provide credible assurances that it follows procedures that protect privacy.

Michael C. Dorf is the Isidor & Seville Sulzbacher Professor of Law at Columbia University. He is the author of No Litmus Test: Law and Politics in the Twenty-First Century and he blogs at

Ads by FindLaw