The National Security Letter Provision of the USA Patriot Act: Why It Ought to Be Amended during the Reauthorization Debates

Monday, Jan. 09, 2006

Currently, Congress is debating how to amend the USA Patriot Act, before reauthorizing this controversial post-9/11 legislation. In a prior column, I commented on proposed amendments to the business records provision contained in Section 215 of the Act. Here, I will discuss proposed amendments to the Actís National Security Letter (NSL) provision, Section 505.

As with the business records provision, my view as to the NSL provision, Section 505, is that, while some of the amendments proposed are laudable, they are not enough. Congress should go further in safeguarding the privacy of Americans, in ways I will discuss.

Notably, itís not just civil liberties groups who are advocating amendments to Section 505. Far from it: Such staid institutions as the National Association of Manufacturers, the Financial Services Roundtable and the U.S. Chamber of Commerce are also among those critiquing this Section.

Indeed, in an October 2005 letter to Senator Arlen Specter, the chair of the Senate Judiciary Committee, these institutions expressed concern that, because of Section 505, "confidential files Ė records about our customers or our employees Ė can too easily be obtained and disseminated," and that the exercise of Section 505 powers "lack[s] sufficient checks and balances."

When business leaders and civil libertarians speak as one, itís high time for Congress to pay attention.

NSLs, Pre-Patriot Act: Granted on Specific Facts

Pre-Patriot Act, NSLs could already be issued by the FBI in connection with certain foreign intelligence investigation. Authorization came from to the Electronic Communications Privacy Act (ECPA), which allows NSLs to be issued to Internet Service Providers (ISPs), telephone companies, and even some libraries, and puts a "gag" on the recipient preventing it from disclosing the NSL; the Right to Financial Privacy Act, which allows NSLs to be issued to financial institutions, and also puts a "gag" on the recipient; and the Fair Credit Reporting Act, which allows NSLs to be issued to credit reporting agencies.

That meant that, even pre-Patriot Act, the FBI could already use NSLs to get, from an ISP, its subscriber records -- as well as the email addresses of everyone a subscriber emailed and everyone from whom he received email, and possibly even the web address of the websites he visited. It could also already get, from a bank, information about someone's account and details of transactions related to that account.

This kind of information can be invaluable when the target of the NSL is a terrorist or spy. We certainly want to know whom a terrorist or spy is calling or emailing, and what bank transactions he or she is conducting.

Pre-Patriot Act, before the FBI issued an NSL, it had to certify two things that were meant to limit the use of NSLs to narrow circumstances:

First, it had to certify that the records sought were connected to a foreign intelligence investigation.

Second, and crucially, it had to certify that there were specific and articulable facts linking the information sought to a foreign power or agent of a foreign power, as defined by the Foreign Intelligence Surveillance Act (FISA). (As noted above, however, this was only a certification: The FBI has never had to go to the FISA Court to get an NSL).

Why, readers may ask, didn't these pre-Patriot Act statutes violate the Fourth Amendment, which protects citizens against unreasonable government searches and seizures? To get a criminal warrant, the FBI must go to a judge and make a showing of probable cause. To get a warrant relating to intelligence-gathering, the government must go to the Foreign Intelligence Surveillance Act (FISA) Court. So how could NSLs be issued by the FBI itself, without any consultation with any court?

The answer is that Supreme Court precedents, such as the 1976 ruling in United States v. Miller, have held that there is no constitutionally protected privacy interest in business records entrusted to third parties, such as the businesses themselves. The reasoning is simple: If we have voluntarily given over information to a business, where it can be accessed by its employees, that information is no longer truly private. And the Fourth Amendment only protects us when the search or seizure at issue invades our reasonable expectation of privacy.

Commentators have argued that we need to revisit this issue, because much more data is now stored about us, in electronic format, and can be used in new ways - for instance, to create so-called "digital dossiers" that aggregate all kinds of data about us and our activities. So far, the Court's Fourth Amendment precedent stands. But "digital dossiers" and "data mining" do change the terrain, suggesting the Court should indeed revise its views.

As citizens and consumers we often have to relinquish such data in order to gain access to vital services including telephone and Internet service - so we may not be "voluntarily" relinquishing the data.

Even when the Fourth Amendment is not applicable, however, Congress can still step in and provide safeguards to prevent unwarranted government access to our personal data.

NSLs, Post-Patriot Act: Granted on a Mere Claim of a Terrorist/Spy Connection

According to news reports, the FBI currently issues more than 30,000 NSLs letters a year - this is about a hundredfold more than the numbers reflected in earlier estimates.

According to the Washington Post, businesses typically comply with NSLs, for "[m] ost of them are served on large companies in highly regulated industries, with business interests that favor cooperation. . . . . National security letters give them a shield against liability to their customers." Yet, as noted above, businesses often do so unwillingly - feeling they are compromising their customers' confidential information in the process.

Why the huge jump in the number of NSLs? In part, it may be because Section 505 lowered the standard necessary to issue an NSL.

Post-Patriot Act, rather than having to make the two certifications above - and remember, one demanded specific facts -- the FBI can now get an NSL simply by certifying that the information sought could be "relevant" to a terrorism or espionage investigation. And it's still the case that the recipient cannot disclose the NSL.

Also, previously, a senior FBI official had to authorize an NSL. Now, any Field Supervisor at any local FBI office can do it.

Finally, rather than authorizing NSLs to telephone companies, ISPs, banks and credit reporting agencies companies alone, other federal laws have expanded the scope of NSL requests. NSLs can be issued to any "financial institution" - a term defined broadly enough to sweep in pawnbrokers, car dealers, boat dealers, insurance companies, and casinos.

The Patriot Act's NSL provision, Section 505, does include one safeguard, but it's not worth very much: It stipulates that the investigation of a United States "person" (meaning a citizen or a permanent resident) cannot be conducted solely upon the basis of activities (such as speech) protected by the First Amendment. But that does not prevent First Amendment-protected activities from constituting a significant reason for an investigation.

The ACLU's Challenges to Section 505

In ACLU has filed two suits challenging post-Patriot Act law on NSLs.

In the first suit, the ACLU argued that the "gag" provision of the law violated the First Amendment. U.S. District Judge Victor Marrero agreed. He reasoned that, by permananently forbidding disclosure of an NSL by the recipient, the "gag" provision acts as an unconstutional prior restraint on free speech.

The ACLU also argued that post-Patriot Act law violated the Fourth Amendment. Again, Judge Marrero agreed, finding that - especially because the "gag" provision ensures secrecy - the current law "has the effect of authorizing coercive searches effectively immune from any judicial process."

Finally, the ACLU argued that the application of post-Patriot Act law to the Internet violated the Fourth Amendment. It argued - and Judge Marrero again agreed - that an individual has a reasonable expectation of privacy in transactional records relating to this Internet use, such as to whom he sent e-mails; what the subject lines of those e-mails were; and more.

Sending an email, the ACLU urged, isn't the kind of release of information to a third party that the Supreme Court previously held negates a reasonable expectation of privacy, and defeats a Fourth Amendment Claim. And this argument seems correct: Sending an email seems much more like sending a personal letter, than telling a company your information knowing that any employee will be able to access that information at any time.

The government's appeal of Judge Marrero's decision is current pending at the U.S. Court of Appeals for the Second Circuit.

In a separate challenge, the ACLU is representing an unnamed "John Doe" library in challenging the "gag" provision. (The library received an NSL because it was deemed a "wire or electronic communications service provider.") The library wants to get the "gag" lifted so it can challenge the NSL, and participate in the critical public debate now underway about the Patriot Act.

At the preliminary injunction stage, a federal judge in Connecticut ordered that the gag order be lifted. But the U.S. Court of Appeals for the Second Circuit reversed that ruling.

The Proposed Amendments to the NSL Provisions are Good, But Not Sufficient

Congress is set to consider several worthwhile amendments to Section 505.

One would allow the recipient of an NSL to consult with an attorney and challenge the NSL in court. This is an improvement, but many businesses still would not have much incentive to challenge NSLs; the persons with incentives to do so, would be those whose records are sought, and they will not hear of the NSL due to the "gag" provision

And another would allow recipient of an NSL to petition for an order modifying or setting aside the "gag" provision as applied to that particular NSL. Such an order could be issued if a court finds that "there is no reason to believe that disclosure may harm national security or interfere with ongoing counterintelligence or terrorism investigation or endanger the life or safety of a person."

Note, though, that this standard governs the relation between the disclosure of the gag order and any investigation - not the relation between the NSL itself and any investigation. So it does nothing at all to prevent the FBI from issuing non-investigation-related NSLs.

Section 505 Should Also Be Amended to Raise the Standard To Obtain NSLs

What is missing in these amendments, is a change in the very low standard currently needed for the FBI to issue an NSL in the first place.

As I discussed above, prior to the Patriot Act, the FBI had to cite specific facts establishing a connection between the records sought, and a terrorism or intelligence investigation to be able to issue an NSL.

Today, post-Patriot Act, the FBI need only claim, in a conclusory way, that the records sought are "relevant" to a terrorism or intelligence investigation to be able to issue an NSL.

No wonder that many fear that the government will exploit this low standard to engage in fishing expeditions. As the business associations listed earlier told Senator Specter, Section 505 "should be revised to require individual suspicion linking the records to a terrorist, spy or other foreign agent." They aptly added, "Reforming the Patriot Act is an important step to ensure that powerful law enforcement tools are focused on those who would do us harm and that privacy rights and business interests are protected by checks and balances."

Anita Ramasastry is an Associate Professor of Law at the University of Washington School of Law in Seattle and a Director of the Shidler Center for Law, Commerce & Technology. She has previously written on business law, cyberlaw, and other legal issues for this site, which contains an archive of her columns.