For the FBI, secret, warrantless snooping on companies’ user data may be about to get much more difficult.
In a landmark court victory for privacy advocates, U.S. District Judge Susan Illston ruled Friday that the FBI’s covert requests for Americans' private information known as National Security Letters (NSLs) are illegal and ordered the Department of Justice to stop issuing the letters, but gave the government 90 days to appeal her decision. Illston declared the letters, enabled by the controversial section 2709 of the Patriot Act, unconstitutional under the First Amendment due to the gag orders that frequently accompany them, preventing recipients of the data requests from revealing the FBI's surveillance.
"The Court concludes that the nondisclosure provision...violates the First Amendment and the separation of powers principle," reads Illston's order, embedded above. "The government is therefore enjoined from issuing NSLs under 2709 or from enforcing the nondisclosure provision in this or any other case."
NSLs have long been opposed by privacy advocates due to the secret, unaccountable surveillance they allow. Any FBI field office can issue one of the letters to a telecommunications company or Internet firm without any judicial oversight. And since September 11th, the Bureau has sent hundreds of thousands of the requests, drawing complaints from Congress and from watchdog groups that it has abused the Patriot Act to enable massive, secret surveillance.
Illston's order emerged from a case in which an unnamed telecom firm was sued by the Department of Justice for challenging its authority to issue NSLs. Due to the residual secrecy surrounding NSLs, that company remains unnamed and unable to speak out about the FBI's demands.
"This is a major victory for our client," says Matthew Zimmermann, an attorney with the EFF who represented the unnamed firm. "People understand the instinctive problem with a statute like [the Patriot Act's 2709], that cuts out the judiciary and allows the FBI to decide who gets investigated, and then gags the recipient so they can’t speak out about it. I think this decision is a major recognition by a federal a district court judge that our concerns were correct."
Reporting by the Wall Street Journal last summer narrowed the possible recipients of the NSL in question to a small cell phone firm called Credo Mobile. Wired, which first reported Friday's ruling, says that Credo's CEO Michael Kieschnick wouldn't confirm or deny that his company was at the center of the case. Credo has a history of criticizing the complicity of other telecoms such as AT&T and Verizon in the NSA's warrantless wiretapping of Americans during the Bush administration.
Illston's decision to strike down the 2709 statute based on the First Amendment may seem strange, given that the case seems to be centered on privacy, rather than censorship. But Illston argues in her ruling that a 1965 case known as Freedman vs. Maryland requires certain procedures in cases of "prior restraint"--a legal term for preemptively preventing information from being published--to put the burden of proving the need for censorship on the censor rather than the publisher. Since the NSLs are designed to skirt judicial scrutiny, Illston argued that they violate that procedural requirement.
She further argues that it's not enough to merely remove the gag order element of NSLs. The primary purpose of the letters, she writes, is to allow secret surveillance. Since the secrecy properties of the letters can't be severed from the idea of the letters themselves, she writes that the entire practice of issuing NSLs must be banned.
"There is ample evidence...that Congress fully understood the issues at hand and the importance of the nondisclosure provisions," Illston writes. "Moreover, it is hard to imagine how the substantive NSL provisions--which are important for national security purposes--could function if no recipient were required to abide by the nondisclosure provisions which have been issued in approximately 97% of the NSLs issued."
The decision comes on the heels of a report from Google that for the first time gave a ballpark figure of the number of its users targeted by NSLs over the last four years. In each of those years since 2009, at least a thousand Google users have been affected by the requests, which would allow the government to learn who those users communicated with and when, although other information such as IP addresses and message content wouldn't be subject to surveillance.
Nonetheless, those numbers pointed to much wider use of the NSLs than the 7,201 targets of the letters reported by the Department of Justice in 2011. Julian Sanchez, an research fellow with the Cato Institute, pointed out at the time that the letters could be used to de-anonymize IP addresses, potentially tying users' sensitive online activities to their identifiable Google accounts.
“This is a tool that can be sued to strip away online anonymity,” says Sanchez. “And extrapolating from these numbers it’s being used on a much larger scale than the official numbers would lead one to believe.”
Read Illstron's full order banning NSLs here.
—
Follow me on Twitter, and check out my new book, This Machine Kills Secrets: How WikiLeakers, Cypherpunks and Hacktivists Aim To Free The World’s Information.
