Techdirt. Stories filed under "nsls"

Court Orders Google To Comply With National Security Letters, But Suggests It Might Want To Ask Again

Mike Masnick — Fri, 31 May 2013 13:30:00 PDT

You may recall that back in April it was revealed that Google was fighting back against complying with a series of National Security Letters (NSLs), the notorious tool of law enforcement to snoop on people secretly, which has been abused widely. Google's decision to push back on these NSLs came following a ruling by the same judge, Susan Illston, who had ruled NSLs unconstitutional. Given that ruling, it appeared that Google hoped to get the judge to say that it didn't need to comply with 19 NSLs it had received.

Instead, Judge Illston has told Google it must comply -- following secret affidavits from FBI officials. However, it appears that Judge Illston may think that Google just asked in the wrong way, and might be more willing to kill the NSLs if Google presented more specifics about the NSLs in question, rather than asking to broadly ignore NSLs in general:

It wasn't a complete win for the Justice Department, however: Illston all but invited Google to try again, stressing that the company has only raised broad arguments, not ones "specific to the 19 NSLs at issue." She also reserved judgment on two of the 19 NSLs, saying she wanted the government to "provide further information" prior to making a decision.

Given that, I would imagine this is nowhere near over.

Permalink | Comments | Email This Story

DOJ's History Of Ignoring The Rules When Getting Phone Records Of Journalists

Mike Masnick — Tue, 14 May 2013 10:44:00 PDT

There was, of course, plenty of talk about the DOJ getting two months of phone records concerning calls involving some reporters. Since the original story came out, reporters have quickly deduced what the government was after: they were trying to figure out who leaked information about the CIA stopping a plane bombing plot, because the "would be bomber" was actually working for the US, and revealing the news apparently ended the work early. The DOJ going batshit insane over a leak to the press is, unfortunately, par for the course for the Obama administration, which has been ridiculously aggressive (to an unprecedented level) in going after anyone who leaks to the press.

And while some are still trying to argue that this is a non-story, what may be more important is pointing out what a complete bullshit response the DOJ gave to this whole thing:

Despite the seizure of the phone records, a Justice Department spokesman said the agency valued freedom of the press and was “always careful and deliberative in seeking to strike the right balance between the public interest in the free flow of information and the public interest in the fair and effective administration of our criminal laws.”

The "right balance"? Well, let's take a look about how "always careful and deliberative" the DOJ is on these kinds of things. Julian Sanchez helpfully points us to the infamous 2010 report from the DOJ's Inspector General detailing how the FBI regularly abused "exigent letters" (pdf) -- better known as National Security Letters or NSLs -- to get phone records. This report got plenty of attention at the time, but if you don't recall all 300 pages of it, there's a discussion about getting info from reporters' call logs starting on page 89 (of the official pagination, which falls on page 102 of the pdf) detailing heavily redacted examples of getting reporters' phone records without getting the proper authorization or approvals. What is striking is the extremely cavalier attitude law enforcement seems to have about this. Here is just one example of the DOJ's "always careful and deliberative process" when "seeking to strike the right balance" in getting access to reporters' phone records. This case was an investigation into a leak that appeared in articles in the NY Times and the Washington Post. The full story is much longer, but here are the key points:

On November 5, [redacted], the case agent sent an e-mail asking another Special Agent in the [redacted] Field Office to inquire, in the other agent's capacity as his squad's liaison to the CAU, whether the on-site communications service providers could obtain telephone toll records of U.S. persons making [redacted] calls [redacted]. The case agent's November 5 e-mail listed 12 [redacted] telephone numbers, 8 of which were identified in the e-mail as belonging to Washington Post reporters [redacted] and Washington Post researcher [redacted] and New York Times reporters [redacted] The email identified a 7-month period -- a few months before and a few months after the published articles -- as the time period of interest for the leak investigation.

[....] However, in absence of any request from the case agent or anyone in the FBI, the CAU SSA issued an exigent letter dated December 17, [redacted], to Company A for telephone records of the reporters and others listed in the case agent's November 5, [redacted], e-mail. We determined that the SSA did this without further discussion with the case agent or the Special Agent who had asked only whether such records could be obtained through on-site providers, not that the records should be obtained.

The CAU SSA's exigent letter sought records on nine telephone numbers, seven of which were identified in the e-mail exchanges described above as belonging to Washington Post and New York Times reporters or their news organizations' bureaus in [redacted].....

The exigent letter did not specify the 7-month interval noted in the case agent's November 5 e-mail, or contain any date restrictions. The exigent letter also stated that the request was made "due to exigent circumstances" and that "subpoenas requesting this information have been submitted to the U.S. Attorney's office who will process and serve them formally on [Company A] as expeditiously as possible." However, this statement was not accurate. A subpoena request had not been sent to the U.S. Attorney's Office at the time the exigent letter was served, or at any time thereafter.

That's the "always careful and deliberative process"? Hmm. Later in the report, they note that even when the agent only had asked about (and never actually sought) 7 months of records, thanks to the NSL, they got months and months of records, nearly none of which was actually in the 7 month period the agent was interested in. All total, they were sent 1,627 telephone call records, and only three calls were from that 7 month period. Oh, and once they got those records, they were uploaded into a database, where they were searchable by other FBI staff and other government personnel as well.

The report notes a few other examples of agents getting access to reporter phone information without the proper authorization as well.

Of course, once this came out the FBI and DOJ insisted that this was no big deal. But, in a coincidence of timing, just before this whole story broke, the FBI was in court, seeking to keep secret the memo that gave the "legal basis" for its past use of NSLs to access phone records. While the DOJ insists that it's not using these processes any more, it still thinks it should keep the legal basis for why it issued those letters a complete secret. They claim, ridiculously, that this would "chill deliberative discussions within the Executive Branch." But people aren't asking for deliberative discussions, just the very specific claimed legal basis for issuing such letters. And, of course, the DOJ would prefer not to say.

Given all of this, is it any wonder that people suspect the DOJ of being up to no good?

Permalink | Comments | Email This Story

Microsoft Releases Details Of Law Enforcement Requests

Mike Masnick — Fri, 22 Mar 2013 16:24:34 PDT

Kudos to Microsoft for joining companies like Google and Twitter in releasing transparency reports about government/law enforcement requests for information. On Thursday, Microsoft released data on law enforcement requests from 2012. The report covers requests for pretty much all of Microsoft's key online services, including Hotmail/Outlook, SkyDrive, XBox Live, Office 365 and even Skype. Microsoft has actually gone a step further than others in some areas, such as separating out which law enforcement requests involved sharing "customer content" data (such as images or email subject lines) vs. those that shared "non-content" data (such as identifying information).

Because of this distinction, Microsoft points out how rarely it ends up giving law enforcement customer content, noting it happened in only 2.1% of cases (1,558 requests). Nearly all of those requests came from the US government. The only non-US requests that resulted in the sharing of customer content were 14 disclosures given to Brazil, Ireland, Canada and New Zealand.

As for non-content information (i.e., identifying info), Microsoft disclosed that information 56,388 times (excluding Skype, which reported its data separately due to differences in the way they recorded data -- something that is being standardized). The top countries getting such info were the US, UK, Turkey, Germany and France. Turkey seems a bit surprising there. As for Skype, the top requests were from the UK, US, Germany, France and Taiwan. Microsoft also delivered no information at all 18% of the time, either because the company rejected the request or because no info was found, though they apparently don't break down the difference there.

Like Google, Microsoft also revealed how many National Security Letters it received, using a format nearly identical to the way Google released its data not too long ago: It's good to see Microsoft following in the footsteps of Google and Twitter in providing this kind of transparency. Hopefully we'll see even more companies follow as well.

Permalink | Comments | Email This Story

Google Reveals Some Data About National Security Letters, May Have Exposed DOJ Duplicity

Mike Masnick — Thu, 7 Mar 2013 16:00:19 PST

We've talked for years about the government's use of "national security letters" or NSLs, which are effectively a way for law enforcement types to seek information with less oversight than a subpoena, and which usually come with a very, very extreme gag order attached. Despite the fact that, by their own admission, law enforcement has regularly and systematically abused this tool, they are still widely used and there has been little effort to block the abuses. Google's latest transparency report is seeking to reveal some data about the NSLs it has received, but without revealing too much. Rather than directly revealing how many NSLs it has received, it is posting ranges (in bunches of 1,000) -- and apparently the company got at least some level of approval from the government to do this ("We're thankful to U.S. government officials for working with us").

By itself, the data doesn't seem that enlightening. However, there is some useful information you can pick out of there, and who better to pick out that info that Julian Sanchez, who has followed this issue closely. He's found that you can actually tease out some useful info even with those broad ranges.

It's illuminating to compare the minimum number of users affected by NSLs each year to the numbers we find in the government's official annual reports. In 2011—the last year for which we have a tally—the Justice Department acknowledged issuing 16,511 NSLs seeking information about U.S. persons, with a total of 7,201 Americans' information thus obtained. That's actually down from a staggering 14,212 Americans whose information DOJ reported obtaining via NSL the previous year. Remember, this total includes National Security Letters issued not just to all telecommunications providers—including online services like Google, broadband Internet companies, and cell phone carriers—but also "financial institutions," which are defined broadly to include a vast array of businesses beyond such obvious candidates as banks and credit card companies.

What ought to leap out at you here is the magnitude of Google's tally relative to that total: They got requests affecting at least 1,000 users in a year when DOJ reports just over 7,000 Americans affected by all NSLs—and it seems impossible that Google could account for anywhere remotely near a seventh of all NSL requests. Google, of course, is not limiting their tally to requests for information about Americans, which may explain part of the gap—but we know that, at least of a few years ago, the substantial majority of NSLs targeted Americans, and the proportion of the total targeting Americans was increasing year after year. As of 2006, for instance, 57 percent of NSL requests were for information about U.S. persons. So even if we reduce Google's minimum proportionately, that seems awfully high.

Sanchez wonders if the DOJ is effectively under-counting how many NSLs it uses by pretending that some of the NSLs they issue shouldn't count towards its official tally of NSLs.

There's a simple enough explanation for this apparent discrepancy: The numbers DOJ reports each year explicitly exclude NSL requests for “basic subscriber information,” meaning the “name, address, and length of service” associated with an account, and only count more expansive requests that also demand more detailed “electronic communications transactional records” that are “parallel to” the “toll billing records” maintained by traditional phone companies.

That would mean that the NSL number that the DOJ reports is not particularly accurate, and that the FBI really issues a hell of a lot more NSLs (not so). Shocking reveal of the day: the DOJ may not be entirely forthright about how often it's spying on Americans using a widely abused process with little oversight.

Permalink | Comments | Email This Story

Unconstitutional Fishing Expeditions: The Massive Abuse Of Administrative Subpoenas By The Government

Mike Masnick — Fri, 7 Sep 2012 14:38:00 PDT

For years, we've talked about how the Justice Department has massively abused the "National Security Letters" (NSLs) process that lets it seek information from third parties without judicial oversight. At least with FBI NSLs, the FBI is required to release some (though not all) info on how they're used, which is why we have some indication of how widely they're abused. However, as Dave Kravets recently detailed in a fantastic article at Wired.com, the use of "administrative subpoenas" (NSLs are a form of administrative subpoena) allowing government officials to issue mandatory subpoenas to third parties with no oversight at all has become quite widespread. Even worse: most government agencies don't seem to have any interest in revealing any data about them. In other words, if you thought the FBI was abusing NSLs, you should probably be even more concerned about some of these others administrative subpoenas.

Meet the administrative subpoena (.pdf): With a federal official’s signature, banks, hospitals, bookstores, telecommunications companies and even utilities and internet service providers — virtually all businesses — are required to hand over sensitive data on individuals or corporations, as long as a government agent declares the information is relevant to an investigation. Via a wide range of laws, Congress has authorized the government to bypass the Fourth Amendment — the constitutional guard against unreasonable searches and seizures that requires a probable-cause warrant signed by a judge.

In fact, there are roughly 335 federal statutes on the books (.pdf) passed by Congress giving dozens upon dozens of federal agencies the power of the administrative subpoena, according to interviews and government reports. (.pdf)

It's worth reading Kravets' full article, even if it is depressing. What amazes me is that we let this kind of stuff continue unabated. We've seen increasing surveillance and abuse over the years, but it seems that any time people push back on these processes, they're brushed off because "OMG!Terrorists!" or something along those lines. It's sad that we, as a country, seem so accepting of the government taking away basic Constitutional rights if it just screams something about terrorists and crime.

Permalink | Comments | Email This Story

ISP Owner Finally Able To Admit That He Stood Up To The FBI Over Questionable Data Request

Mike Masnick — Tue, 10 Aug 2010 17:32:11 PDT

We've noted, repeatedly, that the feds have been caught abusing National Security Letters (NSLs) to try to get information they had no legal right to get. Because these NSLs usually contained an immediate gag order and no judicial review, basically the FBI could request whatever it wanted, and no one would review it and people couldn't speak out against it. So it was great to hear, about three years ago, that one ISP owner recipient of such an NSL was anonymously fighting back, specifically about the required gag order. We were disappointed last year, when a judge refused to drop the gag order, even if the actual request had been dropped by the feds.

However, six years after first receiving the NSL, Nicholas Merrill, the head of Calyx Internet Access is finally able to admit that he's the guy who's been fighting this legal battle. Prior to this, he'd even kept it secret from his fiancee, family and friends -- even when they happened to bring up the case in casual conversation. Of course, this doesn't change that it happened, and even if we keep being told that the feds have been ordered to stop abusing these processes, there's little to no evidence that anything is really being done. For every Nicholas Merrill, you can bet that thousands of others just gave in and didn't put up a fight -- even if the requests were bogus.

There is a clear legal process for obtaining information, involving warrants and judicial oversight. I have no problem with attempts to get information through such means. But when law enforcement routes around those oversight channels, and then tries to gag people from even talking about it, there's a serious problem.

Permalink | Comments | Email This Story

White House Seeks Easier FBI Access To Internet Records, Blocks Oversight Attempt... Just As FBI Caught Cheating On Exam To Stop Abuse

Mike Masnick — Thu, 29 Jul 2010 14:31:55 PDT

We're still at a loss to explain why there's been so little outrage over the fact that the FBI got a total free pass for its massive abuse in getting phone records. As you may recall, reports came out about how the FBI regularly abused the official process for obtaining phone records, avoiding any of the required oversight, but right before that info came out the White House issued a ruling saying that it was okay for the FBI to break the law. That's not how things are supposed to work.

And, it appears that since there was no outrage over all of this, the White House keeps pushing further. Three new articles highlight what a travesty this has become. First, the White House wants to quietly make it easier for the FBI to demand internet log file information without a judge's approval." Just as I finished reading that, I saw Julian Sanchez's new writeup about how the White House blocked and killed a proposal to give the GAO power to review US intelligence agencies. The GAO is the one government operation that seems to actually focus on doing what's right, rather than what's politically expedient. Sanchez notes that, beyond the sterling reputation of the GAO, it's also ready, willing and able to handle this kind of oversight:

The GAO has the capacity Congress lacks: as of last year, the office had 199 staffers cleared at the top-secret level, with 96 holding still more rarefied "sensitive compartmented information" clearances. And those cleared staff have a proven record of working to oversee highly classified Defense Department programs without generating leaks. Gen. Clapper, the prospective DNI, has testified that the GAO "held our feet to the fire" at the Pentagon with thorough analysis and constructive criticism.

Unlike the inspectors general at the various agencies--which also do vital oversight work--the GAO is directly answerable to Congress, not to the executive branch. And while it's in a position to take a broad, pangovernmental view, the GAO also hosts analysts with highly specialized economic and management expertise the IG offices lack. Unleashing GAO would be the first step in discovering what the Post couldn't: whether the billions we're pouring into building a surveillance and national security state are really making us safer.

Oh, and just to make this all more comically depressing, just as I finished reading both of these stories, I saw a story about a new investigation into reports that FBI agents were caught cheating on an exam, which was designed to get them to stop abusing surveillance tools. Yes, you read that right. After all the reports of abuse of surveillance tools, the FBI set up a series of tests to train FBI agents how to properly go about surveillance without breaking the law... and a bunch of FBI agents allegedly cheated on the test that's supposed to stop them from "cheating" on the law. And, not just a few. From the quotes, it sounds like this cheating was "widespread." But, of course, it might not matter, since the requirements for surveillance are being lowered, oversight is being blocked, and apparently the White House is willing to retroactively "legalize" any illegal surveillance anyway.

Permalink | Comments | Email This Story

Court Limits, But Doesn't Eliminate, Secrecy Of National Security Letters

Mike Masnick — Tue, 16 Dec 2008 16:23:00 PST

The Patriot Act, among other things, allows law enforcement to issue "National Security Letters" to ISPs and telcos to obtain certain information about individuals. The letters are, as the name implies, designed for situations where national security is at stake, and a more thorough process of going through legal channels to gain approval would be a serious threat to national security. Except, of course, that's not how things have worked in practice. The FBI was found to have engaged in "serious misuse" of NSLs on a regular basis, issuing tens of thousands of them. Even worse, part of the rules surrounding NSLs are that they must be kept entirely secret. This raises very serious First Amendment questions. While a lower court agreed that the secrecy on NSLs violated the Constitution, an Appeals Court, that had initially seemed skeptical has allowed the secrecy to continue, though with some limitations.

Rather than saying secrecy was okay, if revealing the NSL would create "interference with diplomatic relations, or danger to the life or physical safety of any person" (the old rule), the court has said the rule should be that secrecy is allowed if revealing the NSL "may result in an enumerated harm that is related to an authorized investigation to protect against international terrorism or clandestine intelligence activities." It is certainly more of a limitation, though some may note that it may not make much of a difference in actual application. NSLs are still likely to be abused, and it's unlikely that most ISPs or telcos on the receiving end of such NSLs will feel concerned enough to challenge them.

Permalink | Comments | Email This Story

Judges Question Whether National Security Letters Need To Come With Gag Orders

Mike Masnick — Thu, 28 Aug 2008 03:14:00 PDT

The Patriot Act allows the FBI to issue "National Security Letters" to ISPs and other organizations, seeking information on users of those service providers -- with an automatic gag order forbidding the service provider from telling anyone that they have received an NSL. Not surprisingly, this resulted in the NSLs being widely abused, with the FBI issuing them in many, many cases when they were not appropriate. But, of course, since no one could complain, there was no incentive for the FBI to actually follow the rules. A panel of judges is now reviewing the overall constitutionality of the gag order on NSLs -- and, so far, they seem skeptical. It seems ridiculous that the FBI should be allowed to impart an automatic gag order without any sort of judicial overview -- especially when it's already been shown that the FBI can and does abuse this power quite often.

Permalink | Comments | Email This Story