From the New York Times:
The Pentagon and to a lesser extent the CIA have been using a little-known power to look at the banking and credit records of hundreds of Americans and others suspected of terrorism or espionage within the United States, officials said Saturday.
The C.I.A. has also been issuing what are known as national security letters to gain access to financial records from American companies, though it has done so only rarely, intelligence officials say.
I blogged about National Security Letters (NSLs) before here. NSLs authorize the FBI to demand information from various businesses, such as financial institutions or ISPs. Compliance is mandatory. There are several NSL provisions in various federal statutes:
1. Electronic Communications Privacy Act, 18 U.S.C. § 2709 (FBI can compel communications companies to disclose customer information)
2. Right to Financial Privacy Act, 12 U.S.C. § 3414(a)(5) (FBI can compel financial institutions to disclose customer information).
3. Fair Credit Reporting Act, 15 U.S.C. § 1681u (FBI can compel credit reporting agencies to disclose records on individuals).
My understanding of the NSL provisions has been that they only authorize the FBI to issue the letters. I wasn’t aware that the CIA or Pentagon could also use these provisions.
According to the article:
The F.B.I., the lead agency on domestic counterterrorism and espionage, has issued thousands of national security letters since the attacks of Sept. 11, 2001, provoking criticism and court challenges from civil liberties advocates who see them as unjustified intrusions into Americans’ private lives.
But it was not previously known, even to some senior counterterrorism officials, that the Pentagon and the Central Intelligence Agency have been using their own “noncompulsory” versions of the letters. Congress has rejected several attempts by the two agencies since 2001 for authority to issue mandatory letters, in part because of concerns about the dangers of expanding their role in domestic spying. . . .
In the NSL provisions mentioned above, they specifically mention the FBI, not other government entities. The Right to Financial Privacy Act, § 3414(a)(1) exempts government authorities investigating terrorism or engaging in intelligence activities from the general requirements of the statute, but it doesn’t provide the authority to issue NSLs, which is granted solely to the FBI in § 3414(a)(5). Likewise, the NSL provision of the Electronic Communications Privacy Act, 18 U.S.C. § 2709 only mentions the FBI. What is the legal authority that allows the CIA and Pentagon to issue NSLs? Hopefully, somebody can point to a part of the law I’m missing.
Perhaps the CIA and Pentagon are issuing letters that simply resemble NSLs. But unlike NSLs, such letters wouldn’t be able to mandate cooperation. The article does say that the CIA and Pentagon have been issuing “using their own ‘noncompulsory’ versions of the letters.” So perhaps these letters aren’t technically NSLs. Nevertheless, it would be quite problematic if the letters were issued under the guise of an NSL and failed to indicate that cooperation was voluntary. On the facts given, we have no idea what these particular letters said or looked like.
But the article goes on to contain a discussion of NSL legal provisions and to quote unnamed government lawyers interpreting NSL provisions to allow the CIA and Pentagon to issue them:
Government lawyers say the legal authority for the Pentagon and the C.I.A. to use national security letters in gathering domestic records dates back nearly three decades and, by their reading, was strengthened by the antiterrorism law known as the USA Patriot Act.. . . .
Military officials say the Right to Financial Privacy Act of 1978, which establishes procedures for government access to sensitive banking data, first authorized them to issue national security letters. The military had used the letters sporadically for years, officials say, but the pace accelerated in late 2001, when lawyers and intelligence officials concluded that the Patriot Act strengthened their ability to use the letters to seek financial records on a voluntary basis and to issue mandatory letters to obtain credit ratings, the officials said.
The Patriot Act does not specifically mention military intelligence or C.I.A. officials in connection with the national security letters.
Some F.B.I. officials said they were surprised by the Pentagon’s interpretation of the law when military officials first informed them of it. “It was a very broad reading of the law,” a former counterterrorism official said.
So now I’m quite confused. Are these NSLs or not? If so, what is the legal authority for the CIA and Pentagon to issue them?
Related Post:
Solove, National Security Letters (Nov. 2005)
Originally Posted at Concurring Opinions
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.
If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
* LinkedIn Influencer blog
* Twitter
* Newsletter