PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

FBI logo

According to the a DOJ investigation, the FBI has violated the law on several occasions in connection with the issuance of National Security Letters (NSLs). A NSL is a demand letter issued to a particular entity or organization to turn over various record and data pertaining to individuals. They do not require probable cause, a warrant, or even judicial oversight. They also come with a gag order, preventing the recipient of the letter from disclosing that the letter was ever issued. Compliance is mandatory.

There are several NSL provisions in various federal statutes: (1) Electronic Communications Privacy Act, 18 U.S.C. § 2709 (FBI can compel communications companies to disclose customer information); (2) Right to Financial Privacy Act, 12 U.S.C. § 3414(a)(5) (FBI can compel financial institutions to disclose customer information); (3) Fair Credit Reporting Act, 15 U.S.C. § 1681u (FBI can compel credit reporting agencies to disclose records on individuals).

According to the Washington Post:

A Justice Department investigation has found pervasive errors in the FBI’s use of its power to secretly demand telephone, e-mail and financial records in national security cases, officials with access to the report said yesterday.

The inspector general’s audit found 22 possible breaches of internal FBI and Justice Department regulations — some of which were potential violations of law — in a sampling of 293 “national security letters.” The letters were used by the FBI to obtain the personal records of U.S. residents or visitors between 2003 and 2005. The FBI identified 26 potential violations in other cases.

The study revealed a range of errors:

. . . Fine found that FBI agents used national security letters without citing an authorized investigation, claimed “exigent” circumstances that did not exist in demanding information and did not have adequate documentation to justify the issuance of letters.

In at least two cases, the officials said, Fine found that the FBI obtained full credit reports using a national security letter that could lawfully be employed to obtain only summary information. In an unknown number of other cases, third parties such as telephone companies, banks and Internet providers responded to national security letters with detailed personal information about customers that the letters do not permit to be released. The FBI “sequestered” that information, a law enforcement official said last night, but did not destroy it. . . .

Fine’s audit, which was limited to 77 case files in four FBI field offices, found that those offices did not even generate accurate counts of the national security letters they issued, omitting about one in five letters from the reports they sent to headquarters in Washington. Those inaccurate numbers, in turn, were used as the basis for required reports to Congress.

Officials said they believe that the 48 known problems may be the tip of the iceberg in an internal oversight system that one of them described as “shoddy.”

The report identified several instances in which the FBI used a tool known as “exigent letters” to obtain information urgently, promising that the requests would be covered later by grand jury subpoenas or national security letters. In several of those cases, the subpoenas were never sent, the review found.

The review also found several instances in which agents claimed there were exigent circumstances when none existed. The FBI recently ended the practice of using exigent letters in national security cases, officials said last night.

The New York Times coverage is here.

The DOJ report is available here.

Previous Posts on NSLs:

1. Solove, National Security Letters (Nov. 2005)

2. Solove, The Pentagon, the CIA, and National Security Letters (Jan. 2007)

Originally Posted at Concurring Opinions

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum and International Privacy + Security Forum, annual events designed for seasoned professionals.

If you are interested in privacy and data security issues, there are many great ways Professor Solove can help you stay informed:
*
LinkedIn Influencer blog
*
Twitter
*
Newsletter

TeachPrivacy Ad Privacy Training Security Training 01