An ISP has released the first unredacted National Security Letter attachment ever made public, exposing just how much access US law enforcement asks for in its secretive letters. In 2004, the FBI requested that Nicholas Merrill and his former ISP, the Calyx Internet Access Corporation, submit anything considered an "electronic communication transactional record," and it didn't clarify the vague wording. The agency did, however, explicitly list some examples for Merrill to go off, including his complete web DSL account information, including subscriber information and account numbers, along with his internet service provider and other personal data. He also received, like nearly all other NSL targets, a gag order with the letter, which he directly challenged in his court case.
National Security Letters are controversial among privacy advocates because of their broad powers and minimal oversight. The FBI sends the letters whenever senior officials deem necessary, but no court approval is involved. Although the legal weight of the letters is unclear, the agency's intimidation tactics typically work, said Andrew Crocker, staff attorney at the Electronic Frontier Foundation in an interview with The Verge. Recipients comply, especially when they’re bound to silence and can’t discuss the terrifying letter they just received. "More transparency is really needed, and not just [around] what [the FBI] can get and how many they issue," Crocker said. The gag order and lack of judicial opinions over their constitutionality particularly need to be rethought, he said. Merrill's case is a start.
Recipients comply, especially when they’re bound to silence and can’t discuss the terrifying letter they just received
In Merrill's years-long suit, law enforcement argued the release of the letter details would compromise national security. The court dismantled this concern, mainly based off the fact that most of the supposedly sensitive information contained in the attachment, including the specific data requests, was already public knowledge. The court cited a publicly available Justice Department educational manual that contained a hypothetical NSL as evidence. The sample letter lists the information a recipient could be asked to turn over, which includes their entire web browsing history, telephone records, online purchase history, and the IP addresses of everyone they’ve emailed.
Supposedly sensitive information contained in the attachment was already public knowledge
Even with limited information and non-disclosure agreements, some statistics on NSLs has gotten out. In 2007, the Office of the Inspector General reported that the FBI issued approximately 40,000 to 60,000 letters per year. President Obama’s Intelligence Review Group reported more recently in 2013 that the government issued an average of nearly 60 NSLs per day. Merrill’s letter represents only one of hundreds of thousands.
Private companies, too, have tried to disclose the number of NSLs they receive yearly through transparency reports, but have restrictions on how explicit they can get. Companies can only report NSLs in bands of 1,000, if they're separated from FISA court order requests, or in bands of 250 if reported as a broader "national security request." So, if Google received one NSL during the first half of 2015, for instance, it would have to report that it received somewhere between zero and 999 letters. If it received 999 letters, it would still report that same band.
Calling it a vague and unchecked power, Crocker said he hoped Merrill’s letter would encourage people to "pay attention to NSLs and recognize that it’s a vast power that we don’t know much about."