A few weeks ago, word began circulating among the privacy activist and civil liberties community that the Federal Bureau of Investigation was seeking to obscure a major power grab under the cover of a technical change to existing legislation. Yesterday, the Post's Ellen Nakashima clarified matters. The FBI, supported by the administration, wants to codify in law what's been common practice for a while: it wants to be able to force Internet providers to turn over meta-data about a user's traffic habits without a warrant.
The Justice Department and the FBI portray this request as non-controversial. Many ISPs, they say, already turn over this information when the FBI sends them National Security Letters. The ISPs that don't comply say that the law is ambiguous and that they want some statutory protection before they'd risk a lawsuit by turning over data to the FBI.
"The Administration has proposed to clarify a statute that already requires internet service providers to produce 'electronic communication transactional records' to the FBI upon request," writes Dean Boyd, a Justice Department spokesman, in an e-mail. "The statute as written causes confusion and the potential for unnecessary litigation. This clarification will not allow the government to obtain or collect new categories of information, but it seeks to clarify what Congress intended when the statute was amended in 1993."
Clarify is in the eye of the beholder.
As Julian Sanchez, who first brought this change to my attention a few weeks ago, has noted, President Bush's Office of Legal Counsel specifically rejected this interpretation in 2008 when the FBI asked whether Congress's rules on what types of information it could collect through NSLs were merely representative or exhaustive. "Exhaustive" was the word from OLC.
Section 2709 is an exception to the background rule of privacy established by 18 U.S.C. § 2702(a), which generally bars a provider from giving the Government a record or other information pertaining to a subscriber or customer. Here, the exceptions listed in section 2709(b)(1) specify some types of information--a subscriber's name, address, length of service, and billing records--and not others. Other exceptions to the rule of privacy appear in section 2702(b), dealing with voluntary disclosures, and in section 2703, dealing with disclosures in response to subpoenas or warrants. We would not infer additional exceptions
According to an administration official, Obama's OLC lawyers concluded the same: in order for the FBI to formally request and lawfully receive e-mail metadata, Congress would need to change the law.
Here's how the amended law would read if Congress agrees to the changes:
§ 2709. Counterintelligence access to telephone toll and transactional records
(a) Duty to Provide.-- A wire or electronic communication service provider shall comply with a request for subscriber information and toll billing records information, or electronic communication transactional records in its custody or possession made by the Director of the Federal Bureau of Investigation under subsection (b) of this section.
(b) Required Certification.-- The Director of the Federal Bureau of Investigation, or his designee in a position not lower than Deputy Assistant Director at Bureau headquarters or a Special Agent in Charge in a Bureau field office designated by the Director, may--
(1) request the name, address, length of service, and local and long distance toll billing records of a person or entity if the Director (or his designee) certifies in writing to the wire or electronic communication service provider to which the request is made that the name, address, length of service, and toll billing records sought are relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities, provided that such an investigation of a United States person is not conducted solely on the basis of activities protected by the first amendment to the Constitution of the United States; and
(2) request the name, address, and length of service of a person or entity if the Director (or his designee) certifies in writing to the wire or electronic communication service provider to which the request is made that the information sought is relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities, provided that such an investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution of the United States.
So what are electronic communication transactional records? In order to make people comfortable, the government notes that this information doesn't include the content of e-mails. But that's not really a cause to turn off the alarm bells. The data the FBI obtains will allow them to figure out all the sites a person of interest has visited on the Internet. It will include data to and from people who aren't targeted by the NSLs specifically. This "associational data" is what worries many privacy advocates. And NSLs are designed to be used as an investigative tool that does not require a warrant.
Now, there's a good faith case to be made that the FBI ought to have this authority. After all, the bad guys don't use telephones to talk to each other any more. But the FBI has abused the NSL authority, essentially fabricating pretexts for sending NSLs to thousands of people. Since the NSL authority was expanded by the PATRIOT Act, three separate OIG investigations have found abuses that rise above the level of incidental misuse of power. The FBI has excuses: it's the databases. It's the urgency of terrorism investigations. It's the lack of clarity in the language.
The urgency factor is a good excuse for the FBI to have the authority, but not to misuse it. NSLs are issued without prior approval from a judge. They're now part of the standard anti-terrorism investigatory toolkit. They're needed.
Democrats on the judiciary and intelligence committees are skeptical of the request to change the statute for precisely these reasons, and one senior aide noted that the language was met with some skepticism by congressional staff who've grown wary of FBI excuses for overreaching. Then again, it is always hard for members of Congress to say no to something that the FBI claims is vital for its counterterrorism efforts.
There is a compromise here: the FBI can subject its NSL issuances to post-facto review from judges, who can decide whether the FBI's pretexts are sufficient. The FBI doesn't need to get a judge's permission to issue an NSL and the internet provider can't wait until the judicial review kicks in. This way, the FBI can get what it needs and there would be a check on its power.
But this compromise won't work. The FBI issues tens of thousands of NSL requests per year, most of them for telephone records and other information, like credit reports. There's no way a judge can individually approve, even in retrospect, tens of thousands of requests without significantly adding to already overflowing caseloads.
So, in the end, as with almost every issue about national security information, the question is one of trust. Can the American people, through Congress, trust the FBI to use its authority properly? Maybe the administration and the FBI should answer this question: given past abuses, what steps will you take to ensure that this authority isn't abused?