The FBI has used secret subpoenas to obtain personal data from far more companies than previously disclosed, newly released documents show.
The requests, which the FBI says are critical to its counterterrorism efforts, have raised privacy concerns for years but have been associated mainly with tech companies. Now, records show how far beyond Silicon Valley the practice extends -- encompassing scores of banks, credit agencies, cellphone carriers and even universities.
The demands can scoop up a variety of information, including usernames, locations, IP addresses and records of purchases. They don't require a judge's approval and usually come with a gag order, leaving them shrouded in secrecy. Fewer than 20 entities, most of them tech companies, have ever revealed that they've received the subpoenas, known as national security letters.
The documents, obtained by the Electronic Frontier Foundation through a Freedom of Information Act lawsuit and shared with The New York Times, shed light on the scope of the demands -- more than 120 companies and other entities were included in the filing -- and raise questions about the effectiveness of a 2015 law that was intended to increase transparency around them.
"This is a pretty potent authority for the government," said Stephen Vladeck, a law professor at the University of Texas who specializes in national security. "The question is: Do we have a right to know when the government is collecting information on us?"
The documents provide information on about 750 of the subpoenas -- representing a small but telling fraction of the half-million issued since 2001, when the USAPATRIOT Act expanded their powers.
The credit agencies Equifax, Experian and TransUnion received a large number of the letters in the filing. So did financial institutions like Bank of America, Western Union and even the Federal Reserve Bank of New York. All declined to explain how they handle the letters. An array of other entities received smaller numbers of requests -- including Kansas State University and the University of Alabama at Birmingham, probably because of their role in providing Internet service.
Other companies included major cellular providers such as AT&T and Verizon, as well as tech giants like Google and Facebook, which have acknowledged receiving the letters in the past.
Albert Gidari, a lawyer who long represented tech and telecommunications companies and is now the privacy director at Stanford's Center for Internet and Society, said Silicon Valley had been associated with the subpoenas because it was more willing than other industries to fight the gag orders. "Telecoms and financial institutions get little attention," he said, even though the law specifically says they are fair game.
The FBI determined that information on the roughly 750 letters could be disclosed under a 2015 law, the USA Freedom Act, that requires the government to review the secrecy orders "at appropriate intervals."
The Justice Department's interpretation of those instructions has left many letters secret indefinitely. Department guidelines say the gag orders must be evaluated three years after an investigation starts and also when an investigation is closed. But a federal judge noted "several large loopholes," suggesting that "a large swath" of gag orders might never be reviewed.
According to the new documents, the FBI evaluated 11,874 orders between early 2016, when the rules went into effect, and September 2017, when the Electronic Frontier Foundation, a digital rights group, requested the information.
"We are not sure the FBI is taking its obligations under USA Freedom seriously," said Andrew Crocker, a lawyer with the foundation. "There still is a huge problem with permanent gag orders."
The Justice Department declined to comment.
Much of the concern about the letters has focused on the gag orders, which accompany nearly every request and prevent the recipient -- typically indefinitely -- from disclosing even the existence of the letter. The federal government has argued that the secrecy is necessary to avoid alerting targets, giving would-be terrorists clues about how the government conducts its surveillance, or hurting diplomatic relations.
After a series of court rulings found that the gag orders violated First Amendment protections, Congress enacted the review requirements.
The documents obtained through the lawsuit include the number of orders reviewed, as well as redacted copies of 751 letters from the FBI informing companies and organizations their gag orders had been lifted. These so-called termination letters do not reveal the contents of the original national security letters, but indicate which entities received them.
A Section on 09/21/2019