More on National Security Letters:
Last week, the Washington Post had an important story on the use (and possible overuse) of National Security Letters, an authority that permits the FBI to order third-parties such as ISPs and banks to disclose information in national security cases. The story quoted Michael J. Woods, former chief of the National Security Law Unit in the FBI's Office of the General Counsel, who was critical of some current FBI practices. I contacted Michael and asked him for further comment on the Washington Post story and the use of NSLs.

  Here is his response in its entirety, reprinted with his permission:
  My interest in National Security Letters (NSLs) stems from my experience running the office in the FBI's Office of General Counsel that, among other things, actually produced the bulk of these letters for the Bureau. In the counterintelligence/counter-terrorism business, NSLs are unglamorous, journeyman tools that historically garnered far less attention than the more intrusive search and surveillance authorities found in the Foreign Intelligence Surveillance Act (FISA). Significant changes to the NSLs were made in the USA PATRIOT Act with very little debate (even by the standards of the Act), and, absent Bart Gellman's article in the Post last Sunday, I doubt there would have been much discussion of them in the context of PATRIOT Act re-authorization.
  There are basically four kinds of NSLs, each of them delineating an exception to a statute protecting personal information in the hands of a third party. The most commonly used NSL exists in the Electronic Communications Privacy Act and allows access to telephone and electronic communications transactional records. The FBI is granted access to financial records by an NSL established in the Right to Financial Privacy Act, and to credit information by two separate NSLs found in the Fair Credit Reporting Act. All of these authorities in some way derive from the 1976 Supreme Court decision United States v. Miller, which held that there was no constitutionally protected privacy interest in business records entrusted to third parties. For those interested in a more detailed history, I traced the history of NSLs in the opening section of an article on Section 215 of the PATRIOT Act (it's in the Journal of National Security Law & Policy, and is available at
  In my view, NSLs reflect tensions between evolving technology and the increasing inadequate consent-based theory behind Miller. NSLs developed in a limited context: the users of NSLs (FBI counterintelligence agents) had discretionary access to the authorities, but were regulated by fairly strict guidelines and by the legal standard ("specific and articulable facts") embedded in the NSL statutes. At the same time, the utility of the "transactional information" available from an NSL was limited by the trivial nature of the information itself and the FBI's lack of technical or legal ability to do much with it. The PATRIOT Act and subsequent revisions of the FBI's operating guidelines significantly lowered the legal standards, devolved NSL issuing authority to FBI field offices, and even extended one species of NSL to an indeterminate list of other government agencies. The general impetus toward information-sharing among government entities and the massive investment in technical solutions may eventually deliver to the government the ability to process data efficiently. Finally, the rate at which individuals shed transactional data simply by living in a networked world seems to increase daily. The composite picture of individual activity that can emerge from such data is often of startling clarity, and will likely sharpen with in the future.
  We don't really have a coherent legal theory to address appropriately the growing privacy interests in this kind of data. The full-scale judicial supervision accorded electronic surveillance and physical searches is probably overkill, and far too cumbersome for data for which basic investigative access is justified. On the other hand, the Miller view that the "consensual" delivery of this data to third parties strips it of any privacy interest looks untenable when one considers the effect of the information aggregated. NSL revisions could be a vehicle for shaping a new approach, but I think this unlikely given the time pressures. Although the NSL provisions of the PATRIOT Act do not "sunset" this year, they are effectively part of the re-authorization legislation (which will be in conference this coming week). I am encouraged that there is talk of inserting into NSLs a right of the recipient to challenge the letter (which is not explicit in any of the NSLs now, and is thus quite difficult to do -- as evidenced in the pending NSL cases). It is possible that successive challenges to individual NSLs will generate a transactional information jurisprudence, though this doesn't seem to me the most efficient path to such a solution. Whatever happens to NSLs next week, they are definitely worth watching.
  I disagree with Michael on one point: I think it's a little inaccurate to say that United States v. Miller is responsible for current practices. Miller makes the proper legal threshold a legislative question rather than a judicial one, but it doesn't say anything about what that legislative threshold should be. Still, the possibility that Congress should modify the statutory standards for obtaining NSLs is worth debating. Stay tuned.