pageok
pageok
pageok
More on National Security Letters:
Last week, the Washington Post had an important story on the use (and possible overuse) of National Security Letters, an authority that permits the FBI to order third-parties such as ISPs and banks to disclose information in national security cases. The story quoted Michael J. Woods, former chief of the National Security Law Unit in the FBI's Office of the General Counsel, who was critical of some current FBI practices. I contacted Michael and asked him for further comment on the Washington Post story and the use of NSLs.

  Here is his response in its entirety, reprinted with his permission:
  My interest in National Security Letters (NSLs) stems from my experience running the office in the FBI's Office of General Counsel that, among other things, actually produced the bulk of these letters for the Bureau. In the counterintelligence/counter-terrorism business, NSLs are unglamorous, journeyman tools that historically garnered far less attention than the more intrusive search and surveillance authorities found in the Foreign Intelligence Surveillance Act (FISA). Significant changes to the NSLs were made in the USA PATRIOT Act with very little debate (even by the standards of the Act), and, absent Bart Gellman's article in the Post last Sunday, I doubt there would have been much discussion of them in the context of PATRIOT Act re-authorization.
  There are basically four kinds of NSLs, each of them delineating an exception to a statute protecting personal information in the hands of a third party. The most commonly used NSL exists in the Electronic Communications Privacy Act and allows access to telephone and electronic communications transactional records. The FBI is granted access to financial records by an NSL established in the Right to Financial Privacy Act, and to credit information by two separate NSLs found in the Fair Credit Reporting Act. All of these authorities in some way derive from the 1976 Supreme Court decision United States v. Miller, which held that there was no constitutionally protected privacy interest in business records entrusted to third parties. For those interested in a more detailed history, I traced the history of NSLs in the opening section of an article on Section 215 of the PATRIOT Act (it's in the Journal of National Security Law & Policy, and is available at http://www.mcgeorge.edu/jnslp/media/01-01/03%20Woods%20Master.pdf.
  In my view, NSLs reflect tensions between evolving technology and the increasing inadequate consent-based theory behind Miller. NSLs developed in a limited context: the users of NSLs (FBI counterintelligence agents) had discretionary access to the authorities, but were regulated by fairly strict guidelines and by the legal standard ("specific and articulable facts") embedded in the NSL statutes. At the same time, the utility of the "transactional information" available from an NSL was limited by the trivial nature of the information itself and the FBI's lack of technical or legal ability to do much with it. The PATRIOT Act and subsequent revisions of the FBI's operating guidelines significantly lowered the legal standards, devolved NSL issuing authority to FBI field offices, and even extended one species of NSL to an indeterminate list of other government agencies. The general impetus toward information-sharing among government entities and the massive investment in technical solutions may eventually deliver to the government the ability to process data efficiently. Finally, the rate at which individuals shed transactional data simply by living in a networked world seems to increase daily. The composite picture of individual activity that can emerge from such data is often of startling clarity, and will likely sharpen with in the future.
  We don't really have a coherent legal theory to address appropriately the growing privacy interests in this kind of data. The full-scale judicial supervision accorded electronic surveillance and physical searches is probably overkill, and far too cumbersome for data for which basic investigative access is justified. On the other hand, the Miller view that the "consensual" delivery of this data to third parties strips it of any privacy interest looks untenable when one considers the effect of the information aggregated. NSL revisions could be a vehicle for shaping a new approach, but I think this unlikely given the time pressures. Although the NSL provisions of the PATRIOT Act do not "sunset" this year, they are effectively part of the re-authorization legislation (which will be in conference this coming week). I am encouraged that there is talk of inserting into NSLs a right of the recipient to challenge the letter (which is not explicit in any of the NSLs now, and is thus quite difficult to do -- as evidenced in the pending NSL cases). It is possible that successive challenges to individual NSLs will generate a transactional information jurisprudence, though this doesn't seem to me the most efficient path to such a solution. Whatever happens to NSLs next week, they are definitely worth watching.
  I disagree with Michael on one point: I think it's a little inaccurate to say that United States v. Miller is responsible for current practices. Miller makes the proper legal threshold a legislative question rather than a judicial one, but it doesn't say anything about what that legislative threshold should be. Still, the possibility that Congress should modify the statutory standards for obtaining NSLs is worth debating. Stay tuned.
carpundit (www):
Miller may not be responsible for the practice, but it sure provides nice support. What the privacy advocates miss here is that the government doesn't give a damn who is talking to whom unless there's a reason to suspect a crime.

A real crime. And, no, "Failure to Vote for Bush" is not a cognizable federal violation.

Could we please keep our eyes on the ball? This is a struggle against terrorist enemies and foreign spies. They're real, and they want to destroy us.

Absent any evidence that the government is abusing this power, we should not limit it any further.
11.15.2005 2:39pm
A.S.:
So, we think it's a good idea to narrow the use of NSLs? Just like it's a good idea to diminish the President's ability to hold detainees? How does either of these things help our cause? It is amazing to me that, as we go along since 9/11, we are restricting the tools the government has to fight terrorism, rather than increasing them. It's like some people are saying "it is apparent that, on 9/11, the government had too much power to stop terrorists... so let's make sure we take away some of that power. Because then we can certainly fight terrorism better!"
11.15.2005 2:57pm
Erik H.:
SOme problems with your argument:

"What the privacy advocates miss here is that the government doesn't give a damn who is talking to whom unless there's a reason to suspect a crime. "
This is a bit like torture: If we knoew the government was excruciatingly accurate in making the INITIAL (pre-NSL) determinatino of someone as a threat, well there's less reason to protest the NSL. But in fact we're not exspecially accurate, and the NSL (along with other Patriot Act issues) can be broadly used to get information without particularly good evidence.

"A real crime. And, no, "Failure to Vote for Bush" is not a cognizable federal violation. "
Well, a real crime for NSL can include suspicion of aiding terrorism, which--as we saw in a variety of media after 9/11--can include the federal crimes of "being muslim", "Taking photographs of the local town while wearing funny clothing", and the like. It's an old saw: EVERYONE goes to the limits of their allowed power, be it libs, conservatives, judges, or federal agencies. Everyone thinks they're right. Nobody is right, at least not all the time.

"Could we please keep our eyes on the ball? This is a struggle against terrorist enemies and foreign spies. They're real, and they want to destroy us."
Straw man. Yes, spies and terrorists are bad. But do you think foreign spies haven't been there for years? Do you think our methods are helping? Have we convicted anyone lately? Hell, have we TRIED anyone lately? OK, that's a straw man as well :) lol but seriously, simply saying 'bad people may exist' isn't a compelling argument.

"Absent any evidence that the government is abusing this power, we should not limit it any further."
Well, you can't GET evidence of the abuse of power in many cases, as it's classified. Hell, you can't even get a defense attorney if they think you're guilty. Or a court hearing, if you're unlucky.
11.15.2005 3:11pm
18 USC 1030 (mail):

So, we think it's a good idea to narrow the use of NSLs? Just like it's a good idea to diminish the President's ability to hold detainees?



It's not a good idea to narrow the executive authority; however, it is also not a good idea to EXPAND the authority to the point that it violates the laws of the land. I support the majority of the provisions of the PATRIOT Act, yet I also have concerns with certain provisions or the use thereof.

It is amazing to me that, as we go along since 9/11, we are restricting the tools the government has to fight terrorism, rather than increasing them.

We are not RESTRICTING that which has already been allowed, we are simply requiring the president to use tools in the intended manner, most importantly; to do so in a way that doesn't violate the laws of the land. Many of these tools did not exist until after 9/11, those tools that had existed had never been used on the scale they now are in order to be tested. Now the congress is able to modify legislation in order to tailor it to their original intent, not the whim of the executive. Do we really want the president to do whatever he wants?

"it is apparent that, on 9/11, the government had too much power to stop terrorists... so let's make sure we take away some of that power. Because then we can certainly fight terrorism better!"

At what cost should we be fighting terrorism? Would it be acceptable to fight terror in order to bring "freedom" to the middle east and in the process mitigate liberties found here? I am not saying that has occured or will occur definitively; I am saying if it were to occur that liberty was brought to Iraq at a cost to liberty at home should we accept it? I personally say no. I am not a liberal screaming this whole thing is wrong, but I do value my liberty and freedom. After all isn't that why we are told the terrorists hate us? If the terrorists hate freedom and our method of destroying terrorists is diminishing freedom here; who wins in the end? We need to fight terror without diminishing liberty, not becasue the ACLU will biatch if it doesn't happen, but because it is the right thing to do. What can be said for the group that aims to fight for liberty yet the method of doing so deprives liberty? Seems to me that in much of this we have lost the forest while focusing on the trees.
11.15.2005 3:28pm
Sebastianguy99 (mail):
"Could we please keep our eyes on the ball? This is a struggle against terrorist enemies and foreign spies. They're real, and they want to destroy us."

"Absent any evidence that the government is abusing this power, we should not limit it any further."


I don't think that fear is a sufficent reason to suspend the Constitution and grant the government unlimited power. According to Woods, it is unclear as to whether the mechanisms are in place to even determine evidence of abuse. Unchecked and unlimited government authority is what we expect from a totalitarian society, not to mention a most egregious violation of our founding principles.

Exactly what is wrong with a review of the Miller standard? The case was decided almost 30 years ago and as stated by Woods, much has changed since then. We now have evidence, the fight against spyware for example, that people do not feel that they completely give up their privacy interests when giving certain information(or when using certain products) to third parties.



"it is apparent that, on 9/11, the government had too much power to stop terrorists... so let's make sure we take away some of that power...Because then we can certainly fight terrorism better!"

According to the Secretary of Defense, we don't really have "the metrics" to evaluate the effectiviness of the fight. If we can't measure the fight with any degree of certainty, then how do we know what is "better" and what isn't working at all?

What we are left with is the politically self-serving assumption that since there have been no post 9-11 attacks what we are currently doing is the best policy.

I think it is instructive to note that there is a broad consensus,spanning the entire political spectrum,that desires a substantive debate about the scope of governmental authority since the passage of the PATRIOT Act.

The country should have that debate as secrecy is not a luxury we can afford when talking about infringement of civil liberties. Simply reducing the debate to those who want to stop terrorist versus those who do not, is productive.
11.15.2005 3:53pm
Richard Bellamy (mail):
"the government doesn't give a damn who is talking to whom unless there's a reason to suspect a crime.

"Absent any evidence that the government is abusing this power, we should not limit it any further."

According to the Washington Post article, National Security Letters were used to create (and maintain) a complete database of everyone who visited Las Vegas in late December, 2003.

These were not people suspected of committing a crime, or who anyone thought had a reason to commit a crime. These were people who went to Las Vegas for Christmas. They were guilty of nothing but bad taste.

"What happened in Vegas stayed in federal data banks. Under Ashcroft's revised policy, none of the information has been purged. For every visitor, Breinholt said, "the record of the Las Vegas hotel room would still exist.""

Next time you are called in for questioning on terrorism related charges, keep in mind whether you were in Vegas that month. It's one strike against you.
11.15.2005 4:13pm
Zargon (mail):
"We had to remove our freedoms to save our freedoms."
11.15.2005 4:56pm
Moneyrunner43 (www):
Let' see. If I went to Las Vegas in late December of 2003 and the FBI knows of this, I would be harmed ... exactly how? Am I subject to arrest for visiting Vegas? Why do they care if I visited Vegas? What do I have to fear because they know I visited Vegas?

Because my friend who lines his teeth with Saran wrap because his fillings poison him with mercury vapors is beginning to sound positively sane, I demand to know from the preservers of my precious freedoms what the hell makes this an issue.

Michael Newdow taking the US to court to remove "In God We Trust" sounds more grounded than some of these comments.
11.15.2005 8:53pm
Richard Bellamy (mail):
Apparently, Moneyrunner43 would have no problem wearing an RFID tag at all times, because he won't be going anywhere illegal, and trusts this government (and all subsequent ones of either party) to not misuse any information it collects.
11.15.2005 9:12pm
Windypundit (www):
Moneyrunner43, so, uhm, what's your real name? It's not on either of your blogs (at least not anyplace I could find quickly) or your Blogger profile. If we knew your real name, you would be harmed ... exactly how? Subject to arrest? What do you have to fear if we know your real name?

Actually, I don't dispute your right to post anonymously, but perhaps your reasons for hiding your name would shed light on why we prefer not to have our personal data tracked by the government.

Then there's the flipside of your questions: If I went to Las Vegas in late December of 2003, is there any benefit to me if the FBI knows of this? No. Is the United States harmed in any way by my going to Las Vegas? No. Would the FBI benefit from knowing about my trip to Vegas? No.

If the FBI wants to track my personal data, I would prefer they offer a little better explanation than "because we want to."
11.15.2005 9:53pm
A.S.:
Do posters not understand what NSLs can ask for, or are they deliberately misrepresenting them?

NSLs can ask for records that you already have disclosed to third parties. I thought that was clear from the post.

In the case of Vegas, you have no expectation of privacy in people knowing you were in Vegas because you already disclosed that to the hotel. That's completely different than "wearing an RFID tag at all times", because an RFID would disclose information that you have not previously disclosed to other people.

To me, there is an enormous difference between information you want to keep private and information you've already disclosed to other people.
11.15.2005 10:26pm
John Wayne:
A.S. seems to forget that this is the United States of America, not Soviet Russia. Here in America, Big Brother doesn't have a right to know whether I stayed in the Ritz-Carlton or the Days Inn.
11.15.2005 11:04pm
go vols (mail):
If giving information to a third party voids any expectation of privacy, then we need to rethink the system. How, besides living off the grid, is a citizen supposed to function normally without giving some personal informaton to private parties? Does that mean that the evolution of technology will make privacy obsolete?
11.16.2005 12:14am
WindyT (mail):
Say, a future political candidate for high office went to Vegas that weekend. Say that person stayed in a hotel and charged porn on his TV to his hotel bill. I would assume that the FBI now knows the porn watching habits of this person, as the title of the film was most likely passed to the hotel. Now, this might be background noise in the original search for terrorists, but in the hands of an opposition party operative with access to this it means potential political leverage. I would find it difficult to imagine information like this NOT getting into the hands of those who have no interest in terrorism, but who do have a large interest in political leverage.

How soon will it be that EVERY Las Vegas visitor's hotel bill will be routinely sent to government data banks on a daily basis? I would feel better knowing there's some oversight going on.
11.16.2005 1:51am
Tom Cross (www):
Mr Kerr,

The question that Woods raises is whether advances in technology have increased the impact of the sheding of data to the level where these NSLs raise new, fundamental Constitutional problems that the "consensual" standard cannot resolve. If so, then this is an appropriate matter for the courts to address because this is what the courts do in our system of checks and balances. Referencing the fact that legislative oversight exists implys that you do not think the matter raises new Constitutional implications. To imply this without specifically explaining why, in light of the referenced arguement and the fact that this stuff sailed through Congress with hardly a reading, is akin to offering that those who wish to see civil liberties protected can "eat cake" if they want.
11.16.2005 3:04am
Bruce Hayden (mail) (www):
Good to know that the FBI apparently knows that I was in Las Vegas then. Went there to take my girlfriend to one of her doctors for her back. What is probably really suspicious to them is that we didn't gamble while we were there, despite staying at a casino. I didn't, for any number of reasons, including having written patents on slot machines. She didn't because I shamed her. Still, fairly suspicious.

I wonder though whether they were able to tie this stay to my other FBI records. They found a lot of compromising stuff when they investigated me for a security clearance some 20 years ago. And I think they know every time I have applied to sit for a bar exam or a real estate broker's license.

I don't of course have my SS# on my driver's license, but I have no doubt that they can get such from the state, and I did have to supply my license to register. So, they probably have the hooks to tie it all together.

I just don't know why they would bother.
11.16.2005 9:22am
A.S.:
"A.S. seems to forget that this is the United States of America, not Soviet Russia. Here in America, Big Brother doesn't have a right to know whether I stayed in the Ritz-Carlton or the Days Inn."

So, you're fine with the hotel chain knowing, with your credit card company knowing, and with the car rental agency knowing. It's just people investigating terrorism that you don't want to know. Got it.
11.16.2005 10:47am
Zargon (mail):
That's completely different than "wearing an RFID tag at all times", because an RFID would disclose information that you have not previously disclosed to other people.

...Which is completely different than your cell phone carrier informing where you (more precisely, your cell phone) went at all times, because you do disclose that information to them. Right?

Later: So, you're fine with the hotel chain knowing, with your credit card company knowing, and with the car rental agency knowing. It's just people investigating terrorism that you don't want to know. Got it.

That's precisely correct, because "people investigating terrorism" today will have different motives tomorrow. Governments always expand control over citizens to the extent that technology practically allows. Assuming the US will somehow behave differently only ensures that that happens sooner.

One can only hope that these "conservative" voices regain their healthy suspicion of government interference at some point... maybe a Democrat in office will help the process along.
11.16.2005 11:39am
John Wayne:
"Investigating terrorism" shouldn't give the government the right to know where I slept or what I had for breakfast unless they actually have "probable cause."
11.16.2005 11:46am
carpundit (www):
>>>...unless they actually have "probable cause."<<<

You cannot possibly mean that. Limiting the acquisition of investigative information to those situations where the government has probable cause would effectively end all anti-crime and anti-terror efforts.

I cannot think of a (sane) reason to extend Fourth Amendment protections to your morning oatmeal. Protection of privacy is important. Extreme protection of privacy is suicide.
11.16.2005 1:02pm
Sebastianguy99 (mail):
"One can only hope that these "conservative" voices regain their healthy suspicion of government interference at some point..."

There does seem to be some tension between the idea of "limited government" which is usually the gold standard on this blog, and the idea that government should nevertheless have the broad authority discussed within this thread.

I do not see how the two can be reconciled, at least not in an "orginalist" fashion. Perhaps it is because the "expectation of privacy" doctorine, while convenient, is also an open invitation for expansion of goverment power.
11.16.2005 2:06pm
John Wayne:

You cannot possibly mean that. Limiting the acquisition of investigative information to those situations where the government has probable cause would effectively end all anti-crime and anti-terror efforts.


So you want the government to have carte blanche to know what books you read, where you shop, and where you travel. I thought this was the U.S.A., not the U.S.S.R.
11.16.2005 3:09pm
BruceB (mail):
There is a big difference between the hotel or the rental car agency knowing I was there (which of course, they must, in order to provide the service), and the government knowing. The biggest and most obvious reason is that the hotel has no power over me. The government does.

The idea that "there is no problem with the government knowing every detail of my life, as long as I'm not doing anything wrong" is a non-starter. This is how every totalitarian government thinks. There is a reason we have constitutional limits to what government can do to us.

Power belongs to citizens, not to the government. This is one of the defining themes of American democracy. Any power that we give to the government WILL be abused at some point - law enforcement personnel are not perfect any more than the rest of us. You don't think any law enforcement employee anywhere is using information gleaned through his job to harrass his ex-girlfriend or her new boyfriend? You are much, much more optimistic than I am that all this data is being used only for combating terrorism.

Maybe you just trust the current government administration. Maybe you are right to do so. But picture this same power in a government administration that you don't trust, whatever that may be - because these powers don't go away. Once you give up a freedom, it's next to impossible to acquire it again.
11.16.2005 3:31pm
dk:
Even if recipients can't expose which individuals they have received national security letters about, it would be useful if they published aggregate statistics on how many people the FBI has asked them to track. If there are 100,000 being tracked rather than 1-2,000 nationwide, it would send very different signals about whether this is a follow-up on promising leads or a fishing expedition by a lazy federal bureaucracy.
11.16.2005 3:56pm
carpundit (www):
BruceB,

Your points are thoughtful and well-put. You wrote, "But picture this same power in a government administration that you don't trust, whatever that may be - because these powers don't go away."

But that's wrong. We're talking about taking them away now. That's my core point. The government needs these powers now. When we start seeing abuse, we can restrict the tool. That isn't now. Don't believe the ACLU on this stuff. There's a lot of misinformation out there about the law and the way the USG uses it.
11.16.2005 5:06pm
Sebastianguy99 (mail):
If the government feels that the need is so great, why does it not ask for an amendment to the Constitution granting it this authority?
11.16.2005 11:52pm
Blues on Bach (mail):
Carpundit said:
>>>
Limiting [NSLs to cases with probable cause ...] would effectively end all anti-crime and anti-terror efforts. [...] Extreme protection of privacy is suicide.
>>>

NSLs should never, ever, be used to investigate or track anyone other than foreign terrorists. Extending this power to "anti-crime" effectively grants the DOJ carte blanche to gather any data that you are unwittingly sharing. For example, when you install a browser toolbar, you may be sending data about the web sites you visit along with your IP address to a third party. The FBI could use an NSL to gather this information as well, for virtually any reason.
11.17.2005 1:36pm