The FBI routinely uses secret orders known as national security letters to demand information that recipients might not actually have to give up, internal documents indicate. The letters are among the FBI’s most potent instruments, because they function like subpoenas without requiring the approval of a judge. Internal guidelines suggest that the bureau has been using them to pursue sensitive electronic data and phone records — despite the fact that such attempts overstep the bureau’s legal authority. The Intercept obtained the FBI’s rules for national security letters as they are spelled out in two different guides: a document detailing current guidelines for agents using the letters and an uncensored 2011 version of the FBI’s main operating manual, the Domestic Investigations and Operations Guide, or DIOG. Both documents are marked “unclassified” or “for official use only.” The first document has not been previously released. The DIOG has been made public only in heavily redacted form. The FBI issues thousands of NSLs each year. They are controversial in part because they carry the force of law but are created entirely outside the judicial system: To issue one, an FBI official just needs to attest that the information sought is relevant to a national security investigation. The letters have also been criticized because they are shrouded in secrecy. Companies that receive them are for the most part forbidden from notifying their customers or the public. The government has fought to keep even basic rules governing them secret. The FBI’s internal guidelines suggest that the bureau uses the letters to demand sensitive information on email transactions — even though the Justice Department has specifically advised the FBI that it does not have the authority to use the letters this way. The documents also indicate that the FBI can use national security letters to surveil a “community of interest” by obtaining information from a business about a customer and every person that customer has contacted. This is a controversial practice that the bureau once halted amid scrutiny. But the documents reveal that a secretive unit that mines phone records can still initiate such requests. Last June, Congress narrowly rejected a proposal to allow the FBI to use the letters to demand information like browsing history, email headers (not including subject lines), and, depending on your reading of the bill, possibly even some social media information. An amendment to a criminal justice funding bill making that change fell just two votes short of passage. Even so, the newer document on NSL policy contains a reference to a “model NSL” the FBI uses to request “email transactional” data from companies and other organizations — despite the fact that the organizations are not obligated to provide such information. The bureau has long used NSLs to obtain basic subscriber information from telecom companies. The Electronic Communications Privacy Act lists four types of information the bureau is allowed to obtain, including the name of the owner of an account, how long that person has owned it, the person’s address, and toll billing records, which show phone numbers called, the date and time of each call, and the length of each call. Several years ago, the FBI began using the letters to ask for email headers and internet browsing records — assuming that such queries were consistent with the bureau’s right to procure “basic subscriber information.” To that end, the bureau requested a broad category of information it sometimes refers to as “electronic communication transactional records.” In 2008, Department of Justice lawyers clarified that the FBI didn’t actually have the legal authority to demand that technology companies hand over records outside of the four types listed. However, as The Intercept previously reported, the FBI disagreed with that conclusion and asked for such material anyway in a 2013 NSL it sent to Yahoo. Some large companies like Facebook and Yahoo have refused to provide email and browsing data in response to such NSLs, but FBI agents may have expected that other companies, especially small ones, would be too ignorant or weak to fight back. “The government’s position is: We can ask for anything analogous to toll billing records” — such as email and browsing data — “and if the providers are dumb enough to give it to us, that’s not our problem,” said Chris Soghoian, a technologist formerly with the American Civil Liberties Union. The FBI guide to NSLs obtained by The Intercept references a set of “model NSLs” for agents to choose from; among the options are “email transactional NSL,” along with model letters for more conventional requests: “telephone subscriber NSL” and “telephone toll billing record NSL.” “The existence of a standard form in the FBI’s NSL system suggests that this is not one or two agents that are misreading the statute, it’s policy,” said Soghoian of the “email transactional NSL.” The 2011 DIOG obtained by The Intercept does delineate a few “sorts of records” that couldn’t be obtained through an NSL, at least in 2011, including social media friend lists and virtual property owned on platforms like Second Life. But neither guide specifies exactly how it defines toll billing records, which are expressly allowed, or “electronic transactional” data, the umbrella term that often appears in the letters. Even when not explicitly asking for email or electronic transaction records, the FBI implies that toll billing records might include such data, said Al Gidari, a prominent national security attorney who has worked on NSL cases in the past. The language of the letters is ambiguous and “leaves the impression that the provider better think broadly about what a toll record is as opposed to ‘Hey, it’s up to you as to what you give us,’” Gidari said. The Department of Justice’s inspector general found widespread misuse of NSLs at the FBI in the early 2000s, and the model letters in this case were, ironically, actually part of an effort to reform the NSL process. The idea was that an automated system for generating and submitting NSLs would prevent agents from issuing improper requests for information. In the case of “email transactional” NSLs, however, automation appears to have systematized the bureau’s contentious reading of the law. Chris Soghoian speaks at TEDSummit 2016 held in Banff, Canada, in June. Photo: Bret Hartman/TEDThe unredacted 2011 DIOG obtained by The Intercept sheds light on another worrying use of NSLs — in this case, to obtain multiple individuals’ call records in one fell swoop, in order to suss out what is variously referred to as “community of interest,” “calling circle,” or “second generation” information. The fact that the FBI made such requests was first disclosed in 2007, at which time the practice was halted under scrutiny from the inspector general of the Department of Justice. The FBI seems to have eventually started it up again, under rules that have not previously been made public. The DIOG states that “under limited circumstances, one NSL may simultaneously request toll or transactional information for a ‘seed number’ [normally the target of the investigation] and toll or transactional information for all telephone numbers that have been in contact with the seed number.” Such requests need the approval of the deputy general counsel of the FBI’s National Security Law Branch. The guide states that NSLs seeking “second generation/community of interest information” are “used rarely,” and specifies that agents cannot ask for second-generation information “if there is reason to believe the ‘seed number’ has been in contact with members of the news media.” (In June, The Intercept published the FBI’s standards for NSLs targeting the media, which require a modicum more oversight.) The guide doesn’t detail what circumstances warrant second-generation requests, but it confirms that they are issued by a secretive FBI data-mining unit. Back in 2007, it was reported that the FBI used the information it gleaned from community of interest requests for a technique it called call-link analysis, visualizing phone data to look for patterns and connections and identify previously unknown suspects. Soghoian said that the FBI might be especially sensitive about community of interest requests because they have the potential to suck up information on a large number of people who may have only a tangential connection to a national security threat; the letters can target people who are not even the subject of an investigation, but merely deemed “relevant” to one. The FBI abused this power in the past. In 2007, documents released to the Electronic Frontier Foundation showed orders with boilerplate language asking for “a community of interest for the telephone numbers in the attached list.” At the time, an unnamed government official told the New York Times that the data “was limited to people and phone numbers ‘once removed’ from the actual target” of the NSL — the same standard in the 2011 DIOG. A spokesperson for the FBI also told the Times that community of interest data “was used infrequently.” Yet despite this, a 2010 report from the Justice Department’s inspector general found that the FBI “often” asked for such data, both through NSLs and other orders and requests. It identified hundreds of NSLs that included language seeking second-generation records. At the time, at least, AT&T was apparently the only company capable of providing community of interest information; Verizon had told Congress it didn’t keep that data. In some cases, the report found that FBI officials who signed NSLs with community of interest language “were not even aware that they were making such requests.” Overall, the report concluded the FBI’s community of interest practices were “improper,” “inappropriate,” and “likely resulted in the FBI obtaining and uploading into a [redacted] database thousands of telephone records” without actually certifying that they were relevant to an investigation. In a 2014 follow-up report, the inspector general concluded that the FBI’s policy on community of interest requests as written in the DIOG was a good start in fixing these problems because it required the general counsel’s review — but the description of the policy itself was almost entirely redacted. The FBI recently posted an updated section on NSLs from the DIOG from 2013, but it is heavily redacted, including the section on community of interest requests, making it impossible to know what updates have been made. “I can say that the DIOG has been updated to reflect privacy concerns re: community of interest information,” said an FBI spokesperson. He did not respond to questions about how often the FBI issues community of interest requests, whether they are still always limited to information once-removed from the original target of the NSL, and whether they could be used to obtain email as well as telephone records. Reporters work on their laptops during a campaign event for then Sen. Barack Obama on May 9, 2008, in Beaverton, Ore. Photo: Mark Wilson/Getty ImagesSome of the instructions in the manuals imply meaningful restrictions on the bureau’s use of NSLs. For example, the DIOG includes instructions for what agents should do if a company “overproduces” in response to such a letter and hands over more information than requested, such as data outside the time frame specified in the request, or data on the wrong phone number. When that happens, the FBI is not allowed to upload the excess data into any of its internal systems except in cases where the information may be obtained via NSL and the bureau issues a second, “curative” letter. The newer policy document on NSLs also spells out a clear prohibition on “exigent letters” — informal requests, supposedly issued only in an emergency, through which the FBI demanded information without even the internal approval and record keeping required of an NSL, let alone the approval of a judge. Up until 2006, the FBI used these letters to ask for information from companies without any particular authority, sometimes promising to follow up with a subpoena or NSL, but not always doing so. In 2010, the inspector general found that the bureau had illegally collected more than 2,000 call records between 2003 and 2006, often also asking for community of interest information. The report concluded that the FBI’s use of the letters flouted the law and internal policies. The newer NSL guidelines suggest that since 2007, the FBI has complied with this judgment: The document contains a section headed “NO EXIGENT LETTERS,” in upper-case letters. “The practice of using exigent letters to obtain NSL-type information is prohibited,” it continues. Top photo: An employee fixes part of a web server inside the Facebook Inc. Prineville Data Center in Prineville, Ore., on April 28, 2014. The post National Security Letters Demand Data That Companies Aren’t Obligated to Provide appeared first on The Intercept.