For the first time, Microsoft and Google have publicly revealed roughly how often they have been issued National Security Letters (NSL), which allow the Federal Bureau of Investigation to get private customer information without a judge's approval. It highlights why the letters, created in their current form by the Patriot Act, should be done away with -- and a recent court ruling may lead the way to doing just that.
The Patriot Act allows the FBI to issue NSLs to companies seeking a customer's "name, address, length of service, and local and long distance toll billing records" without a judge's prior approval. An FBI agent only needs to say that the request is "relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities." A superior at the FBI must approve each request, but otherwise, there's no oversight.
The law has a gag provision that bans the company from saying anything about NSLs, not even so much as acknowledging that it has received one. That provision is invoked if the FBI deems that the disclosure would be a "danger to the national security of the United States, interference with a criminal, counterterrorism, or counterintelligence investigation, interference with diplomatic relations, or danger to the life or physical safety of any person."
Again, there's no oversight.
In early March, under a deal with the Obama administration, Google became the first company to publicly reveal anything about the NSLs it has received from the FBI. Under the deal, it can disclose a range of the number of NSLs, but not the precise number. Still, the disclosure is revealing. In a " transparency report," Google said the company had received between 0 and 999 NSLs each year for 2009, 2010, 2011 and 2012.Those requests covered between 1,000 and 1,999 accounts each year, except for 2010, when they covered between 2,000 and 2,099.
Several weeks after Google released its report, Microsoft followed suit. Microsoft has been targeted more heavily than Google -- in 2009 it received between 0 and 999 NSLs for between 2,000 and 2,999 accounts; in 2010 it received between 1,000 and 1,999 NSLs for between 5,000 and 5,999 accounts; in 2011 it received between 1,000 and 1,999 NSLs for between 3,000 and 3,999 accounts; and in 2012 it received between 0 and 999 NSLs for between 1,000 and 1,999 accounts.
Both companies should be commended for bringing these numbers to light, because it reminds people how this portion of the Patriot Act endangers their liberties. Even at the low range, those numbers show that a great number of people in the U.S. have been subjected to intrusive prying by the government without their knowledge.
March proved to be a good month for privacy advocates, because in the middle of the month -- between the release of Google's and Microsoft's reports -- federal district court Judge Susan Illston ruled that NSLs are an unconstitutional violation of the First Amendment. She said that the requirement that companies couldn't report that they had received NSLs was "impermissibly overbroad," and pointed out that 97% of the more than 200,000 NSLs issued to date were accompanied by gag orders.
Her ruling doesn't go into effect immediately; she gave the Obama administration 90 days to appeal it.
The White House shouldn't appeal. NSLs clearly violate the Constitution. Outlawing them won't affect national security, because the FBI and government agencies can still quickly get information they need, as long as it's truly justified. They'll only have to ask a judge. Before the Patriot Act, that's the way things worked -- with proper oversight.
There's no reason to believe they can't work that way again, effectively and constitutionally.
Preston Gralla is a contributing editor for Computerworld.com and the author of more than 45 books, including Windows 8 Hacks (O'Reilly, 2012). See more by Preston Gralla on Computerworld.com.
Read more about privacy in Computerworld's Privacy Topic Center.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.