You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at epic.org.

National Security Letters

National Security Letters (NSLs) are an extraordinary search procedure that gives the FBI the power to compel the disclosure of customer records held by banks, telephone companies, Internet Service Providers, and others. These entities are prohibited, or "gagged," from telling anyone about their receipt of the NSL, which makes oversight difficult. The Number of NSLs issued has grown dramatically since the Patriot Act expanded the FBI's authority to issue them.

Top News

  • EPIC Obtains FBI's Updated Media Guidelines: In response to EPIC's Freedom of Information Act request, the Federal Bureau of Investigation has released documents (part 1, part 2, part 3) concerning the agency's use of National Security Letters to obtain information from the media. The disclosure to EPIC includes a revised policy that followed criticisms of government surveillance of journalists. In an earlier amicus brief, EPIC recommended enhanced oversight of National Security Letters. (Mar. 4, 2019)
  • Federal Court Lifts Gag Order on National Security Letter Recipient: For the first time, a federal court has lifted a national security letter gag order, allowing an Internet Service Provider to publish the FBI's demands for records of user web browsing history, IP addresses, online purchases, and location information. The FBI issues thousands of NSLs each year, forcing companies to disclose troves of consumer records without probable cause. Recipients are preventing from acknowledging these warrantless searches. EPIC filed an amicus brief in In re National Security Letter, arguing that NSL gag orders frustrate the public's right to know about government surveillance programs. (Dec. 1, 2015)
  • EPIC Supports Challenge to National Security Letter "Gag Orders": EPIC has filed an amicus curiae brief in In re National Security Letter, a case challenging the government's bulk collection of customer records without judicial approval. Under the current law, companies are not even allowed to discuss these subpoenas or reveal information about the number of NSLs they receive each year. EPIC argued in its friend of the court brief that this "gag order" provision frustrates the public's right to know about a far-reaching government surveillance program. EPIC routinely provides information to the public about government surveillance programs, but is unable to inform the public about NSL surveillance because of the provision now under review by a federal appeals court. For more information, see EPIC: In re NSL and EPIC: National Security Letters. (Apr. 1, 2014)
  • 2012 Democrat Platform Endorses Internet Privacy: The 2012 Democratic National Platform supports the administration’s Internet Privacy Bill of Rights to protect consumer privacy. Separate provisions in the platform call for privacy protections for broadband deployment, intellectual property enforcement, and cybersecurity laws; the Democratic platform opposes voter identification laws. However, the platform is silent on the Fourth Amendment, and retreats from the 2008 Democratic platform that opposed surveillance of individuals that were not suspected of a crime. In 2008, Candidate Obama promised to "strengthen the privacy protections for the digital age and to harness the power of technology to hold government and business accountable for violations of personal privacy.” The 2012 Republican Platform was released last week. The Libertarian and Green Party platforms are also available. For more information, see EPIC: Privacy and Consumer Profiling, EPIC: Voter Photo ID and Privacy, EPIC: National Security Letters, and EPIC: Cybersecurity Privacy Practical Implications. (Sep. 4, 2012)
  • 2011 FISA Orders Up, National Security Letters Down, No Surveillance Request Denied: According to the 2011 Foreign Intelligence Surveillance Act (FISA) Report the Justice Department submitted 1,745 applications to the Foreign Intelligence Surveillance Court, a 10.5% increase over 2010. Of the 1,745 FISA search applications, 1,676 concerned electronic surveillance. The FISA court did not deny any applications, though it did modify 30 applications. Also in 2011, the FBI made 16,511 National Security Letter requests for information pertaining to 7,201 different U.S. persons. This is a substantial decrease from the 24,287 national security letter requests concerning 14,212 U.S. persons in 2010. The annual report on FISA, released by the Department of Justice, is far less extensive than the annual wiretap report, produced by the Administrative Office of the US Courts. EPIC has recommended greater accountability for the FISA Court. For more information, see: EPIC: Foreign Intelligence Surveillance Act Court Orders 1979-2011 and EPIC: Foreign Intelligence Surveillance Act. (May. 4, 2012)
  • Senator Leahy Urges Attorney General to Implement Patriot Act Reforms: Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) has sent a letter to Attorney General Eric Holder regarding key privacy safeguards for the PATRIOT Act. The Senate Judiciary Committee passed the PATRIOT Act Sunset Extension Act earlier in the year, which included many reforms, but the full Senate did not act on the measure Because the administration supported the reforms within the bill, Sen. Leahy advised the Attorney General that he can voluntarily adopt many of the reforms even without Congressional action. Senator Leahy expressed particular concern about the possible misuse of National Security Letter authority. Attorney General Holder will appear before the Senate Judiciary Committee on Wednesday, April 14, 2010 for an oversight hearing. For more information, see EPIC: National Security Letters. (Apr. 14, 2010)
  • Inspector General Finds "Egregious Breakdown" in FBI Oversight: The Department of Justice Office of the Inspector General has issued a report on the FBI's use of "exigent letters" and other means to obtain telephone records from three unnamed phone companies. The 300-page report concludes that many of the FBI's practices "violated FBI guidelines, Department policy," and the Electronic Communications Privacy Act. The report also found that "the FBI sought and acquired reporters' telephone toll billing records and calling activity information" through improper means. The report concludes that "the FBI's initial attempts at corrective action were seriously deficient, ill-conceived, and poorly executed" and makes several recommendations for improvement. In a 2007 letter to the Senate Judiciary Committee, EPIC recommended that the FBI's National Security Letter authority be repealed. For more information, see EPIC National Security Letters. (Jan. 21, 2010)
  • House Members Introduce PATRIOT and FISA Reform Bills: Representatives Conyers, Nadler, and Scott introduced two bills today that would amend the PATRIOT Act and the Foreign Intelligence Surveillance Act. The Patriot Amendments Act of 2009 will enhance reporting and judicial oversight of law enforcement powers, including the National Security Letter process. The FISA Amendments Act of 2009 will place new limits on the government's ability to collect and store Americans' communications without a warrant and repeals retroactive immunity. For more information, see EPIC FISA, EPIC PATRIOT Act. (Oct. 20, 2009)
  • PATRIOT Act Revisions Introduced in Senate: Today, Sen. Russ Feingold (D-WI) and seven cosponsors introduced the Judicious Use of Surveillance Tools In Counterterrorism Efforts (JUSTICE) Act. The bill would amend the PATRIOT Act, the FISA Amendments Act, and other surveillance and intelligence laws. Among other changes, the JUSTICE Act would reform the National Security Letter process, revise the guidelines for business records orders, eliminate the catch-all provision for "sneak-and-peek" searches, and add new safeguards for FISA roving wiretaps. The JUSTICE Act would also repeal retroactive immunity for telecommunications companies, and is supported by many civil liberties organizations. For more information, see EPIC USA PATRIOT Act, EPIC FISA, EPIC Wiretapping, and EPIC National Security Letters. (Sep. 17, 2009)
  • Senators Consider PATRIOT Act Reforms: Senators Russ Feingold (D-WI) and Dick Durbin (D-IL) are drafting legislative reforms to revise the USA PATRIOT Act. The USA PATRIOT Act allows authorities to conduct surveillance without judicial review through the use of National Security Letters. The Senators asked the Attorney General and the Chairmen of the Senate Judiciary and Intelligence Committee to consider two previous bills that add protections to PATRIOT ACT. Pursuant to a EPIC lawsuit, a federal judge had ordered the Justice Department to provide for independent judicial inspection of documents relating to warrantless wiretapping. For more information, see EPIC USA PATRIOT Act, EPIC FISA, EPIC Wiretapping, and EPIC National Security Letters. (Aug. 7, 2009)
  • Inspector General Finds Continuing Abuses of Patriot Act Powers.For the fourth consecutive year, the Inspector General found (pdf) privacy breaches by FBI agents using National Security Letters, which permit the FBI to compel the disclosure of records held by banks, telephone companies, and others without judicial oversight. A second report (pdf) found abuses of Patriot Act Section 215 orders that allow the FBI to demand business records and other "tangible things" from any company or individual. "[W]e found that the FBI had issued [NSLs] for information about [redacted] after the FISA court, citing First Amendment concerns, had twice declined to sign Section 215 orders in the same investigation," the Inspector General said. Sen. Patrick Leahy, Chairman of the Judiciary Committee, plans an oversight hearing. "Legislative action may be necessary to correct these abuses. I intend to seek accountability and advertence to the rule of law," he said. EPIC has recommended (pdf) reforms to the NSL authority. (March 14, 2008)
  • FBI Issues Revised National Security Letter Guidelines. The FBI has sent to its field agents updated guidelines (pdf) for the use of National Security Letters (NSLs). The new guidelines prohibit the use of exigent letters, but continue other practices permitted by the Patriot Act. These other practices include field offices being able to issue NSLs as opposed to the pre-Patriot Act system of only headquarters issuance. FBI field offices also continue issuing NSLs under the lowered standard of "relevance to an ongoing investigation" permitted by the Patriot Act. (June 13, 2007)
  • EPIC Calls for Repeal of Misused Patriot Act Powers. In a letter to the Senate Judiciary Committee, EPIC recommended that Congress repeal the National Security Letter authority. (Mar. 21, 2007)
  • Report Finds FBI Misused PATRIOT Act Powers. The Department of Justice Inspector General has determined that the FBI abused the National Security Letter authority established by the Patriot Act. With a National Security Letter, the FBI can demand information from companies and individuals without any court approval. The Inspector General found unreported violations of law in 22% of the cases examined and also that the FBI did not report the actual number of Security Letters to Congress as required by law. The FBI acknowledged today that there has been "inadequate auditing and oversight" of National Security Letter authority. (Mar. 9, 2007)
  • EPIC FOIA Documents Show Possible Patriot Act Abuses. Documents (pdf, 3.1 mb) obtained by EPIC under the Freedom of Information Act describe thirteen cases of possible FBI misconduct in intelligence investigations. The documents were released by the Bureau in response to an EPIC open government request (pdf) for information about the FBI's use of provisions of the PATRIOT Act. EPIC has written a letter (pdf) to the Senate Judiciary Committee highlighting the need for the Attorney General to report to Congress on potentially unlawful intelligence investigations. (Oct. 24, 2005)

Overview: What Does an NSL Do?

What Types of Information Can Be Obtained by NSLs?

  • Telephone and E-mail Records: "Toll records," a historical record of calls made and received from land lines, cell phones, and other sources, of a specified phone number, as well as billing records associated with that number. E-mail records, including e-mail addresses and screen names associated with the requested account and the e-mail addresses and screen names who have contacted that account. Also includes billing records and methods of payment for each account.
  • Financial Records: Financial information, including open and closed checking and savings accounts, from banks, private bankers, credit unions, thrift institutions, brokers and dealers, investment bankers and companies, credit card companies, insurance companies, travel agencies, casinos, and others. For a full list, see 31 U.S.C. § 5312(2).
  • Credit Information: Full credit reports, names and addresses of all financial institutions at which the consumer has maintained an account, and identifying information of a consumer (limited to name, address, former addresses, and past and current employers).

Court Challenge: In Re National Security Letter

The case was filed in the Northern District of California and was decided on March 14, 2013. Judge Illston's opinion held that the nondisclosure provisions burdened speech beyond that allowable in the Constitution—because the government could not show that a blanket prohibition on disclosure of receipt of a National Security Letter furthered the government's interest in national security, the provisions were not sufficiently narrowly tailored. Judge Illston additionally held that the standards of review in the National Security statute impermissibly limited a court's ability to review nondisclosure orders. On May 6, 2013, attorneys for the Department of Justice, Attorney General, and FBI appealed the court's order. The case is In re Nat'l Sec. Letter, 930 F. Supp. 2d 1064. For more information, see EPIC: In Re National Security Letter.

NSL "Gag Order" Provisions

The four NSL statutes all include "gag order" provisions barring those who receive NSLs from disclosing the fact that they have received such a letter (even to the consumer whose records are being sought) and from disclosing the records provided. The Patriot Act did not alter these provisions. An op-ed explaining one NSL recipient's experience with the gag order entitled My National Security Letter Gag Order appeared in the Washington Post on March 23, 2007. A more recent New Yorker article also described the experience of receiving a National Security Letter, What It's Like to Get a National Security Letter.

The American Civil Liberties Union (ACLU) has challenged the gag order provisions in two cases, Doe v. Ashcroft and Doe v. Gonzales. In both cases, the judges ruled that the gag orders were unconstitutional on both Fourth and First Amendment grounds. See the ACLU's pages on Doe v. Ashcroft and Doe v. Gonzales for more information.

The Patriot Reauthorization Act of 2005 modified some of the gag order provisions. An NSL recipient may now disclose the fact that they received an NSL in connection with seeking legal advice or complying with the NSL. NSL recipients were also given the ability to challenge, in federal court, compliance with the NSL and the gag order provisions. Additionally, the government was given the ability to seek judicial enforcement of NSLs in non-compliance situations.

Office of the Inspector General Report, March 9, 2007

Under the Patriot Reauthorization Act of 2005, the Department of Justice Office of the Inspector General (OIG) is required to review "the effectiveness and use, including any improper or illegal use, of national security letters issued by the Department of Justice." The OIG released its first report, covering calendar years 2003 through 2005, on March 9, 2007. The report detailed significant violations of law and regulations by the FBI in its use of its national security letter authority.

The FBI is required to report to Congress on the number of NSLs issued; the OIG found that the FBI underreported this number. The OIG review looked at 77 case files containing 293 NSLs from four separate FBI field offices issued in the 2003-2005 period. This review found that there were 17% more NSLs in the sample of case files than in FBI reporting databases. Delays in data entry also caused about 4,600 NSLs to not be reported to Congress. The OIG concluded that the FBI database significantly understates the number of NSL requests issued, and that Congress has been misinformed about the scale of the usage of the NSL authority.

The report further stated that violations are supposed to be self-reported by the FBI to the Intelligence Oversight Board. During the 3-year period in question, the FBI self-reported 26 violations out of the 140,000 NSLs issued. The OIG, however, found 22 potential violations out of the sample of 293 NSLs it reviewed. The OIG has stated that there is no indication that the 293 NSLs it reviewed are not representative of all of the NSLs issued, thus indicating that the FBI is failing to self-report a very significant number of violations.

The OIG also found over 700 "exigent letters," which are not authorized by statute and some of which appear to have been issued when no exigency or emergency existed. These letters requested records from telephone companies and promised that proper subpoenas had been submitted or would follow. However the OIG found no confirmation that subpoenas, NSLs, or other proper process did follow or had in fact been submitted.

In response to the OIG report, FBI Director Robert Mueller testified before the Senate Judiciary Committee on March 27, 2007. In his opening statement, Committee Chairman Patrick Leahy stated that the FBI's "pattern of abuse of authority and mismanagement causes me and many others on both sides of the aisle to wonder whether the FBI and Department of Justice have been faithful trustees of the great trust that the Congress and American people have placed in them to keep our nation safe while respecting the privacy rights and civil liberties of all Americans." Senator Arlen Specter, the ranking Republican member on the committee, stated that "the question is emerging as to whether the FBI is up to the enormous task that we have asked it to perform," pointing out that "every time we turn around, there is another, very serious, failure on the part of the bureau."

NSL Statistics

The first Inspector General's report detailed the FBI's use of NSLs from 2003 to 2005. All of the below statistics were taken from this report.

  • Total number of NSL requests from 2000 (prior to passage of the Patriot Act): about 8,500.
  • Total number of NSL requests from 2003-2005 (after passage of the Patriot Act): 143,074.
    • 2003: 39,346
    • 2004: 56,507
    • 2005: 47,221
  • Percentage of NSL requests generated from investigations of U.S. Persons:
    • 2003: about 39%
    • 2004: about 51%
    • 2005: about 53%
  • Type of investigation connected to NSL requests (2003 through 2005):
    • Counterterrorism: 73.6%
    • Counterintelligence: 26%
    • Foreign Cyber Investigations: 0.4%

Inspector General Reports

  • 2007 Report. Office of the Inspector General, A Review of the Federal Bureau of Investigation's Use of National Security Letters, March 2007.
  • 2008 Report. Office of the Inspector General, A Review of the Federal Bureau of Investigation's Use of National Security Letters: Assessment of Corrective Actions and Examination of NSL Usage in 2006, March 2008.
  • 2010 Report. Office of the Inspector General, A Review of the Federal Bureau of Investigation's Use of Exigent Letters and Other Informal Requests for Telephone Records, January 2010.
  • 2014 Report. Office of the Inspector General, A Review of the Federal Bureau of Investigation's Use of National Security Letters: Assessment of Progress in Implementing Recommendations and Examination of Use in 2007 through 2009, August 2014.

Legal Authority for NSL Power

The FBI's authority to issue NSLs dates back to 1986, when an amendment to the Right to Financial Privacy Act was passed permitting the FBI to obtain financial records in foreign counterintelligence cases. Since then, Congress has enacted a number of laws authorizing the FBI to obtain, without judicial oversight, certain types of information in terrorism, espionage, and classified information leak investigations. Among these laws are four statutory provisions that authorize the FBI to use NSLs to obtain customer transactional information from communications companies, financial institutions, and consumer credit agencies. The Patriot Act expanded these four existing statutes, and added a fifth NSL authority. The five sources of the FBI's NSL power are:

  1. The Right to Financial Privacy Act (RFPA), 12 U.S.C. § 3414. As originally enacted in 1978, the RFPA required that before a disclosure of personal financial information was made to law enforcement, government agencies must have provided individuals with advance notice and have given the individual an opportunity to challenge the request. A 1986 amendment to the RFPA created an exception to this advance notice requirement by authorizing the FBI to obtain financial records in foreign counterintelligence cases in cases where the agency had "specific and articulable facts giving reason to believe that the customer or entity whose records are sought is a foreign power or an agent of a foreign power." These requirements were changed upon enactment of the Patriot Act; the FBI may now obtain financial records if the information is sought for foreign counterintelligence purposes, as long as the investigation is not based on conduct protected by the First Amendment. Congress again amended the RFPA in 2003 to expand the definition of "financial institutions" to which NSLs could be issued. The statute now covers large casinos, insurance companies, automobile dealerships, credit unions, real estate companies, and travel agencies.
  2. The Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2709. The ECPA allows the FBI to obtain telephone and e-mail information by issuing a NSL. This includes historical information on telephone calls made and received from a specified number, and billing records associated with a number. It also includes e-mails, screen names, and billing records for electronic communication services. Lastly, it includes subscriber information associated with an individual's phone or e-mail account.
  3. The Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681u. The FCRA, as amended in 1996, authorizes the FBI to issue NSLs to obtain a consumer's credit history information, including the names and addresses of all financial institutions at which the consumer maintains or has maintained an account. The FBI may also request a consumer's identifying information, limited to name, address, former addresses, and both current and past employers.
  4. Patriot Act amendment to the Fair Credit Reporting Act, 15 U.S.C. § 1681v. This new national security letter authority authorizes the FBI (and any government agency authorized to conduct international terrorism investigations) to obtain a consumer's full credit report and "all other" information in a consumer's file for international terrorism investigations.
  5. The National Security Act, 50 U.S.C. § 436. The National Security Act, amended to include NSL authority after the 1994 espionage investigation of former CIA employee Aldrich Ames, authorizes NSLs to be issued in association with investigations of improper disclosure of classified information by government employees. This authority is rarely used by the FBI. The NSLs can cover financial records and information, including consumer reports.

The USA PATRIOT Act's Impact on NSL Authority

The FBI's NSL authority was significantly expanded by the Patriot Act. Section 505 of the Patriot Act expanded the FBI's authority by:

  • Lowering the threshold for situations in which NSLs may be issued. Previously, the FBI may only have used NSLs to request information if it had "specific and articulable facts giving reason to believe that the customer or entity whose records are sought is a foreign power or an agent of a foreign power." The Patriot Act eliminated this requirement, and now NSLs may be issued to request information that is merely "relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities," provided that such an investigation of a U.S. person is not based on activities protected by the First Amendment. As a consequence, the FBI may use NSLs to request information about persons who are not subjects of national security investigations, so long as the information requested is "relevant" to such an investigation.
  • Expanding approval authority beyond senior FBI Headquarters officials. Special Agents in charge of the FBI's 56 field offices may now sign NSLs.
  • Amending the Fair Credit Reporting Act to add a new NSL authority. This new authority authorized the FBI and any other government agency authorized to conduct international terrorism investigations to issue NSLs to obtain full consumer credit reports in international terrorism investigations.

FBI Guidelines regarding NSLs

The FBI is subject to two sets of guidelines, one for foreign intelligence and international terrorism investigations ("National Security Investigation (NSI) Guidelines"), and one for general crimes, racketeering and domestic terrorism ("Criminal Guidelines"). In October 2003, the Attorney General made significant changes to the NSI, permitting NSLs to be issued during preliminary investigations. Under the previous guidelines, NSLs could only be issued during full investigations with limited exceptions.

Legislative Proposals to Address NSL Issues

Legislation reintroduced by Representative Jane Harman (D-CA) on March 28, 2007, would have returned the threshold for when a NSL may be issued back to the pre-Patriot Act standard of requiring that the FBI show a specific connection to a terrorist or foreign power before an NSL could be issued. The bill also would have required the approval of a Foreign Intelligence Surveillance Court judge or designated United States Magistrate Judge prior to the issuance of a national security letter, created an electronic filing system for NSL applications, and required the FBI to destroy information obtained through NSLs once it is no longer needed. The bill would further have increased Congressional oversight of the FBI's use of NSLs. For more information, see the Library of Congress page on the bill.

Company Transparency Reports

  • LinkedIn, LinkedIn Transparency Report, 2014. LinkedIn's National Security Request range (which can include NSLS or FISA orders) for July--December 2013 are 0-249, with the same numbers of accounts impacted.
  • Verizon, First Verizon Transparency Report, 2014. Verizon's NSL ranges for 2013 are 1000-1999 and Verizon stated, "We are not permitted to disclose the exact number of National Security Letters that were issued to us, but the government will allow us to provide a broad range."
  • Yahoo, US Transparency Report Yahoo Transparency Report, September, 2013. Yahoo expressly notes that "The U.S. Government does not permit us to disclose additional details regarding the number of requests, if any, under national security authorities at this time, or even to separate them in aggregate from other requests. Additionally, the government would not authorize us to separate NSLs from other government data requests or to express the NSLs that we have received, if any, as a range from 0 to 1,000—even though the government allowed other providers to do so in the past. We strenuously disagree with the government's position and will continue to advocate for greater transparency regarding requests made under national security authorities. If we succeed in persuading the U.S. Government to allow greater transparency, we will disclose additional details in future reports, and we will also update this report with more details related to national security requests as permitted."
  • Microsoft, First Microsoft Transparency Report, 2013. Microsoft's NSL ranges for 2009 and 2012 are 0-999 NSL requests received and for the years 2010 and 2011, Microsoft received between 1,000-1,999 NSL requests. See National Security Letter Requests a new addition to transparency reports from Google, Microsoft for a breakdown in chart form of both reports.
  • Google, First Google Transparency Report, March, 2013. Google gets permission from the U.S. Government to publish the range of times it has received National Security Letters, becoming the first company ever to do so. The NSL ranges are all from 0-999 for the years 2009-2012.

FOIA Documents

Resources

News Items

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security