art of computer hacking

We now know what the FBI can get with a National Security Letter.

For the first time this week, the American public gained access to one of federal law enforcement’s most powerful and secretive tools: a National Security Letter.

Publication of the NSL comes more than a decade after the Federal Bureau of Investigation delivered it to Calyx Internet Access in 2004 and, in doing so, demanded troves of information on customers in legally mandated secrecy and without a warrant or the involvement of a judge.

Nicholas Merrill, who was president of Calyx in 2004, revealed the full scope of the letters after a legal battle that began with a uncertain visit to the American Civil Liberties Union.

Redacted pages from Merrill's NSL

Redacted pages from Merrill’s NSL

ACLU

“Nick wasn’t sure why the FBI was demanding the information, but he knew a little about the subscriber the FBI was apparently investigating, and he doubted that the investigation was a legitimate one,” director of the ACLU Center for Democracy Jameel Jaffer explained in a recent blog post. “He wondered how it was possible that the FBI could demand such sensitive information without the involvement of any judge. And he wondered whether he was violating the gag order simply by asking us for advice.”

An unredacted court decision shows that the FBI ordered Calyx Internet Access to reveal all physical mail addresses, email addresses, Internet Protocol (IP) addresses, telephone and billing records, and anything else that could be an “electronic communications transactional record” of one customer.

The FBI did not order the revealing of the content of emails themselves.

A Justice Department inspector general report from 2007 showed the FBI issued 143,074 NSLs between 2003 and 2005, up roughly 1,650 percent from the approximately 8,500 NSLs issued before the Sept. 11, 2001, terrorist attacks.

Over the last decade, public debates over surveillance and the Patriot Act, which fueled the major increase in NSL usage, drove Merrill forward in the legal battle.

“If I hadn’t been under a gag order, I would have contacted members of Congress to discuss my experiences and to advocate changes in the law,” he wrote in an anonymous Washington Post op-ed in 2007. “The inspector general’s report confirms that Congress lacked a complete picture of the problem during a critical time: Even though the NSL statute requires the director of the FBI to fully inform members of the House and Senate about all requests issued under the statute, the FBI significantly underrepresented the number of NSL requests in 2003, 2004 and 2005, according to the report.”

“I recognize that there may sometimes be a need for secrecy in certain national security investigations,” Merrill wrote. “But I’ve now been under a broad gag order for three years, and other NSL recipients have been silenced for even longer. At some point—a point we passed long ago—the secrecy itself becomes a threat to our democracy.”

H/T ACLU | Illustration by Max Fleishman 

Patrick Howell O'Neill

Patrick Howell O'Neill

Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.