(MintPress) – A small telecommunications company is being sued by the Justice Department in what experts say is a vindictive challenge to a company that is questioning National Security Letters (NSLs). The Wall Street Journal identified the company as Credo, a Northern California company that has stood up against the type of subpoena used by the Federal Bureau of Investigation (FBI).
NSLs are a form of subpoena for information that requires no probable cause or judicial oversight. In the Internet age, these types of subpoenas are often served with the intent of detailing online interactions from a particular Internet Service Provider (ISP) address, such as email contacts, web sites visited and phone numbers dialed.
In the case involving Credo, the telecom reportedly challenged the FBI’s authority to subpoena information without a court order when it was asked to provide information on an undisclosed number of customers.
The challenges to the NSL made by Credo are allowed under the federal law that governs the use of NSLs, according to Wired. But the FBI is suing Credo over the challenge, and while details behind the lawsuit are vague, Matt Zimmerman, an attorney for the Electronic Frontier Foundation (EFF), which is representing Credo, said the FBI is simply making a show of power in response to being challenged.
“It’s a huge deal to say you are in violation of federal law having to do with a national security investigation,” says Zimmerman. “That is extraordinarily aggressive from my standpoint. They’re saying you are violating the law by challenging our authority here.”
Keeping quiet
NSLs also come with a gag order rule, meaning that companies forced to disclose information are prevented from telling anyone that they even received an NSL.
According to the Electronic Privacy Information Center (EPIC), the FBI made 16,511 NSL requests in 2011 for information pertaining to 7,201 different U.S. persons. Those numbers are significantly lower than the 24,287 NSL requests pertaining to 14,212 people in 2010.
The American Civil Liberties Union (ACLU) has said the FBI’s free-wheeling use of NSLs is ripe for abuse. The civil liberties group also noted that after provisions of the PATRIOT Act passed in 2001, relaxing the restrictions on the FBI and its use of NSLs, the number of letters served increased dramatically. From 2003 to 2006 alone, nearly 200,000 NSLs were disseminated. Despite the figures above, only two communications companies have challenged the NSL process.
“Through NSLs the FBI can compile vast dossiers about innocent people and obtain sensitive information such as the web sites a person visits, a list of email addresses with which a person has corresponded, or even unmask the identity of a person who has posted anonymous speech on a political website,” the ACLU said in a statement.
The case of Calyx
The highest-profile case of NSLs came in 2010, after an initial gag order was imposed on Nicholas Merrill, president of Calyx, an ISP in New York. The ISP was served an NSL in 2004 regarding one of its customers. Merrill challenged the order, and eventually found himself in a lawsuit with the FBI.
The FBI ultimately dropped its request for information on one of Merrill’s clients, but the gag order was kept on Merrill for six years before it was lifted. Merrill was legally restricted from telling anyone, including his family, about the incident and that he had received an NSL.
“After six long years of not being able to tell anyone at all what happened to me – not even my family – I’m grateful to finally be able to talk about my experience of being served with a national security letter,” Merrill said in a 2010 statement. “Internet users do not give up their privacy rights when they log on, and the FBI should not have the power to secretly demand that ISPs turn over constitutionally protected information about their users without a court order. I hope my successful challenge to the FBI’s NSL gag power will empower others who may have received NSLs to speak out.”
During his time under the gag order, Merrill was even prevented from accepting a courage award from the ACLU because he could not identify himself as someone who received an NSL.
Merrill speculated that his company, like many other ISPs, had “thousands and thousands” of records on each client that the FBI could subpoena without giving a reason. While the practice of NSLs continues today, a 2007 inspector general’s report, the first of its kind for NSLs, showed that the FBI had failed to adequately justify its need in many of the cases in which information was sought through ISPs.
The report also found that in around 60 percent of a sample of NSLs the FBI did not comply with Justice Department rules, and that 22 percent potentially involved unauthorized collections of information.
Merrill has since created the Calyx Institute, a nonprofit organization dedicated to education on issues such as technology and privacy. The organization also provides legal advocacy and defense for those looking to challenge the use of NSLs.
“At some point – a point we passed long ago – the secrecy itself becomes a threat to our democracy,” Merrill wrote in a 2007 Washington Post piece. “In the wake of the recent revelations, I believe more strongly than ever that the secrecy surrounding the government’s use of the national security letters power is unwarranted and dangerous. I hope that Congress will at last recognize the same thing.”
The ACLU has been behind other lawsuits that involve NSLs as well, notably one that involves the digital library, Internet Archive. In 2007, Internet Archive was served an NSL ordering information be handed over about one of its users, including the user’s name, address and online communication records.
The ACLU backed the Internet Archive and challenged the NSL’s constitutionality in court. Before a ruling was made, the FBI withdrew the NSL in a settlement.
“The Archive is very protective of its patrons’ privacy. The only identifying information the Archive collects is the unverified email address supplied by the patron,” the ACLU wrote regarding the case. “The Archive does not collect the IP addresses used to submit files to the collections; nor does it collect the IP addresses of those reading, listening or watching its collection.”