National Security Letters: Building Blocks for Investigations or Intrusive Tools?

  • Print

Editor’s note: ACLU lawyers Michael German and Michelle Richardson and former FBI lawyers Valerie Caproni and Steven Siegel consider the pros and cons of national security letters. Their essays can be found in Patriots Debate: Contemporary Issues in National Security Law, a book published by the ABA Standing Committee on Law and National Security that was edited by Harvey Rishikof, Stewart Baker and Bernard Horowitz. The book can be ordered online. The ABA Journal’s Patriots Debate series has been publishing advance versions of the essays appearing in the committee’s book.


A national security letter is a type of administrative subpoena used in terrorism and espionage investigations to obtain subscriber and transactional information from communications providers, financial institutions and consumer credit agencies. Such information might include a suspect’s name, address, place of employment, telecommunications toll records, financial data and credit reports, depending on the type of NSL.

It would be legally and logistically impossible for the intelligence community to monitor the content of all communications transmitted by espionage and terrorism suspects. Instead, the community frequently will focus first on “who is in contact with whom” rather than on what is being said or transmitted in order to determine how to appropriately focus investigative resources. In the case of domestic communications, this approach may include the use of pen registers and trap-trace devices, which record the numbers being dialed from a telephone and the numbers of incoming calls (but not the actual content of communications), respectively. The “who is in contact with whom” rubric applies to the Internet as well; investigators may focus first on which IP addresses are in communication with each other rather than the specific content being transmitted. This focus extends to financial commerce, too, because it would be impossible to scrutinize all financial transactions of all terrorism and espionage subjects.

In cases of terrorism or espionage, the FBI utilizes NSLs to acquire basic information about its subjects. It may start with “who is in contact with whom” and, if appropriate and if the required showing can be made, may then transition to “what are they saying and doing?” Results from NSLs provided by communications providers can assist the FBI in identifying who is communicating with whom; but like pen registers and trap-trace devices, NSLs cannot yield the contents of communications.

Many federal agencies use administrative (not court-approved) subpoenas to obtain information relating to their duties—there are more than 300 instances where the law grants such powers. NSLs are a type of administrative subpoena that can be invoked only in terrorism and espionage investigations. They can be issued by the FBI to limited types of third-party records’ custodians, and the custodians are responsible for gathering and producing responsive materials to the FBI. The custodian can object if compliance would be burdensome, and the FBI cannot simply take materials from the custodian. For that reason, NSLs should not be confused with search warrants. Search warrants are issued based on a finding of probable cause by a neutral and detached magistrate; the person on whom a search warrant is served has no option to decline to cooperate, and the entity serving the search warrant is authorized to seize material from the custodians. Moreover, the scope of a search warrant is set by the specific finding of the magistrate and can be quite broad, depending on the underlying facts. In contrast, NSLs have a strictly defined scope that has been set by Congress.

There are five types of NSLs. The first two were created by Congress in 1986—one under the Electronic Communications Privacy Act and another under the Right to Financial Privacy Act—to assist FBI foreign intelligence investigations. These statutes allow the FBI to obtain subscriber information, telephone toll records and electronic communication transaction records (from a communications service provider) and financial information and transactions, such as the identity of the owner of a bank account and items deposited to and removed from an account (from a financial institution).

In the mid-1990s, Congress authorized a third type of NSL that can be issued under the Fair Credit Reporting Act. Such records allow the FBI to discern which financial institutions are being used by a terrorism or espionage suspect. This information is necessary before an RFPA NSL can be issued to ensure the letter is being served on the correct institution. To the extent that information is unknown, authority to issue an FCRA NSL facilitated that process by allowing the FBI to compel a consumer credit agency to identify the financial institutions with which a particular person had a relationship.

Also in the mid-1990s, a fourth type of NSL was authorized via the National Security Act, for the specific purpose of investigating government employees with security clearance for leaks of classified information resulting in financial gain (i.e., espionage—this was a response to the case of Aldrich Ames).

Finally, in 2001, a fifth type of NSL was created by the USA Patriot Act, also under the Fair Credit Reporting Act. This second type of FCRA letter, which can only be used in support of a counterterrorism investigation, requires a consumer credit reporting agency to furnish consumer reports and all other information in a consumer’s file. This type of NSL is available to federal agencies authorized to conduct international terrorism investigations.

The pre-Patriot Act certification requirement for all NSLs provided that an NSL could only be issued if it sought information “relevant to an authorized foreign counterintelligence investigation,” and the requesting agency also certified that there existed “specific and articulable acts that the person or entity to whom the information sought pertained was a foreign power as defined by FISA.” In 2001, the Patriot Act amended that standard to allow an NSL to be issued if the information sought from the recipient was “relevant to an investigation to protect against international terrorism or clandestine intelligence activities” (Section 505).

The Patriot Act also expanded the types of information that could be obtained via an Electronic Communications Privacy Act NSL to include the form of payment used by the customer (Section 210). This change helped the FBI obtain information that could be used to confirm that particular communications were those of the person paying for the service, thus appropriately focusing FBI investigative resources. The Patriot Act also amended the Bank Secrecy Act to allow the Treasury Department to share financial information with intelligence agencies (Section 358). Finally, the Patriot Act forbade the issuance of an NSL in any investigation predicated solely on the exercise of First Amendment activities (Section 505).

By statute, all NSLs may carry a nondisclosure requirement, preventing the person or entity served with the NSL from telling others they had received it. For example, the ECPA statute read: “No wire or electronic communication service provider, or officer or employee or agent thereof, shall disclose to any person that the Federal Bureau of Investigation has sought or obtained access to information or records under this section.”

Although this “gag order” had been in the statutes since they were first passed, subsequent to the Patriot Act they aroused controversy. After a series of legal challenges to the nondisclosure requirement, as part of the Patriot Act Reauthorization of 2005, Congress ultimately clarified the law to make clear that it did not preclude consultation with legal counsel; the changes also created a clear avenue of appeal for those served with an NSL.

In December 2008, the 2nd U.S. Circuit Court of Appeals at New York City held that imposing on the recipient of an NSL the obligation to commence a lawsuit to gain relief from the nondisclosure requirement was unconstitutional. The court made clear, however, that if the government was willing to take on that responsibility (i.e., the government would commence an action to enforce the nondisclosure requirement rather than the recipient commencing an action to obtain relief from the nondisclosure requirement), then the legislative regime would be constitutional. Although the FBI promptly modified its NSL practice to comply with the 2nd Circuit’s decision, the statute has not been amended to conform to that decision regarding its constitutionality.



Read all the articles in the Patriot Debate series:









The Patriot Act significantly broadened the Federal Bureau of Investigation’s authority to obtain sensitive, private information about innocent Americans through national security letters. This overbroad authority, combined with the FBI’s disrespect for legal boundaries and its seeming inability to self-police, has resulted in the issuance of hundreds of thousands of NSLs, often targeting people two or three times removed from the subjects of investigations. The demonstrated abuse of privacy rights and civil liberties—and the absence of convincing evidence that NSLs are “indispensable tools” in the FBI’s national security investigations—demand serious reconsideration of this authority.

NSLs are secret demand letters issued without court approval or independent oversight to financial institutions, telecommunications and Internet service providers and credit agencies to obtain sensitive personal information such as financial records, credit reports, the phone numbers and email addresses with which a person has communicated, and possibly the websites a person visited. The Patriot Act did not create NSLs, but before the act, only senior FBI officials could authorize their use, and the law required the FBI to certify that there were “specific and articulable facts giving reason to believe” the target of the NSL was an “agent of a foreign power.” Section 505 of the Patriot Act removed both of these critical protections. First, and most problematically, it lowered the standard so that the FBI and other government agencies could obtain this sensitive data upon the assertion that the information was merely “relevant” to an investigation, even if the person whose records were sought was not suspected of doing anything wrong. Second, it permitted NSLs to be issued by FBI field offices without review by high-level FBI officials.

Three Department of Justice inspector general reports later confirmed pervasive FBI mismanagement, misuse and abuse of these Patriot Act-expanded authorities. And documents released pursuant to an American Civil Liberties Union Freedom of Information Act request revealed the FBI also helped the Department of Defense circumvent the restrictions Congress placed on its use of NSLs by issuing FBI NSLs for DOD investigations.

In 2007 the IG told the House Judiciary Committee that the FBI may have violated the law or government policies through the issuance of NSLs as many as 3,000 times since 2003, including as many as 600 “cases of serious misconduct.” An internal FBI NSL review conducted after the 2007 IG audit identified violations of law or intelligence policy that should have been reported to the president’s Intelligence Oversight Board in 9.43 percent of the NSL files examined, but the 2008 IG audit re-examined these files and found three times as many violations as the FBI did.

The IG audits also confirmed that 40,000-50,000 NSLs were issued every year during the mid-2000s, and in 2006 a majority of them were directed against people in the U.S. This sort of broad, suspicionless collection of private data about innocent Americans is the logical result of destroying the requirement of a factual nexus between an NSL and terrorist activity. And permitting the NSLs to be issued at the field office level removed the opportunity for centralized administrative oversight, making abuse more likely to occur, and less likely to be discovered by FBI managers.

With no internal controls and with complete disregard for the law, FBI agents soon ignored the minimal process involved in issuing NSLs and instead issued “exigent letters,” falsely claiming emergencies to obtain records without legal process. These illegal requests—sometimes just a phone number written on a Post-it note—were often given to the telecommunications companies with the promise that an NSL or grand jury subpoena would follow, but more often than not these promises went unfulfilled. Some agents found even Post-it notes too burdensome and instead asked company employees to just pull up a person’s phone records so they could peek over their shoulder to see whether a formal request such as an NSL was worthwhile.

There are also demonstrated problems with how the FBI handles data it receives in response to an NSL. Rather than using NSLs as an investigative tool, as Congress clearly intended by only allowing them to be used when the information sought was relevant to an ongoing investigation, the FBI was using NSLs for mass data collection. The IG found FBI agents often carelessly uploaded information produced in response to NSLs into FBI databases without reviewing it to evaluate its importance to the investigation or even to ensure the proper data was received. As a result, information received in error was improperly retained and illegally shared throughout the intelligence community.

The IG detailed several incidents where the FBI collected private information regarding innocent people not relevant to any authorized investigation, entered it into FBI case files, and/or uploaded it into FBI databases—simply because the FBI agents requested records for the wrong telephone numbers or for the wrong time periods. In two other incidents, information for individuals not relevant to FBI investigations was uploaded into FBI databases, even though the FBI case agent had written on the face of the documents: “Individual account records not relevant to this matter. New subscriber not related to subject. Don’t upload.” Similarly, agents consistently failed to report or recognize when they received information from NSL recipients that was beyond the scope of the NSL request. Agents self-reported the overproduction of unauthorized information in only four of the 557 instances the IG identified.

Congress foresaw some of these information-sharing and accuracy problems. In 2006, it voted to reauthorize other portions of the Patriot Act that were scheduled to expire. That legislation required the attorney general and director of national intelligence to study whether minimization requirements were feasible in the context of NSLs. The report was due in February 2007, and to date there is still no public information confirming that this report was ever sent to Congress, or even written. However, during the Patriot reauthorization efforts of 2009-2011, members of Congress did state that some sort of internal minimization procedures were voluntarily adopted. Without public oversight, the effectiveness of these internal procedures in protecting the rights of innocent Americans remains in doubt. As the NSL saga reveals, internal controls unchecked by independent oversight are insufficient to prevent abuse.

In addition to the overbroad scope of NSLs, there are constitutional problems with the nondisclosure or “gag” orders that accompany the overwhelming majority of NSLs. NSLs generally contain language prohibiting recipients from telling anyone besides a lawyer or the people necessary to comply with the NSL that they received it, much less what it requested. Because the letters go to the service provider, bank or other third-party record holder, the target of the NSL—the individual whose records are sought or obtained—is never notified of the NSL or told that sensitive, personal information was disclosed.

The ACLU successfully challenged the constitutionality of the Patriot Act’s original gag provisions, which imposed a categorical nondisclosure order on every NSL recipient. In response, in 2006 Congress limited these gag orders to situations where an FBI special agent in charge certifies that disclosure of the NSL request might result in danger to the national security, interference with an FBI investigation or danger to any person. Despite these revisions, the 2008 IG audit revealed that 97 percent of the NSLs issued by the FBI for the remainder of 2006 incorporated gag orders. The ACLU challenged the gag order as rewritten and won again. The 2nd Circuit in Doe v. Holder held the gag unconstitutional because it put the burden on the recipient to prove that lifting the gag would not harm national security. To be consistent with the First Amendment, the court shifted the onus to the government to demonstrate to a court a risk to national security whenever an NSL recipient notified the government that he or she wanted to challenge the gag. While the Obama administration testified before Congress that it was implementing its gag orders consistent with this opinion, there is no public information to support this claim. The ACLU filed a FOIA request to obtain more information.

The administration and Congress aren’t done with NSLs. In 2010, the Obama administration secretly requested that Congress expand its authority to collect a broad, undefined category of information called “electronic communication transactional records,” which would allow the FBI to collect sensitive data, like Internet use records, with NSLs. Despite debating the reauthorization of the Patriot Act off and on for two years from 2009 to 2011, the administration never once asked for this authority publicly, thereby preventing any meaningful debate about such a substantial expansion of authority.

Expanding the scope of NSLs is the last thing Congress should be considering as the executive branch’s unilateral judgment of when and whether to gather this sort of First Amendment-sensitive information is already suspect. The IG’s 2008 audit included an episode in which the FBI applied to the Foreign Intelligence Surveillance Court for a Section 215 order, only to be denied on First Amendment grounds. Section 215 orders are sought to obtain any tangible things relevant to a foreign intelligence investigation, including the records that can be obtained using an NSL. However, Section 215 orders require judicial approval and NSLs do not. In the cited example, the FISA court denied the FBI’s request for this order twice, finding that “the facts were too ‘thin’ and [the] request implicated the target’s First Amendment rights.” Rather than re-evaluating the underlying investigation based on the court’s constitutional concerns, the FBI circumvented the court’s authority and continued the investigation anyway, using the broader unchecked authority provided in the NSL statutes in issuing three NSLs that were predicated on the same information contained in the unconstitutional Section 215 application. We also know from one of the few unmasked NSL recipients that NSLs have been used to collect sensitive First Amendment activity in the past. Our client Doe—now publicly identified as Nick Merrill, the former operator of a small Internet service provider—believes that his NSL targeted someone because of his or her political speech on the Internet.

Ultimately, the NSL statute must be amended. While some of the management issues uncovered by inspector general audits in the late 2000s may have been addressed, the fundamental problem remains the FBI’s overbroad authority to obtain sensitive information relating to innocent people unilaterally without court review and without demonstrating any nexus to terrorism. This imprudently low standard remains an open door to abuse.


Congress first granted the Federal Bureau of Investigation the authority to use National Security Letters in 1986. This authority ensured that the FBI would have the necessary tools to investigate threats to the national security posed by terrorists and spies because Congress had, at the same time, enacted statutory privacy protection to certain classes of records held by third-party businesses. Congress then understood a principle that remains true to this day: To appropriately and efficiently investigate threats to the national security, the FBI needs the ability to gather very basic information about individuals, including information about their finances, where they live and work, and with whom they are in contact, without alerting the targets that it is doing so.

The NSL authority is now and always has been quite limited. First, unlike grand jury subpoenas that can be used to collect any nonprivileged document from any person or entity, the FBI can use NSLs only to obtain a very narrow range of information from a very narrow range of third-party businesses: NSLs can be used to obtain transactional information from wire or electronic communications service providers (e.g., telephone companies and Internet service providers); financial institutions (e.g., banks and credit card issuers); and credit reporting agencies. Other documents that can be critical to a national security investigation (e.g., hotel records, employment records) cannot be obtained using an NSL. Second, unlike grand jury subpoenas that can be issued in any sort of criminal case, NSLs can only be used during duly authorized national security investigations. Finally, unlike grand jury subpoenas that can be issued by any assistant U.S. attorney or Department of Justice prosecutor, no matter how junior or inexperienced, NSLs can only be issued with very high-level FBI approval.

Although the NSL authority is quite limited, NSLs are nevertheless critical tools that enable FBI investigators to gather the sort of basic information needed as the “building blocks” of national security investigations. It is not an exaggeration to say that virtually every significant national security investigation, whether of an individual suspected of planning to wreak havoc through an act of terrorism or of an individual suspected of spying on the United States for the benefit of a foreign nation, requires the use of NSLs for at least some critical information.

The arguments posited by the ACLU’s Mike German and Michelle Richardson are the ones that have been raised consistently by critics of NSLs, and they must be considered against the backdrop of the importance of the tool and its limited scope. They assert that the standard required to issue an NSL is too low; the Department of Justice’s inspector general found that the FBI misused NSLs; and the so-called gag order is constitutionally objectionable. None of these arguments withstands scrutiny.

As noted in the German-Richardson essay, before enactment of the Patriot Act, an NSL could only be issued if the FBI could certify that there were “specific and articulable facts giving reason to believe” that the target of the NSL (i.e., the person about whom information was sought) was an “agent of a foreign power.” The Patriot Act changed the standard so that an NSL can now be issued so long as the information sought is “relevant” to an authorized national security investigation. Although the German/Richardson essay argues that this change in standard was problematic, it does so without providing any context. While reasonable people may disagree about the appropriate standard, a rational debate cannot occur in a vacuum.

First, the German/Richardson essay characterizes the information that can be obtained with an NSL as “sensitive, private information.” A person not steeped in the intricacies of the law might infer from that assertion that an NSL can be used to obtain private diaries or psychiatric records or attorney-client privileged information—data that really is both sensitive and intensely private. The reality is far different. None of the information that can be obtained with an NSL is constitutionally protected. As noted above, the only information that can be obtained is information about who is in communication with whom (not the content of the communication); information contained in credit card and bank records; and information aggregated by credit reporting agencies. The unifying feature of all that data is that it has been shared with a third-party (e.g., the person on the other end of the telephone line, the clerk in the store who processes a credit card purchase, the teller who processes the checks deposited in a bank account). As the Supreme Court made clear in United States v. Miller (1976), there is no reasonable expectation of privacy in such data. Moreover, the overwhelming majority of NSLs are issued to obtain information that virtually no one considers “private” or sensitive: subscriber information for telephone numbers.

Second, putting aside the hyperbole about the inherent sensitivity of the information, to consider whether the NSL standard is too low, one must consider whether the standard required in a national security investigation is in sync or out of sync with the standard that exists to get the exact same information in other contexts. The fact is that information obtainable with an NSL is also obtainable with a grand jury subpoena in any criminal investigation and with an administrative subpoena in narcotics investigations. Although such investigations are obviously important, their purpose is to investigate crimes that generally pose far less danger to public safety and the national security than is posed by the targets of national security investigations. The standard for issuance of a grand jury or administrative subpoena is that the information sought must be relevant to the crime being investigated. It would be exceedingly odd public policy to make it harder for investigators who are investigating threats to the national security to get basic transactional data than it is for investigators who are investigating routine federal crimes to get the exact same information.

German and Richardson assert that three Department of Justice’s inspector general reports “confirmed pervasive FBI mismanagement, misuse and abuse” of the NSL authority. In fact, one IG report in 2007—five years ago—found significant weaknesses in the FBI’s internal controls over the use of NSLs. Significantly, it did not find misuse in the sense of the FBI using NSLs maliciously or inappropriately to obtain records that were not relevant to an authorized FBI investigation. Indeed, the then-inspector general testified that the IG “did not find that that FBI agents sought to intentionally misuse the national security letters or sought information that they knew they were not entitled to obtain through the letters.” Instead, the IG found that in approximately 7.5 percent of NSLs that it sampled (22 of 293), there was some sort of error in either the issuance of the NSL or the handling of the data received. Of those errors, however, almost half (10 out of 22) were third-party errors—that is, the recipient of the NSL provided information that had not been sought by the FBI. Excluding third-party errors, the actual rate of FBI error was approximately 4 percent (12 out of 293). Of the 12 FBI errors, the overwhelming majority (10 out of 12) were nonsubstantive errors (e.g., the NSL used certification language slightly different from the statutory requirement [although the meaning was the same]) and only 2 (0.6 percent of all NSLs sampled) had substantive errors (i.e., one NSL sought information not appropriately obtainable with an NSL and one NSL was issued after the preliminary investigation to which it related had “lapsed”). While the FBI error rate was unacceptably high, one must question whether two substantive errors out of 293 NSLs can fairly be characterized as “pervasive.”

The IG’s second report on this topic was issued the following year, and it concluded that the FBI had made substantial strides in improving its processes and internal controls regarding the use of NSLs. IG Glenn Fine testified that the “review of the FBI’s corrective actions concluded that the FBI and the department have evidenced a commitment to correcting the serious problems we found in our first NSL report and have made significant progress in addressing the need to improve compliance in the FBI’s use of the NSLs.”

The IG’s final report was not about NSLs at all but about “exigent letters.” These were devised and used primarily by a single unit at FBI headquarters to obtain telephone records without issuance of an NSL. While the practice originated in response to legitimate emergencies during which the FBI can obtain telephone records without any legal process, the practice morphed into an inappropriate substitute for required legal process (either a grand jury subpoena or an NSL) when there was no emergency.

While the German-Richardson essay focuses on the negative findings of the IG, it studiously avoids discussing the actual controls that are in place—and have been in place since shortly after the 2007 IG report—to avoid the sort of errors discovered by the IG. Those controls are important because they collectively operate to ensure that the FBI is using the NSL authority responsibly and appropriately, and in a way that is subject to audit and review.

First, by statute the FBI can only use NSLs in predicated national security investigations. The attorney general has established the standards that must be met in order to commence a predicated national security investigation, and the predication for every full investigation of a U.S. person must be submitted to the Department of Justice for review. The authority to conduct national security investigations is further controlled through internal FBI policy that establishes internal controls regarding opening predicated investigations.

Next, since June 2007 the FBI has had clear policies in place regarding virtually every aspect of issuing an NSL. NSLs may only be issued by a few high-ranking officials at FBI headquarters and by special agents in charge of FBI field offices. The policy and procedures set forth clearly the standards that must be met before an NSL can be issued and mandate that the factual basis for the issuance of the NSL be documented in the file. FBI policy requires an FBI attorney to review every NSL before it may be authorized and clearly articulates the parameters for that review.

Except in very limited circumstances, which generally account for fewer than 30 NSLs per year, NSLs must be created using an automated workflow system that minimizes the potential for error and helps ensure that statutory and policy requirements are met. As noted above, many of the errors detected by the IG in 2007 were nonsubstantive errors, such as citing the wrong statute, misquoting the required certification language, or omitting a step in the review process. The automated system ensures against such errors, automatically ensuring that each required review occurs and automatically ensuring the language in the NSL is uniform and legally correct. Finally, the automated system requires that documents received in response to an NSL are reviewed to minimize the impact of overproduction (production of material not called for by the NSL) and other third-party errors.

The FBI mandates that all employees who may play a role in issuance of an NSL take training to ensure that they understand the rules. The FBI’s Office of the General Counsel has created standardized training that is presented live and via a Web-based training system. No person who is authorized to sign NSLs may do so until he or she has certified the receipt of that required training.

The FBI and DOJ have robust after-the-fact oversight to ensure compliance with the law, policies and procedures. Attorneys from the DOJ and FBI conduct audits of NSL usage in more than half of the FBI’s field offices each year. Reports from these audits are presented to Justice’s assistant attorney general for national security, the FBI’s general counsel and the special agent in charge of the field office that was audited, among others, so that any issues identified can be appropriately addressed. The FBI’s Inspection Division also conducts an annual audit of NSL usage. The results of that audit are reported to the GC and the FBI’s deputy director, among others. Employees who make certain errors that are detected during the Inspection Division process or through other means lose the authority to approve NSLs until they complete remedial training and attest that they understand the rules for NSL issuance.

In short, the FBI has taken numerous steps to improve compliance on the front end of the NSL process and to conduct rigorous self-evaluations after the fact to ensure strict compliance with the various statutes and policies that govern the use of this important tool.

By statute, the recipient of an NSL can challenge it if responding would be unreasonable, oppressive or otherwise unlawful. The FBI ensures that all recipients are aware of their ability to challenge the NSL by informing them of that right on the face of the NSL itself. Similarly, for any NSL that includes a nondisclosure order, the NSL notifies the recipient that, should they desire to disclose the fact that they received an NSL, they can either commence an action to set aside the nondisclosure requirement or notify the FBI of their desire to disclose. The NSL further informs the recipient that if the FBI wishes to maintain the secrecy of the NSL in the face of the recipient’s desire to disclose it, the FBI will bear the burden of commencing a judicial proceeding in which it will be required to demonstrate the need for secrecy to a federal judge. If the FBI fails to do so, then the recipient will be free to disclose the NSL. That notification was added to all NSLs in February 2009, based on the decision of the 2nd Circuit in Doe v. Mukasey (2008) that such a procedure was necessary for the nondisclosure provision of the NSL statute to pass constitutional muster.

As the DOJ inspector general noted in his 2008 report on the FBI’s use of NSLs, the vast majority of NSLs (approximately 97 percent) include nondisclosure requirements. That statistic is not particularly surprising since NSLs can only be used to investigate national security cases—cases where the risk from premature disclosure can be particularly grave. For example, a terrorist target upon learning of an investigation could take steps to expedite his plans of mayhem, to eliminate individuals who are believed to be cooperating with the government or to destroy critical evidence. Or diplomatic relations could be gravely harmed if a foreign government were to learn that the FBI had obtained telephone records associated with its officials who are in the United States. In short, there are good and sufficient reasons why the FBI generally wishes to keep the existence of an NSL secret; nevertheless, there is now a clear and constitutional process that any NSL recipient can follow if it wishes to make a disclosure.

We should note that after approximately three years of including in NSLs the provision for disclosure (during which time the FBI issued well in excess of 50,000 NSLs) no recipients have notified the FBI that they wish to make a disclosure.

Although NSLs will no doubt remain the national security tool that critics love to hate, when one focuses on reality rather than hyperbole, it is clear that the NSL is a constitutional tool that is reasonably used and is necessary in national security investigations to maintain the safety and security of the American people.


During the original Patriot Act debates, Attorney General John Ashcroft called librarians opposing the legislation “hysterical,” and now Valerie Caproni and Steven Siegel argue that criticism of NSLs is “hyperbole.” Caproni and Siegel repeat the FBI’s previous assertions that NSLs are “critical tools” in the government’s national security arsenal, but there is no public data to support this statement and, despite Caproni and Siegel’s denials, there is ample evidence that this overbroad authority has been abused, as any unchecked power usually is.

The founders designed our constitutional system of government to prevent abuse of power through checks and balances between the branches and robust procedural protections where the government attempts to deprive an individual of his rights. Indeed, the most fully developed processes for the protection of civil rights exists within the criminal justice system, which makes the Caproni-Siegel comparison of NSLs to grand jury subpoenas most misplaced.

The grand jury, made up of ordinary citizens, is designed to serve as an independent check on law enforcement authority by protecting people against unfounded charges. As the United States Attorneys’ Manual notes, the grand jury’s power is limited by its narrow function of determining whether to bring an indictment for a criminal violation, which reduces the risk of unnecessary, suspicionless data collection. And in grand jury proceedings, the role of prosecutors—who are bound by the ethical obligations of their profession—is also a curb against law enforcement overreach. None of these protections exist with NSLs or other surveillance tools geared toward intelligence collection rather than criminal prosecution. The FBI has the sole discretion to issue NSLs with virtually no independent oversight. Moreover, a grand jury’s indictment only starts the criminal justice process, after which additional rights attach and affirmative discovery obligations are imposed on the government. The government’s obligation to disclose sources and methods of evidence-gathering during trial is likewise a deterrent to improper collection, as the exclusionary rule compels suppression of illegally obtained evidence. The secrecy required in grand jury proceedings is designed to protect the privacy of the witnesses and individuals investigated, not to hide the government conduct from independent oversight and public accountability, as is the case with intelligence tools like NSLs. Victims of NSL abuse have no way of knowing their rights have been violated, and no remedy.

The truth is that NSLs are intrusive tools. While the Supreme Court did fail to protect personal data held by third parties in 1976, as Caproni and Siegel point out, Congress then stepped in to protect financial, credit and communications records, which most Americans consider sensitive and private information. The pre-Patriot NSL authorities Caproni and Siegel mention were limited to collecting information about suspected foreign agents or international terrorists. The Patriot Act expansion of NSL authorities allows the collection of data about any American the FBI deems “relevant” to an espionage or terrorism investigation, with no independent review. And given the technological advancements that have occurred since the Supreme Court’s 1976 decision, which now leave vast amounts of personal information unprotected on third-party servers, trusting the government to be judicious with its access to such data through NSLs or other tools is even more misplaced.

Caproni and Siegel also note that NSL recipients rarely challenge the government’s demands, which isn’t surprising given that NSLs seek records pertaining to someone other than the recipient. When the entities that hold private information show as little interest in protecting it as the government, everyone should worry. And it’s interesting that in the three cases in which NSL recipients challenged these demands, the government withdrew the NSL requests rather than defend them in court, thereby mooting challenges to the underlying statute and throwing into doubt the government’s justification for making these requests in the first place.

Finally, consider the FBI’s continuing minimization of the abuse discovered by the inspector general. The FBI’s own audit found legal violations in 9.43 percent of its NSL files, and the IG later determined that the FBI underreported the number of NSL violations by a factor of three. These figures justify calling the abuse pervasive, and denying their importance only raises further skepticism that Americans can trust government agents with such unfettered power. The IG did indeed say the FBI made strides toward reform in 2008, but concluded that “it is too soon to definitively state whether the new systems and controls developed by the FBI and the department will eliminate fully the problems with the use of NSLs.”


Even though national security letters cannot be used to obtain constitutionally protected information, Michael German and Michelle Richardson attempt to bolster their argument—or merely inflame the reader—against NSLs by casting the issue in constitutional terms. They imply that NSLs are used by the government to deprive citizens of their rights, even while admitting that the Supreme Court has ruled that the information that can be obtained with an NSL is not constitutionally protected. A critical reader may ask why they feel the need to couch the argument in this way.

The reality is that NSLs can only be used to obtain limited information that is held by third parties. In this regard, NSLs are a more limited tool than grand jury subpoenas, which can be issued based on the same relevance standard but can be used to obtain a much broader range of information. (NSLs are similar to administrative or grand jury subpoenas but can only be used to acquire specific categories of third-party records, such as telephone toll records, credit reports and bank records.) German and Richardson argue that the comparison to grand jury subpoenas is misplaced because the role of the grand jury and the ethical obligations of the assistant United States attorneys collectively serve as effective controls on the use of grand jury subpoenas; they argue that such checks do not exist for NSLs.

In practice, as they surely know, the grand jury itself plays little, if any, role in issuing subpoenas, and its function of determining whether to return a true bill of indictment follows—rather than precedes—the government’s decision to issue grand jury subpoenas (to obtain third-party documents). The decision to issue a grand jury subpoena is typically made by a line prosecutor in conjunction with a line law enforcement agent; involvement by higher-level prosecutors at the Department of Justice or higher-level agents at the investigating agency is the exception, not the rule. Moreover, there is virtually no after-the-fact review of the issuance of a grand jury subpoena by a prosecutor’s supervisors or by the DOJ to ensure that the information sought was, in fact, relevant to the underlying investigation and otherwise properly handled.

In contrast, contrary to the assertion by German and Richardson that NSLs are issued without effective oversight, all NSLs must be approved and signed by a high-ranking FBI employee (a special agent in charge in a field office; deputy assistant director or above at headquarters), and since 2007, all NSLs must also be approved by an FBI attorney who is bound by the same ethical obligations as AUSAs. In addition, there is significant after-the-fact oversight of NSLs by the Department of Justice’s inspector general and National Security Division, which includes a review of the factual predicate for issuing an NSL and a review of how the responsive materials were handled. Finally, Congress receives semiannual and annual reports regarding the use of NSLs and has been briefed numerous times on their use.

For the last five years, since the inspector general’s 2007 report on NSLs, scrutiny of the use of the letters has increased to include many of the controls discussed above. Although German and Richardson claim that that there is “ample evidence this overbroad authority has been abused, as any unchecked power usually is,” they provide no evidence from recent years to support that assertion. They refer instead to the DOJ IG’s 2008 report, which examined the FBI’s use of NSLs in 2006—six years ago and prior to substantial changes being made in the control environment for NSLs. Even then, they stretch the actual findings. They assert that the FBI audit found “legal violations in 9.43 percent of its NSL files.” In fact, the FBI audits found potential violations in 9.43 percent of its files. Many of those potential violations involved third-party errors, not FBI errors. In any event, those findings are, five years later, largely irrelevant. FBI reviews subsequent to the changes adopted after the 2007 IG report have consistently found error rates below 1 percent. That progress is consistent with the DOJ IG 2008 report in which the IG acknowledged that the FBI and Justice are committed to correcting the problems identified in the 2007 IG report and “have made significant progress in addressing the need to improve compliance in the FBI’s use of NSLs.”

National security investigations are generally conducted in secret, and secrecy can spawn concern about unchecked power. There is always room for debate, and advocates like German and Richardson serve an important role in ensuring the public is aware of the tools being used in the national security arena and in articulating the risks associated with the use of such tools. The public debate surrounding the FBI’s use of NSLs generated substantial changes in the FBI’s internal processes and procedures, and led to important changes in the law—changes that have enhanced privacy protections and have done so without hobbling the FBI’s important national security work.

Before joining the ACLU, Michael German was a special agent from 1988 to 2004. He taught counterterrorism at the FBI National Academy and worked undercover against white supremacist and militant groups. Michelle Richardson is an ACLU legislative counsel who monitors the Patriot Act, the Foreign Intelligence Surveillance Act and similar security issues. Before joining the ACLU in 2006, she served for three years as counsel to the House Judiciary Committee.

Valerie Caproni, now deputy general counsel of Northrop Grumman Corp., worked for the U.S. attorney’s office supervising cases involving organized crime, narcotics, white-collar crime and civil rights. She left to work for the Securities and Exchange Commission, but was later appointed FBI general counsel, where she helped transform the agency after 9/11 to perform domestic intelligence. Steven Siegel, who also works for Northrop Grumman, was a state and federal prosecutor before joining the FBI, where he was involved in counterterrorism and national security issues.

Give us feedback, share a story tip or update, or report an error.