Limiting the feds' snooping

Recent developments could portend the demise of National Security Letters, which allow the FBI to get private customer information without a judge's approval

For the first time, Microsoft and Google have publicly revealed roughly how often they have been issued National Security Letters (NSLs), which allow the Federal Bureau of Investigation to get private customer information without a judge's approval. The disclosure highlights why the letters, created in their current form by the Patriot Act, should be done away with -- and a recent court ruling may lead the way to doing just that.

The Patriot Act allows the FBI to issue NSLs to companies seeking a customer's "name, address, length of service, and local and long distance toll billing records" without a judge's prior approval. An FBI agent only needs to say that the request is "relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities." A superior at the FBI must approve each request, but otherwise, there's no oversight.

The law has a gag provision that bans the company from saying anything about NSLs, not even so much as acknowledging that it has received one. That provision is invoked if the FBI deems that the disclosure would be a "danger to the national security of the United States, interference with a criminal, counterterrorism, or counterintelligence investigation, interference with diplomatic relations, or danger to the life or physical safety of any person."

Again, there's no oversight.

In early March, under a deal with the Obama administration, Google became the first company to publicly reveal anything about the NSLs it has received from the FBI. Under the deal, it can disclose a range of the number of NSLs, but not the precise number. Still, the disclosure is revealing. In a "transparency report," Google said the company had received between 0 and 999 NSLs each year for 2009, 2010, 2011 and 2012. Those requests covered between 1,000 and 1,999 accounts each year, except for 2010, when they covered between 2,000 and 2,099.

Several weeks after Google released its report, Microsoft followed suit. Microsoft has been targeted more heavily than Google -- in 2009 it received between 0 and 999 NSLs for between 2,000 and 2,999 accounts; in 2010 it received between 1,000 and 1,999 NSLs for between 5,000 and 5,999 accounts; in 2011 it received between 1,000 and 1,999 NSLs for between 3,000 and 3,999 accounts; and in 2012 it received between 0 and 999 NSLs for between 1,000 and 1,999 accounts.

Both companies should be commended for bringing these numbers to light, because it reminds people how this portion of the Patriot Act endangers their liberties. Even at the low range, those numbers show that a great number of people in the U.S. have been subjected to intrusive prying by the government without their knowledge.

March proved to be a good month for privacy advocates, because in the middle of the month -- between the release of Google's and Microsoft's reports -- federal district court Judge Susan Illston ruled that NSLs are an unconstitutional violation of the First Amendment. She said that the requirement that companies couldn't report that they had received NSLs was "impermissibly overbroad," and pointed out that 97% of the more than 200,000 NSLs issued to date were accompanied by gag orders.

Her ruling doesn't go into effect immediately; she gave the Obama administration 90 days to appeal it.

The White House shouldn't appeal. NSLs clearly violate the Constitution. Outlawing them won't affect national security, because the FBI and government agencies can still quickly get information they need, as long as it's truly justified. They'll only have to ask a judge. Before the Patriot Act, that's the way things worked -- with proper oversight.

There's no reason to believe they can't work that way again, effectively and constitutionally.

Preston Gralla is a contributing editor for and the author of more than 45 books, including Windows 8 Hacks (O'Reilly, 2012). See more by Preston Gralla on

Read more about privacy in Computerworld's Privacy Topic Center.
