Judges spar with attorneys on national security data requests

A federal appeals court will rule on the constitutionality of National Security Letters

Kurt Opsahl, deputy general counsel at the EFF, spoke with reporters following a court hearing on Oct. 8, 2014.

Kurt Opsahl, deputy general counsel at the EFF, spoke with reporters following a court hearing on Oct. 8, 2014.

Federal judges challenged attorneys on Wednesday to clarify the rationale and constitutionality of government data requests, in a line of questioning that may ultimately introduce greater transparency into what is now a tightly cloaked process.

The hearing, held in a federal appeals court in San Francisco, focused on National Security Letters, or NSLs, a type of data request commonly used by the Federal Bureau of Investigation to obtain information from companies, ostensibly for the purposes of investigating national security matters. The government issues these data requests to telecommunications and Internet providers such as Google and Verizon without any review by a court, and the letters almost always have a gag order attached to prohibit the recipients from saying much about them.

Wednesday's hearing followed a ruling last year by the U.S. District Court for Northern California, in which the judge struck down the gag orders as being unconstitutional. The plaintiff in that case, the digital rights group Electronic Frontier Foundation, represented an unnamed service provider that argued the NSL it received restricted its free speech rights and was served without adequate oversight. The government appealed the ruling, arguing that the standards around NSLs are in fact constitutional.

Wednesday's appeal hearing was held before a panel of three judges. They heard oral arguments from two attorneys: a Justice Department lawyer supporting NSLs as they stand, and an attorney from the EFF. The EFF argued NSLs are unconstitutional for several reasons and the process around them needs to be changed or eliminated.

NSLs typically seek information such as names, addresses and communications records, not the contents of messages themselves. But privacy advocates have argued this type of "non-content" data can still violate people's privacy, especially if it reveals the connections between people, which the Supreme Court has ruled is protected free speech under the First Amendment.

The gag orders also prohibit companies from saying anything about these sorts of data requests, beyond disclosing the number of requests they've received, and then only in broad ranges. This violates companies' free speech rights under the First Amendment, restricting them from entering into constructive public debate around online privacy and government surveillance, privacy advocates say.

While the government has argued that NSLs are constitutional, courts have been split on the issue. The judges in San Francisco did not issue a ruling on Wednesday, but their questions to lawyers showed they had concerns around the free speech implications of NSLs, the process under which they're disseminated, and what recourse companies have to challenge them.

One judge, Norman Randy Smith, questioned whether the law should be changed to make it easier for companies to challenge NSLs in court after they receive them. Only a handful of NSLs have ever been challenged in court, partly due to what the EFF has called a "chilling" effect that makes companies afraid to speak out. Recipients can petition a court to kill the NSL request, but typically the government files an affidavit to protect the order, and the company must wait a full year to challenge it again.

"There should be some obligation on the part of the government to end the [NSL] order" after a company challenges it, said Judge Smith. "Why is the company going to be gagged for as long as the government so desires?" he said.

All three judges asked whether the government, including the FBI, should more closely evaluate companies' objections to NSLs.

It could be weeks or months before the judges rule on the case. But when they do, the losing side may appeal the case to the U.S. Supreme Court, which might determine the fate of NSLs and perhaps other types of government data demands.

"This is the best chance yet we have in getting the laws around NSLs struck down," said Kurt Opsahl, the arguing attorney for the EFF, in an interview following the hearing.

While the sort of data collected through an NSL might serve a purpose in investigating national security matters, it should be gathered with oversight, closer to the way subpoenas and court orders are handled, he said.

Douglas Letter, the Justice Department attorney, said during the hearing that NSLs were an "extremely useful and important tool used in counter-espionage, cybersecurity and counter-terrorism investigations."

"If we don't have that tool, we'll be hamstrung in our ability to provide protection around national security," he said.

Government requests for user data have become a key issue in a larger debate around online privacy and government surveillance. Many companies, including Google, Facebook, Verizon and Microsoft, now regularly release "transparency reports," which outline the number and types of government data requests they receive and their responses to them. But the information included in those reports is limited by the restrictions the government imposes on them.

It's not just privacy advocates calling for increased transparency. Twitter sued the government this week, seeking to say more about the data requests it receives.

Congress and a presidential commission have taken steps toward reforming the laws around NSLs. One such move, the USA Freedom Act, would tighten the standards for issuing them but still let them go through without court approval. No proposal thus far has addressed all the flaws in the process, the EFF has said.

Wednesday's hearing was focused on NSLs, not data requests made under the Foreign Intelligence Surveillance Act, which target content such as actual email messages.

Zach Miners covers social networking, search and general technology news for IDG News Service. Follow Zach on Twitter at @zachminers. Zach's e-mail address is zach_miners@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags Internet-based applications and servicessecuritylegalinternetdata protectionprivacyElectronic Frontier Foundation

More about EFFElectronic Frontier FoundationFacebookFBIFederal Bureau of InvestigationFreedomGoogleIDGMicrosoftNewsNormanVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Zach Miners

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts