SAN FRANCISCO (CN) – The FBI gave 126 companies permission to disclose details of warrantless demands for customer data, but only a handful have spoken up about the government’s use of the secretive surveillance tool, according to an analysis of newly released data.
The data was obtained by the Electronic Frontier Foundation following a two-year legal battle over records related to the FBI’s compliance with required periodic reviews of national security letter (NSL) gag orders. NSLs are secret government demands for customer records, issued through an administrative subpoena without a court order.
Earlier this year, U.S. District Judge Vince Chhabria ordered the Justice Department to disclose the names of companies that had NSL gag orders lifted. He rejected arguments that such information would endanger national security or help criminals evade justice.
Following Chhabria’s order, the Justice Department agreed to reveal how many NSL gag orders it reviewed from February 2016 to September 2017, along with how many gag orders were terminated or continued, the names of companies freed from gag orders, and how many gag orders were lifted for each company.
Credit rating agencies and phone service providers topped the list of companies with the most NSL gag orders lifted. Equifax and AT&T had 54 lifted gag orders each, more than any other company. They were followed by Experian with 53, TransUnion with 49, T-Mobile with 49, and Verizon with 43.
Although Verizon and T-Mobile publish transparency reports showing a range of how many NSLs they receive every six months, none of those six telecom and credit rating firms have ever released copies of demands for customer data after gag orders were lifted. If released, the letters would likely be redacted to protect private customer information.
Published demand letters reveal what kind of information, such as usernames, locations, IP addresses and phone numbers, was sought by the government. It also helps further the goals Congress intended when it passed a 2015 law requiring periodic reviews of NSL gag orders, according to EFF attorney Aaron Mackey.
“The objective of Congress was to have people speak more,” Mackey said. “These companies aren’t holding up their end of the bargain by disclosing this information and giving the public information on how these tools can be used.”
Between 2015 and 2017, the government issued more than 37,000 national security letters seeking customer records from companies.
The use of NSL gag orders has been the subject of extensive debate and legal challenges for years. In 2013, a federal judge declared the use of gag orders unconstitutional. That decision was later reversed after Congress amended the process for reviewing gag orders in 2015.
The Ninth Circuit then upheld the use of nondisclosure directives in 2017, finding the reformed process for reviewing gag orders withstood the “strict scrutiny” requirement for prior restraints on speech. A request for an en banc rehearing in that case is still pending.
Under FBI procedures adopted in line with the USA Freedom Act of 2015, the bureau must review the need to keep gag orders in place at three intervals: when each letter is issued, three years after each issuance, and when an investigation is closed.
The 2015 law allows companies to disclose a range of how many NSLs they receive, such as 0-499, but companies may not disclose the exact number received or details on the type of information sought by the FBI until the gag orders are lifted.
No credit ratings agencies have published transparency reports showing how many NSLs they received. Experian and Equifax did not respond to requests for comment about their privacy policies and whether they inform customers that the government sought their information once gag orders are lifted.
A TransUnion spokesman said the company “has not disclosed the receipt of any National Security Letters.”
Technology companies, such as Google, Facebook and Twitter, tend to be more transparent in reporting information about the warrantless demands for customer data.
Twitter announced in 2017 it was notifying two users about FBI demands for their account data after gag orders were terminated. An in-house lawyer for Twitter stated at the time that the FBI sought “a large amount of data,” but Twitter only provided “a very limited set of data” consistent with federal law and interpretive guidelines issued by the U.S. Justice Department.
Google published 11 redacted copies of national security letters in 2016 and 2017, including demands for “the name, address, length of service, and electronic communications transactional records for all services” of a specific Google user.
Facebook released 13 NSLs last year. Earlier this month, the social media giant reported that government demands for user data have reached an all-time high with 128,617 requests, including non-NSL requests, in the first half of 2019. That is a 212% increase from the same period in 2015 when Facebook received 41,214 demands for user data.
According to Mackey, the fact that the FBI reviewed 11,874 gag orders and only lifted 760, or 6.4%, indicates the review process is not working as Congress intended.
“The law still gives FBI discretion on whether to keep the gags orders in place indefinitely,” Mackey said.
The U.S. Justice Department, which agreed to pay EFF $75,800 in attorneys’ fees to settle the FOIA litigation, did not immediately respond to an email request for comment Friday.