The Office of the Inspector General (“OIG”) recently issued a 199-page report detailing the FBI’s use, and abuse, of national security letters (“NSLs”) to obtain information in the name of national security. The report cites repeated failures by the FBI to follow even the abbreviated procedures available under the current NSL regime for seeking customer and consumer records from communications providers, financial institutions, and credit agencies. The report reveals that the FBI’s failure both to provide consistent guidance regarding NSLs and adhere to internal oversight procedures has led to problems ranging from minor technical deficiencies in NSLs to the issuance of NSLs without proper authorization.
NSLs are comparable to administrative subpoenas. They allow the FBI and other government agencies responsible for foreign intelligence investigations to seek information, such as telephone billing records, financial records, and electronic communications transactional records, without first obtaining a court order. But the FBI cannot obtain the contents of communications through NSLs.
Although many people associate NSLs with the passage of the Patriot Act in October 2001, NSLs existed at least as far back as the 1970s in the form of narrow exceptions to consumer privacy laws which permitted the FBI to secretly peruse the records of suspected foreign agents. The Patriot Act only expanded the government’s preexisting authority to obtain information using NSLs. It did so by lowering the relevance threshold that the government must meet to seek information under the NSL regime so that a request must only be relevant to an investigation to protect against international terrorism or foreign spying. The information need not pertain to a foreign power or its agents. In addition, the Patriot Act expanded NSL issuance authority from FBI headquarters to special agents in charge of the FBI field offices.
Four federal statutes, the Right to Financial Privacy Act, the Electronic Communications Privacy Act (“ECPA”), the Fair Credit Reporting Act, and the National Security Act, give the federal government the right to issue five kinds of NSLs. As a result of earlier criticism and two court cases challenging the constitutionality of NSLs, Congress amended the NSL provisions when the Patriot Act was reauthorized in March 2006. The reauthorization amendments allow judicial review of NSLs and modify the nondisclosure provisions that previously cast doubt upon an individual’s ability to even consult legal counsel regarding a request.
The FBI’s use of NSLs to obtain personal facts about individuals has grown dramatically since the September 11, 2001 terrorist attacks and the subsequent passage of the Patriot Act. The FBI now issues more than 30,000 NSL requests a year. The OIG identified 143,074 requests from 2003 to 2005. The overwhelming majority of these requests sought telephone toll billing records, subscriber information, or electronic communication transactional records pursuant to the ECPA’s NSL provisions. But the FBI also requested customer records from banks and other financial institutions, consumer credit reports, and other information pursuant to the various statutory NSL provisions.
According to the OIG report, FBI personnel view NSLs as “indispensable investigative tools that serve as the building blocks in many counterterrorism and counterintelligence investigations.” The information obtained using NSLs is used to support applications for electronic and other forms of surveillance; develop communication or financial links between subjects of investigations; provide evidence to expand ongoing investigations or initiate new ones; and corroborate information obtained using other investigative techniques. But the lack of oversight regarding NSLs raises significant privacy concerns.
The OIG identified numerous instances of “improper or illegal use” of NSLs. The FBI’s abuses included issuing NSLs without proper authorization or for information other than that which had been authorized; making improper requests under the statutes listed in the NSLs; unauthorized collection of phone or Internet records; failing to follow internal policies designed to ensure adequate oversight; and collecting customer records pursuant to “exigent letters” without first issuing an NSL. And in some instances the FBI improperly obtained personal records through informal contacts without even issuing the required NSL. The report also found many improper data entries in the FBI’s NSL tracking database. The OIG attributed many of the FBI’s missteps to “confusion about the authorities available under the various NSL statutes” and FBI agents’ unfamiliarity with NSL constraints.
Attorney General Gonzales responded to the OIG’s report during his keynote speech at the International Association of Privacy Professionals Privacy Summit in Washington, DC on March 9, 2007. Gonzales told the audience that “failure to adequately protect information privacy is a failure to do our jobs . . . there is no excuse for the mistakes that have been made, and we are going to make things right as quickly as possible.” Gonzales and FBI Director Robert Mueller have vowed to review what went wrong and implement measures to improve oversight of the NSL process, President Bush has pledged swift action, and members of Congress have promised to conduct hearings on the matter. Sen. Patrick Leahy (D-Vt.) said at a press conference, “[NSLs] are a powerful tool, and when they are misused they can do great harm to innocent people.”