Accountability for ‘Exigent Letter’ Abuse At Last?

Posted by Julian Sanchez

It is more than three years since the Office of the Inspector General first brought public attention to the FBI’s systematic misuse of the National Security Letter statutes to issue fictitious “exigent letters” and obtain telecommunications records without due process. Nobody at the Bureau has been fined, or even disciplined, for  this systematic lawbreaking and the efforts to conceal it. But the bipartisan outrage expressed at a subcommittee hearing of the House Judiciary Committee this morning hints that Congress may be running out of patience—and looking for some highly-placed heads to roll. Just to refresh, Committee Chairman John Conyers summarized the main abuses in an opening statement:

The IG found that more than 700 times, such information was obtained about more than 2,000 phone numbers by so-called“exigent letters” from FBI personnel. In some cases, the IG concluded, FBI agents sent the letters even though they believed that factual information in the letters was false. For more than 3,500 phone numbers, the call information was extracted without even a letter, but instead by e‐mail, requests on a post‐it note, or “sneak peaks” of telephone company computer screens or other records…. In one case, the FBI actually obtained phone records of Washington Post and New York Times reporters and kept them in a database, leading to an IG conclusion of “serious abuse” of FBI authority and an FBI public apology.

It’s probably actually worse than that: Since these letters often requested a “community of interest” analysis for targeted numbers, the privacy of many people beyond the nominal targets may have been implicated—though it’s hard to be sure, since the IG report redacts almost all details about this CoI mapping.

Read the rest of this post »

A Bizarre Privacy Indictment

Posted by Jim Harper

Page one of today’s Washington Times—above the fold—has a fascinating story indicting the White House for failing to disclose that it will collect and retain material posted by visitors to its pages on social networking sites like Facebook and YouTube. The story is fascinating because so much attention is being paid to it. (It was first reported, as an aside at least, by Major Garrett on Fox News a month ago.)

The question here is not over the niceties of the Presidential Records Act, which may or may not require collection and storage of the data. It’s over people’s expectations when they use the Internet.

Marc Rotenberg, president of the Electronic Privacy Information Center, said the White House signaled that it would insist on open dealings with Internet users and, in fact, should feel obliged to disclose that it is collecting such information.

Of course, the White House is free to disclose or announce anything it wants. It might be nice to disclose this particular data practice. But is it really a breach of privacy—and, through failure to notify, transparency—if there isn’t a distinct disclosure about this particular data collection?

Let’s talk about what people expect when they use the Internet and social networking sites. Though the Internet is a gigantic copying machine, some may not know that data is collected online. They may imagine that, in the absence of notice, the data they post will not be warehoused and redistributed, even though that’s exactly what the Internet does.

There can be special problems when it is the government collecting the information. The White House’s “flag@whitehouse.gov” tip line was concerning because it asked Americans to submit information about others. There is a history of presidents amassing “enemies” lists. But this is not the complaint with White House tracking of data posted on its social networking sites.

People typically post things online because they want publicity for those things—often they want publicity for the fact that they are the ones posting, too. When they write letters, they give publicity to the information in the letter and the fact of having sent it. When they hold up signs, they seek publicity for the information on the signs, and their own role in publicizing it.

How strange that taking note of the things people publicize is taken as a violation of their privacy. And failing to notify them of the fact they will be observed and recorded is a failure of transparency.

America, for most of what you do, you do not get “notice” of the consequences. Instead, in the real world and online, you grown-ups are “on notice” that information you put online can be copied, stored, retransmitted, and reused in countless ways. Aside from uses that harm you, you have little recourse against that after you have made the decision to release information about yourself.

The White House is not in the wrong here. If there’s a lesson, it’s that people are responsible for their own privacy and need to be aware of how information moves in the online environment.

DoJ Fails to Report Electronic Surveillance Activities

Posted by Jim Harper

Unlike with wiretaps, law enforcement agents are not required by federal statutes to obtain search warrants before employing pen registers or trap and trace devices. These devices record non-content information regarding telephone calls and Internet communications. (Of course, “non-content information” has quite a bit of content – who is talking to whom, how often, and for how long.)

The Electronic Privacy Information Center points out in a letter to Senate Judiciary Committee Chairman Patrick Leahy (D-VT) that the Department of Justice has consistently failed to report on the use of pen registers and trap and trace devices as required by law:

The Electronic Communications Privacy Act requires the Attorney General to “annually report to Congress on the number of pen register orders and orders for trap and trace devices applied for by law enforcement agencies of the Department of Justice.” However, between 1999 and 2003, the Department of Justice failed to comply with this requirement. Instead, 1999-2003 data was provided to Congress in a single “document dump,” which submitted five years of reports in November 2004. In addition, when the 1999-2003 reports were finally provided to Congress, the documents failed to include all of the information that the Pen Register Act requires to be shared with lawmakers. The documents do not detail the offenses for which the pen register and trap and trace orders were obtained, as required by 18 U.S.C. § 3126(2). Furthermore, the documents do not identify the district or branch office of the agencies that submitted the pen register requests, information required by 18 U.S.C. § 3126(8).

EPIC has found no evidence that the Department of Justice provided annual pen register reports to Congress for 2004, 2005, 2006, 2007, or 2008. “This failure would demonstrate ongoing, repeated breaches of the DOJ’s statutory obligations to inform the public and the Congress about the use of electronic surveillance authority,” they say.

It’s a good bet, when government powers are used without oversight, that they will be abused. Kudos to EPIC for pressing this issue. Senator Leahy’s Judiciary Committee should ensure that DoJ completes reporting on past years and that it reports regularly, in full, from here forward.