
Secret FBI Subpoenas Scoop Up Personal Data from Scores of Companies - tysone
https://www.nytimes.com/2019/09/20/us/data-privacy-fbi.html
======
jenvalentino
Hi. I'm the reporter on this story. Thanks for discussing it!

I thought it might be helpful for me to make a couple points.

First, national security letters have been around, AND controversial, for
years now. A number of tech companies have fought the gag orders. The news
here is really that we are seeing for the first time which other specific
companies get a lot of these — especially banks, credit agencies and so forth,
which have all been silent on the subject.

Second, @hammock is correct to say that these are not approved by a judge. Nor
are they grand jury subpoenas. They are administrative subpoenas, but unlike
other administrative subpoenas, almost all of these come with stringent,
long-term gag orders. So, they're a pretty special type of subpoena, not one with
which everyone is familiar.

Thanks again for reading.

~~~
drewmol
Fwiw, it was the PATRIOT Act, passed shortly after the events of 9/11/2001,
that allows for these administrative subpoenas and gag orders and removed any
effective judicial oversight. Many of those provisions in the act were set to
expire and those expirations were extended by both president Bush and Obama.
IIRC the AG or their subordinates have to notify the judiciary of these
subpoenas but can issue a gag order along with the disclosure effectively
removing any judicial oversight.

~~~
jdc
A little more background on administrative subpoenas:

We Don't Need No Stinking Warrant: The Disturbing, Unchecked Rise of the
Administrative Subpoena ([https://www.wired.com/2012/08/administrative-subpoenas](https://www.wired.com/2012/08/administrative-subpoenas))

------
situational87
We can't keep pretending this is still a Democracy when we have a completely
unaccountable NSA/CIA/FBI that seems to repeatedly hide their mistakes and the
dubious legality of their sources & methods behind the classification and
national security walls.

~~~
cronix
It was very eye opening to me when I had a conversation with a family member
who is retired CIA/NSA/Rand. Not a low level person. I was asking them about
when President Clinton asked about the UFOs, and why the president was not
told the answers he was seeking. Their reply: the presidency is not the
highest security clearance and the president does not have a right to know
everything. I wonder if that's what the founders had in mind when they formed
our government. And what happens when those people disagree with whoever is in
office? They control what the president knows, as they are the ones who brief
him, and only what "they" think is appropriate. They decide.

~~~
dx87
Your family members were lying to you if they said that the president doesn't
get to see whatever classified material they want. The president doesn't even
have a security clearance like everyone else requires, they get to see
whatever they want and can declassify anything they want.

~~~
DanielBMarkham
Both of you are correct.

Technically, the president can classify or de-classify anything they'd like to
at any time. He is the sole and only person in charge of the branch of
government responsible for this.

Practically, over many years presidents have delegated this authority all over
the place, and in such byzantine ways that most of the folks in
compartmentalized projects wouldn't know that he had the authority -- and even
if they did, they could just point to various laws and signing letters that
make it less than clear how a president would go about declassifying anything.

So yeah, in theory POTUS could take an afternoon off, walk down the street
into a government building and declassify whatever he wants. That's why we
fight so much over who gets the job: the illusion that these powers are
present. In reality, however, if he could get the SS to allow him to take a
walk (unlikely), he'd be stopped at the door of wherever he went (both by his
own and that department's security services), and then the red tape nightmare
would begin. By the time it was all over he'd be better off staying home and
watching daytime TV.

For what it's worth, and I hate using movies as historical examples, in the
movie Nixon there was a great scene where Nixon went in the middle of the
night to talk to protesting students. He wanted the war to end too, didn't
they know that?

It was contentious, but then one kid got it and said it aloud, something like
"You don't have the power to stop it either, do you?"

Nixon looked completely defeated at that moment. Seconds later he was dragged
off by his security staff.

Without getting into the veracity of that exchange, the gist of it is
something we see confirmed over and over again in the historical record: large
groups of administrators simply cannot be governed and instructed by one
person, no matter what the documents technically look like. It's the system itself
that does the work and enforces the norms, whether it's General Electric or
the NIS

------
mLuby
A gag order can be reasonable: "give us what you have on user John Smith
birthday 1/1/1950 but don't tell him anything" makes sense if you're, say,
investigating a criminal ring John is part of.

What is _unreasonable_ is that companies can't reveal they've been gagged, or
what type of data they were compelled to reveal, even after the fact.
Companies should be allowed to say "we have disclosed access logs, location
history, searches, encrypted backups for 1-50 accounts in response to lawful
request from law enforcement." And they should be able to disclose the letter
after an investigation has closed (whether it resulted in legal action against
the individual or not).

~~~
cameldrv
Yes, a gag order can be reasonable. Wiretaps with warrants usually have them.
IMO, there should be no gag order, and the subject of the subpoena should be
required to be notified and allowed to challenge the subpoena if it is issued
without a judge.

Gag orders should be allowed, but only if signed off on by a judge, and only
for a reasonable amount of time to complete an investigation. If the
government gets your information, and decides not to bring charges, you should
have the right to know about that at some point.

~~~
GhettoMaestro
> If the government gets your information, and decides not to bring charges,
> you should have the right to know about that at some point.

Disagree. There are numerous cases where it takes multiple investigations to
"get" a career criminal (think organized crime). If each batch of subpoenas or
sealed warrants were exposed even when there is no charge this time, that
gives said suspect a very nice opportunity to clean up loose ends.

TLDR: If people know they are being actively looked at they will attempt to
destroy/suppress/hide evidence.

~~~
kerkeslager
> Disagree. There are numerous cases where it takes multiple investigations to
> "get" a career criminal (think organized crime). If each batch of subpoenas
> or sealed warrants were exposed even when there is no charge this time, that
> gives said suspect a very nice opportunity to clean up loose ends.

Subpoenas are only supposed to be issued if there's a reasonable belief that
the subpoena will find evidence of criminal activity. In theory, subpoenas
_should_ find evidence most of the time--if subpoenas frequently don't turn up
evidence, then subpoenas are being issued without the proper burden of proof
being met.

For this reason I strongly disagree that we should build any policy around the
idea that subpoenas won't turn up evidence of wrongdoing on a regular basis.
This just encourages law enforcement to go on fishing expeditions, instead of
doing proper, evidence-based police work. If law enforcement know the person
will be notified of the subpoena after some time, then they'll be incentivized
to only apply for subpoenas that are sensible and strategic, rather than
applying for frivolous subpoenas that don't turn up anything.

~~~
GhettoMaestro
I see your point. It opens a door for a lot of bullshit.

Really, I suppose I am advocating less for secret subpoenas and more for
secret warrants. If someone really has a reason to keep something concealed in
the interest of justice, then they should have no problem with a Judge signing
off on it, under seal of course.

And if the secret warrant is a part of a series against a suspect, again I
think a reasonable Judge could be convinced of the necessity of keeping the
ongoing investigative activities concealed for the time being.

------
xfitm3
I spent a long time in the hosting industry, most of which was in early 00s.
When the feds couldn't get a court to order to hand over data we simply sold
the data to them. They paid, quite handsomely at times.

~~~
Accujack
This is pretty telling of the present state of U.S. law... there's no law
against this (even today).

The existing laws that protect privacy and what can be done with information
companies collect have _never_ been updated post computer revolution... the
same generation that was in power before then is still in power, and they've
never had any interest in changing that.

The US government started failing a long time ago, and everyone in that
generation is either part of the problem or unwilling to admit it IS a
problem.

------
hammock
NSLs are not subpoenas. They are "administrative subpoenas," the difference
being that they are not issued by a court and have no review or oversight by
any judge or court officer. They are about as much a subpoena, as the FISA
"court" is a court of law.

~~~
Merrill
> "In most instances, a subpoena can be issued and signed by an attorney on
> behalf of a court in which the attorney is authorized to practice law. If the
> subpoena is for a high-level government official (such as the Governor, or
> agency head), then it must be signed by an administrative law judge. In some
> cases, a non-lawyer may issue a subpoena if acting on his or her own behalf
> (known as pro se representation)."

[https://litigation.findlaw.com/going-to-court/what-is-a-subpoena.html](https://litigation.findlaw.com/going-to-court/what-is-a-subpoena.html)

A judge's approval is not needed. The attorney (e.g. a prosecuting attorney)
is the "court officer".

~~~
hammock
You missed the point. Your citation refers to a traditional subpoena, which I
was saying is distinct from these "subpoenas." NSLs are not issued by
prosecuting attorneys.

~~~
Merrill
> However, the most commonly used type of NSL can be issued directly by the FBI
> Director, an Assistant Director, and also by all FBI Special Agents in Charge,
> who are commanding officers stationed across the country at FBI field offices.

[https://www.eff.org/issues/national-security-letters/faq#3](https://www.eff.org/issues/national-security-letters/faq#3)

Most of these, and certainly the Director, are also attorneys. At least James
Comey was. Plus they have FBI staff attorneys to consult with. Practically
speaking, how does this differ from the local prosecutor issuing a subpoena?
The local county prosecutor is essentially part of law enforcement and
reports up to the AG in the executive branch of government. The local county
prosecutor has dozens of detectives working for her.

------
Merrill
Subpoenas have been used frequently for decades to request "records kept in
the ordinary course of business". The only thing different in this case seems
to be that there is a perpetual gag order. But if the local prosecutor
subpoenas your phone records because you are being investigated for bribing an
athletic coach at a university, I don't think the phone company will tell you
about it.

~~~
sneak
The major thing that is different is that no judge or court is involved -
these are issued by the requesting organization directly with no oversight.

------
nullc
The use of administrative subpoenas with effectively limitless gags is very
concerning, but I also feel that the attention is somewhat misplaced.

The US government receives far more private data about people from companies
selling it or simply giving it away, than they get via administrative
subpoena. The practice of paying for requested data also makes companies
complicit in these orders, when they are issued-- they're a revenue center.

Without stronger laws barring the collection of data and providing stiff civil
or even criminal penalties for disclosure (including to the government) the
bulk of the situation will not be much improved.

------
olliej
Seriously, we need to kill off this warrant workaround that the US gov has
decided is valid.

Almost every product you buy now ends up sending your data to some company,
and the government has decided that means you have no expectation of privacy,
which is clearly nonsense.

------
andrerm
And don't forget FBI is the one pushing against encryption

~~~
inscionent
The Justice Department as a whole has this agenda under Barr, not just FBI.

------
fulldecent2
I am surprised that more NSLs have not been leaked or "hacked".

Just store the NSLs next to your user data so that when it gets stolen and
published then your NSL is published as well.

------
sroussey
I really got worried when I stopped getting these and other subpoenas from 3
letter agencies. I knew we had to beef up our server defenses. :/

------
stjohnswarts
I am the odd duck libertarian who believes we need a minimum income welfare
safety net and health care as a right. However, I scoff at giving the
government more power in the areas of surveillance and police power. I just do
not understand people backing up the government in taking away civil rights
and personal freedom in the name of "making us safer". Honestly we are far
safer than even as recent as the 90s, let alone the 1890s. People will always
find things to clutch their pearls over, and it's all relative.

------
no_opinions
Based on what I read online in discussions and in the news, there's little
nuance into the circumstances around the data retrieval:

- Is it related to someone stealing classified information, spying / or spy
cell, or could be planning a terrorist attack? In that case, they may be more
sophisticated, or the investigation shifts to preventing something from
occurring in the future, or it's a matter of trying to figure out what a cell
of foreigners from Russia/etc. are trying to get.

- Is it something related to a drug investigation? If it's involving drugs,
countries everywhere have roving wiretap abilities because druglords use
burner phones, and like above, they go to great lengths to hide / mask what
they're doing as if it's legitimate business.

- Is it related to any other criminal investigation? Police have more ability
to intercept communications than civilians. There is a whole world _inside_
here of nuances. An example in USA is subpoena'ing email records where
unopened email is treated as abandoned, they don't require a search warrant.
Not that there's many cases prosecuted relying on abandoned email retrieved
that'd be thrown out if the law changed :P

- Protect/regulation around data of medical (HIPAA in US, I think GDPR in
EU), children (COPPA in US)

- Normal consumer privacy protections (GDPR in EU)

Here's an example of Germany's constitution (Article 10 [Privacy of
correspondence, posts and telecommunications],
[https://www.bundesregierung.de/breg-en/chancellor/basic-law-470510](https://www.bundesregierung.de/breg-en/chancellor/basic-law-470510)):

> (1) The privacy of correspondence, posts and telecommunications shall be
> inviolable.

But, then it says:

> (2) Restrictions may be ordered only pursuant to a law. If the restriction
> serves to protect the free democratic basic order or the existence or
> security of the Federation or of a Land, the law may provide that the person
> affected shall not be informed of the restriction and that recourse to the
> courts shall be replaced by a review of the case by agencies and auxiliary
> agencies appointed by the legislature.

The above basically gets you what most countries have anyway, so maybe it
wouldn't address the concerns people have. _If_ there was a constitutional
check for privacy over the wire/data in the cloud it'd be upheld at the
judicial level to check the executive / legislative branch. However, there'd
still be mechanisms where the government can access data, one way or another.
It'd probably end up having the phraseology around them narrowly tailored,
there'd be less swept in when decisions are in a gray area.

~~~
wsy
The citation from Germany's constitution is a bit misleading. In Germany, law
enforcement warrants must be signed by a judge (in urgent cases, a prosecutor
can sign them, and they have to be confirmed soon afterwards by a judge).
There is an exception for communication interception by the intelligence
services: those warrants must be confirmed by the G-10 committee which is
organized like a court, but directly appointed by parliament. The main
differences to the US system are strict separation between law enforcement and
intelligence services, and direct oversight of the latter by the parliament.

