Gagging orders in the FBI's National Security Letters are all above board and constitutional, a California court has ruled.
These security letters are typically sent to internet giants demanding information on whoever is behind a username or email address. Crucially, these requests include clauses that prevent the organizations from warning specific subscribers that they are under surveillance by the Feds.
Cloudflare and Credo Mobile aren't happy with that, and – with the help of rights warriors at the EFF – challenged the gagging orders. Despite earlier successes in their legal battle, the 9th US Circuit Court of Appeals ruled on Monday that the gagging orders do not trample on First Amendment rights.
“We are disappointed in the Ninth Circuit’s decision and are considering our options for next steps,” Credo CEO Ray Morris told The Register in a statement. “At CREDO, we know what an uphill battle challenging these gag orders can be, and feel that the court missed an opportunity to protect the First Amendment rights of companies that want to speak out in the future.”
The FBI dishes out thousands of National Security Letters (NSLs) every year; they can simply be issued by a special agent in charge in a bureau field office, and don’t require judicial review. They allow the Feds to obtain the name, address, and records of any services used – but not the contents of conversations – plus billing records of a person, and forbid the hosting company from telling the subject, meaning those under investigation can’t challenge the decision.
It used to be the case that companies couldn’t even mention the existence of the NSL system for fear of prosecution. However, in 2013 a US district court in San Francisco ruled that such extreme gagging violated the First Amendment. That decision came after Google, and later others, started publishing the number of NSL orders that had been received, in defiance of the law.
In 2015 the Obama administration amended the law to allow companies limited rights to disclose NSL orders, and to set a three-year limit for the gagging order. It also set up a framework for companies to challenge the legitimacy of NSL subpoenas, and it was these changes that caused the appeals court verdict in favor of the government.
Cloudflare’s general counsel Doug Kramer told The Register that his organization has taken up the case on First Amendment principles and that he was “disappointed the Ninth Circuit ruled the current practice sufficient.” The biz has just put up a post explaining its position.
“Although decisions by a federal court and a new statute since that time have improved the NSL process, we think there is additional work to be done.” Cloudflare is now deciding whether or not to appeal the case to a higher court.
It’s not all bad news
While the ruling is an undoubted setback, it’s not the end of the world. Several other challenges to the gag order, brought by Twitter and Microsoft, are ongoing, and the very fact that companies can challenge NSL subpoenas is something of a step forward.
“While we’re still considering our options, we’re not done challenging National Security Letters,” Andrew Crocker, staff attorney at the EFF, told The Reg. “It’s only by legal challenges like this that we got the right to even name the companies involved in the case.”
He pointed out that for decades, the FBI had been free to use NSL data without the process even being mentioned and that, while the 2015 legal revisions appear to have convinced the court in this ruling, the letter of the law also opens up interesting possibilities for future cases.
Under the 2015 legislation, companies that receive an NSL can invoke a “reciprocal notice,” which is a right to request judicial review of the gag orders accompanying the subpoena. This means the FBI has to bring its case in front of a judge within 30 days and justify the request for data.
It’s a low-cost way to force the FBI to justify its orders and has already had some successes, notably in the Cloudflare and Credo case. In January just such a reciprocal notice meant that the FBI withdrew the NSL subpoena that caused the original court case and didn’t collect any data from Cloudflare.
“We’ve been encouraging companies to invoke this right, and Apple, Dropbox and Adobe have all been doing so,” Crocker said. “We don’t think the law goes far enough, but these changes only exist because the legal cases were taken up.”