The Pentagon, the CIA, and National Security Letters
posted by Daniel Solove
From the New York Times:
The Pentagon and to a lesser extent the CIA have been using a little-known power to look at the banking and credit records of hundreds of Americans and others suspected of terrorism or espionage within the United States, officials said Saturday.
The C.I.A. has also been issuing what are known as national security letters to gain access to financial records from American companies, though it has done so only rarely, intelligence officials say.
I blogged about National Security Letters (NSLs) before here. NSLs authorize the FBI to demand information from various businesses, such as financial institutions or ISPs. Compliance is mandatory. There are several NSL provisions in various federal statutes:
1. Electronic Communications Privacy Act, 18 U.S.C. § 2709 (FBI can compel communications companies to disclose customer information)
2. Right to Financial Privacy Act, 12 U.S.C. § 3414(a)(5) (FBI can compel financial institutions to disclose customer information).
3. Fair Credit Reporting Act, 15 U.S.C. § 1681u (FBI can compel credit reporting agencies to disclose records on individuals).
My understanding of the NSL provisions has been that they only authorize the FBI to issue the letters. I wasn’t aware that the CIA or Pentagon could also use these provisions.
According to the article:
The F.B.I., the lead agency on domestic counterterrorism and espionage, has issued thousands of national security letters since the attacks of Sept. 11, 2001, provoking criticism and court challenges from civil liberties advocates who see them as unjustified intrusions into Americans’ private lives.
But it was not previously known, even to some senior counterterrorism officials, that the Pentagon and the Central Intelligence Agency have been using their own “noncompulsory” versions of the letters. Congress has rejected several attempts by the two agencies since 2001 for authority to issue mandatory letters, in part because of concerns about the dangers of expanding their role in domestic spying. . . .
In the NSL provisions mentioned above, they specifically mention the FBI, not other government entities. The Right to Financial Privacy Act, § 3414(a)(1) exempts government authorities investigating terrorism or engaging in intelligence activities from the general requirements of the statute, but it doesn’t provide the authority to issue NSLs, which is granted solely to the FBI in § 3414(a)(5). Likewise, the NSL provision of the Electronic Communications Privacy Act, 18 U.S.C. § 2709 only mentions the FBI. What is the legal authority that allows the CIA and Pentagon to issue NSLs? Hopefully, somebody can point to a part of the law I’m missing.
Perhaps the CIA and Pentagon are issuing letters that simply resemble NSLs. But unlike NSLs, such letters wouldn’t be able to mandate cooperation. The article does say that the CIA and Pentagon have been issuing “using their own ‘noncompulsory’ versions of the letters.” So perhaps these letters aren’t technically NSLs. Nevertheless, it would be quite problematic if the letters were issued under the guise of an NSL and failed to indicate that cooperation was voluntary. On the facts given, we have no idea what these particular letters said or looked like.
But the article goes on to contain a discussion of NSL legal provisions and to quote unnamed government lawyers interpreting NSL provisions to allow the CIA and Pentagon to issue them:
Government lawyers say the legal authority for the Pentagon and the C.I.A. to use national security letters in gathering domestic records dates back nearly three decades and, by their reading, was strengthened by the antiterrorism law known as the USA Patriot Act.. . . .
Military officials say the Right to Financial Privacy Act of 1978, which establishes procedures for government access to sensitive banking data, first authorized them to issue national security letters. The military had used the letters sporadically for years, officials say, but the pace accelerated in late 2001, when lawyers and intelligence officials concluded that the Patriot Act strengthened their ability to use the letters to seek financial records on a voluntary basis and to issue mandatory letters to obtain credit ratings, the officials said.
The Patriot Act does not specifically mention military intelligence or C.I.A. officials in connection with the national security letters.
Some F.B.I. officials said they were surprised by the Pentagon’s interpretation of the law when military officials first informed them of it. “It was a very broad reading of the law,” a former counterterrorism official said.
So now I’m quite confused. Are these NSLs or not? If so, what is the legal authority for the CIA and Pentagon to issue them?
Related Posts:
1. Solove, National Security Letters (Nov. 2005)
2. Solove, More on National Security Letters (Nov. 2005)
January 14, 2007 at 2:44 am
Posted in: Privacy (National Security)
Print This Post
Responses (5)
Bruce Boyden - January 14, 2007 at 10:37 am
Interesting. 3414(a)(1) provides:
So if the Defense Dept. and CIA are in fact authorized to conduct investigations of, or intelligence or counterintelligence analyses related to, international terrorism in the U.S. (are they?), then the limits imposed on government requests for records by the rest of the RFPA don’t apply. The pre-RFPA law, under U.S. v. Miller, was that it was not a Fourth Amendment violation to collect such information from banks.
Of course merely having the authority to investigate is only one side of the coin; the banks have to actually comply. That could explain the references to “voluntary” compliance. 3414(a)(5)(A) makes compliance with a 3414(a)(1) request mandatory, but only in the context of a “request for a customer’s or entity’s financial records made pursuant to this subsection by the Federal Bureau of Investigation.” The rest of 3414(a)(5) then goes on to place limits on the FBI’s authority to make such requests, such as that the “investigation of a United States person is not conducted solely upon the basis of activities protected by the [F]irst [A]mendment . . . .” Perhaps the intent was that only the FBI could make such requests, whether compulsory or not — but then subparagraphs 3414(a)(1)(A) and (B) are a bit puzzling, as they appear to make the RFPA not applicable to non-FBI agencies. Alternatively, perhaps the idea was that only the FBI’s requests were compulsory, and that’s why the limits were placed on the FBI but not other agencies. As a third theory, maybe 3414(a) as a whole has been entirely mucked up by amendments and it’s indeterminate what the interrelationship is supposed to be. (a)(1)(C), quoted above, was added in 2001 by the Patriot Act; (a)(5) was tacked on in 1986, and not part of the original RFPA. A look at the 1986 amendment legislative history might be helpful.
There’s a record-keeping requirement for general 3414(a)(1) requests in 3414(a)(4), but no explicit command (unlike 3414(a)(5)(C) for the FBI) that it be disclosed to Congress.
Bruce Boyden - January 14, 2007 at 11:08 am
P.S. 15 U.S.C. § 1681v provides similar authority for non-FBI agencies under the FCRA, only in that case disclosure by the consumer reporting agency is mandatory (”a consumer reporting agency shall furnish a consumer report”).
Tracy Johnson - January 15, 2007 at 10:00 am
Is this a result of last night’s episode of ‘24′ ? (Although they did FBI letters in the show.)
Crystal - January 15, 2007 at 12:50 pm
I wish they would spend a little time looking at thee Bush financial transactions ( all Of them. Daddy, and the sons). It would also be refreshing and enlightening for them to review Jim Baker and Dick Cheny’s financial records for the past 30 years.
James Maxwell - March 17, 2007 at 9:34 pm
See Flowers v. USA presently before the U.S. Supreme Court#06-918 Military v.the right to finncial privacy act. The 9th Circuit in its opinion Flowers v. Dept of Army, et al. decided military personnel cannot sue under the RFPA.
Leave a Reply