For well over a decade, the FBI has issued secretive compel notices on communications providers to request data about users suspected of criminal activity. Dubbed National Security Letters (NSLs), they come with an everlasting gag order and do not need to be approved by a judge.
Yet now, after spreading inaccurate legal advice for roughly a year, the US law enforcement agency is reportedly being forced to re-issue thousands of these letters because it failed to inform firms served with an order the law around challenging them had changed.
The news came to light following a landmark appeal by the Internet Archive, which was on the receiving end of an NSL back in August. Upon analysis, the website found the notice contained significant misinformation about how to contest the order.
As explained by the Electronic Freedom Foundation (EFF) in a blog post, the NSL failed to explain changes to the law that discarded old rules saying firms could only make one challenge a year. In 2015, Congress updated this to allow multiple requests to take place.
The EFF, which helped challenge the spy notice, published the Internet Archive's response to the FBI saying it did not hold the requested information and pointing out the legal problems. The agency acknowledged the mistake and said it would now start to inform other firms of the error.
"This means that potentially tens of thousands of providers that received NSLs between June 2015 and November 2016 may have been deterred from petitioning a court for the right to go public," the EFF said in its release.
Brewster Kahle, founder of the Internet Archive, said: "The free flow of information is at the heart of the Internet Archive's work, but by using national security letters in conjunction with unconstitutional gag orders, the FBI is trying to keep us all in the dark.
"That secrecy helped conceal that the FBI was giving all NSL recipients bad information about their rights. So we especially wanted to make this NSL public to give libraries and other institutions more information and help them protect their users from any improper FBI requests."
Vulnerable to errors of law
Thousands of communications providers likely received the same false information, the EFF said, adding the FBI issued about 13,000 NSLs in 2015. Exact figures remain misty, but the Intercept has reported the agency consistently sends out over 10,000 a year. At its peak, 2004-2005, the agency was spewing out roughly 50,000 annually.
"The opaque NSL process – including the lack of oversight by a court – makes it very vulnerable to errors of law," said EFF staff attorney, Andrew Crocker. "Add to that the routine use of gags and enforced secrecy, and those errors become difficult to find and correct.
"We are grateful to the Internet Archive for standing up to the FBI and shining some light on this error. We hope that others who receive the correction will also step forward to have their gags lifted and shine more light on these unconstitutional data collection tools."
It has been a busy week for the EFF. On 30 November, a mobile provider called Credo – with the help of the campaigning group – was able to confirm it was part of an ongoing battle with the FBI over gag orders attached to a series of NSLs it received back in 2013.
Meanwhile, in June this year, technology giant Yahoo revealed details about its own scrapes with the FBI over NSL-related demands for user data – showing it previously demanded a users' account numbers, IP addresses, postal details, email accounts, billing records, internet screen names, telephone numbers and more.
The use of the controversial compel notices expanded rapidly following the introduction of the US Patriot Act in the aftermath of 9/11. John Pistole, a former deputy director of the FBI, said in March 2007 the agency was sending out 40,000 to 60,000 NSLs a year.