Cloudflare, a provider of web performance and security services, revealed that it received a National Security Letter (NSL) in 2013 and that it was only now legally allowed to talk about it. The Electronic Frontier Foundation (EFF) helped Cloudflare fight the NSL, which it believes is an unconstitutional authority often abused by the government.
The Many Problems With NSLs
An NSL is an administrative subpoena served by the government that doesn’t require a judge’s approval. The problem with this is that judges are meant to ensure that the government can’t abuse its power by going around and searching everyone’s homes or personal files whenever it feels like it. NSLs are written into the Patriot Act in such a way that allows them to bypass judges and operate in almost total secrecy.
An even bigger problem with NSLs is that the government can–and usually does–also serve a gag order along with it. Therefore, the company or person receiving the NSL can’t talk about it, ensuring that the order stays secret.
Another problem with NSLs is that the gag orders are typically for an indefinite amount of time unless they are challenged in court, which most companies or people are unlikely to do. So far, the FBI has served hundreds of thousands of NSLs, and only a handful of them have been made public after many years of court battles.
The USA Freedom Act passed required the FBI to regularly review which NSL gag orders are no longer necessary, but there’s no additional oversight, which means the FBI can keep the vast majority of gag orders in place.
Cloudflare received an NSL in February, 2013, and after asking the EFF to join its court battle, it succeeded in getting the gag order removed. Shortly after Cloudflare started its lawsuit, the FBI withdrew its information request, so the customer information sought by the FBI was never shared. The gag order remained in place, however, likely so Cloudflare would never make the episode public.
This shows once again how trivial it is for the FBI to abuse NSLs and gag orders. If the information the FBI requested under secret order was so vital to its investigation, then it wouldn’t have given up so easily.
Microsoft’s recent lawsuit against the government showed that almost half of the data requests made to the company were accompanied by gag orders. This makes it seem like the government serves gag orders mainly because it can, and not because doing so is a necessity.
According to Cloudflare, a few months after the FBI served it the NSL, the company tried to convince a key Congress staff member working on counter-terrorism and judicial issues, who remained unnamed, that NSLs are unconstitutional. However, because of the gag order, Cloudflare’s counsel couldn’t actually tell the Congress staff member that the company had already received an NSL.
As such, the staff member continued to believe that an NSL couldn’t even be served to Cloudflare because the services it offers wouldn’t fall under the NSL statute. Clearly, the staffer was either wrong, or they were right and the FBI misinterpreted what the NSL statute allows it to do. Either way, Cloudflare was served with an NSL that it should never have received, according to the staffer.
Because NSLs are almost always accompanied by gag orders and because virtually no one takes on the U.S. government to challenge them, that also means the FBI can choose to misinterpret the statute whenever it wants. When someone does challenge an NSL, the FBI can just withdraw it, as it did with Cloudflare, and hope that the company or individual drops the case altogether.
Cloudflare said that it’s now able to publish a more accurate transparency report and it hopes this case will help change the minds of policymakers about the constitutionality and potential for abuse of NSLs by the U.S. government.