Following an 11-year battle, Nicholas Merrill finally gets to publicly talk about the FBI's National Security Letter, which demanded he hand over a wide swath of private information about one of his ISP customers.

Larry Loeb, Blogger, Informationweek

December 2, 2015

4 Min Read
<p align="left">(Image: nikauforest/iStockphoto)</p>

8 iPhone Security Apps To Keep Your Data Safe

8 iPhone Security Apps To Keep Your Data Safe

8 iPhone Security Apps To Keep Your Data Safe (Click image for larger view and slideshow.)

Nicholas Merrill, founder of a small ISP, disclosed publicly on Monday how broadly the FBI has secretly issued National Security Letters (NSLs) that allow the collecting of data about US citizens without a warrant or judicial oversight.

Merrill's disclosure -- which follows an 11-year legal battle -- is made even more chilling when one considers that an NSL almost always comes with a built-in gag order. This order prevents the recipient from disclosing the letter to its target, or to the public.

That unrestrained gagging was central to the decision by a federal district court to invalidate the gag order in full.

U.S. District Judge Victor Marrero on Aug. 28 found that "the non-disclosure requirement enforced against him [Merrill] was overly broad and could not be supported by a 'good reason.' "

[Read The NSA, Surveillance, And What CIOs Need To Know.]

There was a stay on the order for 90 days to allow for an appeal. Since there was none, as of this week, Merrill is free to speak about the case.

He told Reuters that Judge Marrero's ruling is significant "because the public deserves to know how the government is gathering information without warrants on Americans who are not even suspected of a crime."

The NSL became part of the USA Patriot Act in the wake of the Sept. 11, 2001 terror attacks. According to a Justice Department inspector general report, the FBI issued 143,074 NSLs between 2003 and 2005. Merrill's case marks the first time an NSL gag order has been lifted in full, according to a Yale Law School blog post.

"For more than a decade, the government has refused to allow Mr. Merrill and other NSL recipients to tell the public just how broadly the FBI has interpreted its authority to surveil individuals' digital lives in secret using NSLs," the blog noted. 

Merrill's legal journey began in 2004 when the FBI issued him an NSL targeting one of the customers of his ISP, Calyx Internet Access, in New York. The FBI subsequently dropped the demands, but Merrill fought the gag order attached to the NSL.

"The FBI has interpreted its NSL authority to encompass the websites we read, the Web searches we conduct, the people we contact, and the places we go. This kind of data reveals the most intimate details of our lives, including our political activities, religious affiliations, private relationships, and even our private thoughts and beliefs," Merrill told Ars Technica

According to court documents, the FBI was asking for:

  • DSL account information

  • Radius log

  • Subscriber name and related subscriber information Account number

  • Date the account opened or closed

  • Addresses associated with the account

  • Subscriber day/evening telephone numbers

  • Screen names or other on-line names associated with the account

  • Order forms

  • Records relating to merchandise orders/shipping information for the last 180 days

  • All billing related to account

  • Internet service provider (ISP)

  • All e-mail addresses associated with account

  • Internet Protocol (IP) address assigned to the account

  • All website information registered to the account

  • Uniform Resource Locator (URL) address assigned to the account

  • Any other information which you consider to be an electronic communication transactional record

In 2007, Merrill wrote an anonymous op-ed piece for the Washington Post in which he accused the FBI of withholding documents. "The inspector general's report confirms that Congress lacked a complete picture of the problem during a critical time [re-authorization of the Patriot Act]: Even though the NSL statute requires the director of the FBI to fully inform members of the House and Senate about all requests issued under the statute, the FBI significantly underrepresented the number of NSL requests in 2003, 2004 and 2005, according to the report," he wrote.

President Obama's Intelligence Review Group in 2013 noted that there are about 60 NSLs issued per day.

NSLs are routinely sent to major tech firms such as Facebook and Microsoft.

Perhaps sensing that the tide is turning against the government, President Obama told the Justice Department to amend the gag order in January 2014 so that it is not permanent.

**New deadline of Dec. 18, 2015** Be a part of the prestigious InformationWeek Elite 100! Time is running out to submit your company's application by Dec. 18, 2015. Go to our 2016 registration page: InformationWeek's Elite 100 list for 2016.

About the Author(s)

Larry Loeb

Blogger, Informationweek

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401. You can e-mail him at [email protected].

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights