At last week’s Senate Intelligence Committee hearing on Worldwide Threats, FBI Director James Comey reiterated his call for a major expansion of the FBI’s surveillance authorities, but disingenuously downplayed it as fixing a “typo” in the law. In fact, Comey’s proposed fix, which he calls one of the FBI’s top legislative priorities, would be a major expansion of surveillance authority, and a major hit to Americans’ privacy and civil liberties. It would grant the FBI access to a range of revealing and personal details about Americans’ online communications — what are called Electronic Communications Transactional Records (ECTR), in legalese — without court approval.
Through Comey’s “ECTR fix,” the FBI would have the unilateral authority to obtain information from phone and Internet companies about your online communications such as logs of emails you send and receive, cell site data (including your location information), and lists of websites you visit. The FBI wants to get this information using National Security Letters (NSLs), which are demands for information issued directly by local FBI offices without any court approval or supervision.
Under current law, the FBI can only use NSLs to get information pertaining to a customer’s “name, address, length of service, and local and long distance toll billing records of a person or entity.” By contrast, if the FBI wants to compel a company to hand over the much more revealing private information that is included in ECTRs, they currently can’t use NSLs — instead, they have to get a court order after convincing a judge that they have a factual basis for demanding those records. Therefore, the FBI’s proposal that Congress add ECTRs to the NSL statute is far from a typo fix, and would instead be a major expansion of FBI’s authority to conduct surveillance with virtually no oversight and no accountability.
If it isn’t already clear that the FBI’s ECTR “fix” is primed for abuse, one need only look at the history of NSLs. Since the passage of the Patriot Act in 2001, the FBI has massively overused and abused NSLs more than almost any other surveillance authority. NSLs have been used for bulk collection, which is why the USA Freedom Act explicitly prohibits their use for this purpose going forward. In 2004, agents issued nine demands that forced companies to hand over the private information of 11,000 customers. That’s not to mention the other 56,498 NSLs they issued that year. Additionally, the FBI improperly issued NSLs for ECTRs. This practice stopped in 2008 when Justice Department lawyers concluded that the NSL statute covered only what was listed — again, ECTRs are not. Thus, the FBI’s NSL demands for ECTRs were illegal.
By 2010, the Obama administration had started quietly lobbying Congress to amend the law to expand it to include ECTRs. There was little appetite for granting this new surveillance authority before the Snowden revelations, and there was even less after. The administration’s requests went ignored, including in last year’s USA Freedom Act, though we do know that an ECTR “fix” was in the mix when the final bill was being negotiated — and now it’s back again.
Comey is continuing to push for this expansion, and he may be starting to get Congress’ attention. In the last two or so months, the Chairman of the Senate Judiciary Committee, Sen. Chuck Grassley, and Sen. Tom Cotton, a member of the Intelligence Committee, each gave Comey a platform to lobby for this expansion at open hearings. Even more worrisome, Intelligence Committee Chairman Sen. Richard Burr and Cotton each had bills last year that would have addressed the FBI’s desired “fix.”
No one knows whether or not Congress will take up Comey’s proposal anytime soon. We do know that where the FBI is concerned, they generally don’t stop pushing for what they want until they get it. Even if it takes decades, they tend to wait for an opportune moment to push their agenda over the finish line or they simply wear Congress down until it gives them what they want. We saw this with the Patriot Act, which was largely drafted, debated, and rejected in the ’80s and ’90s, and only became law in response to 9/11. We saw it with the debate around encryption that we thought was settled during the Crypto Wars of the ’90s, but which the FBI recently reignited with unsubstantiated claims that it is “going dark.” Over the last few years, we’ve also seen efforts by the FBI to force an update to CALEA, the law that requires telecommunications companies to be wiretap-able, and similar pushes for mandatory data retention by phone or Internet companies. When it comes to getting changes to the law that it wants, the FBI plays a long game — and it’s been talking about the ECTR issue for a long time.
Comey was clear at last week’s hearing that getting an ECTR “fix” is still one of the FBI’s top legislative priorities. The privacy community, and lawmakers who value privacy, should heed that warning. We can’t afford to dismiss his comments just because the issue doesn’t seem urgent. Unless we push back against Comey now, before you know it, the long slow push for an ECTR fix may just be unstoppable.