Yesterday, the Senate failed to pass a motion to end debate and move to a final vote on a highly controversial amendment related to Internet records, which New America’s Open Technology Institute (OTI) strongly opposes. The McCain-Cornyn-Burr amendment (S. Amdt. No. 4787) would have done two things: First, it would have expanded the National Security Letter (NSL) authority under the Electronic Communications Privacy Act (ECPA) to allow the FBI to access Internet users’ electronic communications transactional records (ECTRs). Second, it would have made the “Lone Wolf” provision of the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) permanent.

There have been a lot of myths and misstatements about what these authorities would do, how they have been used in the past, and how they would be used if the amendment passed. What follows are the seven biggest myths that have been spread, with a dose of reality to answer each one. 

Myth #1: ECTRs do not reveal personal information. Senator Burr assured members on the Senate floor that the amendment was “not to expand in any way, shape, or form the powers [of the FBI] or to intrude in the privacy, because there is no content collected.”

Reality: While it is true that the amendment would not permit the FBI to access communications content without court approval, it is false to suggest that this amendment would not impact privacy and that it is not an expansion of authority. ECTRs are metadata created by Internet activities. They reveal information like who you communicate with online via email, text, and chat; what accounts you have; what time and from where you use those accounts or go online in general; what websites you visit; and much more.

Every action you take online creates a transaction record that involves information which can be extremely revealing, and in some respects, can be even more revealing than the actual content that you are reading. As a result, ECTRs can reveal enough information for the FBI to develop profiles of Americans’ habits and preferences, such as those concerning individuals’ medical and mental health concerns, political leanings and religious beliefs, reading interests, and hobbies.

The FBI currently needs an order issued by a judge to access these sensitive records, precisely because they are so sensitive. This amendment would expand the NSL authority and would allow FBI agents to issue these demands, unilaterally, without any judicial approval or oversight (including after the fact).

Myth #2: The FBI cannot currently access these records for their investigations or investigate “lone wolves” under the IRTPA, but this amendment would change that and thereby prevent attacks like the one in Orlando. Senator McCain, in his press release announcing the amendment, stated that “In the wake of the tragic massacre in Orlando, it is important our law enforcement have the tools they need to conduct counterterrorism investigations and track ‘lone wolves,’ or ISIL-inspired terrorists who do not have direct connections to foreign terrorist organizations but who seek to harm Americans.”

Reality: First, it’s important to understand that there are a plethora of existing authorities under which the FBI can get court approval to obtain ECTRs. For investigations into terrorism and counterintelligence, they get orders from FISA Court judges under Patriot Act Section 215. The FBI must meet the same standard to get a 215 order from a FISC judge for ECTRs that it would need to self-certify it had met under the NSL statute: It must show that the information sought is relevant to an investigation. The McCain-Cornyn amendment would not give the FBI access to new information; the amendment would only enable the FBI to avoid any meaningful oversight of the use of those authorities — oversight that is necessary to protect against a pattern of repeated abuses of NSLs.

Second, the fact of the matter is that this amendment, had it been in place before the attack, would not have prevented the tragedy in Orlando. (Even Senator Richard Burr agrees with this assessment.) The FBI had the shooter under investigation twice. And, FBI Director Jim Comey publicly stated that the FBI did access his ECTRs: “Our investigation involved introducing confidential sources to him, recording conversations with him, following him, reviewing transactional records from his communications, and searching all government holdings for any possible connections, any possible derogatory information.”

Additionally, the FBI has never used the Lone Wolf authority in its 12 year history for any investigation, by the FBI’s own admission. Further, even if the FBI wanted to use it in its investigation of the Orlando shooter, it would not have been able to. The Lone Wolf provision, which is not due for reauthorization until 2019, applies only to non-US persons. The shooter was an American citizen. Regardless of the fact that the FBI has never used this authority in any other case, it wouldn’t have even been available to them here.

Myth #3: This is just a “typo fix.” Senator McCain echoed Comey and called his proposal a “typo fix.” Senator Burr said on the Senate floor that “this is not a new expansion. It is clearly something that continued from 1993 until 2010, six years ago, when all of a sudden a tech company looked at it and said: Boy, it is in this subpart, but it doesn’t state it in that subpart [of the law], so we are not going to provide [Internet records] for you anymore.”

Reality: Senator Burr has an interesting interpretation of history, but that is not what happened. In 1993, Americans were not using the Internet in as many ways as we do now, so the FBI couldn’t access the kinds of ECTRs that this amendment would allow. They simply didn’t exist back then.

And it was in 2008 — not 2010 — that Justice Department lawyers under President Bush, not tech companies, concluded that the NSL statute covered only what was listed and ECTRs are not. Thus, the FBI’s NSL demands for ECTRs were illegal. Nonetheless, NSLs recently released by Yahoo! show that the FBI disregarded the Justice Department’s assessment and continued to issue illegal demands for ECTRs. Additionally, NSLs are compulsory — that means that if a company receives one, it is required to respond. So, if companies have been refusing for the last six years to provide ECTRs in response to NSLs, it is highly likely that those demands were illegal.

Myth #4: NSLs are issued in a very targeted fashion. Senator Cruz defending his vote for the amendment, saying “[t]oday, I joined with Sen. McCain in voting to allow the FBI to obtain Internet search data of specifically-identified suspected terrorists.”

Reality: Unfortunately, the NSL statute is not so precise. The statute allows FBI agents to make demands for specific records so long as they self-certify that the records are relevant to an investigation. There is no requirement in the law that the subject of the records be suspected of terrorism; they merely need to be somehow relevant to a terrorism or counterintelligence investigation — investigations that are generally extremely broad in scope and duration. The result of this standard means that in the last two years alone (see here and here), the FBI has collected records concerning 80,000 accounts using 29,218 NSLs, and in the last 10 years, it issued over 300,000 NSLs. This is also an authority that comes with a long history of abuse, including issuing NSLs to engage in bulk collection, not to mention the continued illegal requests for ECTRs.

Myth #5: Judicial approval and oversight is unnecessary and makes the FBI’s process to access ECTRs too long and onerous. Senator McCain quoted FBI Director Comey, who said, “Nobody I’ve heard thinks [judicial oversight is] necessary. It would save us a tremendous amount of work hours if we could fix that without any compromise to anyone’s civil liberties or civil rights.”

Reality: While an Inspector General report did suggest that, on at least one occasion, the issuance of an 215 order of ECTRs took several weeks, the delay was due, at least in part, to the judge determining that additional privacy procedures were necessary to protect the privacy and civil liberties of Americans whose sensitive information might be caught up in the FBI’s collection. What’s more, the report states that FBI agents concluded the additional privacy procedures “introduced ‘investigative value.’” So clearly there is some need for judicial oversight of these authorities.

Additionally, if there is an emergency and the court process would take too long, the law has an emergency exception — one of the reforms passed in the USA Freedom Act — where the Attorney General can issue the 215 order for ECTRs immediately, and seek court approval shortly thereafter. Not wanting to do the extra paperwork that it takes to get a court’s permission is not a good enough reason for Congress to grant the FBI the authority to unilaterally demand Americans’ browsing history and other Internet records.

NSLs, on the other hand, are not subject to any judicial approval or oversight, and as discussed in response to Myth 4, they have been the subject of tremendous abuse. Even the most recent Inspector General report on NSLs found that, among other abuses, NSL’s internal record-keeping, auditing, and controls are not up to par, and result in problems like requesting and collecting “the information of someone other than the intended target of the NSL.” In total, since the passage of the Patriot Act in 2001, there have only been three Inspector General reports on NSLs (in 2007, 2008, and 2014), all of which identified serious problems with abuse and oversight.

Myth #6: If someone has issued an NSL for your records, you’ll find out about it. The constitution guarantees a Fifth Amendment right to “due process,” which means, among other things, that if the government has seized your belongings or records, or otherwise obtained the contents of your communications (e.g., in a wiretap), you will be provided with notice of that search so that you have the opportunity to “be heard” (i.e., you can contest its validity).

Reality: When NSLs are issued, they are universally accompanied by non-disclosure orders, also known as gag orders, like the ones Google, Yahoo!, Facebook, and Microsoft have contested in court, and some of the gag orders that are the subject of Microsoft’s current litigation. The gag order makes it illegal for the recipient of an NSL (like an e-mail service provider) to disclose the letter’s existence to the target of the NSL, or to anyone else who is not necessary to assess its legality or to process it (e.g., the company’s general counsel or a technical expert). There is no notice requirement associated with the issuance of an NSL, which means that the government is not required to notify the target of the investigation. Thus, a target may never find out that they are believed to be “relevant” to an investigation.

Some argue that more information is accessible through administrative subpoenas that are used in criminal investigations and that those do not require notice either. However, the proposed amendment goes far beyond what those subpoenas allow. Additionally, terrorism and counterintelligence investigations are generally much broader in scope and longer in duration than are the criminal investigations for which administrative subpoenas are used. Because there are far fewer prosecutions resulting from terrorism and national security investigations than from criminal investigations, it is likely that the subjects of administrative subpoenas find out about the collection through discovery far more often than do the subjects of NSLs.

Myth #7: Anyone who opposed this amendment can go home, kick their feet up, and celebrate, because they won!

Reality: That’s not exactly how the Senate works. Groups, individuals, and companies who oppose this amendment absolutely won this round. But Senator McConnell switched his vote to “no” at the very end, which might have surprised some viewers. But he did so in order to immediately move that the amendment be reconsidered in the future.

It is entirely possible that Senator McConnell will bring this amendment up for a vote again today, if he thinks the motion for cloture will pass. And it might, so it’s important that, as John Oliver explained earlier this month, if you care about a policy issue — like opposing the expansion of NSL authorities to include ECTRs — you have to call your Senator about this today. But you should probably also call tomorrow, the next day, and so on too, until they know that you will always show up to defend your rights.