Companies have the option of challenging information requests made through orders approved by the Foreign Intelligence Surveillance Court (FISA Court) and through National Security Letters issued by the FBI, but they can't be blamed if they think resistance is futile. Since the terrorist attacks of Sept. 11, 2001, the government has claimed ever-expanding power to access confidential information. The opportunity to check such power is hobbled by the secretive nature of the FISA Court, while the ability to challenge search and surveillance orders is diminished by the gag orders that accompany them.
In June 2013, a series of National Security Agency (NSA) documents leaked to news outlets by former NSA contractor Edward Snowden revealed that the government's interpretations of its domestic surveillance powers are even more expansive than originally believed. Under the FISA Amendments Act (FAA) of 2008, the NSA is authorized to conduct warrantless surveillance on U.S. soil as long as the targets are not Americans. NSA documents leaked by Snowden, however, revealed that under the FAA, the government has engaged in warrantless monitoring of Americans' international phone, email and text communications.
This FAQ is part of SearchCompliance's IT Compliance FAQ series.
How prevalent are the secret search and surveillance orders that federal authorities use to demand customer information from private sector companies?
Prior to the Sept. 11, 2001, terrorist attacks, the U.S. government could only obtain a secret order for domestic spying from the FISA Court if it showed probable cause that the target had a connection to a foreign government, entity or terrorist group. But with the enactment of the 2001 Patriot Act, authorities gained expanded power to conduct searches and secret surveillance on U.S. soil without a warrant.
In 2010 alone, federal authorities made 1,579 applications to the FISA Court for search and surveillance orders, according to the Department of Justice. Of the applications seeking authority for electronic surveillance, none were denied by the court. During that same year, the government applied for approval to seek business records 96 times, and the court denied none of these applications either.
A National Security Letter (NSL) is a letter from a government agency, usually the FBI, demanding information related to national security. National Security Letters have been issued much more frequently than FISA Court orders: In 2010, for example, the FBI issued 24,287 NSLs that demanded data on 14,211 different U.S. persons. Between 2003 and 2006, the bureau issued more than 200,000 NSLs.
DOJ letter outlines electronic surveillance for foreign intelligence requests
National Security Agency collects millions of Verizon customer's phone records
Why would a company not automatically comply with a secret search or secret surveillance order?
When customer records are demanded via FISA Court order or a National Security Letter rather than a warrant, there is little recourse against privacy violations. During one 12-month period, there were 2,776 incidents of NSA privacy violations, according to an internal NSA audit leaked by Snowden to The Washington Post in August 2013. Most of these violations involved spying on targets in the United States, including Americans.
A company that receives a search or surveillance order approved by the FISA Court has at its disposal an "explicit statutory mechanism" for challenging the legality of the order, according to an Aug. 29, 2013, declassified opinion by FISA Court Judge Claire Eagan. FISA Court orders, according to Eagan, can be reviewed by the FISA Court of Review and ultimately by the U.S. Supreme Court.
Despite the explicit statutory mechanism for challenging FISA Court orders, no recipient of an order to hand over bulk telephone metadata has ever filed such a challenge.
The difficulty in challenging FISA Court orders begins with the gag orders that accompany them. When Congress gave federal authorities expanded domestic spying powers in the 2001 Patriot Act, it also restricted the ability of the orders' recipients to discuss them.
Audit finds NSA broke privacy rules thousands of times annually
FISA Court Judge Claire Eagan's declassified opinion regarding an "explicit statutory mechanism"
Do businesses have to comply with information requests outlined in National Security Letters?
The FBI has issued hundreds of thousands of NSLs with accompanying gag orders since Congress passed the Patriot Act. In a case filed by the Electronic Frontier Foundation, however, Judge Susan Illston of the U.S. District Court for the Northern District of California found that the gag orders accompanying NSLs are unconstitutional.
The "pervasive use of nondisclosure orders, coupled with the government's failure to demonstrate that a blanket prohibition on recipients' ability to disclose the mere fact of receipt of an NSL is necessary to serve the compelling need of national security, creates too large a danger that speech is being unnecessarily restricted," Illston wrote in her March 12, 2013, decision. She ordered the FBI to quit issuing NSLs and to stop enforcing the accompanying gag orders. The government appealed the ruling May 6.
Some business owners, including former Calyx Internet Access owner Nicholas Merrill, have expressed allegiance to their customers' privacy rights as well as their own right to free speech when confronted with a warrantless demand for data. In 2004, Merrill resisted an NSL and turned to the American Civil Liberties Union to help challenge it in court.
Yahoo is one company known to have objected to a FISA Court order, according to a classified document published in 2013 by The New York Times. The court rejected Yahoo's challenge, writing that the government's "efforts to protect national security should not be frustrated by the courts."
The New York Times: Under secret court ruling, tech companies put in a bind
How difficult is it to challenge a National Security Letter?
Merrill's experience illustrates the enormous difficulty of challenging an NSL. Rather than comply with an FBI demand for confidential customer information absent a warrant, Merrill closed down his small Internet service provider business and filed a lawsuit with the ACLU's assistance.
"Living under the gag order has been stressful and surreal," Merrill wrote in an anonymous op-ed published in The Washington Post March 23, 2007. "Under the threat of criminal prosecution, I must hide all aspects of my involvement in the case -- including the mere fact that I received an NSL -- from my colleagues, my family and my friends. When I meet with my attorneys, I cannot tell my girlfriend where I am going or where I have been. I hide any papers related to the case in a place where she will not look. . . . At some point -- a point we passed long ago -- the secrecy itself becomes a threat to our democracy."
After a court battle, the government settled with Merrill in August 2010. He was then permitted to reveal himself publicly in connection with the case. In an editorial published Oct. 25, 2011, he revealed himself as the author of the 2007 Washington Post op-ed. He and the other parties are still not permitted to discuss the facts surrounding the NSL, however.
As a result of the case, the FBI is now required to notify NSL recipients that they have the right to challenge the letters in court.
Merrill's 2007 Washington Post op-ed: My National Security Letter Gag Order
Electronic Frontier Foundation: NSLs are "frightening and invasive"