Few Companies Fight Patriot Act Gag Orders, FBI Admits

Photo: Chotda/Flickr

Since the Patriot Act broadly expanded the power of the government to issue National Security Letters demanding customer records, more than 200,000 have been issued to U.S. companies by the FBI. But the perpetual gag orders that accompany them are rarely challenged by the ISPs and other recipients served with such letters.

Just how rare these challenges are became more evident following the recent release of a 2010 letter from the Justice Department to a federal lawmaker.

In December 2010 in a letter (.pdf) from Attorney General Eric Holder to Senator Patrick Leahy (D-Vermont), the FBI asserted that in February 2009 it began telling recipients they had a right to challenge the built-in gag order that prevents them from disclosing to anyone, including customers, that the government is seeking customer records. That policy was mandated by a 2008 appellate court decision, which found that the never-ending, hard-to-challenge gag order was unconstitutional.

Holder noted, however, that in the year and 10 months since the FBI started notifying recipients of this right, only a small handful had asserted that right.

“Thus far, there have been only four challenges to the non-disclosure requirement,” Holder wrote, “and in two of the challenges, the FBI permitted the recipient to disclose the fact that an NSL was received.”

This contradicts a statement made by an FBI spokeswoman in March when Threat Level asked for statistics on the number of times that National Security Letter gag orders had been challenged.

Spokeswoman Kathleen Wright said at the time in an e-mail, “There are no stats” available for the number of challenges, and, “There has been one instance where a NSL nondisclosure order was lifted voluntarily by the FBI.”

NSLs have been used since the 1980s, but the usage ballooned after 9/11 and the passage of the U.S. Patriot Act, which gave the FBI increased authority to issue them and expanded the kinds of records that could be obtained with them.

NSLs are written demands from the FBI that compel internet service providers, credit companies, financial institutions and others to hand over confidential records about their customers, such as subscriber information, phone numbers and e-mail addresses, websites visited and more.

NSLs are a powerful tool because they do not require court approval, and they come with a built-in gag order. An FBI agent looking into a possible anti-terrorism case can essentially self-issue the NSL to a credit bureau, ISP or phone company with only the sign-off of the Special Agent in Charge of their office. The FBI has to merely assert that the information is “relevant” to an investigation.

The gag orders raise the possibility for extensive abuse of NSLs under the cover of secrecy. And, in fact, in 2007 a Justice Department Inspector General audit found that the FBI had indeed abused its authority and misused NSLs.

The FBI has sent out nearly 300,000 NSLs since 2000, about 50,000 of which have been sent out since the new policy for challenging NSL gag orders went into effect. Last year alone, the FBI sent out 16,511 NSLs requesting information pertaining to 7,201 U.S. persons.

Holder’s letter was released to the American Civil Liberties Union last month as part of a year-old Freedom of Information Act request that the ACLU filed with the Justice Department in March 2011.

Since Holder wrote the letter, the number of gag order challenges has risen to at least five. In March, Threat Level reported that an unnamed company had challenged a National Security Letter it had received earlier this year.

The latest challenge occurred sometime around the end of January, when an unknown provider of communication services in the United States — possibly a phone company, or perhaps even Twitter — got a letter from the FBI demanding it turn over information on one, or possibly even hundreds, of its customers.

The company, identified only as a corporation “with employees dispersed across the world” that offers electronic communication services to customers and account holders, was told to hand over “electronic communications transaction” records of an unidentified target or targets. The NSL specifically excluded the contents of the communications – instead seeking transactional records, which in the case of an email provider would include who emails were sent or received from and for an ISP, the records of what websites a person visited and IP addresses assigned to the customer.

The FBI instructed the company to never disclose the existence of the demand to anyone – in particular, the target of the investigation.

The NSL indicated that the company had 10 days to challenge the gag order if it intended to do so. The company did so via fax, telling the Bureau that it wanted to tell its customer that he or she was being targeted, which would give the customer a chance to fight the request in court. The Justice Department then took the issue to federal court, where it filed a request for a court order to force the company to adhere to the gag order.

In its petition, the government asserted that disclosure of the fact or contents of its NSL “may endanger the national security of the United States” and urged the court to issue an order binding the company to the nondisclosure provision, or be in violation of federal law and face contempt charges.

The documents in the case were redacted to hide the identity of the company and the target of the investigation, and subsequent filings in the case have been sealed at the government’s request.

The public has been made aware of only a handful of NSLs handed out over the last decade, and only because they became public after the recipients launched legal battles opposing them. As a result of these battles, courts have chipped away at the gag order requirement as a violation of the First Amendment.

Before a federal appeals court struck down some of the gag provisions of NSLs, ISPs and other companies that wanted to challenge the orders had to file suit in secret in court – now companies can simply notify the FBI in writing that they oppose the gag order.

In 2007 the Internet Archive challenged an NSL it received seeking information about one of the online library’s registered users. The Electronic Frontier Foundation challenged the constitutionality of the NSL, which ultimately resulted in the FBI rescinding the NSL and agreeing to unseal the records in the court battle. It was the first extensive look the public got at the nature of the NSL process.

In 2010, Nicholas Merrill won a six-year battle to lift a gag order in relation to an NSL that he received in 2004 when he was owner of a small ISP called Calyx Internet Access. Merrill and the ACLU filed a legal challenge under the name “John Doe,” since they weren’t allowed to identify Merrill or the name of his ISP. The ACLU asserted that customer records were constitutionally protected information.

In December 2008, the Second Circuit Court of Appeals ruled that some of the gag provisions in NSLs were unconstitutional — in part because they limited judicial review of the gag orders and forced courts to defer to the government’s assertions about the necessity of a gag order, and in part because they thwarted the ability of recipients to challenge the gag order. The case was sent back to the U.S. District Court for the Southern District of New York, forcing the government to justify the constitutionality of the gag order imposed on Merrill.

The ACLU worked hard to negotiate a partial gag-lift with the government that allowed Merrill to finally identify himself in 2010, while still keeping the details of the NSL he had received secret. In return, Merrill and the ACLU agreed to drop their appeal of the case.

The case helped expose the secrecy around NSLs and resulted in some First Amendment progress for entities receiving such requests — Congress amended the law to allow recipients to challenge NSLs and gag orders, and the FBI must now also prove in court that disclosure of an NSL would harm a national security case.

Number of NSLs Issued by the FBI

2000 8,500
2001 Unknown
2002 Unknown
2003 39,346
2004 56,507
2005 47,221
2006 49,425
2007 16,804
2008 24,744
2009 14,788
2010 24,287
2011 16,511
Total 289,633

(Source: DoJ reports)

California, Congress Move to Keep Facebook Passwords Private From Employers

California’s Assembly passed legislation Thursday that would forbid employers or prospective employers from demanding access to employees’ personal, private online lives, such as their Facebook accounts.

The development comes a day after Sen. Richard Blumenthal (D-Connecticut) and Reps. Martin Heinrich (D-New Mexico) and Ed Perlmutter (D-Colorado) proposed similar legislation on the federal level. The idea is a response to a handful of reports of employers demanding such access.

California’s bill, if ultimately adopted, would follow a Maryland law approved last month preventing employers from demanding passwords as a condition of employment. At least three other states are mulling similar bills.

The federal legislation, which would be binding on all of the states, was pushed by the American Civil Liberties Union, which said its time has come.

“It’s an issue. It’s clearly happening,” Christopher Calabrese, the ACLU’s legislative counsel, said in a telephone interview Thursday. “I feel confident we have to start drawing the line somewhere. This is a pretty good line to draw.”

The federal measures, which have not been to committee, have a few loopholes. They do not cover students nor do they protect university or other students from their administrators.

It’s no trivial matter of what private data could be gathered by an employee giving up a Facebook password. Accessing somebody’s Facebook account would grant them the rights to see all of their private Facebook text messages, pictures and even Facebook e-mails. The same kind of information is held by Google Plus, which is part of a Google package of online services that includes e-mail, voicemail, texting, documents and even private blogs.

Facebook had made a public splash announcing that employer-password requests are a violation of its Statement of Rights and Responsibilities, which widely bans sharing or soliciting Facebook passwords.

Facebook’s chest-thumping aside, the social-networking site in 2010 settled a privacy lawsuit for $9.5 million while denying it illegally breached the privacy of its users under its now-defunct Beacon program. That mostly abandoned system published what Facebook users were buying or renting from Blockbuster, Overstock and other locations without their permission.

Reports of employers demanding passwords have been sporadic, and don’t appear to be a common practice yet.

In June 2009, the city of Bozeman, Montana, made headlines when it was revealed that its job application forms asked for usernames and passwords for the job seekers’ accounts on “social networking,” including everything from Facebook and Twitter to YouTube and Google. Earlier this year, the American Civil Liberties Union took aim at the Maryland Department of Corrections after it asked a Maryland man for his Facebook credentials during a recertification interview. And the Calgary Herald reported on a similar incident in Canada.

Photo: Scott Beale/Flickr

Unwanted Apps in Google Play Pose as Fake AV

In recent years one of the most prevalent malware threats for PCs (and lately Mac users) is fake-antivirus software, which pretends to be a legitimate security program. Its real purpose is to charge victims a fee to remove a nonexistent threat. The same threat has now been ported to mobile devices. In some cases we see the same or similar behavior: getting revenue from users via SMS messages to a premium-rate number or malware that poses as security software to encourage users to install a malicious app (such as Android/Zitmo.F).

Recently 17 suspicious applications, uploaded by the developer thasnimola, were found in the official Google Play market:

Most of them use a shield as an icon to show that they could be related to “protection” software but some of them also use non-AV names and descriptions with popular keywords like “free,” “Video Downloader,” “Call recorder,” and “sms” to attract users’ attention and encourage the installation of the app. One interesting app is Top Free, which claims “Fast and lightweight malicious app protection for your phone.” Looking at this one further, it is clear that Top Free pretends to be AV software because it uses the screenshots of legitimate AV software as its own:

Some of them also use an “Antivirus FREE” banner on the app’s web page:

However, unlike fake-antivirus software threats for PCs and Macs, these applications do not gain revenue from users by detecting nonexistent Android malware. Instead, these apps make money using a more legitimate method: advertisements. All the suspicious apps were created using the same free online service used to create the Android/DIYDoS hack tool. For this reason the behavior is nearly same: When the application is executed, a WebView component shows the contents of a URL that is stored in an XML file inside the res/raw folder:

One difference between these apps and Android/DIYDoS is that these include an advertisement module–provided by the online service–that creates the applications which send sensitive device information (IMEI, GPS coordinates) to a remote server:

Here is the complete list of the unwanted applications that we reported to Google:

App Name Package Installs (Google Play)
love sms com.wDictionarye 100-500
jokes com.wcopywap2 100-500
video convertor com.whackmanmobisms 100-500
send free sms com.wPhotoscapeyy 100-500
sms sender com.wcopywap6 100-500
top free com.wcopywap4 100-500
friendship sms com.wvideodown2 100-500
hissam sms collections com.wcall 100-500
top free sms com.wcopywap5 10-50
sms free com.wSpokenEnglisheee 10-50
free message sender com.wcopywapphoto 10-50
shayaries com.wTabla 1-5
sms com.whissamsmscollections 1-5
sms collections com.wChromea 1-5
free call recorder com.wfreecallrecorder N/A
youtube video downloader com.wvideo9 N/A
free sms com.whissamsmscollections2 N/A


All of these have already been removed from Google Play. If you have enabled  detection for potentially unwanted programs (PUPs, our default setting), then McAfee Mobile Security for Android will detect these apps as Android/DIYAds.

Apple Releases Multiple Security Updates

Apple has released security updates for Apple OS X and Safari to address multiple vulnerabilities for the following products:

  • Safari 5.1.7 for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion Server v10.7.4, OS X Lion v10.7.4, Windows 7, Vista, XP SP2 or later
  • OS X Lion v10.7.4 and Security Update 2012-002 for OS X Lion v10.7 to v10.7.3, OS X Lion Server v10.7 to v10.7.3, Mac OS X v10.6.8, Mac OS X Server v10.6.8

Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, operate with elevated privileges, cause a denial-of-service condition, or perform a cross-site scripting attack.

US-CERT encourages users and administrators to review Apple articles HT5281 and HT5282 and apply any necessary updates to help mitigate the risks.

This product is provided subject to this Notification and this Privacy & Use policy.