Targets of NSLs can't challenge them because ISPs can't tell the target about them.

A federal appeals court is giving the Federal Bureau of Investigation a big boost when it comes to secretly investigating national security affairs. The 9th US Circuit Court of Appeals on Monday upheld federal rules prohibiting companies from promptly disclosing to customers that the FBI is demanding a user's private data with a National Security Letter (NSL).

The FBI annually issues thousands of so-called NSLs to ISPs, financial institutions, and telephone companies. A judge's signature is not required, and targets of NSLs cannot challenge them because they don't know they exist.

The Electronic Frontier Foundation, on behalf of Cloudfare and CREDO Mobile, brought a challenge to the gag orders under the First Amendment. They argued that the gag orders burdened the speech of companies that receive them. A federal judge in 2013 agreed and declared NSLs unconstitutional for that reason.

Sounds of silence

In the aftermath, however, Congress and the Justice Department slightly tinkered with the gag rule. A lower court and now a federal appeals court have concluded that the revised gag rule does not infringe the First Amendment rights of companies that receive NSL user-data requests.

Under the revised silencing protocol, the FBI must review the need for the nondisclosure requirement of an NSL three years after the initiation of a full investigation and at the closure of the investigation. The bureau must terminate the nondisclosure requirement when the investigation is closed or when the "facts no longer support nondisclosure," a lower court had ruled (PDF).

A federal appeals court on Monday upheld that ruling and said that because of those alterations, the nondisclosure requirement "does not run afoul of the First Amendment" (PDF).

Because of this new disclosure policy, the public recently got one of its first glimpses of what an NSL looks like. Data sought by the government included the IP addresses of everyone a target has corresponded with and records of all their online purchases.

Andrew Crocker, a staff attorney with the Electronic Frontier Foundation, said Monday that the digital rights group was exploring its options on whether it would appeal the ruling. "Our position, in general, is when an ISP gets an NSL, they should tell the user so that they can contest that request," Crocker said in a telephone interview.

The Justice Department did not immediately comment.

Authorized investigation

With an NSL, the FBI must inform the ISP that the records sought "are relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities" and that the investigation "is not conducted solely on the basis of activities protected by the First Amendment."

Outside the national security context, government requests for user data usually require probable-cause warrants with a judge's signature. In those circumstances, the company that received the warrant generally may inform the target about the warrant so the target may challenge it in court. Under the appellate court's ruling Monday, that cannot happen with NSLs unless there is permission from the FBI or a federal court. As the case decided Monday demonstrates, any legal attempt toward acquiring that permission would necessitate legal action by the company that received the NSL.