By Kim Zetter
August 10, 2010 |
The owner of an internet service provider who mounted a high-profile court challenge to a secret FBI records demand has finally been partially released from a 6-year-old gag order that forced him to keep his role in the case a secret from even his closest friends and family. He can now identify himself and discuss the case, although he still can’t reveal what information the FBI sought.
Nicholas Merrill, 37, was president of New York-based Calyx Internet Access when he received a so-called “national security letter” from the FBI in February 2004 demanding records of one of his customers and filed a lawsuit to challenge it. His company was a combination ISP and security consultancy business that was launched in the mid-90s and had about 200 customers, Merrill said, many of them advertising agencies and non-profit groups.
Despite the fact that the FBI later dropped its demand for the records, Merrill was prohibited from telling his fiancée, friends or family members that he had received the letter or that he was embroiled in a lawsuit challenging its legitimacy. He occasionally showed up for court hearings about the case, but sat silently in the audience with other court observers. In 2007, he was prevented from publicly accepting an award for his courage from the American Civil Liberties Union, because he was not allowed to identify himself as the plaintiff in the case.
U.S. District Judge Victor Marrero in New York finally released Merrill partially from the gag order (.pdf) on July 30, which Merrill revealed publicly only on Monday.
“After six long years of not being able to tell anyone at all what happened to me – not even my family – I’m grateful to finally be able to talk about my experience of being served with a national security letter,” Merrill said in a statement. “Internet users do not give up their privacy rights when they log on, and the FBI should not have the power to secretly demand that ISPs turn over constitutionally protected information about their users without a court order. I hope my successful challenge to the FBI’s NSL gag power will empower others who may have received NSLs to speak out.”
A national security letter is an informal administrative letter the FBI can use to secretly demand customer records from ISPs, financial institutions, libraries, insurance companies, travel agencies, stockbrokers, car dealerships and others. NSLs have been used since the 1980s, but the Patriot Act, passed after the September 11, 2001 terrorist attacks, and a subsequent revision in 2003 expanded the kinds of records that could be obtained with an NSL.
With an NSL, the FBI does not need to seek a court order to obtain such records, nor does it need to prove just cause. An FBI field agent simply needs to draft an NSL stating the information being sought is “relevant” to a national security investigation.
The letters come with a life-long gag order, so businesses that receive such letters are prohibited from revealing to anyone, including customers who may be under investigation, that the government has requested records of transactions. Violation of a gag order can be punishable by up to five years in prison.
The gag orders raise the possibility for extensive abuse of NSLs, under the cover of secrecy. Indeed, in 2007, a Justice Department Inspector General audit found that the FBI, which issued almost 200,000 NSLs between 2003 and 2006, had abused its authority and misused NSLs.
In Merrill’s case, although the letter’s gag order “was totally clear that they were saying that I couldn’t speak to a lawyer” about it, he immediately contacted his personal attorney, and together they went to the ACLU in New York, which agreed to represent him.
“My gut feeling is I’m an American,” Merrill said, in an interview with Threat Level on Tuesday. “I always have a right to an attorney. There’s no such thing as you can’t talk to your attorney.
“I kind of felt at the beginning, so few people challenge this thing, I couldn’t just stand by and see, in my opinion, the basic underpinnings of our government undermined,” he continued. “I was taught about how sophisticated our system of checks and balances is . . . and if you really believe in that, then the idea of one branch of government just demanding records without being checked and balanced by the judicial just is so obviously wrong on the surface.”
Merrill and the ACLU filed the lawsuit under the name “John Doe,” challenging the legality of the letter and asserting that customer records were constitutionally protected information. Merrill said the NSL, which listed 16 categories of records, including e-mail and billing records, was “very broad.”
“It was kind of open ended,” he said. “It went through a list of things and then said ‘and anything else.’ The implication was just send us everything and the kitchen sink.”
Merrill wouldn’t say how many records he had that were relevant to the request but said in general, “In the most broad understanding of what is electronic communication transaction records, I probably had like thousands and thousands of records on each client, if you consider that you host things and you’re using software that creates log files. . . . ISPs have a lot of records on every client typically. They may have records of every time you posted something, of every web site you visited.”
Over the years the case progressed, Merrill was careful not to disclose his identity. At one point he attended a packed hearing — filled with law school students and media — but he was careful not to speak with anyone.
Friends began to question whether he was John Doe when he was publicly identified with a second case involving a grand jury subpoena from the Secret Service for customer records related to the news site IndyMedia. In that case, no gag order was imposed. Merrill said he was forced to lie when asked about John Doe or simply refused to answer.
“It put me in a very difficult position,” he said.
In 2007, the ACLU granted “John Doe” a liberty award, along with four Connecticut librarians who also filed a legal challenge over NSLs. Because of the gag order against Merrill, the ACLU had to present his award to an empty chair.
In December 2008, the Second Circuit Court of Appeals ruled that some of the NSL gag provisions were unconstitutional, in part because they limited judicial review of the gag orders and forced courts to defer to the government’s assertions about the necessity of a gag order and also thwarted the ability of recipients to challenge a gag order. The case was sent back to the U.S. District Court for the Southern District of New York, forcing the government to justify the constitutionality of the gag order imposed on Merrill.
In June 2009, the government introduced secret evidence to the court to justify continuing the gag order, claiming that if information were revealed about the letter it would harm an ongoing investigation. Merrill and his attorneys were prevented from learning the specifics of the evidence in order to refute it. The government was then ordered by the court to produce an unclassified summary of its evidence.
The ACLU worked hard to negotiate a partial gag-lift with the government that allowed Merrill to finally identify himself, while still keeping the details of the letter secret. In return, Merrill and the ACLU agreed to drop their appeal of the case.
Although the case helped expose the secrecy around NSLs and resulted in some First Amendment progress for entities receiving such requests — Congress amended the law to allow recipients to challenge NSLs and gag orders, and the FBI must now also prove in court that disclosure of an NSL would harm a national security case — the fight over NSLs is not over. The Obama administration has been seeking to expand the FBI’s power to demand internet activity records of customers without court approval or suspicion of wrongdoing. If granted, the data sought without a court order could expand to include web browser and search history, and Facebook friend requests.
“Even though this case has resulted in significant improvements to NSL procedures, innocent Americans’ private records remain too vulnerable to secret and warrantless data collection by the FBI,” said Melissa Goodman, staff attorney with the ACLU National Security Project in a statement. “At a minimum, the FBI should have to show individual suspicion before it issues an NSL for an individual’s personal information and invades Americans’ right to privacy and free speech on the Internet.”
The FBI’s use of national security letters to get information on Americans without a court order increased from 16,804 in 2007 to 24,744 in 2008. The 2008 requests targeted 7,225 U.S. people.
In the 2007 inspector general’s report, investigators found that the FBI had failed to adequately justify some letters, had evaded limits on (and sometimes illegally issued) NSLs to obtain phone, e-mail and financial information on American citizens, and had under-reported the use of NSLs to Congress.
About 60 percent of a sample of the FBI’s NSLs did not conform to Justice Department rules, and another 22 percent possibly violated the statute because they made improper requests of businesses or involved unauthorized collections of information.
Subsequently, the number of NSLs issued in 2007 dramatically dropped from 49,000 to 16,000, but has rebounded in recent years.
Merrill’s experience with the case has prompted him to launch a non-profit, the Calyx Institute, aimed at educating the technology and telecommunications industry and developing best practices and tools for safeguarding the privacy of customers.
“I feel there’s a lot of work to be done,” he said. “The case has made me realize that just one or two people standing up can have a great effect. I either want to inspire others to follow the example . . . or develop technology that makes it more difficult for people to be snooped on.”