An ISP gets a call from an FBI agent demanding the delivery of sensitive customer information and ordering the ISP not to tell anyone anything about the transaction—ever. Soon after, the same demand follows in the form of a letter on official FBI stationery, even though the FBI has no subpoena or judicial authorization to request the data.
Does the ISP have to turn over the data?
No, according to a federal court, which recently struck down as unconstitutional a provision of the USA Patriot Act that allows the FBI to compel delivery of sensitive customer data from ISPs and other telecommunications companies without first getting a subpoena from a grand jury.
It isnt likely that such a letter "phrased in tones sounding virtually as biblical commandment" would not make an ordinary person apprehensive and ready to obey, wrote Judge Victor Marrero of the U.S. District Court for the Southern District of New York, upon throwing out the provision.
Because such an "ominous writ" essentially coerces the recipient into complying immediately without any opportunity to challenge its validity, Marrero ruled that it violates the Fourth Amendment safeguard against unreasonable search and seizure and the First Amendment right to free speech.
The decision is the latest in a series of legal defeats the Bush administration has suffered over police powers it has assumed since the terrorist attacks of Sept. 11, 2001. The lawsuit in the case was brought by an unnamed ISP and the American Civil Liberties Union, which filed it under seal to avoid violating the gag order provision in the statute.
For network operators that strive to ensure the privacy of customers personal data, the ruling is a relief, said Russ Ferguson, CEO of the American Alliance of Service Providers, in Triangle, Va.
"If ISPs release private information about clients and the proper channels arent taken, theres the possibility of liability against the ISPs themselves," Ferguson said. "If the government really needs information, it really isnt that difficult to go through the proper legal channels to get a subpoena."
Small ISPs, which do not maintain large legal staffs, will find the decision particularly welcome, said David Simpson, attorney for the California ISP Association in San Francisco. ISPs obligations to customers and to law enforcement under the Patriot Act were, at times, confusing, leaving unclear the proper procedures, Simpson said.
"You will find that a lot of ISPs want clarity," Simpson said. "A customers relationship with its ISP is not dissimilar to its relationship with the phone company. The customer has a reasonable expectation that his information is not shared with anyone outside of a subpoena."
Noting that the case is about the interplay of two fundamental principles—values and limits—the court ruled that the government went too far in curtailing personal freedoms in the name of national security if "all but the most powerfully endowed would feel impelled to remain cowered or content. ... In general, as our sunshine laws and judicial doctrine attest, democracy abhors undue secrecy, in recognition that public knowledge secures freedom."
The courts rebuke does not prevent the FBI from obtaining sensitive data from ISPs and phone companies; it requires only that the agency first get a subpoena.
Prior to the enactment of the Patriot Act, the FBI could use NSLs (National Security Letters) to demand data from banks, credit-reporting agencies, ISPs and phone companies—but only if it had specific facts showing a reason to believe that the data pertained to a suspected spy or possible terrorist. The Patriot Act eliminated the specific factual burden on the FBI.
Last months ruling does not address banks and credit-reporting agencies, but legal experts say it calls into question the constitutionality of the NSL authority regarding those institutions as well.
The court stayed its order for 90 days, giving the government an opportunity to appeal.