The FBI routinely uses secret orders known as national security letters to demand information that recipients might not actually have to give up, internal documents indicate. The letters are among the FBI’s most potent instruments, because they function like subpoenas without requiring the approval of a judge. Internal guidelines suggest that the bureau has been using them to pursue sensitive electronic data and phone records — despite the fact that such attempts overstep the bureau’s legal authority.

The Intercept obtained the FBI’s rules for national security letters as they are spelled out in two different guides: a document detailing current guidelines for agents using the letters and an uncensored 2011 version of the FBI’s main operating manual, the Domestic Investigations and Operations Guide, or DIOG. Both documents are marked “unclassified” or “for official use only.” The first document has not been previously released. The DIOG has been made public only in heavily redacted form.

The FBI issues thousands of NSLs each year. They are controversial in part because they carry the force of law but are created entirely outside the judicial system: To issue one, an FBI official just needs to attest that the information sought is relevant to a national security investigation. The letters have also been criticized because they are shrouded in secrecy. Companies that receive them are for the most part forbidden from notifying their customers or the public. The government has fought to keep even basic rules governing them secret.

The FBI’s internal guidelines suggest that the bureau uses the letters to demand sensitive information on email transactions — even though the Justice Department has specifically advised the FBI that it does not have the authority to use the letters this way. The documents also indicate that the FBI can use national security letters to surveil a “community of interest” by obtaining information from a business about a customer and every person that customer has contacted. This is a controversial practice that the bureau once halted amid scrutiny. But the documents reveal that a secretive unit that mines phone records can still initiate such requests.

Last June, Congress narrowly rejected a proposal to allow the FBI to use the letters to demand information like browsing history, email headers (not including subject lines), and, depending on your reading of the bill, possibly even some social media information. An amendment to a criminal justice funding bill making that change fell just two votes short of passage.

Even so, the newer document on NSL policy contains a reference to a “model NSL” the FBI uses to request “email transactional” data from companies and other organizations — despite the fact that the organizations are not obligated to provide such information.

The bureau has long used NSLs to obtain basic subscriber information from telecom companies. The Electronic Communications Privacy Act lists four types of information the bureau is allowed to obtain, including the name of the owner of an account, how long that person has owned it, the person’s address, and toll billing records, which show phone numbers called, the date and time of each call, and the length of each call. Several years ago, the FBI began using the letters to ask for email headers and internet browsing records — assuming that such queries were consistent with the bureau’s right to procure “basic subscriber information.” To that end, the bureau requested a broad category of information it sometimes refers to as “electronic communication transactional records.”

In 2008, Department of Justice lawyers clarified that the FBI didn’t actually have the legal authority to demand that technology companies hand over records outside of the four types listed. However, as The Intercept previously reported, the FBI disagreed with that conclusion and asked for such material anyway in a 2013 NSL it sent to Yahoo.

Some large companies like Facebook and Yahoo have refused to provide email and browsing data in response to such NSLs, but FBI agents may have expected that other companies, especially small ones, would be too ignorant or weak to fight back.

“The government’s position is: We can ask for anything analogous to toll billing records” — such as email and browsing data — “and if the providers are dumb enough to give it to us, that’s not our problem,” said Chris Soghoian, a technologist formerly with the American Civil Liberties Union.

The FBI guide to NSLs obtained by The Intercept references a set of “model NSLs” for agents to choose from; among the options are “email transactional NSL,” along with model letters for more conventional requests: “telephone subscriber NSL” and “telephone toll billing record NSL.”

“The existence of a standard form in the FBI’s NSL system suggests that this is not one or two agents that are misreading the statute, it’s policy,” said Soghoian of the “email transactional NSL.”

The 2011 DIOG obtained by The Intercept does delineate a few “sorts of records” that couldn’t be obtained through an NSL, at least in 2011, including social media friend lists and virtual property owned on platforms like Second Life. But neither guide specifies exactly how it defines toll billing records, which are expressly allowed, or “electronic transactional” data, the umbrella term that often appears in the letters.

Even when not explicitly asking for email or electronic transaction records, the FBI implies that toll billing records might include such data, said Al Gidari, a prominent national security attorney who has worked on NSL cases in the past. The language of the letters is ambiguous and “leaves the impression that the provider better think broadly about what a toll record is as opposed to ‘Hey, it’s up to you as to what you give us,’” Gidari said.

The Department of Justice’s inspector general found widespread misuse of NSLs at the FBI in the early 2000s, and the model letters in this case were, ironically, actually part of an effort to reform the NSL process. The idea was that an automated system for generating and submitting NSLs would prevent agents from issuing improper requests for information. In the case of “email transactional” NSLs, however, automation appears to have systematized the bureau’s contentious reading of the law.