The Department of Justice released a report Thursday that reviewed the FBI's use of national security letters in 2006 and the steps the FBI has taken to correct problems identified in last year's report on the use of NSLs. The report acknowledged that the bureau had made some limited progress in reforming the NSL process, but warned that more changes were still needed.

A national security letter is a controversial legal device that allows the FBI to demand certain kinds of business records about Americans without judicial oversight. They are typically delivered to telephone companies, Internet service providers, and financial institutions. The letters have been in use since the 1980s, but their use was dramatically expanded by the Patriot Act in 2001. The Patriot Act allows the government to threaten recipients of the letters with criminal prosecution if they reveal to anyone that they have received the letters. On a few occasions, this "gag order" provision has been successfully challenged in court, but ignoring a gag order still carries legal risks.

In his first report on NSLs, released in March 2007, Inspector General Glenn Fine inspected a few hundred NSLs issued by the FBI between 2003 and 2005 and found dozens that had been issued "improperly." Given that a total of 143,000 NSLs were issued during that period, the results suggested that hundreds, and probably thousands, of improper NSLs were issued from 2003 to 2005.

Last week's report extended that analysis to 2006. The FBI issued more than 48,000 NSLs during 2006. The OIG found that NSL abuses continued in 2006, and that "the FBI sought or obtained records or other information on thousands of telephone numbers outside the normal approval process, some of which were associated with improper NSLs, exigent letters, and other informal requests." It also warned that due to deficiencies in the FBI's internal tracking system, reports to Congress have understated the use of NSLs by the FBI. Last week's report did not cover the use of "exigent letters," the legally dubious practice of asking businesses to voluntarily turn over their customers' private records before receiving a legally binding NSL. Exigent letters will be the subject of a follow-up report to be released in the coming months.

"Significant progress"

The FBI has taken pains to emphasize that the 2006 abuses occurred before the release of the original OIG report a year ago. In the last year, the FBI has taken steps to prevent further abuses. The bureau has created an Office of Integrity and Compliance to ensure compliance with legal requirements regarding the use of NSLs. It has issued new legal guidance for FBI agents to follow. It has also instituted mandatory training sessions for FBI personnel. The OIG report praised these steps as "significant progress" toward reducing the abuse of national security letters. But it also found that the FBI needed to do much more to ensure that the abuses do not recur.

For example, in last year's report, the inspector general recommended that the FBI implement a system to tag information derived from national security letters so they could be distinguished from data gathered using ordinary investigative activities. That would assist FBI agents in ensuring that information ostensibly obtained for anti-terrorism or counter-espionage purposes is not used for ordinary criminal investigations. But an FBI working group concluded that such tagging would be burdensome and would provide few privacy benefits. Last week's report disagreed, urging the FBI to "give additional consideration" to the issue.

The report faulted the FBI for assigning only 14 personnel to its Office of Integrity and Compliance. At this staffing level, the report warned, the office "appears to serve as a coordinator rather than an entity with sufficient independent resources and a capability to identify and assess compliance risks." Inadequate staffing would mean that most oversight would consist of each department evaluating its own activities.

This danger is illustrated by the internal review of NSL usage that the FBI conducted in response to last year's OIG report. Fine found that the FBI's internal auditors tended to "understate the severity" of problems with the use of NSLs by categorizing them as "administrative errors." These included hundreds of cases where inadequate record-keeping had made it impossible to determine whether the law had been followed. The FBI's audit was also far more likely to fault third parties for NSL problems than was Fine: The FBI found that 1 percent of NSL requests had problems attributable to the actions of the FBI, while 8 percent had problems attributable to errors on the part of the NSL recipient. In contrast, Fine's audit found that 4 percent of NSLs had errors by FBI personnel, while only 3 percent had problems attributable to the recipient.

The importance of judicial oversight

These results suggest that procedural reforms within the FBI will never be sufficient to ensure that the law is followed. FBI personnel will inevitably be biased in favor of their fellow FBI officials. The creation of the FBI's Office of Integrity and Compliance is especially ironic because the federal government already has an "integrity and compliance" unit. It's called the judicial branch. Rather than trying to create a separate system of checks and balances within the FBI, the feds should take advantage of the system of checks and balances we already have. Administrative reforms are no substitute for genuine judicial oversight. Regardless of the number of layers of review, the sophistication of the FBI's tracking system, or the amount of time its personnel spend in training, there will always be a temptation to cut corners unless the issuance of NSLs is subject to scrutiny from outside the FBI hierarchy.

We are only now learning about NSL abuses that occurred in 2006. This suggests that we won't learn about 2007 abuses until 2009, and abuses happening today won't be revealed until 2010. After-the-fact investigations and procedural reforms are no substitute for case-by-case judicial oversight. Once abuses have occurred, there isn't a lot that can be done about them. Only by having a judge review each and every national security letter—before it's issued—can we be confident that the abuses identified in recent OIG reports will not recur in the future.