Since the Patriot Act broadly expanded the power of the government to issue National Security Letters demanding customer records, more than 200,000 have been issued to U.S. companies by the FBI. But the perpetual gag orders that accompany them are rarely challenged by the ISPs and other recipients served with such letters.

Just how rare these challenges are became more evident following the recent release of a 2010 letter from the Justice Department to a federal lawmaker.

In December 2010 in a letter (.pdf) from Attorney General Eric Holder to Senator Patrick Leahy (D-Vermont), the FBI asserted that in February 2009 it began telling recipients they had a right to challenge the built-in gag order that prevents them from disclosing to anyone, including customers, that the government is seeking customer records. That policy was mandated by a 2008 appellate court decision, which found that the never-ending, hard-to-challenge gag order was unconstitutional.

Holder noted, however, that in the year and 10 months since the FBI started notifying recipients of this right, only a small handful had asserted that right.

“Thus far, there have been only four challenges to the non-disclosure requirement,” Holder wrote, “and in two of the challenges, the FBI permitted the recipient to disclose the fact that an NSL was received.”

This contradicts a statement made by an FBI spokeswoman in March when Threat Level asked for statistics on the number of times that National Security Letter gag orders had been challenged.

Spokeswoman Kathleen Wright said at the time in an e-mail, “There are no stats” available for the number of challenges, and, “There has been one instance where a NSL nondisclosure order was lifted voluntarily by the FBI.”

NSLs have been used since the 1980s, but the usage ballooned after 9/11 and the passage of the U.S. Patriot Act, which gave the FBI increased authority to issue them and expanded the kinds of records that could be obtained with them.

NSLs are written demands from the FBI that compel internet service providers, credit companies, financial institutions and others to hand over confidential records about their customers, such as subscriber information, phone numbers and e-mail addresses, websites visited and more.

NSLs are a powerful tool because they do not require court approval, and they come with a built-in gag order. An FBI agent looking into a possible anti-terrorism case can essentially self-issue the NSL to a credit bureau, ISP or phone company with only the sign-off of the Special Agent in Charge of their office. The FBI has to merely assert that the information is “relevant” to an investigation.

The gag orders raise the possibility for extensive abuse of NSLs under the cover of secrecy. And, in fact, in 2007 a Justice Department Inspector General audit found that the FBI had indeed abused its authority and misused NSLs.

The FBI has sent out nearly 300,000 NSLs since 2000, about 50,000 of which have been sent out since the new policy for challenging NSL gag orders went into effect. Last year alone, the FBI sent out 16,511 NSLs requesting information pertaining to 7,201 U.S. persons.

Holder’s letter was released to the American Civil Liberties Union last month as part of a year-old Freedom of Information Act request that the ACLU filed with the Justice Department in March 2011.

Since Holder wrote the letter, the number of gag order challenges has risen to at least five. In March, Threat Level reported that an unnamed company had challenged a National Security Letter it had received earlier this year.

The latest challenge occurred sometime around the end of January, when an unknown provider of communication services in the United States — possibly a phone company, or perhaps even Twitter — got a letter from the FBI demanding it turn over information on one, or possibly even hundreds, of its customers.

The company, identified only as a corporation “with employees dispersed across the world” that offers electronic communication services to customers and account holders, was told to hand over “electronic communications transaction” records of an unidentified target or targets. The NSL specifically excluded the contents of the communications – instead seeking transactional records, which in the case of an email provider would include who emails were sent or received from and for an ISP, the records of what websites a person visited and IP addresses assigned to the customer.

The FBI instructed the company to never disclose the existence of the demand to anyone – in particular, the target of the investigation.

The NSL indicated that the company had 10 days to challenge the gag order if it intended to do so. The company did so via fax, telling the Bureau that it wanted to tell its customer that he or she was being targeted, which would give the customer a chance to fight the request in court. The Justice Department then took the issue to federal court, where it filed a request for a court order to force the company to adhere to the gag order.

In its petition, the government asserted that disclosure of the fact or contents of its NSL “may endanger the national security of the United States” and urged the court to issue an order binding the company to the nondisclosure provision, or be in violation of federal law and face contempt charges.

The documents in the case were redacted to hide the identity of the company and the target of the investigation, and subsequent filings in the case have been sealed at the government’s request.

The public has been made aware of only a handful of NSLs handed out over the last decade, and only because they became public after the recipients launched legal battles opposing them. As a result of these battles, courts have chipped away at the gag order requirement as a violation of the First Amendment.

Before a federal appeals court struck down some of the gag provisions of NSLs, ISPs and other companies that wanted to challenge the orders had to file suit in secret in court – now companies can simply notify the FBI in writing that they oppose the gag order.

In 2007 the Internet Archive challenged an NSL it received seeking information about one of the online library’s registered users. The Electronic Frontier Foundation challenged the constitutionality of the NSL, which ultimately resulted in the FBI rescinding the NSL and agreeing to unseal the records in the court battle. It was the first extensive look the public got at the nature of the NSL process.

In 2010, Nicholas Merrill won a six-year battle to lift a gag order in relation to an NSL that he received in 2004 when he was owner of a small ISP called Calyx Internet Access. Merrill and the ACLU filed a legal challenge under the name “John Doe,” since they weren’t allowed to identify Merrill or the name of his ISP. The ACLU asserted that customer records were constitutionally protected information.

In December 2008, the Second Circuit Court of Appeals ruled that some of the gag provisions in NSLs were unconstitutional — in part because they limited judicial review of the gag orders and forced courts to defer to the government’s assertions about the necessity of a gag order, and in part because they thwarted the ability of recipients to challenge the gag order. The case was sent back to the U.S. District Court for the Southern District of New York, forcing the government to justify the constitutionality of the gag order imposed on Merrill.

The ACLU worked hard to negotiate a partial gag-lift with the government that allowed Merrill to finally identify himself in 2010, while still keeping the details of the NSL he had received secret. In return, Merrill and the ACLU agreed to drop their appeal of the case.

The case helped expose the secrecy around NSLs and resulted in some First Amendment progress for entities receiving such requests — Congress amended the law to allow recipients to challenge NSLs and gag orders, and the FBI must now also prove in court that disclosure of an NSL would harm a national security case.

Number of NSLs Issued by the FBI

2000 8,500 2001 Unknown 2002 Unknown 2003 39,346 2004 56,507 2005 47,221 2006 49,425 2007 16,804 2008 24,744 2009 14,788 2010 24,287 2011 16,511 Total 289,633

(Source: DoJ reports)