The F.B.I. has used secret subpoenas to obtain personal data from far more companies than previously disclosed, newly released documents show.
The requests, which the F.B.I. says are critical to its counterterrorism efforts, have raised privacy concerns for years but have been associated mainly with tech companies. Now, records show how far beyond Silicon Valley the practice extends — encompassing scores of banks, credit agencies, cellphone carriers and even universities.
The demands can scoop up a variety of information, including usernames, locations, IP addresses and records of purchases. They don’t require a judge’s approval and usually come with a gag order, leaving them shrouded in secrecy. Fewer than 20 entities, most of them tech companies, have ever revealed that they’ve received the subpoenas, known as national security letters.
The documents, obtained by the Electronic Frontier Foundation through a Freedom of Information Act lawsuit and shared with The New York Times, shed light on the scope of the demands — more than 120 companies and other entities were included in the filing — and raise questions about the effectiveness of a 2015 law that was intended to increase transparency around them.
“This is a pretty potent authority for the government,” said Stephen Vladeck, a law professor at the University of Texas who specializes in national security. “The question is: Do we have a right to know when the government is collecting information on us?”
The documents provide information on about 750 of the subpoenas — representing a small but telling fraction of the half-million issued since 2001, when the Patriot Act expanded their powers.
The credit agencies Equifax, Experian and TransUnion received a large number of the letters in the filing. So did financial institutions like Bank of America, Western Union and even the Federal Reserve Bank of New York. All declined to explain how they handle the letters. An array of other entities received smaller numbers of requests — including Kansas State University and the University of Alabama at Birmingham, probably because of their role in providing internet service.
Albert Gidari, a lawyer who long represented tech and telecommunications companies and is now the privacy director at Stanford’s Center for Internet and Society, said Silicon Valley had been associated with the subpoenas because it was more willing than other industries to fight the gag orders. “Telecoms and financial institutions get little attention,” he said, even though the law specifically says they are fair game.
The Federal Bureau of Investigation determined that information on the roughly 750 letters could be disclosed under a 2015 law, the USA Freedom Act, that requires the government to review the secrecy orders “at appropriate intervals.”
The Justice Department’s interpretation of those instructions has left many letters secret indefinitely. Department guidelines say the gag orders must be evaluated three years after an investigation starts and also when an investigation is closed. But a federal judge noted “several large loopholes,” suggesting that “a large swath” of gag orders might never be reviewed.
According to the new documents, the F.B.I. evaluated 11,874 orders between early 2016, when the rules went into effect, and September 2017, when the Electronic Frontier Foundation, a digital rights group, requested the information.
“We are not sure the F.B.I. is taking its obligations under USA Freedom seriously,” said Andrew Crocker, a lawyer with the foundation. “There still is a huge problem with permanent gag orders.”
The Justice Department declined to comment.
National security letters, which the F.B.I. has issued since the 1980s, have long been a point of contention in the debate over privacy and security. Initially, the bureau had to show “specific and articulable facts” indicating that the target was an agent of a foreign power. Now, the F.B.I. must certify that the information is “relevant” to a terrorism, counterintelligence or leak investigation.
“NSLs are an indispensable investigative tool,” the Justice Department argued in the Freedom of Information Act case. The department has said in legal documents that the information gleaned from the letters is important to identifying subjects and their associates, while helping to clear the innocent of suspicion.
According to a 2007 report from the Justice Department inspector general, the F.B.I. didn’t track how often information from the letters was used in criminal proceedings. But the report also said the letters had led to guilty pleas for arms trading, at least one conviction for material support of terrorism, and multiple charges of fraud and money laundering. The tool was also cited in efforts to investigate Russian meddling in the 2016 election.
Much of the concern about the letters has focused on the gag orders, which accompany nearly every request and prevent the recipient — typically indefinitely — from disclosing even the existence of the letter. The federal government has argued that the secrecy is necessary to avoid alerting targets, giving would-be terrorists clues about how the government conducts its surveillance or hurting diplomatic relations.
After a series of court rulings found that the gag orders violated First Amendment protections, Congress enacted the review requirements.
The documents obtained through the lawsuit include the number of orders reviewed, as well as redacted copies of 751 letters from the F.B.I. informing companies and organizations their gag orders had been lifted. These so-called termination letters do not reveal the contents of the original national security letters, but indicate which entities received them.
Because so few gag orders have been reviewed and rescinded, it isn’t possible to say whether the companies that received the most termination letters also received the most national security letters. But given the overall secrecy around the program, the termination letters offer a rare glimpse into these subpoenas.
Equifax, Experian and AT&T received the most termination letters: more than 50 each. TransUnion, T-Mobile and Verizon each received more than 40. Yahoo, Google and Microsoft got more than 20 apiece. Over 60 companies received just one.
The underlying national security letters were not included in the documents, and it is unclear when most of them were issued and who the individual targets were.
Tech companies have disclosed more information about the letters they received than the major phone providers, which included general information about them in transparency reports.
“We have fought for the right to be transparent about our receipt” of national security letters, Richard Salgado, Google’s director of law enforcement and information security, said in a 2016 statement explaining why the company was releasing the subpoenas. “Our goal in doing so is to shed more light on the nature and scope” of the requests, he added.
Other companies have generally remained mum. In response to inquiries, a TransUnion spokesman would say only that the company “has not disclosed the receipt of any national security letters.” A spokesman for Equifax said it was “compliant with the national security letters process.”
Mr. Gidari, the former tech lawyer, attributed some of that lack of reporting to differences in company culture, noting that tech firms were more predisposed to openness, and financial institutions less likely to discuss any outside access to customer data. And most small companies, he said, don’t have the resources to keep long-term track of or challenge the subpoenas.
“That’s the problem with the Freedom Act: It procedurally pretended to solve the problem,” he said. “But the whole structure of this involves presumption in favor of the government for perpetual sealing.”