EFF: Telcos over-disclose private data to FBI

Investigation violations.

The Electronic Frontier Foundation has found some United States' based internet service providers and telcos are “too willing” to comply with FBI requests for customer data, frequently disclosing too much information that ends up being kept in US Federal files.

The EFF has produced a report on “patterns of misconduct” in FBI investigation practices, based on 2,500 pages of documents it forced US agencies to hand over last year.

The documents revealed details of 768 violations by FBI personnel that were handed to the Intelligence Oversight Board – a Presidential-level body that is supposed to maintain oversight of US intelligence activities.

The EFF estimated that the FBI “may have committed as many as 40,000 violations” in the decade since 9/11.

Some of those violations related to internal oversight processes – with the documents revealing it took on average of 2.5 years for a suspected violation to be submitted to the Intelligence Oversight Board, according to EFF.

However, many more reported violations related to the FBI’s issue of National Security Letters (NSLs) – “secret administrative subpoenas used by the FBI to obtain records from third-parties without judicial review”, EFF said.

The types of information typically sought with an NSL included subscriber and billing information from telephone companies as well as “electronic communications services”.

The EFF said its analysis found the FBI “committed violations involving… telephone and electronic communications records twice as often as it did for financial and credit records” orders.

“Perhaps most startling, however, was the frequency with which companies receiving NSLs — phone companies, internet providers etc — contributed to the FBI’s NSL abuse,” EFF said.

“In over half of all NSL violations reviewed by EFF, the private entity receiving the NSL either provided more information than requested or turned over information without receiving a valid legal justification from the FBI.

“Companies were all too willing to comply with the FBI’s requests, and — in many cases — the Bureau readily incorporated the over-produced information into its investigatory databases.”

The EFF produced one case where the FBI sought “email header information for two email addresses” used by a US citizen. In response on two separate occasions, the email service provider “returned two CDs containing the full content of all emails in the accounts”.

The EFF has called for an investigation by Congress this month before portions of the US Patriot Act expire and are potentially renewed.