It Turns Out CREDO Will Respond to Administration Subpoenas

It turns out CREDO will respond to simple administrative subpoenas.

That’s one thing their new Transparency Report — the first of its kind in the industry — reveals. They complied with 5 administrative subpoenas last year: 3 from the DEA, one from a police department, and one from a DA, a full third of all the disclosed requests they got and complied with.

So they’re not opposed, in principle, to information requests lacking any judicial review.

That’s not in the least bit surprising, but it is significant because CREDO is almost certainly the telecom that challenged an NSL asking solely for subscriber information back in 2011; Judge Susan Illston ruled in their favor last March.

That may or may not say anything new about its challenge. I had considered whether this suggested it got some kind of bulk request (my new obsession). But the actual request in the NSL doesn’t leave much space for any bulk request.

Screen shot 2014-01-10 at 2.35.48 PM

The reference to what the government had required on page 11 of its reply to the government is redacted, and the reference to subscriber information on the following page lacks any pronoun to qualify it. Its language attesting to its preference to notice its subscriber uses “the,” which seems to suggest an entity rather than a person. A quotation from the FBI’s declaration on page 27 suggests the target is a plural noun.

But most of the rest of the discussion in the provider’s filings and the opinion suggest CREDO (if it is CREDO) challenged the NSL because it deemed the request on a CREDO subscriber to infringe on that subscriber’s First Amendment rights which are implicated in choosing CREDO (see pages 24-5), as well as CREDO’s ability to fight NSLs and PATRIOT more generally.

There’s two more related items of interest in CREDO’s Transparency Report. It includes two passages on related legislation — one mapping out things it can’t comment on, and one mapping out its stance on various pieces of legislation.

It is important to note that it may not be possible for CREDO or any telecom carrier to release to the public a full transparency report, as the USA PATRIOT Act and other statutes give law enforcement the ability to prevent companies from disclosing whether or not they have received certain orders, such as National Security Letters (NSLs) and Section 215 orders seeking customer information.


CREDO supports the repeal the USA PATRIOT Act of 2001 and the FISA Amendments Act of 2008, and the passage of Rep. Rush Holt’s Surveillance State Repeal Act. Until full repeal can be achieved, CREDO has worked specifically to reform the worst abuses of both acts. This includes fighting to roll back the National Security Letter (NSL) provisions of the USA PATRIOT Act, and fighting to make FISA Court opinions public so that the American people know how the secret FISA court is interpreting the law. CREDO endorses the USA Freedom Act and the Amash Amendment, both aimed at halting the indiscriminate dragnet sweeping up the phone records of Americans. CREDO also opposes Senator Feinstein’s FISA Improvements Act which would codify the NSA’s unconstitutional program of surveillance by bulk collection.

Note it points to USA PATRIOT that prevents it from fully responding because it would be gagged in the case of both NSLs and Section 215 orders. (It made me wonder whether the government went and got a Section 215 order after Illston’s ruling.)

Then it describes opposing both PATRIOT and the FISA Amendments Act, which highlights FAA’s absence from CREDO’s list of statutes that limit its ability to fully respond.

Most telecoms would also be subject to FAA orders (incidentally: did you know telecom orders have been going up since 2012?). But CREDO is apparently not, for this reason.

Customer information refers to non-content information such a customer’s name, address, bill information, or handset or account information. Regarding the content of customer communications, CREDO does not receive or store the content of customer communications. This report includes only CREDO’s requests and does not include requests that may have been directed to another carrier.

I assume that Sprint (from which CREDO leases access) retains all CREDO’s customers’ content. If that’s right (and given the reference to “requests that may have been directed to another carrier,”) I wonder if the FBI initially served Sprint for this customer information based off content already collected.

Screen shot 2014-01-10 at 4.52.24 PM

It’s one possibility, I guess (though that would obviously weaken CREDO’s case, if they made it, that the FBI was infringing on its customer’s First Amendment choice to work with CREDO).

In any case, there are a few interesting new tidbits. And just as importantly, CREDO’s catalog of the requests it did get does lay an excellent standard for Verizon’s upcoming report.

A 15-Month Fight for Subscriber Information

The WSJ today presents a Whodunnit behind an NSL submitted to a cell company in spring 2011.

Early last year, the Federal Bureau of Investigation sent a secret letter to a phone company demanding that it turn over customer records for an investigation. The phone company then did something almost unheard of: It fought the letter in court.

The U.S. Department of Justice fired back with a serious accusation. It filed a civil complaint claiming that the company, by not handing over its files, was interfering “with the United States’ sovereign interests” in national security.

This is just the second time a challenge to an NSL has become public–the other being Calyx’s Nicholas Merrill, whom the WSJ also profiles this morning.

WSJ makes a compelling argument the company challenging the NSL is Credo, based in part on details that reveal the company has associational aspects in addition to its phone service. Assuming they’re right, I find it all the more interesting Credo is challenging not just the gag on this NSL, but the underlying order, particularly since the order asks for just the subscriber information–but not the call data–of the subscriber.

all subscriber information, limited to name, address, and length of service, for all services provided to or accounts held by the named subscriber and/or subscriber of the named account.

That is, this is by far the least invasive kind of NSL. Note, information elsewhere in this case is consistent with the possibility that this order seeks information on a group and not just an individual, though that may be boilerplate.

I’d be shocked if this were the first NSL Credo received, so there must be something about the request that makes it particularly worthwhile, from a Constitutional standpoint, to challenge (indeed, thus far a judge has not thrown out their challenge, so the possibility this subscriber is tied to a national security investigation can’t be obvious).

Credo may, after all, be challenging the order to protect the political speech of someone who has chosen to work with Credo because the company supports social causes. Or, if this is a group, it might be challenging an NSL to find out about the group’s recognizably political activities–though subscriber information doesn’t say much about that, unless this NSL would return, effectively, a membership list of a political organization.

But I’m wondering if Credo is also serving as a gate-keeper here. Credo doesn’t own its own lines; it’s just a reseller. And unless something has changed, it resells Sprint’s services. And Sprint is unique–at least as far as we know–for having set up a portal, L-Site, letting law enforcement access information, including precision location, directly.

I attended an invitation-only surveillance industry conference in Washington DC. It was at that event where I recorded an executive from Sprint bragging about the 8 million GPS queries his company delivered via a special website to law enforcement agencies in a 13 month period.

At that same event, Paul W. Taylor, the manager of Sprint/Nextel’s Electronic Surveillance team revealed that the wireless carrier also provides a next-generation surveillance API to law enforcement agencies, allowing them to automate and digitally submit their requests for user data:

“We have actually our LSite [Application Programming Interface (API)] is, there is no agreement that you have to sign. We give it to every single law enforcement manufacturer, the vendors, the law enforcement collection system vendors, we also give it to our CALEA vendors, and we’ve given it to the FBI, we’ve given it to NYPD, to the Drug Enforcement Agency. We have a pilot program with them, where they have a subpoena generation system in-house where their agents actually sit down and enter case data, it gets approved by the head guy at the office, and then from there, it gets electronically sent to Sprint, and we get it … So, the DEA is using this, they’re sending a lot and the turn-around time is 12-24 hours. So we see a lot of uses there.”

This case is noteworthy because it is a rare public challenge. It’s noteworthy because the government has claimed the telecom has no legal means to challenge the NSL.

But there seems to be more to the challenge which, given the likelihood WSJ correctly identified Credo as the company, seems to get at underlying political speech as well.

Thank You Nicholas Merrill

Today we learn the name of the guy who challenged the more abusive aspects of the National Security Letter program: Nicholas Merrill.

Now, following the partial lifting of his gag order 11 days ago as a result of an FBI settlement, Merrill can speak openly for the first time about the experience, although he cannot disclose the full scope of the data demanded.


On a cold February day in 2004, an FBI agent pulled an envelope out of his trench coat and handed it to Merrill, who ran an Internet startup called Calyx in New York. At the time, like most Americans, he had no idea what a national security letter was.

The letter requested that Merrill provide 16 categories of “electronic communication transactional records,” including e-mail address, account number and billing information. Most of the other categories remain redacted by the FBI.

Two things, he said, “just leaped out at me.” The first was the letter’s prohibition against disclosure. The second was the absence of a judge’s signature.

Thanks to Merrill’s–and the ACLU’s–challenge of the gag order on NSLs, the authority has been slightly circumscribed (even as the Obama Administration tries to expand it).

Merrill’s ISP sounds pretty small in the grand scheme of things. So why was Merrill the guy fighting for our Constitution and not–say–Ma Bell?

DOJ: Give Us More Powers Because We F*** Up So Often

I don’t have time to do this EFF report justice–so just go read the whole thing. It traces the story of one of FBI’s misuses of National Security Letters–and the way in which Robert Mueller, having misused the NSLs, used the story to claim FBI needed more investigative powers. The short version is:

  • The FBI used a grand jury subpoena to get the educational records of an NC State Chemical Engineering student suspected of ties to the London subway bombers.
  • Then, someone in FBI HQ effectively said, "No, let’s use our fancy new toy, the National Security Letter, even though National Security Letters don’t apply to academic records!"
  • So the FBI returned the records, and then submitted a NSL.
  • NC State, which apparently has better lawyers than AT&T and Verizon, read the law and said, "Golly, you can’t use an NSL to get academic records!" So they denied the request
  • The FBI then gave up on the NSL, submitted a second grand jury subpoena, and voila! They got the records they had originally gotten with a grand jury subpoena.
  • Robert Mueller went before Congress and claimed that the NSL process had resulted in a two-day delay in getting the records, which justified giving FBI more investigative powers. You will not be surprised to learn that Mueller didn’t reveal the real details behind the request for records.
  • The FBI did not report this incident to the Intelligence Oversight Board as a potential violation of civil liberties until two years later, at a time when the IG was already investigating the incident.

As I said, it’s worth reading the entire EFF report, particularly its list of open questions about the incident.

But for now, I just wanted to point the the incident as yet another example (Mike McConnell’s false claim that the FISA process resulted in a delay on wiretaps on Iraqis who had kidnapped American soldiers and Michael Mukasey’s claim that FISA had prevented the FBI from learning that one of the 9/11 hijackers was communicating with a known Al Qaeda safe house are two others) where the government fucked up–and then used its own failure as an example to claim it needed more investigative powers.

It’s really a disturbing pattern. The Bush Administration apparently thinks it reasonable to argue, "we’re incompetent, so give us more ways to invade your privacy."