The FBI can keep sending surveillance orders to tech companies and ban them from disclosing those requests, an appeals court ruled Monday.
Internet company Cloudflare and wireless network operator CREDO Mobile sued the federal government to be allowed to disclose public national security letters they have received. They argued that the letters, which are administrative subpoenas issued by the government to gather information for national security purposes, are unconstitutional because they violate the First Amendment's freedom of speech protections.
Critics of national security letters -- like the Electronic Frontier Foundation, which represented Cloudflare and CREDO in the case -- say they "allow the FBI to secretly demand data about ordinary American citizens' private communications and internet activity without any meaningful oversight or prior judicial review." Companies that receive national security letters, or NSLs, are subject to gag orders, which means they can't even disclose they've received such orders unless the letters become declassified. And those gag orders last indefinitely.
A three-judge panel on a US court of appeals in San Francisco on Monday upheld a lower court ruling that NSLs can remain secret. In their unanimous ruling, they said the Supreme Court "has concluded that some restrictions on speech are constitutional, provided they survive the appropriate level of scrutiny."
The law behind national security letters considers that disclosing the orders could result in danger to the national security of the US, interference with an investigation, interference with diplomatic relations; or danger to the life or physical safety of any person, the judges said in their opinion.
"We therefore conclude that the 2015 NSL law is narrowly tailored to serve a compelling government interest, both as to inclusiveness and duration," the opinion said. "Accordingly, we hold that the nondisclosure requirement ... survives strict scrutiny."
Andrew Crocker, an attorney with EFF, said in a statement that he's disappointed the court "failed to recognize that the NSL statute violates the free speech rights of technology companies that are required to turn over customer data to the FBI and banned indefinitely from ever publicly discussing the requests."
He added that NSLs prevent companies from being open with their customers.
"Unfortunately, the Ninth Circuit avoided addressing the serious First Amendment problems with NSLs, particularly the fact that they are often left in place permanently," Crocker said. "We're considering our options for next steps in challenging this unconstitutional authority."
The US Justice Department declined to comment on the ruling.
"We are disappointed in the Ninth Circuit's decision and are considering our options for next steps," CREDO CEO Ray Morris said in a statement. "At CREDO, we know what an uphill battle challenging these gag orders can be and feel that the court missed an opportunity to protect the First Amendment rights of companies that want to speak out in the future."
Cloudflare said in a statement that it's disappointed by the ruling and that it believes there's additional work to be done to improve the NSL process.
"Cloudflare's approach to law enforcement requests is that we are supportive of their work but believe that any requests we receive must adhere to the due process of law and be subject to judicial oversight," Doug Kramer, Cloudflare general counsel, said in a statement. "It is not Cloudflare's intent to make their job any harder, or easier."
NSLs were enabled by the USA Freedom Act, which passed in 2015. As part of the regulations, the FBI has to re-examine past NSLs and decide which can be declassified. Those started being reported by recipients a year ago.
Cloudflare and CREDO aren't the only companies that have received NSLs. Apple in May disclosed that one of the thousands of security orders it's received came in the . And Twitter disclosed in January that it received two from the FBI in the last two years that previously came with gag orders not to discuss them. Google, Yahoo and Cloudflare also have published NSLs received from the FBI, some dating back to 2013.
Reuters earlier reported on Monday's ruling.
First published July 17, 1:45 p.m. PT.
Update, 6:05 p.m.: Adds comments from CREDO, Cloudflare and DOJ.
It's Complicated: This is dating in the age of apps. Having fun yet? These stories get to the heart of the matter.