A National Security Letter (NSL) is an FBI-issued administrative subpoena that compels a service provider to hand over subscriber and transactional records (name, address, length of service, billing records) and prohibits the provider from telling the customer that the request occurred. No judge involved. The authority comes from four federal statutes (Right to Financial Privacy Act, Electronic Communications Privacy Act, Fair Credit Reporting Act, National Security Act) and has been used hundreds of thousands of times since the 2001 USA PATRIOT Act expanded their scope.
What it means in practice
What the FBI gets: subscriber name, addresses on file, length of service, billing records, IP address logs, email-to-from records (not content). What the FBI does not get: communication content (that requires a warrant or FISA order). What the customer gets: nothing, because the gag order is automatic and lasts indefinitely. Providers can challenge NSLs in the FISA Court (Doe v. Mukasey, 2008, established the procedural framework); few do because the legal cost is high and the public-relations benefit is low. The 2015 USA Freedom Act added a sunset on indefinite gag orders requiring periodic FBI review, but the gag remains active by default and lifts in only a small fraction of cases.
Who it affects, and how
Targets are anyone the FBI believes has communications metadata relevant to a counterterrorism, counterintelligence, or counter-espionage investigation. The “relevant to” standard is far below probable cause. The 2007 DOJ Inspector General report documented widespread FBI procedural violations in NSL use. Investigative journalism shows recurring use against journalists’ records (the Risen-NYT case, the AP records subpoena), against political figures, and against employees of organizations that have drawn FBI attention. The provider knows. The customer does not. The customer’s recourse only exists if the provider chooses to fight, which is rare.
What you can change today
The structural defense is provider choice. NSLs reach US providers; they do not reach providers in jurisdictions outside US legal authority (Switzerland for Proton, Iceland for some specialty providers, the EU for some categories under the Data Retention Directive). For sensitive metadata, route accounts through providers whose jurisdictional position makes NSL service practically harder. The tactical defense is metadata minimization: use email aliases (SimpleLogin, Proton aliases, Firefox Relay), rotate phone numbers used for sensitive registrations, do not let the recovery email of your sensitive account be a US-provider Gmail. The NSL captures what the provider knows; reduce what each provider knows about you.
