National Security Letters (NSLs) — FBI Administrative Demands for Records
A National Security Letter is an administrative demand — issued by the FBI without a court order or judicial approval — compelling telecommunications companies, financial institutions, and credit agencies to turn over customer records in connection with a national security investigation. NSLs are authorized by five separate federal statutes, with the most commonly used being 18 U.S.C. § 2709 (telecommunications records), 12 U.S.C. § 3414 (financial records), and 15 U.S.C. §§ 1681u and 1681v (credit records). The FBI issues approximately 10,000–20,000 NSLs per year, targeting an estimated 5,000–8,000 people annually. NSLs can demand your name, address, phone records, email transaction records, financial records, and credit reports — but not the content of communications. Each NSL comes with a nondisclosure order (gag order) — the recipient (your phone company or bank) is prohibited from telling you or anyone else that the FBI demanded your records. The USA PATRIOT Act of 2001 significantly expanded NSL authority, and the USA FREEDOM Act of 2015 reformed the nondisclosure provisions after extensive litigation and criticism from civil liberties groups.
Current Law (2026)
| Parameter | Value |
|---|---|
| Authorizing statutes | 18 USC § 2709 (telecom); 12 USC § 3414 (financial); 15 USC §§ 1681u, 1681v (credit); 50 USC § 3162 (government employees) |
| Issuing authority | FBI — authorized by designated senior officials (Special Agents in Charge and above) |
| Standard | Records must be "relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities" |
| No court approval required | NSLs are administrative demands — no judge reviews them before issuance |
| Annual volume | ~10,000–20,000 NSLs per year (targeting ~5,000–8,000 people) |
| Records obtainable | Subscriber information, toll records, financial records, credit reports — NOT content |
| Nondisclosure | Automatic gag order; recipient may challenge in court; FBI must periodically review necessity |
| Judicial review | Recipient may challenge NSL or gag order in federal court |
| Reporting | FBI must report NSL usage to Congress; DOJ IG conducts periodic audits |
Legal Authority
- 18 U.S.C. § 2709 — Counterintelligence access to telephone toll and transactional records (FBI may issue NSLs to wire or electronic communication service providers for subscriber information and toll billing records relevant to an authorized international terrorism or counterintelligence investigation)
- 12 U.S.C. § 3414 — Right to Financial Privacy Act exception (FBI may obtain financial records from financial institutions through NSLs without following normal RFPA procedures)
- 15 U.S.C. § 1681u — Disclosures to FBI for counterintelligence purposes (credit reporting agencies must furnish consumer identifying information and financial information upon FBI certification)
- 15 U.S.C. § 1681v — Disclosures to governmental agencies for counterterrorism purposes (credit agencies must furnish consumer reports to government agencies authorized to conduct international terrorism investigations)
- 50 U.S.C. § 3162 — Requests by FBI for financial records of government employees (NSL authority for financial records of federal employees in counterintelligence investigations)
How It Works
An FBI Special Agent in Charge (or higher-ranking official) issues an NSL as a written letter to a company — phone provider, bank, or credit agency — certifying that the records sought are "relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities" and that the investigation is not based solely on First Amendment-protected activities. The company must produce the records. No judge reviews the NSL before it's issued — it's an administrative process entirely within the FBI's control. NSLs can demand subscriber information (name, address, account number), toll billing records (numbers called, call duration — not content), electronic communication transactional records (email headers, IP addresses, session times — not content), financial records, and credit reports. NSLs cannot obtain the content of communications — for emails, phone conversations, or text messages, the government must use a wiretap order, search warrant, or FISA order.
Every NSL also includes a nondisclosure requirement: the recipient company is prohibited from disclosing to anyone that the FBI sought or obtained records — your bank or phone provider cannot tell you. Before 2015, this gag order was permanent and essentially unreviewable. The USA FREEDOM Act of 2015 reformed the process: the FBI must periodically review whether nondisclosure remains necessary (at 3 years and then annually), and recipients can challenge the gag order in federal court where the government must demonstrate a good reason for continued secrecy. DOJ Inspector General audits in 2007 and 2008 found widespread FBI misuse — including informal "exigent letters" that bypassed even NSL procedures, inaccurate reporting to Congress, and NSLs issued without proper authorization. These findings drove internal reforms, enhanced oversight, and the 2015 statutory changes; the FBI now reports NSL statistics to Congress annually and DOJ IG continues periodic audits.
How It Affects You
<!-- pria:personalize type="eligibility" -->If you're a phone, internet, or email subscriber and you're worried about government surveillance: The difficult reality is that you almost certainly cannot detect whether you've been the subject of an NSL — and that's by design. The gag order prohibits your carrier, ISP, or bank from telling you your records were demanded. You won't receive notice, and there is no database you can query to find out.
What you can know is what an NSL can and cannot touch. The FBI can obtain through an NSL: your name and address on file with your carrier, the numbers you called and when (toll records), email header metadata (who you emailed, when, from what IP address), your bank account information, and your credit report. What NSLs cannot obtain: the content of your emails, the content of your phone calls, or the text of your text messages. For content, the government needs a warrant, wiretap order, or FISA order — all of which require judicial approval.
If you want to understand your surveillance exposure at the aggregate level: major carriers and platforms including Google, Microsoft, Apple, Verizon, and AT&T publish annual transparency reports disclosing how many NSLs they received in broad ranges (e.g., "0–499"). These reports are available on each company's legal/transparency page. They don't tell you whether you personally were targeted, but they show the scale of NSL usage. Meta's transparency report (transparency.fb.com) and Google's (transparencyreport.google.com) are the most detailed.
If you're a journalist, human rights worker, or activist who suspects you may be under counterintelligence scrutiny — not just ordinary law enforcement — the most practical step is using end-to-end encrypted communications. Signal encrypts message content so that even if the FBI obtains Signal's records via NSL, there's no content to read (Signal's metadata retention is minimal). Standard SMS, Gmail, and traditional phone calls produce the metadata that NSLs target. The Electronic Frontier Foundation's Surveillance Self-Defense guide (ssd.eff.org) provides platform-by-platform guidance on reducing your metadata footprint.
If you're a company that has received (or might receive) an NSL: Your obligations and rights differ significantly depending on your size and counsel.
First, your legal obligation: you must comply with a valid NSL. Failure to comply or disclosure of the NSL to any unauthorized person (including the subject of the NSL) can result in criminal penalties. Produce the records specified, maintain confidentiality, and document your response.
Second, you have the right to challenge the NSL or its gag order in federal district court under 18 U.S.C. § 3511. You can challenge the NSL itself (arguing the records aren't relevant, the investigation isn't properly authorized, or the scope is overbroad). You can separately challenge the nondisclosure requirement — arguing there's no specific reason to believe disclosure would harm national security. The FBI must review the gag order at 3 years and annually after that; you can trigger judicial review at any point.
Practically: engage outside national security counsel immediately upon NSL receipt. Organizations like the Electronic Frontier Foundation (eff.org) and the American Civil Liberties Union (aclu.org) have litigated NSL challenges and can connect you with experienced counsel. Large tech companies with dedicated government law teams (Google, Apple, Microsoft) have their own challenge protocols; smaller companies receiving NSLs are often unprepared. You cannot tell your board or your customers without potentially violating the gag order — talk to counsel before disclosing to anyone internally beyond those with a need to know.
If you're a journalist investigating government surveillance: NSLs are one of the more opaque aspects of U.S. national security law because the gag orders prevent companies from providing specific information even when they want to. The practical tools: (1) Freedom of Information Act requests to the FBI and DOJ for aggregate NSL statistics and IG audit reports — the DOJ publishes annual NSL usage reports to Congress required by 18 U.S.C. § 2709(e); (2) The DOJ Inspector General's NSL audits (2007 and 2008 reports documented FBI misuse; subsequent reports are available at oig.justice.gov); (3) EFF's NSL case docket and ACLU's National Security Project maintain public records of NSL litigation.
The USA FREEDOM Act's transparency reports — which allow companies to disclose NSL receipt in bands of 500 — are the most current public window into NSL volume. Requests to companies for their transparency report methodology and data can reveal which services generate the most NSL demand.
<!-- /pria:personalize -->State Variations
<!-- pria:personalize type="state-specific" -->NSLs are exclusively federal:
- State and local law enforcement cannot issue NSLs — the authority is limited to the FBI
- State privacy laws do not override NSL demands (federal preemption)
- Some states have enacted laws requiring notification when government agencies access certain records — but NSL gag orders preempt state notification requirements
- State courts have no role in NSL issuance or initial review
Implementing Regulations
- NSLs are authorized by specific statutes (18 U.S.C. § 2709 for communications records, 12 U.S.C. § 3414 for financial records, 15 U.S.C. §§ 1681u–1681v for credit records, 50 U.S.C. § 3162 for government employee personnel records) and are self-executing — no CFR implementing regulations govern their issuance
- FBI Domestic Investigations and Operations Guide (DIOG) — internal FBI procedures governing NSL issuance, required approval levels (Special Agent in Charge and above), documentation standards, periodic gag order review, and compliance requirements; not publicly available in full but partially disclosed through FOIA litigation
- DOJ Inspector General audits — periodic IG reviews of NSL usage and statutory compliance serve as a primary accountability mechanism in the absence of traditional notice-and-comment rulemaking
Pending Legislation
NSL reform provisions appear in broader national security and surveillance legislation — see FISA Foreign Intelligence and USA PATRIOT Act.
Recent Developments
NSL usage has remained relatively stable at 10,000–20,000 per year. The USA FREEDOM Act's reforms — particularly the periodic review of gag orders and enhanced judicial review — have addressed some of the most criticized aspects of the program. Several technology companies (Google, Microsoft, Apple) now publish transparency reports disclosing the number of NSLs received in broad ranges (as permitted by law). Constitutional challenges to NSL nondisclosure provisions continue, with courts balancing national security interests against First Amendment rights. The FBI's use of NSLs in cybersecurity investigations and nation-state counterintelligence has grown alongside traditional counterterrorism applications.
- FISA Section 702 reauthorization and NSL context (2024): Congress reauthorized FISA Section 702 in April 2024 for two years (through 2026) after contentious debate about warrantless querying of U.S. persons' communications. NSLs and Section 702 are distinct authorities — NSLs compel records from third parties (ISPs, banks, phone companies), while Section 702 authorizes collection from foreign targets' communications. The political dynamics around 702 reauthorization — where libertarian-leaning Republicans joined civil liberties Democrats in opposing expansion — have spilled into debates about NSL oversight, creating pressure for additional judicial review requirements before the next reauthorization.
- Trump administration NSL and counterintelligence priorities (2025): The Trump administration's use of law enforcement and intelligence tools against perceived political opponents raised questions about NSL targeting. DOGE-related FBI investigations — including inquiries into civil servants who challenged DOGE's access to federal databases — generated congressional oversight requests about whether administrative NSLs (seeking financial or subscriber records) were used in those contexts. The FBI's NSL legal framework technically permits use against domestic targets when the records are "relevant to an authorized investigation" — a broad standard.
- China/Russia counterintelligence NSL surge: FBI counterintelligence investigations targeting Chinese government influence operations, technology theft, and academic espionage have driven increased NSL usage against Chinese nationals, Chinese-American community organizations, and research universities. Operations targeting alleged Chinese agents (including the 2023-2025 prosecution wave under the China Initiative successor programs) relied heavily on NSL-obtained financial and communication records to establish investigative leads. The same counterintelligence NSL pattern applies to Russian military intelligence (GRU) and SVR targeting of defense contractors.
- Section 2709 litigation and nondisclosure challenges: NSL nondisclosure provisions (18 U.S.C. § 2709(c)) — which prohibit recipients from disclosing receipt of an NSL — continue to face First Amendment challenges. The 9th Circuit's 2016 ruling in Matter of National Security Letter (upholding a modified nondisclosure framework with judicial review) established the current constitutional baseline. Recipients who want to challenge NSL nondisclosure orders must petition the FISA Court, which reviews requests in secret proceedings. Civil liberties organizations (EFF, ACLU) have argued that this framework insufficiently protects free speech; courts have generally upheld nondisclosure as constitutional when subject to judicial review.