Data Privacy

In the same way that political leaders have exploited post-9/11 security concerns to expand governmental surveillance activities, data collection authorities have also expanded, presenting additional threats to Americans’ privacy interests.

Before 9/11, only if a person in the U.S. was the target of an authorized investigation and suspected of wrongdoing did the FBI have authority to secretly demand information about their financial transactions and communications records from banks and internet firms. This information was obtained through a “National Security Letter,” a demand that a third party turn over records about that person and keep it secret. 

Post-9/11, the Patriot Act allowed the FBI such access even if a person was not the subject or target of an authorized investigation. The FBI could secretly demand that phone companies, internet service providers, banks, insurance companies, and a laundry list of businesses that deal in cash—like casinos, jewelers, realty firms, and even the U.S. Postal Service—turn over information about an American's transactions, without any court order or independent review of such demands. The agency only had to assert the information was “relevant” to an authorized investigation.

New guidelines issued by Attorney General John Ashcroft further expanded the FBI’s intrusive authority by elevating what had once been known as “preliminary inquiries” to the level of “investigations," allowing the use of NSL letters to gather information on people who had done nothing wrong. Businesses that received these secret demands were banned from revealing to their customers that an NSL had been received.

Since 9/11, records indicate that over a quarter million NSL demands have been issued. Tens of thousands of American citizens (and tens of thousands of non-citizens) have had their private financial and communications records swept up by the FBI. The agency has also been collecting “Open Source” information from social networks and commercial data-collection companies. These data-collection authorities and practices have resulted in people “two or three steps removed” from the original subject of an investigation being swept-in. Assuming, conservatively, that an average person has contact with at least 500 people in a year—friends, family, colleagues, and service staff—searching “two steps” away could subject 250,000 people (500x500) to data collection.

In the process of complying with the FBI’s counter-terrorism efforts, businesses have provided the government with access to the private information of millions of Americans.  Multiple airlines have admitted turning over records of their customers’ travels to the government, not to track a particular suspect, but in the hopes of identifying “suspicious” patterns in travel. In May 2002 the Professional Association of Diving Instructors voluntarily provided the FBI with a disk containing the names, addresses and other personal information of about 2 million people, nearly every U.S. citizen who had learned to scuba dive in the previous three years.[1]

The potential for unchecked government surveillance galvanized a diverse set of interests against the Patriot Act. The American Civil Liberties Union was joined by business groups such as the U.S. Chamber of Commerce, the National Association of Manufacturers, and the National Association of Realtors in pushing Congress to narrow the law’s scope. These business groups were concerned about the cost of compliance with the law and its potential for abuse: like police searching a car trunk after a traffic stop, the federal government could discover other sensitive private information when rummaging through business records.[2]


[1] American Civil Liberties Union [hereafter “ACLU”], The Surveillance-Industrial Complex: How the American Government is Conscripting Businesses and Individuals in the Construction of a Surveillance Society, August, 2004; available at
 Dunham, Richard S. "The Patriot Act: Business Balks," Business Week, November 10, 2005; available at