Perhaps one of the most disturbing aspects about this week's revelations of the Federal Bureau of Investigation's abuses of the Patriot Act is the agency's widespread use of "exigent letters" to improperly obtain consumer telephone records.

A 199 page audit by the Justice Department's Office of Inspector General (OIG) issued on Friday indicates that from 2003 through 2005 the FBI ignored proper legal procedures for securing private documents: including email records, financial records, and customer telephone data.

The revelations have great significance for the Federal Communications Commission, currently considering new rules to make consumer telephone records more secure against "pretexters" - ”con artists who fool telephone companies into giving up private phone use data, then selling the information to others.

The Patriot Act requires the FBI to issue "national security letters" (NSLs) - essentially warrants - to entities that have private data that the FBI wants. The agency can also get the documents through Grand Jury subpoenas.

But in the case of telephone records, the OIG found over 700 instances in which the FBI obtained the information without resorting to either method. Instead they sent out so-called "exigent letters," signed by FBI officials who had no authorization to sign NSLs.

"In many instances there was no pending investigation associated with the request at the time the exigent letters were issued sent," the OIG report discloses. "In addition, while some witnesses told us that many exigent letters were issued in connection with fast-paced investigations, many were not issued in exigent circumstances, and the FBI was unable to determine which letters were sent in emergency circumstances due to inadequate record keeping."

9/11 background

After the September 11th, 2001, attacks, the FBI formed a squad called "DT-6" ("DT" may stand for "domestic terrorism"). This group quickly established a close relationship with three New York telephone companies, whose representatives provided the FBI with access to their consumer databases.

At first DT-6 officials seeking documents provided grand jury subpoenas to these phone companies. But then, according to the OIG, FBI personnel began issuing "placeholder" letters stating that exigent circumstances - that is, matters needing immediate attention- required the private documents. Relatively low level FBI personnel typically signed these letters.

The OIG report cites a typical exigent letter:

"Due to exigent circumstances, it is requested that records for the attached list of telephone numbers be provided. Subpoenas requesting this information have been submitted to the U.S. Attorney's Office, who will process them formally to [information redacted] as expeditiously as possible."

The FBI sent out 739 of these forms, asking for data on about 3,000 telephone numbers. They often sought telephone toll billing and subscriber information.

But the OIG found that, contrary to the claims of these letters, the FBI had not filed requests with the U.S. Attorney's Office before issuing them. The OIG randomly selected 88 exigent letters from the total of 739, and asked the FBI to verify that proper national security letters eventually backed up these missives.

The FBI could only produce unsigned national security letters for 14 of the first 25. The documents the FBI submitted to support the legitimacy of the requests indicated to the OIG that the agency could not prove that the national security letters corresponded to exigent letters.

"Therefore, because of this clear finding in the first 25 letters and the labor intensive nature of the exercise, we did not ask the FBI to complete the sample of 88 letters," the OIG report concludes.

In addition, when FBI clerks gave the exigent letters to telephone companies, "they did not provide to their supervisors any documentation demonstrating that the requests were related to pending FBI investigations," according to the OIG.

And furthermore" "there sometimes were no open or pending national security investigations tied to the request."

The OIG audit concludes that the FBI's use of "exigent letters" violated the law: specifically the Electronic Communications Privacy Act, which allows the FBI to collect subscriber and tolling billing information upon certification that the information sought is "relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities . . . "

These disclosures come as the FCC continues to deliberate on new rules to stop pretexters. The Commission's public comment proceeding on the matter has gone on for more than a year.

In February of 2006, the FCC opened the proceeding in response to a request by the Electronic Privacy Information Center (EPIC). The FCC asked the public to comment on five security measures proposed by EPIC to protect customer phone data: passwords set by customers, better tracking of customer records, encryption of records, limits to how long companies can keep customer data, and letting customers know if the security of their records has been compromised.

During the course of this comment period the Federal Bureau of Investigation, Department of Justice, and Department of Homeland Security have repeatedly asked the FCC to include rules that delay letting customers know if the security of their records has been breached. A December 28, 2006 DOJ filing suggested that if a "relevant investigating agency" decides that letting consumers know that their data has been stolen could compromise an investigation, the agency could tell the carrier not to disclose the breach for "an initial period" of 30 days.

"Such period may be extended by the agency as reasonably necessary in the judgment of the agency," the DOJ proposes.

The DOJ's Deputy Attorney General Paul McNulty, who filed the comments, argues that immediately letting customers know that their calling records have been obtained by pretexters could tip off the culprits, "causing them, among other things, to destroy evidence, change their behavior, and accelerate their illegal use of any data before consumers or company victims can act." Delaying notification could allow law enforcement to conduct an ongoing undercover investigation, McNulty contends.

These suggestions may be seen in a new light since the OIG's report on the FBI.