Watson Institute for International and Public Affairs
Costs of War

Data Privacy

Before 9/11, the FBI could not secretly compel personal information from United States banks and internet firms unless the person was suspected of wrongdoing and under an authorized investigation. Since then, personal information has been more readily accessible without any individualized suspicion through a “National Security Letter” (NSL).

Post-9/11, the Patriot Act allowed the FBI such access even if a person was not the subject of an authorized investigation. The FBI could demand that phone companies, internet service providers, banks, insurance companies, and a laundry list of businesses that deal in cash—even the U.S. postal service—turn over information about an American's transactions, without any court order or independent review. Federal guidelines further expanded the FBI’s authority by elevating what had once been known as “preliminary inquiries” to the level of “investigations,” allowing the use of NSLs to gather information on people who are not suspected of wrongdoing. The Patriot Act expired on March 15, 2020, and it has not been reauthorized as of early 2021, although it passed a vote in the House in March 2020.

Tens of thousands of U.S. citizens—and tens of thousands of non-citizens—have had their financial and communications records swept up by the FBI. The agency also collected Open Source information from social networks and commercial data-collection companies. These data-collection authorities and practices resulted in people “two or three steps removed” from the original subject of an investigation being swept in.

Key Findings

  • Under the Patriot Act, "National Security Letter" (NSL) powers could be used to obtain records of virtually everything purchased with debit or credit cards.

  • In the process of complying with the FBI’s counter-terrorism efforts, businesses have provided the government with access to the private information of millions of Americans.

  • The data of a person whose information is swept in to the FBI’s database is then accessible to tens of thousands of government employees.


Following ACLU recommendations, Congress should pass legislation:

  • Requiring the government to obtain warrants before demanding location information from telecommunications companies; and
  • Banning the bulk data collection of Americans’ private information, as mandated by the USA Freedom Act.

(Page updated as of June 2021)