A bipartisan Senate trio is asking credit agencies Equifax, Experian and TransUnion to disclose more information about how the companies work with the FBI to spy on American consumers.
“Because [you] hold so much potentially sensitive data on so many Americans and collect this information without obtaining consent from these individuals, you have a responsibility to protect individuals’ data and be transparent about how or when you disclose it,” Republican Kentucky Sen. Rand Paul wrote in a Thursday letter co-signed by Democratic Sens. Elizabeth Warren (Mass.) and Ron Wyden (Ore.).
The trio said the companies frequently receive national security letters (NSLs) from the FBI — akin to “administrative subpoenas” — demanding full credit reports on consumers. While the letters often include gag orders preventing companies from disclosing their receipt, some of those orders have expired, permitting those companies to divulge details of the surveillance if they choose to do so.
Lawmakers pointed out that the companies have opted to withhold the information, even from Congress. “Unfortunately, your company has not provided information to policymakers or the public about the type or the number of disclosures that you have made to the FBI.”
They added, “Dozens of technology and telecommunication companies publish reports of statistics about their receipt of NSLs. But [Equifax, Experian and TransUnion] maintain no such publicly available information and has not provided information about NSL receipt when asked by reporters.”
In September, documents obtained by the Electronic Frontier Foundation (EFF) through a Freedom of Information Act lawsuit indicated credit agencies received more NSL requests from the FBI than previously known. Equifax and Experian each received more than 50 letters terminating letters from the FBI, allowing them to disclose the existence of the NSLs. TransUnion received more than 40. None of the three took advantage of their right to disclose.
After the 2001 passage of the PATRIOT Act, the FBI ramped up its use of NSLs to seek information “relevant” to national security investigations. After tech companies including Facebook, Microsoft and Google spent nearly a decade filing lawsuits seeking the right to disclose their receipt of the letters, Congress passed a 2015 law permitting them to do so. Those three companies now report receiving around 1,000 NSLs requesting user information annually.
Critics suggest credit agencies do not follow the same reporting model because the industry doesn’t rely on maintaining a good relationship with consumers.
“Even when the FBI chooses to terminate a gag order, the simplest response is to do nothing,” EFF attorneys Andrew Crocker and Aaron Mackey wrote in an analysis. “This is particularly true for companies whose business is less dependent on direct interaction with individual consumers, such as credit reporting agencies. Banks and credit agencies may … wager they are better served by not calling attention to the value of their business records to FBI counterintelligence and counterterrorism investigations.”
Paul, Warren and Wyden asked credit agencies to submit answers detailing their failure to disclose, in addition to the nature of information the FBI has requested, by the end of December. “American consumers deserve to know what happens to the data that your company collects, which can encompass all of the major financial relationships that a consumer might have over the course of their lifetime.”