Continued from page 1

Initially created to acquire bank records in money-laundering probes, the subpoena authority was expanded to cover communications businesses by Section 215 of the Patriot Act, the antiterrorism laws hurriedly enacted in the wake of the Sept. 11, 2001, attacks.

In June, Mr. Snowden revealed that national security letters were served on U.S. telephone companies to enable the NSA to build a vast database of information about every phone call made in the United States.

Mr. Janke said such broad use of national security letters is not exceptional. “If you get [one], they don’t have to say, ‘Just give us [the data on] these three guys.’ They take it all,” he said.

Lawmakers who helped draft the Patriot Act have said they did not intend the provision to be used in this sweeping fashion, but Obama administration officials have said they informed Congress about the program in closed briefings and in recently declassified letters.

To assuage growing public concern that the NSA is eroding Fourth Amendment rights against unwarranted searches and seizures of property, President Obama recently outlined a series of new oversight and policy measures, including the appointment of a special board of outside advisers to examine how U.S. intelligence agencies use surveillance technologies.

He also asked Congress to review Section 215 of the Patriot Act. Critics say the provision is too broad and shrouded in secrecy.

‘Everyone has a relationship’

The gag order that drew Mr. Levison’s complaints, for example, strongly suggests that his company was served a national security letter, because targets of such subpoenas are forbidden to disclose they have received such an order. Company officials cannot even reveal it to their boards of directors.

“The sheer time and cost of responding to these demands is oppressive for a small business,” said Mr. Cate, the law professor. “And at some point, the government stops playing nice and starts saying: ‘You’re breaking the law, you could go to jail.’”

Mr. Levison advised any Americans wanting electronic privacy to choose communications and data-storage services that are not based in the U.S.

But Mr. Janke, whose company’s servers are in Canada and Switzerland, said that being located outside the United States offers no protection because of broad cooperation among Western intelligence and law enforcement agencies.

“The United States, the European Union, everyone has a relationship,” he said.

Mr. Schmidt, the former cybersecurity czar, noted the close cooperation among the 39 nations that have ratified the Budapest Convention on Cybercrime, which covers assistance in accessing and intercepting computerized data.

Even in Western countries, “most governments doing intelligence collection are not looking to use the court system,” Mr. Schmidt said. “Nation-states are going to do what they do, and they’re not going to advertise it.”

In addition, Mr. Janke said, email is nearly impossible to secure because the Internet addresses of the sender and the recipient are “exposed in any email system.”

Story Continues →