For the first time since the implementation of the USA Freedom Act, Yahoo published three National Security Letters — perhaps the most secretive and contentious method the FBI has for obtaining information on individuals — after the lifting of repressive and equally-contentious gag orders.
Mainstays of the USA PATRIOT Act, National Security Letters (NSLs) generally request customer data information from businesses such as banks, internet service providers, travel agencies, and phone and telecommunications companies — without a warrant required. Worse, NSLs include onerous, mandatory orders prohibiting their recipients from disclosing to anyone — including coworkers, friends, and family — that they even received the letter.
“Yahoo has always maintained a strong commitment to protecting our users’ safety, security and privacy,” the company said in an announcement of the disclosure. “The release of these documents and information regarding NSLs today is consistent with our commitment to share as much information as we legally can regarding government data requests. We believe there is value in making these documents available to the public to promote an informed discussion about the legal authorities available to law enforcement.”
“Each NSL included a nondisclosure provision that prevented Yahoo from previously notifying its users or the public of their existence,” the company ominously stated.
Largely due to these mandatory nondisclosure orders, gauging exactly how many NSLs have been issued remains impossible — though as of 2013, the Obama administration admitted an average of 60 per day were being issued. Alarmingly, in its latest transparency report, Apple claimed the number of “national security orders” — including NSLs — had doubled in just six months. Yahoo said it plans updates to its own transparency report as additional nondisclosure orders are lifted.
Though they haven’t received quite the notoriety of more sweeping surveillance programs — perhaps due to the extensive reporting after revelations from Edward Snowden — NSLs are at least equally troubling. As EFF previously noted, “in march 2007 the Department of Justice’s inspector general released a report confirming extensive misuse of NSLs in a sample of four FBI field offices. An internal audit by the FBI confirmed that the problem was far more extensive than first thought.”
Essentially anything surrounding the account of the user targeted by the FBI must be disclosed, except for the actual content of communications. But plenty of information can be derived, without having to delve into the content, Vocativ noted, as metadata could include “the dates when an account was opened, IP addresses used to log in, any physical address or phone number associated with the account, the credit card number it used to pay for any service, any listed aliases — pretty much anything a user gives when they create an account.”
“Our understanding is that the vast majority of NSLs of these kind that are issued go to tech companies, and that it’s a basic tool that the FBI uses to start investigations involving people’s communications,” Andrew Cocker, staff attorney at EFF, told Vocativ in discussing NSLs specific to companies like Yahoo.
Yahoo’s decision to disclose these NSLs marks the company’s “ongoing commitment to transparency.” A minor concession in the Freedom Act requires the FBI to periodically assess whether gag orders should remain in place. In the case of Yahoo’s three NSLs, the termination of ongoing nondisclosure indicates the FBI completed those investigations.
“We believe this is an important step toward enriching a more open and transparent discussion about the legal authorities law enforcement can leverage to access user data,” Yahoo stated.
While the Freedom Act basically continued many of the same programs from the PATRIOT Act that had expired, minor changes like the requirement to review FBI nondisclosure arrangements provide a degree of transparency desperately needed. Now, thanks to Yahoo, NSLs became a little less secretive.