Apple revealed this week that it received a National Security Letter during the last six months of 2016. The news, which came as part of the company’s latest biannual transparency report, marks the first NSL Apple has reported receiving.
The iPhone manufacturer released the report via a portal on its website late Monday.
The company refers to the NSL as “declassified” in Table 7 of the report. When NSLs are marked declassified it’s often because the case has been marked inactive. However, it may be a while until Apple can disclose when it received this particular letter, or was it about.
Companies that receive NSLs are traditionally subjected to a gag order. It took Cloudflare nearly four years to disclose a NSL this past January which the company received in February 2013. Google, only after it managed to successfully fight gag provisions in court, disclosed the contents of eight NSLs it received from 2010 to 2015 last December.
Monday’s report also indicates a spike in the number of National Security Orders Apple has received. The company said that between July 1 and Dec. 31, 2016 it received between 5,750 and 5,999 orders pertaining to 4,750 and 4,999 accounts. That’s almost double the number it received in the first half of last year when the company reported it received between 2,750 and 2,999 orders pertaining to 2,000-2,249 accounts.
Those numbers include orders received under National Security Letters and Foreign Intelligence Surveillance Act (FISA) orders. Apple, like other companies that regularly release transparency reports, says in its report it would like to be more specific but can’t. Companies have to report U.S. National Security requests in bands of 250 by law.
As part of the report, the company also said it received 2,331 account-based requests and 30,184 device-based requests from law enforcement worldwide. Those numbers actually mark a slight decrease in requests. The company previously said in the first half of 2016 it received 2,564 account-based requests and 33,006 device-based requests from law enforcement.
Account-based requests usually pertain to illegal account use; details on the names and addresses – and occasionally stored photos and contacts – of iTunes or iCloud account users. Device-based requests usually pertain to stolen devices; details on which customers are associated with devices are often sought.
The company reiterates in the report (.PDF) that it has still not received any orders for bulk data.
The USA Freedom Act, passed in 2015, removed an indefinite gag order that once accompanied NSLs, cutting companies such as Cloudflare, Google, and Open Whisper Systems – the company behind Signal – some slack. The act compels the FBI to periodically review gag orders affiliated with NSLs to determine whether non-disclosure remains appropriate.
Yahoo became the first company to disclose details around three NSLs it received in 2013 this time last year.
Open Whisper Systems, with an assist from the American Civil Liberties Union, was able to fight a gag order and release transcripts from a subpoena it received for user data in the first half of 2016 last October. Since OWS keeps so little information on its users it was unable to produce most of what the government wanted.