Yahoo today disclosed the contents of three National Security Letters it has received since 2013, the first time a company has made such a disclosure since the passage of the USA FREEDOM Act.
Under the law, the FBI is now required to periodically review whether non-disclosure around National Security Letters remains appropriate.
“We believe this is an important step toward enriching a more open and transparent discussion about the legal authorities law enforcement can leverage to access user data,” said Chris Madsen, Yahoo’s head of global law enforcement, security and safety.
Information about the subjects of the respective NSLs has been redacted from the letters, two of which Yahoo received and complied with in 2013 and the other last year.
Two of the letters, one from the FBI’s Dallas office on Aug. 1, 2013 and the other from its Charlotte office on May 29, 2015, demand the name, address and length of service with Yahoo of the investigation’s target, for all services and accounts. The remaining letter, from the FBI’s Dallas office and dated March 29, 2013, also requires that Yahoo turn over electronic communications transactional records, which include “existing transaction/activity logs and all electronic (email) header information.”
The FBI uses National Security Letters to compel technology companies, service providers, banks and other organizations to turn over specific customer records in national security investigations. Gag orders accompany the letters, prohibiting recipients from disclosing receipt of an NSL and from informing the customers who are the subjects of investigations.
“Yahoo complied with these three NSLs and, to the extent we had the information requested, we disclosed it as authorized by law,” Madsen said. “Specifically, we produced the name, address, and length of service for each of the accounts identified in two of the NSLs, and no information in response to the third NSL as the specified account did not exist in our system. Each NSL included a nondisclosure provision that prevented Yahoo from previously notifying its users or the public of their existence.”
The USA FREEDOM Act spelled out a number of procedures that govern the review of the gag orders that accompany a National Security Letter. From the procedures:
“Under these NSL Procedures, the nondisclosure requirement of an NSL shall terminate upon the closing of any investigation in which an NSL containing a nondisclosure provision was issued except where the FBI makes a determination that one of the existing statutory standards for nondisclosure is satisfied. The FBI also will review all NSL nondisclosure determinations on the three-year anniversary of the initiation of the full investigation and terminate nondisclosure at that time, unless the FBI determines that one of the statutory standards for nondisclosure is satisfied.”
This is not the first time the contents of a National Security Letter have been made public. Last December, Nicholas Merrill, owner of defunct ISP Calyx, won a long court battle to publicly reveal the contents of an NSL he received in 2004 for information on one of Calyx’s customers.
The order was extensive, requesting a laundry list of information the FBI considered to be under the umbrella of a vague legal term: “electronic communication transactional record.” In Merrill’s specific case, the FBI sought not only detailed personal subscriber information, but also browser history, IP addresses the subscriber connected to, email addresses, screen names and online aliases associated with the account, plus six months’ worth of online purchases. The FBI also sought a radius log, which includes cell tower-based tracking information.