Security reforms adopted by the U.S. Congress last year have enabled Yahoo to publicly disclose three National Security Letters (NSLs) that it has received from the Federal Bureau of Investigation (FBI).
Prior to passage of the USA Freedom Act last June, recipients of NSL requests for user data were often prohibited from even publicly acknowledging they had received such orders. That led some technology companies to publish so-called "warrant canaries" in their transparency reports, stating that they had not received any NSLs or that they had received anywhere between 0 and 999 NSLs.
The changes introduced under the USA Freedom Act have allowed Yahoo to publicly acknowledge for the first time that it had received NSLs from the FBI, Chris Madsen, the company's head of global law enforcement, security and safety, wrote on Yahoo's Tumblr account yesterday. That's because the FBI told Yahoo that under the new regulations nondisclosure was no longer needed for three NSLs to the company.
'Nondisclosure No Longer Necessary'
Madsen said Yahoo received the NSLs in question in April 2013, August 2013 and June 2015. The company provided the FBI with "the name, address, and length of service for each of the accounts identified" in two of those letters, and provided no information for the third because the account didn't exist in Yahoo's system.
"Each NSL included a nondisclosure provision that prevented Yahoo from previously notifying its users or the public of their existence," Madsen said. Since then, however, Yahoo has learned that the FBI "determined that nondisclosure is no longer necessary."
Federal authorities expanded the government's NSL powers with the USA Patriot Act in the wake of the Sept. 11, 2001, terrorist attacks. Widely criticized by many civil rights organizations and technology companies, some of those powers were revised under the USA Freedom Act, with procedures spelled out for how recipients could challenge nondisclosure orders.
"The release of these documents and information regarding NSLs today is consistent with our commitment to sharing as much information as we legally can regarding government data requests," Madsen wrote in yesterday's blog post. "We believe there is value in making these documents available to the public to promote an informed discussion about the legal authorities available to law enforcement. They also demonstrate the importance of hard-fought reforms to surveillance law achieved with passage of the USA Freedom Act."
The information released by Yahoo was redacted to protect the identities of both the Yahoo users affected by the NSLs and the FBI agents involved in the investigations, Madsen said. He added that the affected users were notified by Yahoo as part of the company's user notice policy.
'Poison Pill for E-mail Privacy'
Ongoing use of NSLs continues to raise concerns in many circles, Gabe Rottman, deputy director of the Freedom, Security and Technology Project at the Center for Democracy and Technology, wrote in a commentary today. Last month, for example, Microsoft filed suit against the U.S. Justice Department to put an end to the gag orders -- some of them permanent -- often imposed on companies when faced with requests for user data. The American Civil Liberties Union has since joined Microsoft's case.
The ongoing FBI efforts to expand NSL authority represent a "poison pill for e-mail privacy," Rottman wrote in today's commentary. He criticized the FBI for seeking such expansion through language recently added to non-controversial e-mail privacy legislation or "must-pass" legislation on intelligence spending.
Rottman told us today that the disclosure by Yahoo yesterday indicates just how significant an expansion of NSL authority the FBI's proposal would be. "Under the FBI's proposal, the FBI could have demanded records on who e-mailed whom, when and from where; any Web browsing or search information held by Yahoo; location information from Yahoo mobile services; among many other things," he said. "All of that would be disclosed without a judge reviewing the request in advance."
Rottman added that other federal efforts to restrict encryption only underscore how much access authorities already have to electronic communications and other data. "The FBI's toolbox is full to the brim, and there's no need to force backdoors in communications systems that would be exploitable by spies, criminals and other bad actors," he said.