Automattic Releases Five Un-Gagged National Security Letters
from the ask-and-you-have-slightly-better-chance-of-receiving dept
Another batch of FBI National Security Letters has been released, thanks to the expedited review process instituted by the USA Freedom Act. Automattic, the company behind WordPress, has released five NSLs dating back to 2010, as the result of successful nondisclosure challenges.
Each of the NSLs that we are publishing initially included an indefinite nondisclosure requirement that prohibited us from sharing any information about the letter or publicly acknowledging that we received an NSL.
We recently requested that these nondisclosure requirements be lifted, under the “reciprocal notice” procedures of the USA FREEDOM Act. More detail on the procedures that we followed is below.
In response to our requests, the FBI lifted the gag orders with respect to all information in each of the NSLs we are making available today. Before publishing the letters publicly, however, we decided to redact the following information from each letter: (1) the site URL about which the government requested information, (2) names of Automattic personnel to whom the request was addressed, and (3) name and contact information for the FBI personnel involved in making the information request.
We made these limited redactions in order to protect privacy interests. The NSLs are otherwise what we received when they were served onto us.
The five NSLs are identical. (PDF links included at the bottom of the Automattic post.) Automattic responded to four of those, but had none of the information requested for the fifth. After the gag orders were lifted by the FBI, Automattic informed the targeted users.
The boilerplate NSLs ask for far more info than the FBI’s own legal guidance suggests it should be able to request. A 2008 DOJ legal memo says NSLs should be constrained to “phone billing records.” The FBI has apparently decided to interpret this as any and all electronic transactional records when it comes to internet service providers. Here’s what’s requested in the Automattic NSLs:
- Subscriber name and related subscriber information
- Account number(s)
- Date the account opened or closed
- Physical and or postal addresses associated with the account
- Subscriber day/evening telephone numbers
- Screen names or other on-line names associated with the account
- All billing and method of payment related to the account including alternative billed numbers or calling cards
- All e-mail addresses associated with the account to include any and all of the above information for any secondary or additional e-mail addresses and/or user names identified by you as belonging to the targeted account in this letter
- Internet Protocol (IP) addresses assigned to this account and related e-mail accounts
- Uniform Resource Locator (URL) assigned to the account
- Plain old telephone(s) (POTS), ISDN circuit(s), Voice over internet protocol (VOIP), Cable modem service, Internet cable service, Digital Subscriber Line (DSL) asymmetrical/symmetrical relating to this account
- The names of any and all upstream and providers facilitating this account’s communications
This is where the FBI starts digging, apparently. By demanding all this info from a single service provider, the FBI can issue NSLs and subpoenas to a large number of additional third parties, even though the DOJ’s legal guidance suggests the FBI’s NSL requests should be far more constrained.
The recently-instituted challenge options are better than what was in place previously, but Automattic points out there’s still plenty of room for improvement.
We also continue to believe that NSLs pose serious constitutional concerns, particularly because they indefinitely prevent companies like us from speaking about them, and informing our users or the public about the NSLs that we receive. The procedures used to lift nondisclosure requirements are flawed because they put the burden of seeking an end to secrecy almost entirely on the companies, like Automattic, who receive NSLs.
The FBI has almost zero legal obligation to perform proactive reviews of issued NSL gag orders. Recipients must spend their time and money challenging them. Fortunately, the challenge process now requires much less of these scarce resources. Automattic has its own boilerplate form for challenging boilerplate NSL gag orders — one it’s willing to share with any NSL recipient — so we should be seeing more of these released in the near future.
Filed Under: fbi, gag orders, national security letter, nsl, nsls, secrecy, transparency, wordpress
Comments on “Automattic Releases Five Un-Gagged National Security Letters”
“We also continue to believe that NSLs pose serious constitutional concerns,”
Why? Because they flat out ARE unconstitutional? The attached GAG orders common to NSL’s are just exactly what the 1st Amendment was designed to tell government it could never do!
Yet here we are.
Questionable, but OK.
Inappropriate. FBI personnel have no business issuing overbroad demands, and it is inappropriate that they never suffer the public embarrassment that rightly should follow from their abuse.
From the first of the Redacted FBI Response Letters, identified as “NSL-10-287729_FBI Response_Redacted” (internally dated June 29, 2017, and signed by Karen D. Miller):
Thus, Automattic’s third category of redactions were made at the FBI’s request.
Re: Re: Redactions
How does that excuse sheltering abusive requests from disclosure? I never want my name attached to anything embarrassing I do, but I don’t get to use the force of law to ensure that. If this was truly an FBI "request", then Automattic had no obligation to comply, and based on past FBI conduct, I can’t see why they would want to. I rather doubt they’re going to end up on the FBI’s nice list just because they withheld that.
Re: Re: Re: Redactions
If you believe that Acting Deputy General Counsel Karen D. Miller’s request for the third category of redactions was improper or abusive, then I’d certainly encourage you to loudly complain to your United States congressional delegation. Your senators and representative should help you.
Re: Re: Re:2 Redactions
While I suspect that your claim that Congress would take a serious interest in this is a tell that you’re just trolling, you missed a key distinction. Miller’s request was disclosed. I think it was improper for Miller to request redactions with no basis in law, since it seems the FBI grossly overstepped its bounds in the demand letters. However, I also expect that Miller shelters every letter as a matter of course, without reviewing the letters at issue.
It was the original NSL that was abusive and should not have been sheltered, but instead disclosed in full (without redaction) and promptly upon completion of the investigation for which it was issued. Once the investigation is complete, the FBI has no basis for keeping their conduct secret, yet it took an affirmative request from the provider to get the nondisclosure provision lifted at all, and likely not in a very timely manner. I think it very unlikely that the FBI notified Automattic promptly that the investigation was concluded (thereby opening the possibility that Automattic might prevail in a request to be ungagged). Rather, Automattic likely made their own judgment about when to request permission to speak. I appreciate that they spent the resources to do it all. I find it unconscionable that they had to put so much effort into it.
Re: Re: Re:3 Redactions
Which one of us is “just trolling” here?
When you call up your congressman, the phone often gets answered by a relatively low-level staff person. Don’t angrily swear at the congressman’s staff: They’ll just hang up the phone. Or maybe the call got disconnected for some other reason—you can try calling back again.
Redacted does not mean deleted and forgotten. The info still exists if needed in the future.
Who were the targets of these NSLs? I mean, this is crucial information to know whether they are being used to fight crime (including terrorism because it’s just more crime) or journalists and people who simply annoy corporations and the govt. I believe this is even more important than knowing what they asked for (which conveniently from what I got from the article is everything anyway).
Telephone billing records
All of this would seem appropriate under "telephone billing records".
None of this seems to fall under that heading, however.
And this one is questionable / borderline.
Re: Telephone billing records
Well, dammit. Apparently multi-line consecutive ‘>*’ doesn’t actually work the way I’d expected it to. That’ll teach me to post without previewing…