
Yahoo Announces Public Disclosure of National Security Letters - tintor
https://yahoopolicy.tumblr.com/post/145258843473/yahoo-announces-public-disclosure-of-national
======
kriro
"""You are directed to provide records responsive to this letter
electronically to the FBI within 21 business day(s) of receipt of this
letter"""

I wonder how the exchange takes place? There's no mention of encrypted mail or
anything, just an additional note that regular mail and non-secure fax are not
secure enough.

They also seem to have a template of sorts as indicated by the day(s) and the
phrasing when it comes to accounting periods vs. 1st to 1st.

I wonder if you can forge (or possibly man in the middle) such a request
(there's no digital signature of the letter I suppose). You'd need to set up a
fake agent persona with phone number and fake signature. For a criminal
organization that doesn't seem to be an unreasonable effort.

~~~
ryanlol
> I wonder if you can forge (or possibly man in the middle) such a request
> (there's no digital signature of the letter I suppose). You'd need to set up a
> fake agent persona with phone number and fake signature. For a criminal
> organization that doesn't seem to be an unreasonable effort.

Using fake subpoenas to dox people on IRC seems to be a regular thing, I don't
see why not NSLs. (Besides the fact that NSLs might actually receive some
scrutiny, so they're probably the inferior choice there)

Most people will just comply straight away.

~~~
nxzero
Still amazed to this day that a guy created fake FBI Google listings, proxied
the calls to the FBI, recorded the calls, told the FBI, and nothing happened.

~~~
goostavos
Whoa, what? Link to this story?

~~~
ymse
DDG dug up these:

http://www.techtimes.com/articles/3930/20140303/heres-how-a-hacker-used-fake-google-maps-listings-to-record-calls-of-fbi-and-secret-services.htm

http://www.theverge.com/2014/2/28/5458610/fake-google-maps-listings-recorded-calls-to-the-fbi-secret-service

------
greglindahl
The Internet Archive (helped by EFF) got one disclosed in 2008:

https://www.eff.org/cases/archive-v-mukasey

https://www.eff.org/document/national-security-letter-internet-archive

Yahoo's claiming "This marks the first time any company has been able to
publicly acknowledge receiving an NSL as a result of the reforms of the USA
Freedom Act." -- which is kind of true, in that IA got one released _before_
the reforms!

~~~
morgante
For an even more technical truth, IA is not a company.

~~~
dragonwriter
Actually, IA is both a company and a corporation. It's legally a charitable
non-profit corporation, but that's a specific kind of company, not a not-a-
company. So, your "technical truth" isn't.

~~~
morgante
Well, I agree that IA is a corporation as that is a legal structure.
Technically a "company" has to be commercial in nature, at least if you go by
the dictionary definition.

This is entirely too pedantic though, and it rather upsets me that people feel
the need to down vote this.

------
eps
This makes zero difference.

So apparently the same people, who gag you, sometimes at their discretion may
remove the gag. The only thing the law requires is for them to _consider_
doing that.

~~~
MichaelBurge
That's actually important. If maintaining the letters requires some nonzero
effort, they'll want to weigh maintaining letters with other things they could
be doing with their budget.

I'm not sure if they have to be reapproved by a judge each time. If that's the
case, then on average it seems like you'd have greater churn on the letters.
And even if there's a near-100% approval rate while investigating, it seems
harder to argue to a judge as the years go on.

It won't help if Edward Snowden was the target of your letters, of course.

------
tonygrue
I had to do a double take on the third letter after reading the return address
of Microsoft Way. At first I thought Microsoft was issuing NSLs. Turns out the
FBI and Microsoft happen to be next door neighbors in Charlotte. I feel like
Microsoft ought to consider giving up the street name.

~~~
netsharc
Amazon and DHL in Germany occupy 2 halves of the same huge warehouse,
obviously because Amazon uses them for delivery.

Maybe there's some sort of cooperation with the two in Charlotte as well.

~~~
justaman
The world's most popular operating system and a government's investigation
organization.

Yes.

------
discardorama
Direct link to the NSLs:
https://s.yimg.com/ge/tyc/Redacted_NSLs.pdf

~~~
egwor
That includes the person's DOB. I wonder what would happen if the individual
had used the wrong DOB when creating the request. Could (should?) Yahoo say
'That doesn't match our records' and require a new request?

~~~
ryanlol
There is no connection made between the name/DOB/address combo and the email
address. If Yahoo only found records matching the email address, then they'd
still have to provide those.

------
ComodoHacker
Fun fact: these documents were properly redacted by Yahoo. Unlike some PDFs
we've seen previously released by NSA (IIRC), which had just black rectangles
drawn over the content.

~~~
Inconel
Would you mind explaining the significance of this to me? What does properly
redacted mean as opposed to drawing black rectangles over the content?

Am I correct in assuming that if done improperly the content underneath can be
reconstructed?

~~~
misnome
In the past there have been instances where e.g. the Microsoft Word highlight
tool has been used to... highlight the paragraph in black, which obviously
visibly hides the text but does not remove it (unless only published as an
image). Drawing a box directly onto a PDF without re-rasterizing it (or
explicitly removing the text from the pdf data) achieves the same effect.
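
The difference described above can be checked mechanically before a redacted PDF is released. The following is an added example, not part of the original thread: it scans a simplified, uncompressed page content stream (both sample streams are constructed here) and reports text that is still present underneath a black filled rectangle. Real PDFs usually compress their streams and apply coordinate transforms, which this sketch assumes away.

```python
import re

# Constructed sample streams using a small subset of PDF operators.
# OVERLAID: the text is drawn, then a black rectangle is painted over it.
OVERLAID = b"""BT /F1 12 Tf 72 700 Td (Dear Custodian of Records:) Tj ET
BT /F1 12 Tf 72 680 Td (Name: JOHN Q. SAMPLE) Tj ET
0 0 0 rg
70 676 200 16 re f
"""
# REMOVED: the text object was deleted; only the black rectangle remains.
REMOVED = b"""BT /F1 12 Tf 72 700 Td (Dear Custodian of Records:) Tj ET
0 0 0 rg
70 676 200 16 re f
"""

N = rb"-?\d+(?:\.\d+)?"   # a PDF number
OPS = re.compile(
    rb"(?<![\w.])(?:"
    rb"(?P<rg>" + N + rb"\s+" + N + rb"\s+" + N + rb")\s+rg\b"                   # set fill colour
    rb"|(?P<re>" + N + rb"\s+" + N + rb"\s+" + N + rb"\s+" + N + rb")\s+re\s+f\b"  # filled rect
    rb"|(?P<td>" + N + rb"\s+" + N + rb")\s+Td\s*\((?P<txt>(?:\\.|[^\\)])*)\)\s*Tj"  # text
    rb")"
)

def hidden_text(stream: bytes) -> list[str]:
    """Return strings still present in the stream under a black fill."""
    fill = (0.0, 0.0, 0.0)   # PDF's default fill colour is black
    drawn = []               # (x, y, text) in paint order
    covered = []
    for m in OPS.finditer(stream):
        if m.group("rg"):
            fill = tuple(float(v) for v in m.group("rg").split())
        elif m.group("td"):
            x, y = (float(v) for v in m.group("td").split())
            drawn.append((x, y, m.group("txt").decode("latin-1")))
        elif fill == (0.0, 0.0, 0.0):
            rx, ry, w, h = (float(v) for v in m.group("re").split())
            for x, y, text in drawn:
                # Text painted earlier whose origin lies inside the box is
                # invisible on screen but still extractable from the file.
                if rx <= x <= rx + w and ry <= y <= ry + h and text not in covered:
                    covered.append(text)
    return covered

if __name__ == "__main__":
    print("overlaid:", hidden_text(OVERLAID))
    print("removed: ", hidden_text(REMOVED))
```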

~~~
Inconel
Thanks for the explanation.

------
DigitalJack
Are they actually written with a typewriter? I thought maybe a daisy wheel,
but some of the pages are crooked which wouldn't happen like that in a daisy
wheel printer.

~~~
otterley
They were most likely FAXed in, and the paper was misaligned when it was sent
from the FBI office to Yahoo!.

------
CDokolas
It seems that the redacted text at the top left of every non-letterheaded page
is probably "File No.NSL-XX-XXXXXX" (where the Xs stand for the actual
numbers). The file/ref number is at the first page, under the FBI logo and is
also mentioned at the end of the letter, for use instead of the letter's
details. So, why redact it?

------
Sephr
Semi-unrelated. I don't understand how the FBI can require companies to say
"0-499" when companies could previously have said "0". It's already obvious
that it means that they have received 1-499 (otherwise it wouldn't be an NSL-
limited range in the first place), but what happens if you were to do
something like the following?

All you have to do in your initial transparency report (before receiving any
NSLs) is to just straight-up say "We have received zero NSLs. If in the future
we only indicate that we have received a possible range of NSLs, that means we
have received at least one NSL".

It's already obvious to most people, but would explicitly stating that to your
users (before actually receiving any NSLs) be "pre-contempt"?

~~~
pdq
This is called a warrant canary.

https://en.m.wikipedia.org/wiki/Warrant_canary

~~~
Sephr
This is a little more explicit than that, since they would be specifically
informing their users that they received an NSL.

------
rocky1138
The fact that this is called the "USA Freedom Act" tells you everything you
need to know.

------
ISL
Do the targets of the NSLs now have standing to file suits?

~~~
hashkb
This is a funny joke.

~~~
kodablah
Is it? Have there been any suits/appeals dismissed based on a lack of standing
due to an NSL being inadmissible? Or has there been any dismissal for other
reasons (e.g. national security reasons) that might now be able to be
revisited now that some NSLs are becoming public record?

~~~
dublinben
It would be impossible to prove that you are the subject of an NSL, because
that information is never released publicly or acknowledged in court.

------
sandworm101
Are real agents signing these? "Mr. Freese" and "John Strong" read like
character names. Are these aliases?

~~~
yompers888
A quick LinkedIn search shows a Donald Freese who seems to be fairly high-
ranking in the FBI.

~~~
sandworm101
But he is still only a piece of paper away from being Doctor Freeze working
alongside Captain Strong out to foil terrorists on behalf of SHIELD.

------
ramblenode
Am I mistaken or does it look as though these letters were typed on
typewriters? Please tell me I'm wrong...

~~~
jakub_g
Looks more like low quality / highly compressed scan but I might be wrong.

Anyway, typewriter is not a bad idea, probably more secure than any computer
with internet connection or USB port ;)

~~~
zaroth
Don't be so sure! There was an amazing Soviet hack of the US embassy
typewriters back in the day. There's a great writeup here:
http://www.cryptomuseum.com/covert/bugs/selectric/

~~~
jakub_g
Awesome link, thanks!

------
venomsnake
I love how their demands are just repaste verbatim of the parts of the law
that grants them authority.

~~~
voxic11
No need to give the judge a reason to throw it out on grounds its demands
exceeded the requirements of the law.

~~~
venomsnake
My point was the opposite - that they always exercise their authority to the
maximum. Not a single thought spared on restraint or precision.

------
em3rgent0rdr
"John A. Strong" - Special Agent in Charge.

reminds me of Special Agent Force. :P

------
thinkMOAR
Announces disclosure, reads to me, 'giving government bit more time for
another gag order or lawsuit'

Just disclose it already.

------
rasz_pl
> FBI is now required to periodically assess whether an NSL’s nondisclosure
> requirement is still appropriate, and to lift it when not

This is not an act of civil disobedience, FBI let them release this
information.

~~~
comex
Nobody said it was.

------
reustle
It looks like they immediately removed them? From the bottom:

> Note: The letters we released have been redacted to protect the identities
> of the FBI agents involved in the investigations, our own personnel, and the
> Yahoo users affected by the NSLs. The affected users received notice of the
> NSLs directly from us under our User Notice Policy.

~~~
bobbles
'redacted' implies only a segment of the content has been removed, not the
entire docs.

