
Sharing National Security Letters with the Public - 0mp
https://blog.google/topics/public-policy/sharing-national-security-letters-public/
======
mr_spothawk
> Over 300,000 NSLs have been issued in the past 10 years alone. The most NSLs
> issued in a single year was 56,507 in 2004. In 2013, President Obama’s
> Intelligence Review Group reported; that the government continues to issue
> an average of nearly 60 NSLs every day. By contrast, in 2000 (the year
> before the passage of the USA PATRIOT Act that loosened NSL standards),
> 8,500 NSLs were issued.

[[https://www.eff.org/issues/national-security-
letters/faq#5](https://www.eff.org/issues/national-security-letters/faq#5)]

* - formatting

~~~
bogomipz
I am trying to imagine just how much the legal council alone for 300K NSLs a
year costs the American Economy.

I would like to know what proportion of those 300K are tech companies.

~~~
kodablah
Correction, ~30k a year. Still doesn't change your question much. I really
hope the vast majority have their gag order removed. Who knows how many were
sent to now defunct companies.

~~~
collinmanderson
Is it just me or is the DOJ/FBI being foolish about using an incrementing
identifier for these? Base on Google's list, we now know there have been at
least 418,313 letters/records, and can track roughly how many letters there
were between specific dates.

------
timbowhite
> we have been freed of nondisclosure obligations.

> the Act restricts the use of indefinite gag restrictions that prevent
> providers from ever notifying customers

Did Google say anywhere in that blog post that they've notified the users the
NSLs were targeted at?

EDIT: no, but from the TC article[1]

> A Google spokesperson said the usernames were redacted to protect user
> privacy and that the targeted individuals had been notified.

[1] [https://techcrunch.com/2016/12/13/google-national-
security-l...](https://techcrunch.com/2016/12/13/google-national-security-
letters/)

------
h4nkoslo
The interesting aspect of NSLs to me has always been authentication. One gets
a fax, and one faxes some crap back? Trivially hackable. One contacts the
phone number listed on the NSL? Ditto. How difficult would it be for the
Chinese or the Russians to slide in their own "NSL" in the 30K / year
"legitimate" ones?

In fact the feds make it intentionally difficult to authenticate requests; for
instance they prohibit taking copies of federal IDs, they often won't submit
them for actual inspection, and they have no directory of employees to
consult. If one wants to confirm that one is speaking to a bona fide FBI agent
you're looking at minimum an hour in phone tag, and then there is the issue of
if they are relating a bona fide request or going off the reservation.

~~~
mikiem
You can Google the phone number in the letter and _also_ look up the number
for the field office they are from, call the office and ask for the agent.

Yes, it may take time. But you don't get many NSLs, so you do it. You do it to
protect yourself (liability of disclosing info without a legal order) and your
customer/user who is the subject of the letter. Every time.

------
JorgeGT
Tangential: it always annoys me how difficult it is to highlight text in a
Google blog post and look it up. Drag doesn't work and right click clears the
selection. My only working approach is highlight and hit menu key.

~~~
eriknstr
I was about to say that it worked fine for me but then I realized that it
might be because I have uMatrix, so I allowed the site everything it wanted in
order to test and indeed that interferes with right click due to a dumb black
popup thing with a twitter and two other icons on it.

Disappointed. Would have expected more in terms of UX from Google.

Anyway you might enjoy uMatrix, it's pretty good although it can be a tad bit
annoying to figure out what I need to allow each domain in order for their
pages to load content when they host content-critical scripts and such on a
separate CDN-domain that they own or through a third-party CDN.

I also don't know if it's possible to allow some domain to always be allowed
to be iFramed by any other. For example I would like to always allow embeds
from SoundCloud, YouTube and Vimeo on any site.

~~~
komali2
I don't know why you'd expect better from UX, Google has had notoriously
terrible UX for as long as I can remember. Off the top of my head -
blogger/blogspot, youtube, hangouts android app, google voice android app,
gmail settings, google maps (especially the android app), etc.

~~~
dom0
My favourite example of poor, almost outright user-hostile Google UX is adding
a contact to the Android address book.

(For the uninitiated: there is no yep/confirm/save element in the add-contact
dialog. You have to press the back arrow -- the biggest text on the screen is
the heading _Add new contact_ , but that doesn't react to touch!)

~~~
ReverseCold
Looks like they fixed it, there's a save button for me.

[http://i.imgur.com/S7Zfk0Sh.jpg](http://i.imgur.com/S7Zfk0Sh.jpg)

------
bahmboo
From the statute (and in the letters):

> the information sought is relevant to an authorized investigation to protect
> against international terrorism or clandestine intelligence activities,
> provided that such an investigation of a United States person is not
> conducted solely upon the basis of activities protected by the first
> amendment to the Constitution of the United States.

Of course they could still lie but you can't be investigated just for your
protected speech. Not defending the whole thing, but didn't realize that
requirement until now.

[edit: formatting]

~~~
sandworm101
>> ... but you can't be investigated just for your protected speech.

Yes you can. All law enforcement regularly investigate wholly innocent people.
It's called following leads. The vast majority of people investigated are
totally innocent and never hear a peep. Sometimes those investigations lead to
bad people, sometimes the lead was false, and sometimes they discover there is
no real crime. They look at the speech, determine it is perfectly legal, and
that's the end of the situation. But that is still "investigating".

~~~
dannypgh
It's not as simple as that.

"The price of lawful public dissent must not be a dread of subjection to an
unchecked surveillance power. Nor must the fear of unauthorized official
eavesdropping deter vigorous citizen dissent and discussion of Government
action in private conversation." From
[https://en.wikipedia.org/wiki/United_States_v._United_States...](https://en.wikipedia.org/wiki/United_States_v._United_States_District_Court)

And "These Guidelines do not authorize investigating or collecting or
maintaining information on United States persons solely for the purpose of
monitoring activities protected by the First Amendment or the lawful exercise
of other rights secured by the Constitution or laws of the United States" from
the Attorney General's guidelines for the FBI, which were originally created
because of said case.

Much as how there's a legal distinction between firing someone for no reason
and firing someone for an illegal reason, there is certainly reasonably
interpretable legal precedent that investigating someone solely for their
protected first amendment activities may violate their first and fourth
amendment rights.

Of course, IANAL, but that doesn't seem to stop many people on the internet.

~~~
sandworm101
>> unauthorized official eavesdropping

It's authorized by law.

>> solely for the purpose of monitoring activities protected by the First
Amendment

They don't look into such things randomly. They have some notion, say a report
from someone, and examine the speech. A typical example might be some kid
reporting "terrorist speech" in a public forum. So some officer somewhere
takes a look, finds nothing illegal, and that's the end of things. That is an
"investigation" of 1st-amendment speech because the officer is reading and
investigating legal speech, but the purpose of the investigation was non-
protected terror speech, or child porn, or threats, or any number of
categories of illegal speech. It's not proper to turn around and call those
investigations illlegal simply because they didn't find anything. That would
only encourage officers to find things, to make mountains out of molehills, to
justify their investigation.

~~~
dannypgh
You might want to skim the decision (try searching for the word "authorize")
in the case: [http://caselaw.findlaw.com/us-supreme-
court/407/297.html](http://caselaw.findlaw.com/us-supreme-court/407/297.html)

This is semantics, but they're important. The investigation you mentioned
isn't someone being investigated just for their protected speech, it's someone
being investigated on suspicion of a specific crime. I do believe there are
frameworks in which such investigations can be legal (but whether the NSLs
themselves are sufficient or warrants are necessary is another matter) but I
do not believe it follows that you can be investigated solely for [any]
protected speech, which is what I interpreted your comment to mean. Could the
speech create the suspicion in many contexts? Sure, I don't see why not. But
it must actually do so, and it's the suspicion that provides the framework for
the potentially legal search, not the speech.

The real law enforcement activity I think this prohibits would be pure fishing
expeditions against those engaged in lawful first amendment activities. If the
head of the FBI decides he doesn't like a given newspaper because of what
they've said, and he can't even name a crime he suspects they've committed, I
do not believe he has the legal authority to authorize an investigation into
the newspaper to see if he can find something that they're guilty of. I
believe it violates first and fourth amendment protections under Keith. What
precisely the bar is to prove or justify any such suspicion (or even if
there's any oversight) is a separate question.

~~~
sandworm101
>>I do not believe it follows that you can be investigated solely for [any]
protected speech, which is what I interpreted your comment to mean.

Then you did miss my point. Often cops/feds have to investigate whether
something is or isn't protected speech. When those investigations find nothing
(normal) they then appear to have been an investigation into protected speech,
but that wasn't clear at the time. We cannot make such investigations illegal
simply because they come to nothing.

~~~
dannypgh
I didn't say the investigation is/should be illegal if they come to nothing. I
said the are/should be illegal if they happen without suspicion that a
specific crime has been committed.

The state should not be able to target someone for investigation solely
because they disagree with their speech and "think they might be guilty of
something." They need to state/establish what that something is. That's my
read of Keith.

Material support of designated terrorist organizations is a crime under the
law, and investigating someone for that is wholly different from investigating
someone solely because they disagree with their protected first amendment
activities. Consider again my newspaper example. With terrorism cases, they
can point to the laws about supporting terrorism and say that's what the
person is suspected of. They likewise need to have a law they can point to
that they need to believe is broken before they target the newspaper for
investigation because of their speech. How they have to do said pointing
(warrants, NSLs, etc.) is a separate question, but in the absence of such
suspicion I do believe the search is illegal.

------
gxs
It's interesting that most of these are only for:

>>...name, address, length of service, and electronic communications
transactional records for all services, as well as accounts...

Makes me think they would submit two requests: one for metadata and one for
content. This would allow them to let google publish more "innocuous" letters
while continue to gag order letters where they request more intrusive
information.

Would love to hear the opinion, however, of someone who unlike myself knows
what they are talking about.

~~~
magicalist
> _Makes me think they would submit two requests: one for metadata and one for
> content_

NSLs can't (legally) be used for content, only metadata.

(putting aside, of course, that metadata _is_ itself content)

~~~
gxs
Ah see, this is what I meant. This makes sense. Thanks for the clarification.

------
mikiem
Interesting. As a service provider (hosting) we have received many "court
orders" that are very similar to these NSLs... but they were not NSLs. Now
that I see these NSLs, I am not that freaked out by them. I'm not sure of all
the hub bub, at least for these particular NSLs. The scope of these is
basically limited to identifying the user. These specifically say to _not_
provide content of the account to the FBI. The not-NSL court orders we have
received have included verbage to not disclose the request to the subject of
the request.

I thought NSLs were supposedly non-contestible, broad and were for
communication detail. These don't seem to be any if that.

The requests we have received have been from a variety of organizations (but
signed by a magistrate) ranging from local law enforcement to three letter
acronyms and one entity that is neither. While the requests don't say why the
order is being issued, we usually receive a call from the agent/detective
beforehand and dialog ensues in which they explain what's going on.

While many companies will just give the info, we scrutinize the request and
ask the agent/detective politely and apologetically that we can help, but only
if they acquire a court order. We have caught not-legitimate requests before,
so we verify the request is legit before responding. We have never been asked
for content of communications. If Google is not doing the same thing... oof.
Just as a matter of process I assume they do. I recall in the past some
networks having right in their WHOIS info, how/where Law Enforcement can send
FAX requests.

------
bflesch
They redacted the NSL letter number on the top left of the second pages, but
kept the file reference number "In reply, please refer to NSL 10-272979" both
in the address box on first page and the name of the PDF file.

~~~
christop
Are you sure that's the NSL number being redacted at the top-left?

The NSL numbers are also listed in the Google blog entry, and are in the URLs
of each PDF, so the numbers definitely aren't something that Google intended
to censor.

------
boomboomsubban
I only looked at one of them, but it seems that these are able to be released
as they have the same illegal language as the Internet Archive release. Their
language makes it sound like they were released due to the government being
forced to review if they should be upheld.

------
CiPHPerCoder
Has anyone on HN ever been notified by Google/Yahoo/other that they were the
subject of an NSL? I wonder if the people most likely to care about that are
unlikely to ever be targeted?

~~~
rhizome
NSLs prohibit informing the target.

~~~
dewey
"A Google spokesperson said the usernames were redacted to protect user
privacy and that the targeted individuals had been notified."

~~~
privong
The notification to targeted individuals was presumably after Google had
successfully fought the gag order.

------
haikuginger
The fact that the NSL numbers are sequential gives an interesting look into
the scale of issuance.

~~~
paganel
I checked the article again after reading your comment and you were not
kidding. Damn! I thought maybe they had learned something from the "German
tank problem"
([https://en.wikipedia.org/wiki/German_tank_problem](https://en.wikipedia.org/wiki/German_tank_problem)),
but maybe they just don't care how all this looks to us, regular people.

------
tehwalrus
> In 2015, Congress passed the USA Freedom Act

Really?! That is a terrible name for a piece of legislation - it says
_nothing_ \- even before you consider that it was messing with gag orders
about executive overreach.

~~~
throwaway199729
Certain names are timeless favorites with bureaucrats (and worse):

"Freedom Act", "Freiheitsgesetz":

[https://en.wikipedia.org/wiki/German_referendum,_1929](https://en.wikipedia.org/wiki/German_referendum,_1929)

"Extraordinary rendition", "Sonderbehandlung":

[https://en.wikipedia.org/wiki/Sonderbehandlung](https://en.wikipedia.org/wiki/Sonderbehandlung)

------
secfirstmd
I wonder how this writing of a NSL letter would affect an organisation's
warrant canary (if they have one).

~~~
kakarot
There's always blackmail, too. Plenty of ways to force a warrant canary to
continue as normal

~~~
indolering
That's what an NSL is ... if you don't comply they throw you in jail. If you
challenge a charge, the prosecutor will often add new ones.

~~~
jonlucc
Who do they jail? You can't jail a corporation, so do they jail the CEO? The
lawyer who sends the letter saying they won't comply?

Either way, isn't that just begging for that information to be made public?
Suddenly, Sundar Pichai is missing, and someone finds out he's in jail. That's
going to be a story that gets reported (and probably leaked widely).

~~~
AnimalMuppet
I know of an instance of corporate executives being walked out the door in
handcuffs by the US Marshalls. That was for flagrantly disobeying the FDA. I'm
pretty sure there wouldn't be a lesser response for flagrantly disobeying a
National Security Letter.

~~~
jonlucc
My point is that the NSL is supposed to be secret, not just for its contents,
but the existence of the letter. So, dragging a CEO off publicly would almost
certainly expose the existence of the NSL.

~~~
AnimalMuppet
It might expose the existence of _an_ NSL, but not of _that_ NSL.

That is: I'm Joe Terrorist. I use, say, GMail. Google gets a thousand NSLs. On
at least one of them, they tell the NSA/FBI/CIA/whoever to get lost. Five
Google execs get arrested. I, Joe Terrorist, may guess that the arrest is over
NSLs. I have no idea whether I am named on one of the NSLs in question, or
whether I was on one of the NSLs that Google complied with, or whether I'm
still completely under the radar.

It might serve to remind me "oh, yeah, that's right, any of those companies
can get an NSL and report everything they know about me", but if I'm at all a
competent terrorist, that's something I already knew and should be continually
remembering.

------
awqrre
I wish the FBI would be required to produce the original digital document
instead of poor quality scans...

~~~
slig
I'm guessing here that the original, even if redacted, can leak extra data
that they don't intend to leak.

------
swalsh
Imagine the possibilities of this, combined with McCarthy's wet dream
palantir.

~~~
plussed_reader
You mean Trumps wet dream, Palantir? What a perfect vessel for public/private
cooperative actions! I'm sure his buddy Pete would give him a huge referral.

~~~
indolering
I've had at least half-a-dozen non-techie friends signup for Signal since
Trump's election.

~~~
james_pm
But not under Obama or (potentially Hillary)? What about Trump makes them so
fearful now where they weren't under the current state of affairs.

I'm not saying that a Trump presidency isn't a great way to convince people to
get a Signal account, but it strikes me that NSA spying and everything else
that's gone on over the past decade should have been enough.

~~~
hackuser
The increased fear is not based on the capabilities, which as you said have
existed for awhile, but on what Trump will do with them. They feel he has
fascist tendencies or intentions and does not respect for American traditions
or law.

(I'm not trying to make partisan points; I'm only saying that there is a large
cohort that feels that way. Obviously, many in the U.S. voted for Trump.)

~~~
ozaark
> They feel he has fascist tendencies or intentions and does not respect for
> American traditions or law.

These illegal capabilities have been spreading regardless of party or
political promises.

~~~
rconti
Absolutely. And I don't doubt that Hillary wouldn't have expanded them
further; if anything she's more hawkish than Trump.

That said, only one of these two people is asking for names of every
government employee who has attended a climate science meeting in the past 5
years. The implications are truly chilling.

~~~
throwanem
"Chilling" seems a bit histrionic. It's an interesting challenge to the
customary, but as far as I know extraconstitutional, idea that cabinet
departments operate independently of the sitting president rather than, like
the rest of the executive branch, serving at his pleasure. If law exists to
mandate this arrangement, I'd be obliged to anyone who wil make me aware of
it; absent that, it seems like something that's purely _de facto_ , albeit at
this point quite longstanding, and open to challenge by any president who so
chooses.

I'm not surprised to see Trump mount such a challenge, because he is likely
ill accustomed to tolerating independent fiefdoms within an organization he
nominally heads. But he's far from the first president to try it on, and I
very much doubt he'll find more success than his predecessors - indeed the
latest on this particular story seems to be that DOE has told him to go to
hell, and if that sounds like hyperbole then it's no more so than a lot of the
headlines I've just seen.

~~~
wfo
There are a number of things presidents technically /could/ do but do not
because they are horrifying. The fact that he's technically legally allowed to
do something bad does not mean it's okay that he is doing it -- the president
can (and has) executed and indefinitely jailed citizens without trial or
attorney, locked everyone in America of a certain race in camps and taken
their belongings, sold arms to and trained terrorist groups, ordered torture,
leaked the identity of a CIA operative in order to enact personal petty
revenge on her husband, toppled and assassinated democratically elected world
leaders, given out pardons in exchange for personal favors or money,
criminalized drugs with the explicit stated purpose of going after cultural
subgroups who chose to dissent but were doing so legally and could not be
jailed, sent law enforcement to spy on and shut down peaceful legal protest
groups including trying to convince MLK Jr. to commit suicide, to name a few.

Presidents have done and can legally do all these things. Trump could do each
one of these things. The only hope we have is that he chooses not to out of a
sense of not wanting to destroy the country, or out of some sense of morality
and sense of what is right and wrong. Each one is a disgusting, horrifying
abuse of power. So is demanding a list of federal employees who meet some
political criteria with the explicit intention of an ideological purge (even
worse, he's purging all people who believe in or are curious about science
from a science agency). Next will he ask for a list of federal employees who
have had an abortion? A list of those who have voted Democrat? A list of those
who have posted an Internet comment critical of him? The next time he asks for
a list, will we hear about it?

~~~
throwanem
You have just equated a new president-elect inquiring into the staffing of one
of his subordinate departments, and the mass internment in concentration camps
of American citizens with Japanese ancestry.

In response to that, I cannot imagine what I might possibly be able to
contribute.

~~~
wfo
I have done nothing of the sort, of course, which you know, but it's a common
dishonest rhetorical tactic to suggest that mentioning two concepts in the
same post is automatically drawing an equivalence between them. I've made an
argument that because something a president does is /allowed/ or /legal/ does
not mean that it's morally acceptable. If you think everything that is legal
but immoral is equivalent, that's on you, not me.

The fact that he's doing horribly immoral things and the defense is -30 days
into his presidency already "it's legal therefore it's okay" is a very, very
bad sign for the future of his administration, because as I've shown abiding
by actions which are 'legal' means almost nothing when it comes to federal
executive power. That moral sense which we are depending on which prevents a
president from abusing their power is, by the evidence we've seen, not present
in him.

~~~
throwanem
> Each one is a disgusting, horrifying abuse of power. So is [...]

How do you mean this to be taken if not to say that what he's done is as bad
as all the other things you named? - that is, as a claim of moral equivalence.

~~~
wfo
It being disgusting and horrifying does NOT mean that it is the same as the
holocaust or Japanese internment. It can still be disgusting and horrifying
while simultaneously being less disgusting and horrifying than, say, genocide.

------
bradleyjg
This is probably a better link: [https://blog.google/topics/public-
policy/sharing-national-se...](https://blog.google/topics/public-
policy/sharing-national-security-letters-public/)

~~~
azurezyq
I really think HN should block/downvote all TC links, which are most of the
time worse than the original source.

~~~
jacoblambda
I think instead they could possibly add a report button for links explicitly
for providing the original source. To help limit people just bashing it for
the hell of it, the report could be set up to only submit with a valid URL.
Then the mods could quickly correct it.

~~~
pvg
You can just email them.

------
pauleastlund
Z

