Google shines a chink of light on secretive National Security Letters

National Security Letters (NSLs) are secret demands from the FBI for user and account data that come with an inbuilt gag order. Recipients are legally bound to comply – for reasons of national security – but are not allowed to notify the subject nor disclose even the receipt of an NSL. Their use since 9/11 has increased dramatically; but they remain hugely controversial since they require no judicial warrant nor oversight.

They are the perfect example of what The Atlantic calls the surveillance state’s catch-22. The Atlantic was discussing last week’s court ruling in Clapper v. Amnesty International, a challenge by a coalition of journalists, attorneys and non-profit organizations against the Foreign Intelligence Surveillance Act (FISA). FISA allows for the secret monitoring of foreigners’ communications; but such monitoring is disallowed under the Fourth Amendment if one party to the conversation is American. The coalition sought to have FISA declared unconstitutional on the grounds that they were bound to be monitored (illegally) because of the foreigners they spoke to (journalists have to speak to dubious characters to do their job).

The court declined, ruling that the coalition has no standing. ‘Standing’ requires proof of actual harm. But since the surveillance is secret, the coalition has no proof of harm, and therefore has no standing. That is the catch-22: you cannot challenge secret surveillance because it is secret.

The same principle applies to NSLs. No subject of an NSL can challenge or question the NSL simply because he can never prove to the court that he is the subject of an NSL. Until now it has been a huge blind-spot in Google’s Transparency Report. Google has been able to quantify the number of times it has received government or court requests for user data, but has never been able to disclose any information on NSLs. “We’ve been trying to find a way to provide more information about the NSLs we get – particularly as people have voiced concerns about the increase in their use since 9/11,” announced Google yesterday.

It’s not much – just a range within which the actual number of received NSLs falls. Between 2009 and 2012 Google received between 1000 and 1999 NSLs, except for 2010 when it received between 2000 and 2999 NSLs. It is tempting to conclude that it averages close to 2000 received NSLs from the FBI each year. If this is true, it means that the FBI issues at least five demands for information about Google users every day of the year. 

The question of whether non-US citizens should worry about the FBI gaining access to their account details via NSLs is less easy to answer. NSLs came into existence with the PATRIOT Act following 9/11. The establishment response to foreign fears about the PATRIOT Act is that it is just FUD. However, Jon Stokes discussed this in Wired a little over a year ago. He concluded, “It pains me a great deal to say this, but anyone who is concerned about having their data handed over to the feds in secret (especially their email, which law enforcement can access without a warrant if it has been stored on a third-party server for at least six months) has absolutely no business using a US-based cloud.”

What the new Transparency Report shows is that the FBI actively uses its powers where Google is concerned.
