Transparency report reveals Google receives less than 1,000 NSLs yearly

Google rocked the boat by sidestepping national security letter gag orders to reveal generalized NSL data in a new transparency report.

Despite that a national security letter comes with a gag order forbidding recipients of NSLs to tell targeted customers about the government requesting their records, Google released a new transparency report about NSLs the company has received. The FBI maintains that the gag is imposed since a "disclosure may result in 'a danger to the national security of the United States, interference with a criminal, counterterrorism, or counterintelligence investigation, interference with diplomatic relations, or danger to the life or physical safety of any person'."

"We've been trying to find a way to provide more information about the NSLs we get—particularly as people have voiced concerns about the increase in their use since 9/11," wrote, Richard Salgado, Google's Legal Director, Law Enforcement and Information Security. "Starting today, we're now including data about NSLs in our Transparency Report." He added, "You'll notice that we're reporting numerical ranges rather than exact numbers. This is to address concerns raised by the FBI, Justice Department and other agencies that releasing exact numbers might reveal information about investigations."

Since the numbers are generalized, we know that Google received fewer than 1,000 NSLs every year since 2009. This means there is still a ton that we don't know...but having some general idea is better than no clue about the number of NSLs. It's surely a step in the right direction.

Yet Cato @ Liberty's Julian Sanchez wrote "It's illuminating to compare the minimum number of users affected by NSLs each year to the numbers we find in the government's official annual reports. In 2011—the last year for which we have a tally—the Justice Department acknowledged issuing 16,511 NSLs seeking information about U.S. persons, with a total of 7,201 Americans' information thus obtained." Sanchez added, "What ought to leap out at you here is the magnitude of Google's tally relative to that total: They got requests affecting at least 1,000 users in a year when DOJ reports just over 7,000 Americans affected by all NSLs—and it seems impossible that Google could account for anywhere remotely near a seventh of all NSL requests." Then he suggests that the number of NSLs the Department of Justice reports each year may not be very accurate and

explicitly exclude NSL requests for “basic subscriber information,” meaning the “name, address, and length of service” associated with an account, and only count more expansive requests that also demand more detailed “electronic communications transactional records” that are “parallel to” the “toll billing records” maintained by traditional phone companies.

The ACLU applauded Google's move to sidestep the "gag-imposed silence" and to report on NSLs, before pointing out that the government has been known to issue "a staggering number of NSLs every year: forty to fifty thousand in some years. We also know, based on inspector-general reports (more info here), that NSLs have been repeatedly abused."

Why is information about the gags-and, more generally, government surveillance-so important? Look no further than our recent loss in the Supreme Court in Clapper v. Amnesty International. Last week, the Supreme Court threw out our challenge to the most sweeping surveillance statute that Congress has ever passed, the FISA Amendments Act of 2008, which authorizes the dragnet and warrantless surveillance of Americans' international communications. The Supreme Court tossed our suit because the plaintiffs-who included lawyers for suspected terrorists, journalists reporting in conflict zones, and researchers working with foreign dissidents-could not prove that the government had tapped their communications.

In that 5-4 decision, Supreme Court dissenting Justice Stephen Breyer wrote [PDF page 33] that "the plaintiffs have a strong motive to engage in, and the Government has a strong motive to listen to, conversations of the kind described." Breyer added [PDF], "We need only assume that the Government is doing its job (to find out about, and combat, terrorism) in order to conclude that there is a high probability that the Government will intercept at least some electronic communication to which at least some of the plaintiffs are parties. The majority is wrong when it describes the harm threatened plaintiffs as 'speculative'." 

After the ruling, the ACLU wrote that dismissing its challenge to NSA warrantless wiretapping law "shields surveillance program from judicial review."

The EFF, like the ACLU, applauded Google's move to report on NSLs as an "unprecedented win for transparency." Two days later, the EFF then asked Google to show us the numbers regarding FISA:

Releasing data about FISA court orders, even aggregated data, would help shed light on what is, presumably, the most secretive tool in the federal government's surveillance toolkit. Such a release from Google, for example, could demonstrate (or disprove) that FISA orders do NOT authorize dragnet surveillance of large numbers of Google users at once.

Let's hope Google complies with that request and keeps rocking the boat for the good of users and transparency. As Google said, "Our users trust Google with a lot of very important data, whether it’s emails, photos, documents, posts or videos."

Microsoft is also entrusted with important data in its cloud, such as email and Office 365. It would be great if Microsoft would also step up and do us a solid by releasing transparency reports detailing the same data as Google has...and toss in transparency about Skype eavesdropping by law enforcement.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Copyright © 2013 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022