Automattic Releases Five Un-Gagged National Security Letters

from the ask-and-you-have-slightly-better-chance-of-receiving dept

Another batch of FBI National Security Letters has been released, thanks to the expedited review process instituted by the USA Freedom Act. Automattic, the company behind Wordpress, has released five NSLs dating back to 2010, as the result of successful nondisclosure challenges.

Each of the NSLs that we are publishing initially included an indefinite nondisclosure requirement that prohibited us from sharing any information about the letter or publicly acknowledging that we received an NSL.

We recently requested that these nondisclosure requirements be lifted, under the “reciprocal notice” procedures of the USA FREEDOM Act. More detail on the procedures that we followed is below.

In response to our requests, the FBI lifted the gag orders with respect to all information in each of the NSLs we are making available today. Before publishing the letters publicly, however, we decided to redact the following information from each letter: (1) the site URL about which the government requested information, (2) names of Automattic personnel to whom the request was addressed, and (3) name and contact information for the FBI personnel involved in making the information request.

We made these limited redactions in order to protect privacy interests. The NSLs are otherwise what we received when they were served onto us.

The five NSLs are identical. (PDF links included at the bottom of the Automattic post.) Automattic responded to four of those, but had none of the information requested for the fifth. After the gag orders were lifted by the FBI, Automattic informed the targeted users.

The boilerplate NSLs ask for far more info than the FBI's own legal guidance suggests it should be able to request. A 2008 DOJ legal memo says NSLs should be constrained to "phone billing records." The FBI has apparently decided to interpret this as any and all electronic transactional records when it comes to internet service providers. Here's what's requested in the Automattic NSLs:

  • Subscriber name and related subscriber information
  • Account number(s)
  • Date the account opened or closed
  • Physical and or postal addresses associated with the account
  • Subscriber day/evening telephone numbers
  • Screen names or other on-line names associated with the account
  • All billing and method of payment related to the account including alternative billed numbers or calling cards
  • All e-mail addresses associated with the account to include any and all of the above information for any secondary or additional e-mail addresses and/or user names identified by you as belonging to the targeted account in this letter
  • Internet Protocol (IP) addresses assigned to this account and related e-mail accounts
  • Uniform Resource Locator (URL) assigned to the account
  • Plain old telephone(s) (POTS), ISDN circuit(s), Voice over internet protocol (VOIP), Cable modem service, Internet cable service, Digital Subscriber Line (DSL) asymmetrical/symmetrical relating to this account
  • The names of any and all upstream and providers facilitating this account's communications

This is where the FBI starts digging, apparently. By demanding all this info from a single service provider, the FBI can issue NSLs and subpoenas to a large number of additional third parties, even though the DOJ's legal guidance suggests the FBI's NSL requests should be far more constrained.

The recently-instituted challenge options are better than what was in place previously, but Automattic points out there's still plenty of room for improvement.

We also continue to believe that NSLs pose serious constitutional concerns, particularly because they indefinitely prevent companies like us from speaking about them, and informing our users or the public about the NSLs that we receive. The procedures used to lift nondisclosure requirements are flawed because they put the burden of seeking an end to secrecy almost entirely on the companies, like Automattic, who receive NSLs.

The FBI has almost zero legal obligation to perform proactive reviews of issued NSL gag orders. Recipients must spend their time and money challenging them. Fortunately, the challenge process now requires much less of these scarce resources. Automattic has its own boilerplate form for challenging boilerplate NSL gag orders -- one it's willing to share with any NSL recipient --- so we should be seeing more of these released in the near future.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: fbi, gag orders, national security letter, nsl, nsls, secrecy, transparency, wordpress


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 26 Jul 2017 @ 1:36pm

    "We also continue to believe that NSLs pose serious constitutional concerns,"

    Why? Because they flat out ARE unconstitutional? The attached GAG orders common to NSL's are just exactly what the 1st Amendment was designed to tell government it could never do!

    Yet here we are.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 26 Jul 2017 @ 2:07pm

    Redactions

    (1) the site URL about which the government requested information,

    Questionable, but OK.

    (2) names of Automattic personnel to whom the request was addressed,

    Appropriate.

    (3) name and contact information for the FBI personnel involved in making the information request.

    Inappropriate. FBI personnel have no business issuing overbroad demands, and it is inappropriate that they never suffer the public embarrassment that rightly should follow from their abuse.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 26 Jul 2017 @ 3:01pm

    Re: Redactions

    (3) name and contact information for the FBI personnel involved in making the information request.

    From the first of the Redacted FBI Response Letters, identified as “NSL-10-287729_FBI Response_Redacted” (internally dated June 29, 2017, and signed by Karen D. Miller):

    Based on privacy and safety considerations, the FBI further requests that your client continue to maintain the confidentiality of the name and telephone number of the Special Agents contained within the NSL, located in paragraphs 10 and 14.

    Thus, Automattic's third category of redactions were made at the FBI's request.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 26 Jul 2017 @ 4:35pm

    Re: Redactions

    Redacted does not mean deleted and forgotten. The info still exists if needed in the future.

    link to this | view in thread ]

  5. icon
    Ninja (profile), 27 Jul 2017 @ 4:58am

    Who were the targets of these NSLs? I mean, this is crucial information to know whether they are being used to fight crime (including terrorism because it's just more crime) or journalists and people who simply annoy corporations and the govt. I believe this is even more important than knowing what they asked for (which conveniently from what I got from the article is everything anyway).

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 27 Jul 2017 @ 8:24am

    Re: Re: Redactions

    Thus, Automattic's third category of redactions were made at the FBI's request.

    How does that excuse sheltering abusive requests from disclosure? I never want my name attached to anything embarrassing I do, but I don't get to use the force of law to ensure that. If this was truly an FBI "request", then Automattic had no obligation to comply, and based on past FBI conduct, I can't see why they would want to. I rather doubt they're going to end up on the FBI's nice list just because they withheld that.

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 27 Jul 2017 @ 9:25am

    Re: Re: Re: Redactions

              Automattic's third category of redactions were made at the FBI's request.

    How does that excuse sheltering abusive requests from disclosure?

    If you believe that Acting Deputy General Counsel Karen D. Miller's request for the third category of redactions was improper or abusive, then I'd certainly encourage you to loudly complain to your United States congressional delegation. Your senators and representative should help you.

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 27 Jul 2017 @ 9:48am

    Re: Re: Re: Re: Redactions

    While I suspect that your claim that Congress would take a serious interest in this is a tell that you're just trolling, you missed a key distinction. Miller's request was disclosed. I think it was improper for Miller to request redactions with no basis in law, since it seems the FBI grossly overstepped its bounds in the demand letters. However, I also expect that Miller shelters every letter as a matter of course, without reviewing the letters at issue.

    It was the original NSL that was abusive and should not have been sheltered, but instead disclosed in full (without redaction) and promptly upon completion of the investigation for which it was issued. Once the investigation is complete, the FBI has no basis for keeping their conduct secret, yet it took an affirmative request from the provider to get the nondisclosure provision lifted at all, and likely not in a very timely manner. I think it very unlikely that the FBI notified Automattic promptly that the investigation was concluded (thereby opening the possibility that Automattic might prevail in a request to be ungagged). Rather, Automattic likely made their own judgment about when to request permission to speak. I appreciate that they spent the resources to do it all. I find it unconscionable that they had to put so much effort into it.

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 27 Jul 2017 @ 10:01am

    Re: Re: Re: Re: Re: Redactions

    While I suspect that your claim that Congress would take a serious interest in this is a tell that you're just trolling…

    Which one of us is “just trolling” here?

    When you call up your congressman, the phone often gets answered by a relatively low-level staff person. Don't angrily swear at the congressman's staff: They'll just hang up the phone. Or maybe the call got disconnected for some other reason—you can try calling back again.

    link to this | view in thread ]

  10. icon
    The Wanderer (profile), 30 Jul 2017 @ 5:38am

    Telephone billing records

    Subscriber name and related subscriber information Account number(s)

    • Date the account opened or closed Physical and or postal addresses associated with the account Subscriber day/evening telephone numbers All billing and method of payment related to the account including alternative billed numbers or calling cards Plain old telephone(s) (POTS), ISDN circuit(s), Voice over internet protocol (VOIP)

    All of this would seem appropriate under "telephone billing records".

    Screen names or other on-line names associated with the account All e-mail addresses associated with the account to include any and all of the above information for any secondary or additional e-mail addresses and/or user names identified by you as belonging to the targeted account in this letter Internet Protocol (IP) addresses assigned to this account and related e-mail accounts Uniform Resource Locator (URL) assigned to the account *Cable modem service, Internet cable service, Digital Subscriber Line (DSL) asymmetrical/symmetrical relating to this account

    None of this seems to fall under that heading, however.

    *The names of any and all upstream and providers facilitating this account's communications

    And this one is questionable / borderline.

    link to this | view in thread ]

  11. icon
    The Wanderer (profile), 30 Jul 2017 @ 5:39am

    Re: Telephone billing records

    Well, dammit. Apparently multi-line consecutive '>*' doesn't actually work the way I'd expected it to. That'll teach me to post without previewing...

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.