March 5, 2013 5:48PM

Google Illuminates the Shadowy World of National Security Letters

In a pretty much unprecedented move, Google today announced that it was expanding its regular “Transparency Report” to include some very general information about government demands for user information using National Security Letters, which can be issued by the head of any of 56 FBI field offices without judicial approval or supervision. Recipients of NSLs are typically forbidden from ever revealing even the existence of the request, and therefore not included in the company’s general tally of government surveillance requests. Instead of disclosing specific numbers of NSL requests, then, Google is publishing a wide range indicating the rough volume of requests they get each year, and how many users are affected. Broad as these ranges are, there’s some interesting points to be gleaned here:

NSL's Google has received since 2009

It’s illuminating to compare the minimum number of users affected by NSLs each year to the numbers we find in the government’s official annual reports. In 2011—the last year for which we have a tally—the Justice Department acknowledged issuing 16,511 NSLs seeking information about U.S. persons, with a total of 7,201 Americans’ information thus obtained. That’s actually down from a staggering 14,212 Americans whose information DOJ reported obtaining via NSL the previous year. Remember, this total includes National Security Letters issued not just to all telecommunications providers—including online services like Google, broadband Internet companies, and cell phone carriers—but also “financial institutions,” which are defined broadly to include a vast array of businesses beyond such obvious candidates as banks and credit card companies.

What ought to leap out at you here is the magnitude of Google’s tally relative to that total: They got requests affecting at least 1,000 users in a year when DOJ reports just over 7,000 Americans affected by all NSLs—and it seems impossible that Google could account for anywhere remotely near a seventh of all NSL requests. Google, of course, is not limiting their tally to requests for information about Americans, which may explain part of the gap—but we know that, at least of a few years ago, the substantial majority of NSLs targeted Americans, and the proportion of the total targeting Americans was increasing year after year. As of 2006, for instance, 57 percent of NSL requests were for information about U.S. persons. So even if we reduce Google’s minimum proportionately, that seems awfully high.

There’s a simple enough explanation for this apparent discrepancy: The numbers DOJ reports each year explicitly exclude NSL requests for “basic subscriber information,” meaning the “name, address, and length of service” associated with an account, and only count more expansive requests that also demand more detailed “electronic communications transactional records” that are “parallel to” the “toll billing records” maintained by traditional phone companies. I’ll get back to what that means in a second. But the obvious inference from comparing these numbers, unless Google gets a completely implausibly disproportionate percentage of total NSLs, is that the overwhelming majority of NSLs are just such “basic subscriber information” requests, and that the total number of Americans affected by all NSLs is thus vastly, vastly larger than the official numbers would suggest.

The rationale for not counting such “basic subscriber information” requests—beyond a desire not to terrify Americans by exposing the true magnitude of government surveillance—is presumably that these are so limited in scope that they don’t pose the same kind of civil liberties concerns as more extensive data requests. But this may not really be the case when you think about how we use the Internet in practice: Many people, after all, go online to engage in anonymous speech. In those cases, the contents of a person’s communications may be public (or at least widely shared), and what’s sensitive and private is the identity of the person tied to a particular account. (The first step in the FBI investigation that ultimately brought down CIA chief David Petraeus, recall, was stripping away the digital anonymity of his biographer and lover, Paula Broadwell, by linking a pseudonymous e‐​mail address to her primary Google account.) Indeed, that seems to be the primary reason one would issue such a “basic subscriber information” request to an entity like Google: To effectively de‐​anonymize the otherwise unknown user of a particular account. Insofar as the right to both speak and read or recieve information anonymously has long been recognized by the Supreme Court as a component of our basic First Amendment freedoms, even these relatively limited requests may indeed have important implications for our civil liberties. And Google’s numbers, imprecise as they are, very strongly suggest that such requests are issued in far higher numbers than had previously been recognized.

The other interesting tidbit to come from Google today is their expanded FAQ detailing what kinds of information can be obtained under NSLs:

Under the Electronic Communications Privacy Act (ECPA) 18 U.S.C. section 2709, the FBI can seek “the name, address, length of service, and local and long distance toll billing records” of a subscriber to a wire or electronic communications service. The FBI can’t use NSLs to obtain anything else from Google, such as Gmail content, search queries, YouTube videos or user IP addresses.

For a long time, the FBI operated on the assumption that NSLs could be used broadly to obtain any “electronic communications transactional records.” But in a 2008 memorandum, the Office of Legal Counsel rejected that interpretation, holding that NSL authority “reaches only those categories of information parallel to subscriber information and toll billing records for ordinary telephone service.” Just what that means, of course, is fairly opaque—but I think most observers had supposed, as I had, that it encompassed user IP addresses. Since these can be crucial to linking a wide array of online activity to a particular user, their exclusion would somewhat limit the potential of NSLs to undermine Internet anonymity. Whether IPs are covered, however, may well depend on the specific service in question—and it is not at all clear whether other providers will disclose IP addresses in response to NSLs.

Of course, what Google does not specify clearly is just what information does fall into the category of “toll billing records.” In all likelihood, however, it covers the equivalent of the kind of information about who is communicating with whom that might be found on a phone bill—such as a list of all the people with whom you exchange e‐​mails or Gchat instant messages, though again, given differences in how people use the Internet versus traditional phone service, such lists are likely to be substantially more revealing than any phone bill.