Update 2013-06-07: at the time that we wrote this post, we asked Google whether its Transparency Report included data about secret FISA court orders that would send data to the NSA. The response we received was extremely vague, but seemed to possibly be "no". In the wake of yesterday's revelations that the NSA was harvesting data from Microsoft, Yahoo!, Google, Facebook, AOL, PalTalk, Skype, YouTube and Apple, Google has now clearly confirmed that the numbers in its Transparency Report do not include the number of orders or targets for NSA surveillance.
In an unprecedented win for transparency, yesterday Google began publishing generalized information about the number of National Security Letters that the company received in the past year as well as the total number of user accounts affected by those requests. Of all the dangerous government surveillance powers that were expanded by the USA PATRIOT Act, the National Security Letter (NSL) power provided by five statutory provisions is one of the most frightening and invasive. These letters--the type served on communications service providers such as phone companies and ISPs, and authorized by 18 U.S.C. 2709--allow the FBI to secretly demand data about ordinary American citizens' private communications and Internet activity without any prior judicial review. To make matters worse, recipients of NSLs are subject to gag orders that forbid them from ever revealing the letters' existence to anyone.
Google has led the way among large companies in providing transparency with respect to legal and law enforcement requests with its transparency report, but until now, it has always left NSL requests out of its tally of requests for user data, in part, presumably, due to concerns about the accompanying gag order. By including this data, even in a generalized way that only tells us that Google received somewhere between 0 and 999 NSLs in 2012, Google has helped to at least shed some limited light on the ways in which the US government uses these secretive demands for data about users.
By law, NSLs can only be used to obtain information “relevant” to certain national security investigations and only then to obtain transactional user data--subscriber data and information such as which user account is communicating with whom--rather than user-generated content such as emails. However, the NSL process suffers from an inherent lack of checks that would curb abuse, such as any kind of meaningful judicial review. The FBI's abuse of this power has been documented both by a series of Congressionally-mandated Department of Justice investigations and in documents obtained by EFF through a Freedom of Information Act request. Yet there are only a handful of lawsuits (including EFF's) challenging the FBI's underlying authority to issue such information demands, despite the hundreds of thousands of NSLs that have been issued over the past decade.
While we continue to be in the dark about the full extent of how the law is being applied, this new data allays fears that NSLs are being used for sweeping access to large numbers of user accounts--at Google, at least. Indeed, though the numbers are rounded to the nearest thousand, there were under a thousand NSLs issued every year from 2009 to 2012, and the total number of user accounts targeted by the requests never exceeded 3,000 users per year, according to Google.
Serious concerns and questions remain about the use of NSLs. For one, this report only gives us a bit of insight into the scope of NSLs for Google, and we strongly believe that other companies should follow Google's lead where possible in order to give us a more complete picture. Second, the company has not released granular information about the nature of the data being requested, although Google assures us in the expanded FAQ that despite evidence of abuse--for an example, see page 66 of this report--the FBI "can't use NSLs to obtain anything else from Google, such as Gmail content, search queries, YouTube videos or user IP addresses."
Google's addition of NSLs to its transparency report is a big step forward for users who are unsure about what happens with their data. As the company stated in its announcement, “[o]ur users trust Google with a lot of very important data, whether it’s emails, photos, documents, posts or videos.” We are very glad to see Google working hard to maintain and build that trust, and hope that other companies follow suit.