Yahoo Publishes NSLs Following Freedom Act Reforms

Yahoo last week published the text of three National Security Letters it received from the FBI in 2013.

The letters demand the names, addresses, length of service, and electronic communications transactional records — existing transaction and activity logs and all email header information — of the targets. However, they do not ask for any content — either the subject lines or bodies of emails.

Yahoo sent the FBI the name, address and length of service for each of the accounts identified in two of the NSLs, but it did not provide any information in response to the third, as the referenced account did not exist in its system, according to company spokesperson Charles Stewart.

It published the NSLs after the FBI rescinded the nondisclosure requirements imposed in accordance with the USA Freedom Act of 2015.

“We’re the first company to disclose [the NSLs] as a result of the reforms of the USA Freedom Act,” Stewart told the E-Commerce Times. The rescinding of the nondisclosure provisions, and Yahoo’s subsequent publication of the letters “is a good win for transparency and keeping users informed of what’s going on around them.”

The Threat of NSLs

Each of the NSLs certifies that the FBI sought the information to protect national security, or to carry out criminal, counterterrorism or counterintelligence investigations, among other things.

The U.S. District Court for the Northern District of California in 2013 ruled that the nondisclosure provisions the FBI employed were in violation of the First Amendment and the separation of powers. It enjoined the government from issuing NSLs under Section 2709 of the United States Code or from enforcing the nondisclosure provisions.

The Obama administration has appealed the ruling.

The FBI applies the same criteria and procedures to review existing nondisclosure requirements that it uses to assess whether a nondisclosure obligation should be imposed in the first place. When those criteria are no longer met, it terminates the requirement.

Still, “no government branch should be able to circumvent the safeguards of the Constitution and unilaterally acquire information without due process of law,” maintained Yasha Heidari of the Heidari Power Law Group.

“History has shown us that the biggest threat to a citizen’s freedom is that citizen’s own government,” Heidari told the E-Commerce Times. “The NSLs are simply one of the many recent strikes against the Constitution that have recently come to light.”

NSLs “demonstrate just how pervasive government scrutiny is in the area of Internet services,” noted Mike Jude, program manager at Stratecast/Frost & Sullivan.

They “fuel the flames of privacy concerns,” he told the E-Commerce Times.

Data accessed through NSLs raises concerns, as “the government’s ability to securely and properly use the data has often not been adequate,” noted Rob Enderle, principal analyst at the Enderle Group.

“In some if not all cases, this may create a bigger problem than the one the government’s attempting to address,” he told the E-Commerce Times.

NSL Issues Disclosed

The USA Freedom Act “is essentially the government’s attempt at public relations,” Heidari observed, and the FBI’s allowing the publication of the NSLs “is inconsequential.”

How much Yahoo achieved by publishing the NSLs is open to question, as they disclosed nothing of import.

“Like the government, Yahoo gets some positive PR,” Heidari suggested. “It can make the publication seem like a large victory for consumers that it championed.”

The publication “is good cover for Yahoo,” Jude said, because it “helps them demonstrate they’re being compelled to disclose some information.”

The risk for Yahoo is the letters being leaked and outside their control, Enderle suggested.

“This way, they can announce and position the event and perhaps better control the underlying perception,” he reasoned.

“It’s brilliant of Yahoo to publish, and gives them the moral high ground on the privacy issue,” Jude said, noting that other companies might follow Yahoo’s lead.

If that happens, “we might be able to look at these [letters] as data points,” Yahoo’s Stewart remarked.

There’s no reason for other companies not to publish their NSLs, said Heidari, and “get on the PR bandwagon.”