National Security Orders

To resolve a dispute that began last year after former government contractor Edward J. Snowden revealed that F.B.I. and National Security Agency surveillance programs rely heavily on data from U.S. email providers, video chat services, and social networking companies, the Department of Justice (DOJ) has agreed to permit communications providers to make more detailed disclosures about the number of national security orders and requests they received and the number of customer accounts targeted under those orders and requests. In return, the firms that filed the lawsuits against the government in the Foreign Intelligence Surveillance (FISA) Court seeking the ability to publish more information about the requests (Google, Inc., Microsoft Corp., Yahoo, Inc., Facebook, Inc., and LinkedIn Corp.) agreed to seek dismissal of the lawsuits with prejudice.

 

Under the new DOJ procedures, providers now have two options for informing their customers about government requests for data:

Under the first option, a provider may report aggregate data in the following separate categories:

1.     Criminal process, subject to no restrictions.

2.     The number of National Security Letters (NSLs) received, reported in bands of 1000 starting with 0-999.

3.     The number of customer accounts affected by NSLs, reported in bands of 1000 starting with 0-999.

4.     The number of FISA orders for content, reported in bands of 1000 starting with 0-999.

5.     The number of customer selectors targeted under FISA content orders, in bands of 1000 starting with 0-999.

6.     The number of FISA orders for non-content, reported in bands of 1000 starting with 0-999.

7.     The number of customer selectors targeted under FISA non-content orders. in bands of 1000 starting with 0-999.

Providers may publish FISA and NSL numbers every six months. For FISA information, a six-month delay will apply between publication data and the period covered by the report. In addition, a delay of two years will apply for data related to the first order that is served on a company for a platform product, or service (whether developed or acquired) for which the company has not previously received such an order, and that is designated by the government as a “New Capability Order.” The delay is necessary because disclosure would reveal that the platform, product, or service is subject to previously undisclosed collection through FISA orders.

The two-year delay does not apply to a FISA order directed at an enhancement to or iteration of an existing, already publicly available platform, product, or service when the company has received previously disclosed FISA orders of the same type for that platform, product, or service. A provider may include in its transparency report general qualifying language regarding the existence of this additional delay mechanism to ensure the accuracy of its reported data, to the effect that the transparency report mayo r may not include orders subject to such additional delay (but without specifically continuing or denying that it has received such new capability orders).

Under the second option a provider may report aggregate data in the following separate categories:

1.     Criminal process, subject to no restrictions.

2.     The total number of all national security process received, including all NSLs and FISA orders, reported as a single number in the following bands: 0-249 and thereafter in bands of 250.

Background

In 2013, the government agreed that providers could report in aggregate the total number of all National Securityrequests received for customer data, including all criminal process, NSLs, and FISA orders, and the total number of accounts targeted by those requests, in bands of 1000. In the alternative, the provider could separately report precise numbers of criminal process received and number of accounts affected, thereby, as well as the number of NSLs received and the number of accounts affected thereby in bands of 1000. Under this latter option, however, a provider could not include in its reporting any data about FISA process received.