Transparency. We aim for it in most everything we do at Automattic.
When it comes to legal demands from the government, being fully transparent can be hard and even impossible in cases where we are prohibited by law from revealing information about a legal request we receive. Nowhere is the lack of transparency more controversial than in the area of National Security Letters (“NSLs”).
Today we are releasing and publishing redacted versions of five NSLs, which we hope will add to the public’s understanding of this legal tool and help inform the debate about their scope and use.
We would also like to share some information about the process we followed to lift the nondisclosure restrictions associated with these NSLs and provide copies of our correspondence with the government on this subject. We hope this information will be useful to other companies who may wish to take advantage of the legal options that are currently available to challenge NSL nondisclosure orders.
What is an NSL?
NSLs are a form of government legal process (like a subpoena) used to request information from communications service providers, like phone and internet companies, about their users in national security investigations.
NSLs are legally controversial because no judge reviews the information demands before they are issued, and they often come with a nondisclosure requirement (also known as a “gag order”) that lasts for an indefinite amount of time and can end up being permanent. An NSL gag order legally prohibits the recipient (often an internet company like Automattic) from sharing a copy of the NSL with the user whose account info is being requested. It also prevents the company from sharing any information about the NSL publicly, or from even making a public statement that they received the NSL at all. Instead, the government allows NSL recipients to report the number of NSLs they receive in a broad range, which is designed to give the public an idea of the number of NSLs received during a certain period of time. This is why we reported receipt of 0-249 NSLs for certain periods covered by our Transparency Report.
The EFF has published a comprehensive set of resources about NSLs here, if you’re interested in learning more about them.
National Security Letters Received by Automattic
Below are redacted copies of five National Security Letters received by Automattic between 2010 and 2013.
Each of the NSLs that we are publishing initially included an indefinite nondisclosure requirement that prohibited us from sharing any information about the letter or publicly acknowledging that we received an NSL.
We recently requested that these nondisclosure requirements be lifted, under the “reciprocal notice” procedures of the USA FREEDOM Act. More detail on the procedures that we followed is below.
In response to our requests, the FBI lifted the gag orders with respect to all information in each of the NSLs we are making available today. Before publishing the letters publicly, however, we decided to redact the following information from each letter: (1) the site URL about which the government requested information, (2) names of Automattic personnel to whom the request was addressed, and (3) name and contact information for the FBI personnel involved in making the information request.
We made these limited redactions in order to protect privacy interests. The NSLs are otherwise what we received when they were served onto us.
In response to four of the letters, we produced information that was responsive to the government’s request. We did not have user information that was responsive to one of the NSLs, and did not produce any information as a result.
Before publishing these letters publicly, we notified each WordPress.com account holder whose information was requested or produced under the NSLs we received, and provided them with a copy of the relevant NSL.
Legal Review of Nondisclosure Requirements
The USA FREEDOM Act, passed in 2015, includes two avenues under which an NSL nondisclosure requirement might be reviewed and lifted.
First, the Act requires the FBI to periodically review the NSLs that they have issued and determine whether their nondisclosure requirements are still necessary. As a result of these reviews, the FBI has terminated gag orders for at least a handful of NSLs. We know, for example, that two companies were able to discuss and publish NSLs for the first time as a result of this periodic review: Yahoo released three NSLs in June 2016 and Google released eight NSLs in December 2016.
Second, the statute provides a mechanism under which the recipient of an NSL, like Automattic, has the right to ask the FBI to review the nondisclosure requirement accompanying an NSL. This process is referred to as “reciprocal notice.” If an NSL recipient invokes reciprocal notice, the FBI must review the NSL within 30 days and decide whether the nondisclosure requirement is still necessary. If the FBI decides it is not, it lifts the gag order. If the FBI decides that secrecy is still needed, the government must seek review of the nondisclosure requirement in federal court. A judge then reviews the nondisclosure requirement to determine if it should stay in place, needs to be modified, or should be terminated.
It is our policy to invoke the reciprocal notice procedure for any NSLs we receive. If and when a nondisclosure requirement is lifted, our policy is to share the contents of the NSL with any affected users where possible, as well as to publish a version of the NSL.
In May 2017, we sent letters to the FBI invoking the reciprocal notice procedure for each of the five NSLs that we are publishing today. Though each of the NSLs is several years old (the oldest letter dates back to 2010), we have a strong commitment to transparency and thought it was important to do what we could to disclose NSLs to our affected users and the public, even though these disclosures are several years after the fact.
In response to our letters, the FBI declined to seek judicial review of any of the five nondisclosure requirements. Instead, the government lifted the nondisclosure requirement for each letter, allowing us to share a copy of each letter publicly, with voluntary redactions to protect the privacy of the people involved.
Based on our correspondence with the government, we’ve developed a form reciprocal notice request here in Google Docs format. If your company has received an NSL in the past and you would like the government to review the letter’s nondisclosure requirement, this form may be useful to you. We have also included a copy of the FBI’s response to each of our request letters (see below).
Automattic’s Commitment to Transparency
We believe that the government does critically important work to protect our national security, and that investigative tools like NSLs are necessary to that work. At the same time, we take our commitment to transparency very seriously, and believe that our users and the public have a right to be informed about the nature of the tools that the government uses to conduct investigations and the scope of their use. That is why we worked to lift the gag orders on the NSLs that we are releasing today. We hope that the information we’ve published adds to the body of knowledge and helps inform the important public debate about NSLs.
We also continue to believe that NSLs pose serious constitutional concerns, particularly because they indefinitely prevent companies like us from speaking about them, and informing our users or the public about the NSLs that we receive. The procedures used to lift nondisclosure requirements are flawed because they put the burden of seeking an end to secrecy almost entirely on the companies, like Automattic, who receive NSLs. Though flawed, these procedures are all we have for now. We were able to use them to remove the nondisclosure orders on the letters we publish today and would like to see other companies who have received NSLs follow the same path.
Redacted NSLs (pdf)
Redacted FBI Response Letters (pdf)