One of the FBI's most secretive tactics, under which it's allowed to send a tech company a letter that demands data on a user—and then force that company to stay quiet about the whole thing—is now a lot more public.
Yahoo has, for the first time, published three National Security Letters. NSLs are used by the FBI to get information, and they're particularly controversial because they don't require a warrant or allow the recipient to acknowledge them. But, thanks to the USA Freedom Act, signed into law almost exactly a year ago, the FBI periodically must reconfirm that an NSL's gag order is still relevant.
The fact that Yahoo published these three indicates the NSLs refer to cases that have concluded. Only a handful of NSLs have ever been published, meaning it's impossible for the public to have a good sense of how often they're sent.
The three letters follow a clear pattern. The first two are dated March 29 and August 1 of 2013, and both by agents in Dallas. The third was sent just May 29, 2015 by an agent in Charlotte, North Carolina. All three ask for information on a single, presumably different, owner of a yahoo.com email address.
"Our understanding is that the vast majority of NSLs of these kind that are issued go to tech companies, and that it's a basic tool that the FBI uses to start investigations involving people's communications," Andrew Crocker, a staff attorney at the Electronic Frontier Foundation, told Vocativ. He added that there are other standard forms of NSLs for other industries, like banks and travel agencies.
What's most revealing about the Yahoo letters is the scope of information they demand. All ask for "electronic communications transactional records," which is to be expected from an NSL. But each letter includes an attachment showing just what that phrase is supposed to mean—something that hasn't been public since a controversial NSL from 2004.
In short, it's practically anything the FBI could consider metadata, as asking for a user's actual emails or chats would require a warrant. Everything else, though, is fair game, and includes the dates an account opened, the IP addresses used to log in, any physical address or phone number associated with the account, the credit card number it used to pay for any service, any listed aliases—pretty much anything a user gives when they create an account. Metadata also includes email header information, so with whom an account was communicating along with the associated subject line.
Each wanted essentially all information, save the actual contents of emails and chats, associated with a single Yahoo email address. (Presumably they were after different addresses, though the account name is redacted in each case.)
Further down, the letter details to the extent to which Yahoo is instructed to act as if nothing has happened. "While fulfilling your obligations under this letter, please do not disable, suspend, lock, cancel, or interrupt service to the above-described subscriber(s) or accounts. A service interruption or degradation may alert the subscriber(s)/account user(s) that investigative action is being taken." It further prohibits anyone with knowledge of the letter "from disclosing this letter, other than to those to whom disclosure is necessary to comply."