Automattic Releases Five Un-Gagged National Security Letters

Another batch of FBI National Security Letters has been released, thanks to the expedited review process instituted by the USA Freedom Act. Automattic, the company behind Wordpress, has released five NSLs dating back to 2010, as the result of successful nondisclosure challenges.

Each of the NSLs that we are publishing initially included an indefinite nondisclosure requirement that prohibited us from sharing any information about the letter or publicly acknowledging that we received an NSL.

We recently requested that these nondisclosure requirements be lifted, under the "reciprocal notice" procedures of the USA FREEDOM Act. More detail on the procedures that we followed is below.

In response to our requests, the FBI lifted the gag orders with respect to all information in each of the NSLs we are making available today. Before publishing the letters publicly, however, we decided to redact the following information from each letter: (1) the site URL about which the government requested information, (2) names of Automattic personnel to whom the request was addressed, and (3) name and contact information for the FBI personnel involved in making the information request.

We made these limited redactions in order to protect privacy interests. The NSLs are otherwise what we received when they were served onto us.

The five NSLs are identical. (PDF links included at the bottom of the Automattic post.) Automattic responded to four of those, but had none of the information requested for the fifth. After the gag orders were lifted by the FBI, Automattic informed the targeted users.

The boilerplate NSLs ask for far more info than the FBI's own legal guidance suggests it should be able to request. A 2008 DOJ legal memo says NSLs should be constrained to "phone billing records." The FBI has apparently decided to interpret this as any and all electronic transactional records when it comes to internet service providers. Here's what's requested in the Automattic NSLs:

• Subscriber name and related subscriber information
• Account number(s)
• Date the account opened or closed
• Physical and or postal addresses associated with the account
• Subscriber day/evening telephone numbers
• Screen names or other on-line names associated with the account
• All billing and method of payment related to the account including alternative billed numbers or calling cards
• All e-mail addresses associated with the account to include any and all of the above information for any secondary or additional e-mail addresses and/or user names identified by you as belonging to the targeted account in this letter
• Internet Protocol (IP) addresses assigned to this account and related e-mail accounts
• Uniform Resource Locator (URL) assigned to the account
• Plain old telephone(s) (POTS), ISDN circuit(s), Voice over internet protocol (VOIP), Cable modem service, Internet cable service, Digital Subscriber Line (DSL) asymmetrical/symmetrical relating to this account
• The names of any and all upstream and providers facilitating this account's communications

This is where the FBI starts digging, apparently. By demanding all this info from a single service provider, the FBI can issue NSLs and subpoenas to a large number of additional third parties, even though the DOJ's legal guidance suggests the FBI's NSL requests should be far more constrained.

The recently-instituted challenge options are better than what was in place previously, but Automattic points out there's still plenty of room for improvement.

We also continue to believe that NSLs pose serious constitutional concerns, particularly because they indefinitely prevent companies like us from speaking about them, and informing our users or the public about the NSLs that we receive. The procedures used to lift nondisclosure requirements are flawed because they put the burden of seeking an end to secrecy almost entirely on the companies, like Automattic, who receive NSLs.

The FBI has almost zero legal obligation to perform proactive reviews of issued NSL gag orders. Recipients must spend their time and money challenging them. Fortunately, the challenge process now requires much less of these scarce resources. Automattic has its own boilerplate form for challenging boilerplate NSL gag orders -- one it's willing to share with any NSL recipient --- so we should be seeing more of these released in the near future.