Yahoo Publishes Letters From the FBI Requesting Private Email Metadata

It's the first look at the government's specific demands.


When the government requests data from tech companies, the demands are far-reaching, compulsory, and, above all, secret.

Three National Security Letters (NSLs) from the FBI were published today by Yahoo, and they show previously unseen specifics of the demands the government makes on service providers. According to Yahoo, it is the “first time any company has publicly acknowledged receiving an NSL following the reforms of the USA Freedom Act.”

Prior to the USA Freedom Act's passage in May of 2015, companies were not allowed to publicly disclose specific demands, only how many demands the government made. Yahoo was able to publish the three letters today because the USA Freedom Act requires the FBI to judge whether specific NSL nondisclosure requirements are still necessary. The letters were from April 2013, August 2013, and June 2015, and Yahoo complied with the demands in the letters.

Some of the data was redacted for privacy reasons, but the letters still show the stark reality companies faced under the USA Patriot Act when it comes to government data collection requests.

The header of the FBI request.


Far-reaching demands and long date spans

The letters demand that Yahoo hand over names, addresses, and the length of service for specific accounts. One letter also asked for bank accounts, IP addresses, and other associated email accounts.

The FBI was not able to request the content of communications such as subject lines and what is in the body of emails. Yet, as a recent study on phone metadata shows, it’s easy to draw conclusions even without what the government defines as “content.”

The requests also encompass a wide time span. The letters specify that all data from the user’s “inception,” or when the account was made, to the present is to be handed over.

Demands on data are not an option

The letter to Yahoo details how a company can challenge disclosing information to the FBI. It’s a lengthy process that must be initiated 10 days after the letter is received, and involves court orders and federal judges.

If a company doesn’t challenge the disclosure or comply with the demands and nondisclosure requirements, that failure “may result in the United States bringing an enforcement action.”

Secret for the person being watched, and for the general public

Above all, everything stated in the letter, and the letter itself, must be kept secret. Each letter contained nondisclosure requirements that kept anyone at Yahoo or anyone who saw the letter from telling the public that the letter exists at all.

The reasoning, according to the letters, is that alerting the public that the FBI wants specific information on an account “may endanger the national security of the United States; interfere with a criminal, counterterrorism, or counterintelligence investigation; interfere with diplomatic relations; or endanger the life or physical safety of a person.”

The wide net of government data collection was slightly trimmed when the USA Freedom Act passed. And, as Yahoo’s head of global law enforcement, security, and safety Chris Madsen writes, the letters “demonstrate the importance of hard-fought reforms to surveillance law achieved with the passage of the USA Freedom Act.”