The FBI attempted to get data on more than a thousand Google accounts last year without a warrant, Google has revealed.
Instead, the Bureau used a procedure known as a National Security Letter – which Google has never before discussed in detail. They are used, generally, to gather information for criminal investigations.
“The FBI has the authority to prohibit companies from talking about these requests,” says Richard Salgado, Google’s legal director for law enforcement and information security.
“But we’ve been trying to find a way to provide more information about the NSLs we get — particularly as people have voiced concerns about the increase in their use since 9/11.”
Google’s solution is to report the number of requests in terms of numerical ranges rather than exact numbers, sidestepping concerns raised by the FBI, Justice Department and other agencies that releasing exact numbers might reveal information about investigations.
As a result, it’s pretty vague. In every year between 2009 and 2012 the company received under 1,000 NSLs in the US. In 2009, 2011 and 2012, it says, these letters related to between 1,000 and 2,000 accounts, 2011’s requests covering between 2,000 and 3,000.
Even this limited data, though, represents a big first – as no internet company has ever before revealed that it’s received any NSLs at all.
NSLs are permitted under the Electronic Communications Privacy Act (ECPA) 18 USC section 2709, allowing the FBI to seek ‘the name, address, length of service, and local and long distance toll billing records’ of a subscriber to a wire or electronic communications service.
But, says Google, the FBI can’t use NSLs to obtain anything else, such as Gmail content, search queries, YouTube videos or user IP addresses.
The use of NSLs, as Selgado says, appears to have become much more idespread since the 9/11 attacks, thanks to the Patriot Act. The FBI doesn’t need court approval to issue one, but must provide written certification to show that the information requested is ‘relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities’.
Google doesn’t reveal to what extent it complied with requests – although it appears that from July 2010 onwards it complied with them all, at least in part.
“When possible and legal to do so, we notify affected users about requests for user data that may affect them,” it says. “And if we believe a request is overly broad, we will seek to narrow it.”