"""You are directed to provide records responsive to this letter electronically to the FBI within 21 business day(s) of receipt of this letter"""
I wonder how the exchange takes place? There's no mention of encrypted mail or anything, just an additional note that regular mail and non-secure fax are not secure enough.
They also seem to have a template of sorts as indicated by the day(s) and the phrasing when it comes to accounting periods vs. 1st to 1st.
I wonder if you can forge (or possibly man in the middle) such a request (there's no digital signature of the letter I suppose). You'd need to set up a fake agent persona with phone number and fake signature. For a criminal organization that doesn't seem to be an unreasonable effort.
>I wonder if you can forge (or possibly man in the middle) such a request (there's no digital signature of the letter I suppose). You'd need to set up a fake agent persona with phone number and fake signature. For a criminal organization that doesn't seem to be an unreasonable effort.
Using fake subpoenas to dox people on IRC seems to be a regular thing, I don't see why not NSLs. (Besides the fact that NSLs might actually receive some scrutiny, so they're probably the inferior choice there)
Still amazed to this day that a guy created fake FBI Google listings, proxied the calls to the FBI, recorded the calls, told the FBI, and nothing happened.
Yahoo's claiming "This marks the first time any company has been able to publicly acknowledge receiving an NSL as a result of the reforms of the USA Freedom Act." -- which is kind of true, in that IA got one released before the reforms!
Actually, IA is both a company and a corporation. It's legally a charitable non-profit corporation, but that's a specific kind of company, not a not-a-company. So, your "technical truth" isn't.
Well, I agree that IA is a corporation as that is a legal structure. Technically a "company" has to be commercial in nature, at least if you go by the dictionary definition.
This is entirely too pedantic though, and it rather upsets me that people feel the need to down vote this.
So apparently the same people, who gag you, sometimes at their discretion may remove the gag. The only thing the law requires is for them to consider doing that.
That's actually important. If maintaining the letters requires some nonzero effort, they'll want to weigh maintaining letters with other things they could be doing with their budget.
I'm not sure if they have to be reapproved by a judge each time. If that's the case, then on average it seems like you'd have greater churn on the letters. And even if there's a near-100% approval rate while investigating, it seems harder to argue to a judge as the years go on.
It won't help if Edward Snowden was the target of your letters, of course.
There should be an automatic expiration date, say 90 days, after which the FBI would need to get another gag order. As it is now, the FBI gets unlimited secrecy until proven secrecy is not necessary. Instead, the burden of proof of the necessity of secrecy should remain on the FBI.
Right, and the companies can sue if they believe that the gag is no longer necessary. It provides a real legal argument for legal action, instead of nebulous moral arguments.
I had to do a double take on the third letter after reading the return address of Microsoft Way. At first I thought Microsoft was issuing NSLs. Turns out the FBI and Microsoft happen to be next door neighbors in Charlotte. I feel like Microsoft ought to consider giving up the street name.
that includes the person's DOB. I wonder what would happen if the individual had used the wrong DOB when creating the request. Could (should?) Yahoo say 'That doesn't match our records' and require a new request?
There is no connection made between the name/DOB/address combo and the email address. If Yahoo only found records matching the email address, then they'd still have to provide those.
Interesting that NSLs don't get the content or subject line of emails. I was under the impression they could get every last scrap of data from anyone with one of these.
Fun fact: these documents were properly redacted by Yahoo. Unlike some PDFs we've seen previously released by NSA (IIRC), which had just black rectangles drawn over the content.
In the past there have been instances where e.g. the Microsoft Word highlight tool has been used to... highlight the paragraph in black, which obviously visibly hides the text but does not remove it (unless only published as an image). Drawing a box directly onto a PDF without re-rasterizing it (or explicitly removing the text from the PDF data) achieves the same effect.
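A pre-release check for the failure described in the two comments above, as an added example that is not part of the thread: it walks a page content stream and reports strings that are still present but sit under a box filled later. The stream is constructed, the names `hidden_text`, `BOXED_ONLY` and `REDACTED` are hypothetical, and only a handful of PDF operators are modelled.

```python
import re

# Constructed sample (not from the released letters): an uncompressed PDF page
# content stream that shows text, then paints a black rectangle over it.
BOXED_ONLY = (b"BT /F1 12 Tf 72 700 Td (Account holder: Jane Example) Tj ET\n"
              b"0 0 0 rg 70 695 220 16 re f\n")
# The same page after real redaction: the text-showing operator is gone.
REDACTED = b"0 0 0 rg 70 695 220 16 re f\n"

# A literal string "(...)" or any other whitespace-delimited token.
TOKEN = re.compile(rb"\((?:\\.|[^\\()])*\)|[^\s()]+")
NUMBER = re.compile(rb"[-+]?\d*\.?\d+")


def hidden_text(stream):
    """Return strings still present in the stream but painted over by a box.

    Simplified model (assumption): only BT, Td, Tj, re and f are interpreted,
    and a string counts as covered when its origin lies inside a rectangle
    that is filled later in the stream.
    """
    operands, pos, step = [], (0.0, 0.0), 0
    texts, rects, pending = [], [], []
    for tok in TOKEN.findall(stream):
        if tok.startswith(b"("):
            operands.append(tok[1:-1].decode("latin-1"))
        elif NUMBER.fullmatch(tok):
            operands.append(float(tok))
        elif tok.startswith(b"/"):
            operands.append(tok)              # name operand such as /F1
        else:                                 # anything else is an operator
            step += 1
            if tok == b"BT":
                pos = (0.0, 0.0)
            elif tok == b"Td":
                pos = (pos[0] + operands[-2], pos[1] + operands[-1])
            elif tok == b"Tj":
                texts.append((step, pos, operands[-1]))
            elif tok == b"re":
                pending.append(tuple(operands[-4:]))
            elif tok == b"f":
                rects += [(step, *r) for r in pending]
                pending = []
            operands = []
    return [s for t, (x, y), s in texts
            if any(r > t and rx <= x <= rx + w and ry <= y <= ry + h
                   for r, rx, ry, w, h in rects)]


if __name__ == "__main__":
    print(hidden_text(BOXED_ONLY))   # text survives under the box
    print(hidden_text(REDACTED))
```

Real PDFs usually store content streams compressed, so an actual check has to decode them first or use a PDF library to extract the text layer before publication.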
Are they actually written with a typewriter? I thought maybe a daisy wheel, but some of the pages are crooked which wouldn't happen like that in a daisy wheel printer.
It seems that the redacted text at the top left of every non-letterheaded page is probably "File No.NSL-XX-XXXXXX" (where the Xs stand for the actual numbers). The file/ref number is at the first page, under the FBI logo and is also mentioned at the end of the letter, for use instead of the letter's details. So, why redact it?
Semi-unrelated. I don't understand how the FBI can require companies to say "0-499" when companies could previously have said "0". It's already obvious that it means that they have received 1-499 (otherwise it wouldn't be an NSL-limited range in the first place), but what happens if you were to do something like the following?
All you have to do in your initial transparency report (before receiving any NSLs) is to just straight-up say "We have received zero NSLs. If in the future we only indicate that we have received a possible range of NSLs, that means we have received at least one NSL".
It's already obvious to most people, but would explicitly stating that to your users (before actually receiving any NSLs) be "pre-contempt"?
No, because if you say zero and say that you will use a range if you have received any, then disclosing a range itself violates the nondisclosure order of the particular NSL received. Explicitly arranging a coded signal to disclose specific information in advance and then sending that signal doesn't evade laws that prohibit disclosing the information.
There's no problem with the proper statement though, the problem is when you follow through with it.
Another issue: once you've received an NSL, can you, in future, report that you've received no NSLs for certain periods, or must you still use the 0-499 thing?
IANAL, but I believe you are allowed to offer either quarterly or semiannual updates to your NSL amounts. Anything more specific than that would not be allowed.
Is it? Have there been any suits/appeals dismissed based on a lack of standing due to an NSL being inadmissible? Or has there been any dismissal for other reasons (e.g. national security reasons) that might now be able to be revisited now that some NSLs are becoming public record?
It looks like they immediately removed them? From the bottom:
> Note: The letters we released have been redacted to protect the identities of the FBI agents involved in the investigations, our own personnel, and the Yahoo users affected by the NSLs. The affected users received notice of the NSLs directly from us under our User Notice Policy.