On January 27, 2014, the Department of Justice announced that the federal government has approved new reporting methods that electronic communications providers can use to inform subscribers about national security demands. Yahoo, Facebook, Microsoft, Google, and LinkedIn had brought suit in the Foreign Intelligence Surveillance Court (“FISC”), challenging the government’s classification of aggregate data about demands and seeking the right to make additional disclosures.
The first of the newly approved reporting methods permits a provider to group together all of the national security process (including FISA Orders, Directives and National Security Letters (“NSLs”)) it has received in a given six-month period, and report the total number of orders received within set bands of 250 (for example, 0-249, 250-499, 500-749). The provider can, additionally, group together all “customer selectors” (i.e., accounts) targeted by any type of national security process, and report the total number of “customer selectors” targeted in orders received within set bands of 250.
For an example of this type of disclosure, see the amended Transparency Report published by Apple on January 27.
The second of the newly approved reporting methods permits a provider to separate out the types of orders received into the following categories, but in so doing, must use larger bands of 1000, starting at 0-999 (for example, 0-999, 1000-1999, 2000-2999):
- Number of NSLs received
- Number of customer accounts affected by NSLs
- Number of FISA orders for content
- Number of customer selectors targeted by FISA content orders
- Number of FISA orders for non-content
- Number of customer selectors targeted by FISA non-content orders
If a provider chooses this route, there are additional restrictions. For FISA orders, publication must come at least 6 months after the end of the reporting period (so, for instance, a reporting period ending on 12/31 cannot be published until 7/1). In addition, when a company receives the first process requesting data pertaining to a platform, product or service for which no previous process (presumably national security process) has been received and which is designated a “New Capability Order,” the company cannot disclose the order for 2 years after it is served.
By Marc Zwillinger and Dan Sachs