More Transparency For U.S. National Security Requests

You may have heard that the U.S. government issued a new policy last week that lets Internet providers disclose more about the U.S. national security requests they receive. Yahoo and other tech companies fought vigorously in court for the right to share such information. We’re pleased that the Department of Justice has embraced the compelling need for greater disclosure.

In light of the new policy, we’re updating the disclosures we provided to you in Yahoo’s first global transparency report last September with more detailed information about the number of U.S. national security requests we receive. As we said then, the number of Yahoo accounts specified in global government data requests comprised less than one one-hundredth of one percent (<.01%) of our worldwide user base for the reporting period.

The U.S. government limits how we can report its national security requests. For example, such requests must be reported in ranges, rather than in exact numbers, and information about requests made under the Foreign Intelligence Surveillance Act (FISA) must be delayed six months. (You can read the government’s reporting limitations here. We’ve adopted the disclosure option that lets us provide the most information to you about both the type and number of requests we get.)

The numbers reported below represent the number of U.S. national security requests received by Yahoo that were effective during the reporting period and the number of accounts about which data was sought. This is the maximum amount of detail that the U.S. government allows.

Reporting period: January 1 – June 30, 2013

image

Reporting period: July 1 – December 31, 2013

image

FISA Requests are compulsory legal process reviewed and approved by the Foreign Intelligence Surveillance Court that require companies to disclose information about their users in national security investigations.

  • FISA Requests for Disclosure of Content may be used to get content that users create, communicate, and store on or through our services. This could include, for example, words in an email or instant message, photos on Flickr, Yahoo Address Book or Calendar entries and similar kinds of information.
  • FISA Requests for Disclosure of Non-Content Data (NCD) are limited to NCD such as alternate e-mail address, name, location, and IP address, login details, billing information, and other transactional information (e.g., “to,” “from,” and “date” fields from email headers).

NSLs are national security requests approved by the Federal Bureau of Investigation that require companies to disclose information such as the names, addresses and length of service of their users. They may not be used to request content.

The Number of Accounts is typically larger than the number of users and accounts involved because an individual user may have multiple accounts that were specified in one or more requests, and if a request specified an account that does not exist, that nonexistent account would nevertheless be included in our count.

What’s next?

As always, Yahoo will continue to protect the privacy of our users and to ensure our ability to defend it. This includes advocating strenuously for meaningful reform around government surveillance, demanding that government requests be made through lawful means and for lawful purposes, and fighting government requests that we deem unclear, improper, overbroad, or unlawful.

Yahoo updates its full global transparency report every six months and will update it again in the next few months. We’re also pleased to share with you that our colleagues at tumblr released their first global transparency report today too.

By Ron Bell, General Counsel, and Aaron Altschuler, Associate General Counsel, Law Enforcement and Security