Late last night, Apple released its latest transparency report, covering government requests for the second half of 2016. There were a number of new sections in the report — including more data on emergency requests, account deletions, and non-criminal data demands — but what stood out most was the section on National Security Letters, a controversial legal method used to secretly demand customer data. That section included a surprising line item, reporting a single declassified national security letter from the US government. The same report revealed more than 5,000 such requests in the second half of 2016, all still classified for reasons of national security. For some reason this one had lost its classified status. What could it mean?
Unfortunately there’s still not much hard data beyond what’s in the report. While the order is no longer classified, it’s still secret, possibly under court seal or another judicial protection. Apple declined to give any details on the nature of the request as a result. But there’s reason to think the order isn’t quite as unique as it looks, and this kind of abrupt declassification isn’t limited to Apple.
Apple has received more than 10,000 National Security Letters since 2015
The declassification is most likely the result of the USA Freedom Act, a surveillance reform bill passed in 2015. The law orders a periodic review of all the decisions made by the FISA court, which rules on all classified surveillance requests. That includes National Security Letters, which are typically classified and subject to complex gag orders preventing companies from describing them in any detail. If a given letter no longer needs to be classified, the review will declassify it, removing the gag order on the target company.
The law is nearly two years old, but we’re still figuring out exactly how that review will work in practice — but yesterday’s announcement is just the kind of declassification you’d expect. The first declassifications started rolling in during June 2016, just as the window on Apple’s latest transparency report was opening. According to transparency reports, the company has received more than 10,000 National Security Letters since 2015 — so it’s no surprise that there would be one ready for declassification.
Like most privacy victories, it’s bittersweet
We’ve seen other tech companies go through this process. In June 2016, Yahoo revealed three National Security Letters it received from the FBI, made public after a Freedom Act review. Six months later, CloudFlare made a similar announcement, revealing a single letter after a long legal fight and Freedom Act review. Twitter revealed two declassified letters, while Google revealed eight, most of which asked for the name, address and length of service for the targeted account.
But while the declassifications have been trickling in for a while, companies still don’t seem quite sure what to do with them. Yahoo got clever, changing its block reporting from “0-499” to “1-499,” but with declassifications coming in years after the fact, there’s no clear standard for how to report a declassified letter. Apple’s letter is another try at how you might share the news, but even then, it’s left users with more questions than answers.
In the background of all of it is the frightening reach of National Security Letters overall. Despite Apple’s full-throated defense of privacy in the San Bernardino case, most iPhone users still store vast amounts of data in iCloud, where it’s accessible to warrant requests. A National Security Letter means federal agents can get access to that information without ever presenting evidence in public court. Even if the order is ultimately declassified, it will be years before anyone’s aware of it. Apple’s declassified order is good news, to be sure, but it’s just one out of thousands of such orders, made public only after years of legal work and an uphill legislative fight. Like most privacy victories, it’s bittersweet. Despite the best efforts of Apple and others, there’s still a lot of secrecy in how law enforcement accesses remotely stored data — and chipping away at that secrecy is still very slow work.