A Developer’s Guide to Responding to National Security Letters

February 02, 2018
Written by
Twilio
Twilion

Twilio Bug Logo

When the FBI Shows Up at Your Office with an NSL

When you receive thousands of requests from law enforcement each year, it’s actually not a surprise when a representative from the FBI shows up at your office to deliver a request for information. There are no cloaks or daggers involved, just a sealed manila envelope.

The San Francisco FBI office is very familiar with working with tech companies and will reach out with a call or email to find a time to stop by.  If parking is bad – like it often can be around the Twilio office – the FBI representative might even be willing to hand you the request right on the street.

So receiving government requests for information can be a fairly administrative, straightforward process.

But as we outlined in a blog post in July, National Security Letters are unusual for requests because they’re steeped in secrecy.  That’s because the US Department of Justice is able to issue such requests without the oversight of a court, and these requests contain strict nondisclosure requirements.

That means companies – including Twilio – haven’t been able to notify users when they received National Security Letters, or even include the specific number of these requests they’ve received in transparency reports.

Companies – including Twilio – have begun requesting judicial review to see whether the nondisclosure requirement of National Security Letters they have received is necessary.

In some cases, after review, the Department of Justice will drop the nondisclosure requirement and permit companies to notify their users, restate the range of National Security Letters received in their transparency reporting, and publish the National Security Letters and the letters from the DOJ that allow the company to do so.

That’s what happened with Twilio and the two National Security Letters we posted.

Note that the information we redacted was either requested by the DOJ or to protect the potentially personally identifiable information of the Twilio customer(s).

Best Practices in Responding to National Security Letters

When Twilio receives a National Security Letter, we have a checklist that we’re happy to share with you.

  1. Verify the request is a real legal request.
    We verify that it’s an actual representative of the FBI (yes there’s a cool badge). And we verify the request is actually addressed to Twilio.
  2. Review the info being sought and any restrictions included in the request. / Determine whether you will try to narrow the scope.
    We check to make sure it’s information we actually have, and determine whether we will seek to narrow the scope of the information requested.
    As we cover in our July 2017 Best Practices for Responding to Government Requests for Information post, there’s a reason agencies ask for a wide range of information as a default, and companies can push back on that default request.
  3. Issue an initial objection response that requests review.
    We confirm receipt and indicate our objection to the nondisclosure requirement and requesting judicial review.
    Here’s a template for requesting judicial review that you can adapt for your own use.

In response to Twilio following the process above and issuing a request for judicial review, the Department of Justice withdrew their nondisclosure requirements on the two National Security Letters we’ve published.

As you can see in the responses, in the National Security Letter dated May 24, 2017, Twilio was directed to provide the information requested but permitted to notify our customer, which we did.

In the National Security Letter dated May 19, 2017, the US Department of Justice withdrew the request entirely rather than proceed with judicial review. Because Twilio did not furnish a response to the information requested, we did not notify our specific customer(s) of the existence of the request. However, for the sake of furthering the public discourse on National Security Letters, we are publishing a copy of the request and the response authorizing us to do so.

So when we received responses from the DOJ to our request for judicial review following the template linked above, we added new items to our checklist in relation to replying to the request with the requested information and notifying the customer(s) that we did so:

  1. Respond to the agent with the information requested.
    We furnish our formal response with the information requested and notify the agent that we intend to notify the customer, citing the document we received waving the nondisclosure requirement.
  2. Notify customer(s).
    We notify our customer that we have received and will respond to a request for information.
    Twilio’s commitment to notify customers that we have responded to a request for information, when not prohibited from doing so by law, is in our Privacy Policy.
  3. Restate Transparency Reports.
    We update the relevant Transparency Report to revise the number range of National Security Letters received.
  4. Publish properly redacted copies of the NSL and the DOJ response permitting disclosure.
    We publish copies of the National Security Letters on our website redacting personal information about the requesting agent per the DOJ’s guidelines and customer-identifying information.If Twilio has received additional National Security Letters and if Twilio obtains permission to confirm receipt of such requests, we pledge to publish these letters.

Ongoing Privacy and Free Speech Concerns

Adopting a process for dropping nondisclosure requirements is an important step toward transparency, accountability and oversight, and we commend the Department of Justice for instituting this practice and encourage the continued review of this process.

But there’s still a long way to go for full oversight and accountability. Twilio and other companies are still prevented from disclosing the specific number of National Security Letters received, and Twilio continues to object to blanket nondisclosure requirements. Twilio believes that government requests should not be issued in secret, and should only be issued with the proper transparency, accountability and oversight that judicial review provides.

The process for receiving and responding to National Security Letters has become less opaque, but there’s still more room for sunlight.

In that spirit of openness, for questions or comments please reach us at: transparency@twilio.com.

Please note that these best practices do not constitute legal advice. You should consult an attorney if you have any questions in how to respond to requests for information from government agencies. For example, even with the nondisclosure requirement, National Security Letters expressly permit the recipient to consult “an attorney to obtain legal advice or legal assistance with respect to this letter.”