Best Practices for Responding to Government Requests for Information

Best Practices for Responding to Government Requests for Information

Twice a year, Twilio publishes a transparency report to inform our community of how many government requests for information we received, how we responded to the requests, and how we notified the affected users. You can find Twilio’s reports, including the one for the First Half of 2017, on our website and on Github.

When viewed across industries, transparency reports provide insight on important public policy considerations around civil rights, data privacy and public safety.  A prime example of this is how companies, including Twilio, discuss the privacy and free speech concerns caused by National Security Letters.

In accordance with the USA Freedom Act of 2015, the US Department of Justice has recently notified some companies that the nondisclosure order on some National Security Letters they received had expired. As a result, some companies were able to confirm that they had in fact received National Security Letters over a set time period and were able to publish redacted versions of some of the letters they received.

We at Twilio are encouraged by this effort to increase transparency and continue to oppose the prohibition on companies from disclosing the specific number of National Security Letters they receive. We also object to the overbroad application of gag orders. Government requests should only be issued with proper transparency, accountability and oversight.

In that spirit, here are two best practices your company can employ when working with government agencies to refine requests for information:

1. Request judicial review when it is not automatically sought by an agency
2. Work with agencies to narrow the scope of requests

Request judicial review when it is not automatically sought by an agency

In the United States, most government requests for information issued are signed by a judge. However, both domestically and internationally, some common requests for information are issued directly by government agencies without judicial authorization.

Judicial review is an important check by the courts to ensure a request for information has been properly issued and that any limitations imposed by the request, such as restrictions on disclosing the existence of the request, are necessary and legally enforceable. National Security Letters do not appear to receive this oversight review.

Twilio complies with requests that include valid and enforceable legal process that compels production of the information requested. However, when we receive a request for information that hasn’t been signed by a judge and demands non-disclosure, we will ask the requesting agent to obtain a legal document that includes judicial authorization.

You can adopt the same best transparency practice.

Automattic’s blog on National Security Letters includes a Google Doc template to help companies push back when they receive requests for information that include non-disclosure requirements and have been issued without judicial review.

National Security Letters understandably receive a great deal of coverage in transparency reporting given their importance and the secrecy surrounding their issuance, but they represent a mere fraction of the requests for information issued by US agencies, let alone worldwide.

Work with agencies to narrow the scope of requests

Many agencies issue thousands of legal requests each day, and in order to scale, they may issue templated requests that include a default date range. This range can expand well beyond the scope of the specific investigation and may inadvertently include unassociated user records.

Similarly, boilerplate requests may ask for a wide range of sensitive content and location data, when in fact the requesting agent is simply seeking a user’s contact information.

Twilio thoroughly reviews each request for information we receive. As part of that review, we attempt to determine whether the request has been properly issued, whether we have the data sought and whether the full scope of information requested is likely to be relevant.

Before responding to a request with records, you can ask the agent to confirm whether the full scope of data requested is required for the investigation.

You can also publish guidelines for law enforcement and government agencies that outline the process for submitting a request, what level of documentation you require in order to respond to the request, and an overview of the types of customer data that you can access.

Publishing these guidelines isn’t just a transparency technique, it can also streamline the process for the government agents issuing requests, getting them the right information they need for the sake of public safety as quickly as possible.

Do you publish a transparency report or guidelines for law enforcement? We’d love to see them. We also welcome specific questions or feedback on Twilio’s transparency reporting.

You can reach us at transparency@twilio.com.