National Security Letters sit in an unusual legal space. They're administrative subpoenas — meaning they're issued by an executive agency, not a court — with the distinctive feature that disclosure is a criminal offense. They exist at the intersection of intelligence law, First Amendment law, and the practical mechanics of how the US government accesses private communications data. Understanding them is essential to evaluating any claim that a service "protects you from government access."
What an NSL Is
An NSL is a written demand from the FBI for records held by a third party, issued under one of several statutory authorities. The most commonly invoked is 18 U.S.C. § 2709, which applies to electronic communication service providers and authorizes the FBI to demand subscriber information and transactional records (not content) when the records are "relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities."
Additional NSL authorities cover financial records (Right to Financial Privacy Act), credit records (Fair Credit Reporting Act), and telephone records. The § 2709 authority — covering ISPs, email providers, and messaging services — is the one most relevant to technology companies.
The key characteristics:
- No judicial approval required — a senior FBI official signs the NSL; no judge reviews it before issuance
- Permanent gag order by default — the recipient is prohibited from disclosing that they received the NSL or that they complied with it
- Limited to non-content records — subscriber information, metadata, transactional records; not message contents
- Compliance is mandatory — noncompliance is punishable by law
The Gag Order and Its Legal Challenges
The nondisclosure provision of § 2709 has been litigated extensively. In 2004, a district court in New York found the gag provision unconstitutional as applied to the Internet Archive (a case brought under the pseudonym John Doe v. Ashcroft), holding that the permanent gag with no judicial review mechanism violated the First Amendment. The case eventually reached settlement.
The USA FREEDOM Act of 2015 introduced some modifications: NSL recipients can now petition a court to modify or lift the nondisclosure requirement, and the FBI must periodically review whether nondisclosure is still necessary. Courts applying this process have occasionally lifted gag orders, allowing some NSL recipients (including Nicholas Merrill, who received an NSL in 2004 as an ISP operator) to eventually speak publicly about their experience — years after receiving the letter.
The gag order creates an information asymmetry that is difficult to remedy through oversight mechanisms. Congress receives aggregate statistics (the number of NSLs issued annually). Individual recipients can't speak. Targets never know they were subjects. Judicial review comes after the fact, if at all. The combination means that most NSL use is structurally invisible to the people it affects.
The DOJ Inspector General has reviewed NSL use multiple times and documented misuse: NSLs issued outside their statutory authority, NSLs with factual errors, NSLs that sought information beyond what was legally authorized. In response to IG findings, the FBI implemented additional internal controls. Whether those controls are effective is difficult to assess independently.
Scale: How Many NSLs Are Issued
The FBI is required to report NSL statistics to Congress, and those statistics are published. The numbers are substantial. In the years following the PATRIOT Act's 2001 expansion of NSL authority, the FBI issued tens of thousands of NSLs annually. The reported number declined after the Snowden disclosures in 2013, and more significantly after the USA FREEDOM Act in 2015 changed the bulk collection rules that NSLs had supported.
More recent figures (as reported in the DOJ's semi-annual reports to Congress) show NSL issuance in the low thousands per year, affecting a larger number of individual targets since a single NSL can request records on multiple people. These are self-reported figures; the structure of the gag means there's no independent verification mechanism.
What NSLs Can and Cannot Compel
Under § 2709, an NSL to an electronic communication service provider can compel:
- Subscriber name, address, length of service, and local and long-distance telephone connection records
- Records of session times and durations
- Temporarily assigned network addresses (IP addresses)
- Payment method and means of payment
NSLs cannot compel the content of communications. Email bodies, message contents, and stored documents require a court order (typically under the Stored Communications Act) or a FISA order. This distinction matters: NSLs are a metadata tool, not a content tool. But as we've discussed in our post on why metadata is often more revealing than content, that distinction provides less protection than it appears.
Knowing which email address registered an account, when the account holder first logged in, what IP addresses they used, and how long their sessions were can identify a person, their location, their associates, and their patterns, without anyone reading a single message.
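To make the point concrete, here is an added example (written for this post, not drawn from any company's systems or data) that works only with the kinds of non-content records listed above. The session records are constructed, and the two inferences it draws (a subscriber's typical hour of activity, and pairs of subscribers whose sessions overlapped from the same assigned IP) are deliberately crude. The `minimise` function is the provider-side counterpart: a retention policy that discards the assigned IP after a fixed number of days, so that older records can no longer support the second inference. Both the retention window and the policy itself are assumptions for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed session records for illustration (no real subscribers), in the
# shape of the non-content data § 2709 lets the FBI compel: subscriber,
# temporarily assigned IP, session start (UTC, ISO 8601) and duration in minutes.
SESSIONS = [
    {"sub": "alice@example.test", "ip": "203.0.113.7",   "start": "2024-03-01T13:05", "mins": 40},
    {"sub": "alice@example.test", "ip": "203.0.113.7",   "start": "2024-03-02T13:30", "mins": 25},
    {"sub": "alice@example.test", "ip": "203.0.113.7",   "start": "2024-03-03T14:10", "mins": 50},
    {"sub": "alice@example.test", "ip": "198.51.100.20", "start": "2024-03-04T02:00", "mins": 10},
    {"sub": "bob@example.test",   "ip": "203.0.113.7",   "start": "2024-03-02T13:40", "mins": 30},
    {"sub": "bob@example.test",   "ip": "203.0.113.7",   "start": "2024-03-03T14:00", "mins": 20},
    {"sub": "carol@example.test", "ip": "192.0.2.55",    "start": "2024-03-03T20:00", "mins": 60},
]


def _window(rec):
    """Session start and end as datetimes."""
    start = datetime.fromisoformat(rec["start"])
    return start, start + timedelta(minutes=rec["mins"])


def modal_hour(sub, records):
    """Most common UTC hour at which this subscriber's sessions start.
    Over enough sessions this approximates waking hours, and hence time zone,
    from timing alone. Returns None for an unknown subscriber."""
    hours = Counter(_window(r)[0].hour for r in records if r["sub"] == sub)
    return hours.most_common(1)[0][0] if hours else None


def associates(records):
    """Pairs of distinct subscribers whose sessions overlapped in time from the
    same assigned IP address: a crude shared-network signal. Records whose IP
    has been discarded (ip is None) contribute nothing."""
    by_ip = defaultdict(list)
    for r in records:
        if r["ip"] is not None:
            by_ip[r["ip"]].append(r)
    pairs = set()
    for recs in by_ip.values():
        for a, b in combinations(recs, 2):
            if a["sub"] == b["sub"]:
                continue
            a0, a1 = _window(a)
            b0, b1 = _window(b)
            if a0 < b1 and b0 < a1:  # the two intervals overlap
                pairs.add(frozenset((a["sub"], b["sub"])))
    return pairs


def minimise(records, now_iso, ip_retention_days):
    """Assumed retention policy: drop the assigned IP from any record older than
    ip_retention_days. A provider cannot be compelled to hand over what it no
    longer holds. Returns new records; the input is left untouched."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=ip_retention_days)
    trimmed = []
    for r in records:
        kept = dict(r)
        if _window(r)[0] < cutoff:
            kept["ip"] = None
        trimmed.append(kept)
    return trimmed


if __name__ == "__main__":
    print("alice's modal start hour (UTC):", modal_hour("alice@example.test", SESSIONS))
    print("overlapping-IP pairs, raw records:", associates(SESSIONS))
    after_policy = minimise(SESSIONS, "2024-03-10", ip_retention_days=5)
    print("overlapping-IP pairs after 5-day IP retention:", associates(after_policy))
```

Run as-is, the raw records link alice and bob through two overlapping sessions on the same IP and put alice's activity at 13:00 UTC; after the five-day IP retention policy the same records yield no pairs at all, because the linking field is simply gone.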
NSLs in Tech Company Transparency Reports
Most major US technology companies publish transparency reports that include information about government requests. The NSL reporting is constrained: companies can disclose the number of NSLs received only in bands (0–99, 100–499, etc.), a compromise reached between the government and companies like Google and Microsoft after the Snowden disclosures.
| Compulsion Type | Judicial Review | Gag Order | Scope | Recipient Can Disclose? |
|---|---|---|---|---|
| NSL (§ 2709) | ✗ None required | ✗ Statutory (default permanent) | Metadata only | Only after court lifts gag |
| Subpoena | ~ Grand jury or admin | ~ Sometimes | Varies | Generally yes, with limits |
| SCA Court Order | ✓ Judge must sign | ~ Sometimes | Metadata + content | Generally yes, with limits |
| FISA Order | ✓ FISC | ✗ Classified by default | Broad (foreign intelligence) | No |
| Search Warrant | ✓ Probable cause | ~ Sometimes sealed | Content and more | Generally yes after unsealing |
Warrant Canaries and Their Limits
A warrant canary is a public statement that a company has not received certain types of legal process — typically worded as "We have not received any NSLs." The theory is that a company can remove the statement when it receives an NSL (rather than publish a false statement) without violating the gag order's prohibition on disclosure. The canary's disappearance signals receipt of the letter.
The canary approach has real limits. The government's position on whether removing a canary statement constitutes indirect disclosure that violates the gag has never been fully litigated. Some companies have removed canary statements preemptively to avoid the legal ambiguity. And a canary tells you about the most recent period, not about past NSLs that were issued and acted on before the canary was established.
For a fuller treatment of warrant canaries as a mechanism, see our post on how they work and where they fail. The short version: they're a useful but imperfect transparency mechanism that depends on good faith from both the company and the government's interpretation of its own gag authority.
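Because a canary only carries information if someone is actually comparing successive versions, here is an added example of the reader-side check (written for this post, not any company's or project's code). It assumes a hypothetical plain-text canary format with `Updated:` and `First published:` date lines followed by one statement per line; the two canary texts and the list of expected statements are constructed. It reports the three things a watcher cares about: a canary that has gone stale, a date that moved backwards, and statements that were present last time but are missing now. The `covers` helper encodes the caveat above: a canary says nothing about letters served before it was first published. Real canaries are usually PGP-signed; signature verification is out of scope here and would be checked before this parsing step.

```python
import re
from datetime import date

# Statements a watcher expects to see; wording is constructed for this example.
EXPECTED_STATEMENTS = [
    "We have not received any National Security Letters.",
    "We have not received any FISA orders.",
]

# Constructed canary texts in a hypothetical format (not any real company's).
PREVIOUS_CANARY = """Transparency statement
Updated: 2024-01-05
First published: 2022-06-01
We have not received any National Security Letters.
We have not received any FISA orders.
"""

CURRENT_CANARY = """Transparency statement
Updated: 2024-04-03
First published: 2022-06-01
We have not received any FISA orders.
"""


def parse_canary(text):
    """Extract the two dates and the list of 'We have not received' statements.
    Raises ValueError if a date line is missing, since a canary without a
    date cannot be checked for freshness."""
    def field(name):
        m = re.search(rf"^{name}:\s*(\d{{4}}-\d{{2}}-\d{{2}})\s*$", text, re.M)
        if not m:
            raise ValueError(f"canary lacks a '{name}' line")
        return date.fromisoformat(m.group(1))

    statements = [ln.strip() for ln in text.splitlines()
                  if ln.strip().startswith("We have not received")]
    return {"updated": field("Updated"),
            "first_published": field("First published"),
            "statements": statements}


def check_canary(current_text, previous_text, today_iso, max_age_days=90):
    """Compare the current canary against the last one seen.
    'stale': not refreshed within max_age_days (an assumed cadence);
    'rolled_back': the Updated date moved backwards;
    'removed': statements that were expected, or seen last time, and are gone."""
    cur, prev = parse_canary(current_text), parse_canary(previous_text)
    today = date.fromisoformat(today_iso)
    expected = set(EXPECTED_STATEMENTS) | set(prev["statements"])
    return {
        "stale": (today - cur["updated"]).days > max_age_days,
        "rolled_back": cur["updated"] < prev["updated"],
        "removed": sorted(expected - set(cur["statements"])),
    }


def covers(canary_text, event_iso):
    """True only if the canary was already being published on event_iso.
    Anything served before first publication is outside what it can signal."""
    return date.fromisoformat(event_iso) >= parse_canary(canary_text)["first_published"]


if __name__ == "__main__":
    print(check_canary(CURRENT_CANARY, PREVIOUS_CANARY, "2024-06-20"))
    print("covers 2021-12-31:", covers(CURRENT_CANARY, "2021-12-31"))
```

In the constructed case the NSL statement has silently disappeared between the two versions while the FISA statement remains, which is exactly the signal the mechanism relies on; the same check flags the canary as stale if it is not refreshed within the assumed 90-day cadence, since a canary that is simply never updated is indistinguishable from one that was quietly abandoned.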
What NSLs Mean for Your Privacy Model
If you're using any US-headquartered service for sensitive communications, NSLs are part of the threat model — alongside the more commonly discussed FISA orders and standard court orders. They're harder to see and harder to challenge, and they target the metadata layer that most encryption doesn't protect.
The practical implications:
- Metadata is as exposed as content for NSL purposes — "your messages are encrypted" doesn't protect subscriber records, IP logs, or session data
- Non-US incorporation reduces but doesn't eliminate exposure — NSLs require a US nexus, but US-hosted infrastructure creates that nexus regardless of where the company is incorporated
- Transparency reports undercount — the banded disclosure format means you know "0–99 NSLs" but not whether that's zero or ninety-eight
- End-to-end encryption protects content but not metadata — the records an NSL can compel are precisely the records that encryption doesn't cover
NSLs represent one data point in a broader picture. They don't make US services unusable, but they do mean that "encrypted" and "private from the US government" are different claims. Any honest threat model should account for the difference. For more on the relationship between legal jurisdiction and privacy guarantees, see our post on FISA 702.