The FBI has been issuing national security letters for decades. The controversial subpoenas, which allow the feds to obtain customer records and transaction data from internet service providers and other companies without a court order, come with a perpetual gag order that prevents recipients from disclosing that they've received an NSL.

Only a small handful of recipients have ever publicly disclosed that they got one from the government, and only after lengthy court battles challenging the subpoenas. But today, Yahoo became the first company to go public about NSLs it has received without needing to duke it out with the feds in court.

That's because last year lawmakers passed the USA Freedom Act, which required the US attorney general to establish guidelines for the FBI to periodically assess when an NSL gag order is no longer necessary, and to lift it when that's the case.

Under those guidelines, the FBI must review gag orders either once an investigation involving an NSL closes or three years after the investigation was opened when the case is still ongoing. At each of these junctures, the FBI must lift the gag order if doing so will not harm the investigation.

Yahoo received letters in 2013 and 2015 and published redacted versions of them today. Two of the NSLs were sent to Yahoo from a special agent in the bureau's Dallas office; the third NSL came from an agent in the bureau's Charlotte, North Carolina office.

It's not clear whether the NSLs involve closed cases or ongoing ones for which disclosure is no longer a problem.

"We believe this is an important step toward enriching a more open and transparent discussion about the legal authorities law enforcement can leverage to access user data," Chris Madsen, Yahoo's head of global law enforcement, security and safety, wrote in a blog post about the disclosure.

Every Small Step Matters

The letters offer no insight into the investigations behind them, and offer little else except a description of the kinds of records the FBI sought. In each case, the FBI wanted the name, address, length of service, activity logs and activity/transaction records for a specific user account. The header information of emails would have indicated the sender and recipient addresses for each email as well as the subject line; the activity/transaction logs can include the date and time the user accessed the account and the IP address they used to do it as well as any screen names associated with the account and billing information.

Despite the fact that many questions around the NSLs still remain, Kurt Opsahl, deputy executive director and general counsel of the Electronic Frontier Foundation, says the disclosure is a small but important step toward greater transparency and gives Yahoo greater authority to engage in public debates about NSLs.

"Now Yahoo can actually go and talk about NSLs as a recipient and be able to point to the fact that [gag orders are problematic] with a little more gravitas," he told WIRED. "It does make a difference that they can now say they received three NSLs."

The FBI notified Yahoo on May 3 and May 9 that it was lifting the gag orders. Madsen didn't say in his blog post why the company waited until today to publish the NSLs and the FBI's letters, and the company didn't respond to a request for comment. Although the FBI indicated that Yahoo could disclose the specific accounts for which the bureau sought information, Yahoo redacted that information in the NSLs it published.

Yahoo received the letters in April 2013, August 2013, and June 2015. In two of the cases Yahoo provided the FBI with the name, address, and length of service for each of the accounts specified in the NSL, but provided no information in response to the third NSL "as the specified account did not exist in our system," Madsen wrote.

How National Security Letters Work

The FBI has been issuing NSLs since the 1980s, but their usage dramatically increased after 9/11 and the passage of the US Patriot Act, which gave the FBI increased authority to issue them and expanded the kinds of records they allowed law enforcement to obtain. The FBI has issued more than 300,000 NSLs since 2000.

NSLs don't require court approval. Instead they are simply written demands from the FBI that compel internet service providers, credit companies, financial institutions and others to hand over confidential records about their customers. This can include subscriber information, phone numbers, e-mail addresses, websites visited, and IP addresses used to access accounts.

An FBI agent investigating a national security case can send a self-issued NSL to a credit bureau, ISP or phone company with only the sign-off of the Special Agent in Charge of their office. The FBI has to merely assert that the information is “relevant” to an investigation.

NSLs come with a gag order that prohibits businesses from telling anyone, other than a lawyer representing them, that that they have received one. This secrecy raises the possibility for abuse—in fact, a 2007 Justice Department Inspector General audit found that the FBI had abused its authority and misused NSLs a number of times.

Although the recipients of NSLs can challenge them in court, few companies have done so over the years. Only four other NSL recipients since 9/11 have publicly disclosed that they received letters, following legal battles. These included the Internet Archive, a group of librarians in Connecticut, a university in North Carolina, and Nicholas Merrill, the founder of Calyx Internet Access, whowon a six-year battle to be released from the gag order he received in 2004.

In 2013, a California district court judge ruled that NSL gag orders are an unconstitutional impingement on free speech, after one recipient of an NSL challenged it. US District Judge Susan Illston found that although the government made a strong argument for prohibiting the recipients of NSLs from disclosing to the target of an investigation or the public the specific information being sought under an NSL, the government did not provide a compelling justification that the mere fact of disclosing that an NSL was received harmed national security interests.

A blanket prohibition on disclosure, she found, was overly broad and “creates too large a danger that speech is being unnecessarily restricted.” Illston ordered the government to stop issuing NSLs across the board and also ordered the government to cease enforcing the gag provision in other cases where they might have already been issued. However, the government appealed to the Ninth Circuit Court of Appeals, which vacated her ruling and sent the case back to the district court. Last month that court ruled that the gag order challenge was no longer relevant because the USA Freedom Act had successfully addressed the issue of gag orders. Opsahl says that EFF will be appealing that decision.