As a civil liberties organization, it’s our job to evaluate how tech companies handle our most private data and to encourage them to do better year over year. Our Who Has Your Back report is designed to do both, which is one reason we revisit the report’s criteria every year—always striving to raise the bar.

In this post, we’ll highlight one of the new stars that does just that: “Stands up to NSL gag orders.” To earn a star in this category, companies must publicly commit to invoking a new statutory procedure to have a judge review every indefinite National Security Letter (NSL) gag order the company receives.

The NSL as we know it today was created by the USA PATRIOT Act’s Section 505. These letters, served on communications service providers like phone companies and ISPs, allow the FBI to secretly demand data about anyone’s private communications and Internet activity without any meaningful oversight or prior judicial review. Recipients of NSLs are subject to a gag order that forbids them from ever revealing the letters' existence to their coworkers, their friends, or even their family members, much less the public.

Since 2011, EFF has been fighting the NSL statute in court on behalf of CREDO Mobile and Cloudflare. Our lawsuit argues that the gag orders attached to nearly every NSL—which the FBI is permitted to apply without any court involvement whatsoever—are unconstitutional prior restraints. In response to our suit, Congress included in the 2015 USA FREEDOM Act, a process to allow providers to push back against those gag orders.

The new process gives technology companies a right to request judicial review of the gag orders accompanying NSLs (referred to as “reciprocal notice”). When a company invokes the reciprocal notice process, the government is required to bring the gag order before a judge within 30 days. The judge then reviews the gag order and either approves, modifies, or invalidates it. The company is permitted to appear in that proceeding and argue, but is not required to do so.

To be entirely clear, we don’t think reciprocal notice fixes the serious constitutional problems with NSLs. The First Amendment requires that when the government wants to impose a gag order, it must bear the complete burden of going to court and proving the gag is truly necessary. The government has attempted to avoid this requirement by making court review optional. Reciprocal notice doesn’t fix the constitutional problem with NSLs—it still requires the NSL recipient to stand up to the government and start the process.

The right thing for a company that receives an NSL with a gag order to do is to invoke the reciprocal notice procedure (flawed though it is) and make the government put the gag order before a judge. One of the primary arguments the government has made in EFF’s NSL lawsuit is that companies haven’t spoken out about NSLs and thus don’t care about being gagged. That’s simply false, but unless companies continue to challenge these gag orders as often as possible, the government may get away with its specious argument.

To earn a star for this category, therefore, we ask companies to commit to invoking the new reciprocal notice procedure for every NSL they receive. We are not asking companies to file lawsuits in opposition to NSLs the way our clients did. We are only asking them to invoke the reciprocal notice provision in 18 U.S.C. § 3511(b)(1)(A). The statute explicitly envisions this role for the NSL recipient, and the Department of Justice has taken the position that this can be set in motion by a letter or phone call. Furthermore, reciprocal notice does not require an objection to the underlying information request contained in an NSL.

While this step won’t bring NSLs in line with the Constitution, the reciprocal notice process does at least provide a path toward transparency. But that path doesn’t mean much if the provider won’t walk it. While a handful of Silicon Valley giants including Apple, Dropbox, Pinterest, and Uber all committed to invoking reciprocal notice for every NSL, we’re disappointed that others, such as Google and Facebook choose only to confront NSL gag orders on a case-by-case basis. The NSL system is broken and companies should invoke reciprocal notice systematically.

Given that companies have every right to take this step to stand with their users, we’re sorry we couldn’t award more stars in this category. All of Silicon Valley should follow Apple’s lead, and demand that a judge sign off on every single gag order they receive.