As part of the Google Transparency Report, Google has began publishing generalized information about the number of so-called National Security Letters that the company received in the past year as well as the total number of user accounts affected by those requests.
National Security Letters (NSLs) are official requests for data under the Patriot Act passed after the September 11, 2001 attacks.
These letters allow the FBI to secretly demand data about American citizens' communications and Internet activity without any prior judicial review. Recipients of NSLs are also subject to gag orders that forbid them from ever revealing the letters' existence to anyone.
Google said it was only allowed to provide ranges of numbers: in the years from 2009 to 2012, for example, it received between zero and 999 requests. The requests affected between 1,000 and 1,999 accounts, except in 2010, when the range was 2,000 to 2,999 accounts.
"You'll notice that we're reporting numerical ranges rather than exact numbers," said a blog post from Google law enforcement and information security director Richard Salgado.
"This is to address concerns raised by the FBI, Justice Department and other agencies that releasing exact numbers might reveal information about investigations."
NSLs can only be used to obtain information "relevant" to certain national security investigations and only then to obtain transactional user data--subscriber data and information such as which user account is communicating with whom--rather than user-generated content such as emails. However, according to the Electronic Frontier Foundation, "the NSL process suffers from an inherent lack of checks that would curb abuse, such as any kind of meaningful judicial review."
EFF is concerned, as Google has not released granular information about the nature of the data being requested, although the company assures us in the FAQ
that despite evidence of abuse, the FBI "can't use NSLs to obtain anything else from Google, such as Gmail content, search queries, YouTube videos or user IP addresses."