Not sure if this is really something to be concerned about or just absolutely nothing, but I thought it would be worthwhile to note it for the record and for visibility:
What we can say about either FISA court orders or NSL that we receive is highly regulated, and depends on exactly how we report the information. Current guidelines on reporting, codified as part of the USA FREEDOM Act, allow companies to disclose the combined number of NSLs and both content and non-content FISA orders as a single number in bands of 250, starting with 0-249.
So that may mean that they received 0, or it may mean that they received any number less than 250.
However, if you look at their previous transparency reports, the number was always specifically reported as "0" rather than "0-249". I don't know if that means that they were always supposed to be reporting the range previously even if it were 0, or if it means something changed and the number is now specifically indicated as being something greater than 0.
Again, may mean nothing, and even if they did have to comply with something relating to that "National security process" it may not necessarily mean anything especially nefarious. Just noting it as a change in what was recorded in the transparency report.
Here is the deal:
Since it cannot be illegal to say you have not received any orders (since the secrecy of reporting orders starts to apply once you receive the first order), it means it's legal to say "0 reports".
It's when you receive the first order that you cannot say that you have received any order.
Here is when the 0-249 exception applies. When you received your first order, you cannot say you have received 1 order as that is covered by a gag order.
So then you must report it as 0-249.
This means, 0 really means 0.
And 0-249 means 1-249 really for the period you received your first order.
But in the next period, you must still report it as 0-249, as the order you received in the second half of 2025 is still valid in the first half of 2026 and the second half of 2026 and so on, even if you didn't receive a further order.
So that's an easy thing to check:
If a company reports it as "0 reports" you can be 100% sure they have not received any number of reports at all.
But when they start reporting as "0-249" they have received at least 1 report in their lifetime.
This is what the "canary" is about also. Some companies have a yellow bird on the homepage, that says "We have not yet received a NSL/FISA order". Once they have removed that bird, it means they have received at least one order.
It is based on the fact that the law cannot force you to say anything; they can only force you to keep silent. So that's why you turn the tables: you say something every time you have NOT received an order, so by being silent, you are telling people that you have received something, basically using the silence itself as a means of communication.
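The canary logic described in the post above, as an added example that is not part of the original thread and not code from Let's Encrypt or any company mentioned: a checker that treats only a fresh, correctly signed "we have not yet received an order" statement as good news, and treats silence (no statement), a stale statement, or a bad signature as a trip. The statement text, the Ed25519 key, the publication period, and the dates are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// CanaryStatus is the result of checking a published warrant canary.
type CanaryStatus int

const (
	CanaryOK           CanaryStatus = iota // fresh, validly signed statement: nothing received, per the canary
	CanaryMissing                          // no statement published at all: silence is the signal
	CanaryStale                            // statement exists but was not renewed within the period
	CanaryBadSignature                     // statement is present but not signed by the expected key
)

func (s CanaryStatus) String() string {
	return [...]string{"ok", "missing", "stale", "bad-signature"}[s]
}

// Canary is one published statement: the text, the date it was issued, and
// a signature over both (so the date cannot be re-used with a newer text or vice versa).
type Canary struct {
	Text      string
	IssuedAt  time.Time
	Signature []byte
}

// canaryMessage binds the issue date to the text before signing.
func canaryMessage(text string, issued time.Time) []byte {
	return []byte(issued.UTC().Format(time.RFC3339) + "\n" + text)
}

// SignCanary is what the publisher runs each period (hypothetical helper).
func SignCanary(priv ed25519.PrivateKey, text string, issued time.Time) Canary {
	return Canary{
		Text:      text,
		IssuedAt:  issued,
		Signature: ed25519.Sign(priv, canaryMessage(text, issued)),
	}
}

// CheckCanary applies the "silence is the message" rule: c == nil (the bird
// was removed) is a trip, as is a statement older than one publication period
// or one whose signature does not verify under the publisher's key.
func CheckCanary(pub ed25519.PublicKey, c *Canary, now time.Time, period time.Duration) CanaryStatus {
	if c == nil {
		return CanaryMissing
	}
	if !ed25519.Verify(pub, canaryMessage(c.Text, c.IssuedAt), c.Signature) {
		return CanaryBadSignature
	}
	if now.Sub(c.IssuedAt) > period {
		return CanaryStale
	}
	return CanaryOK
}

func main() {
	// Constructed key and statement; a real check would pin the publisher's public key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	period := 180 * 24 * time.Hour // assume a half-yearly transparency cycle
	issued := time.Date(2025, 7, 1, 0, 0, 0, 0, time.UTC)
	c := SignCanary(priv, "We have not yet received a NSL/FISA order", issued)

	fmt.Println("fresh:    ", CheckCanary(pub, &c, issued.Add(60*24*time.Hour), period))
	fmt.Println("stale:    ", CheckCanary(pub, &c, issued.Add(200*24*time.Hour), period))
	fmt.Println("removed:  ", CheckCanary(pub, nil, issued, period))
	tampered := c
	tampered.Text = "We have received an order"
	fmt.Println("tampered: ", CheckCanary(pub, &tampered, issued.Add(time.Hour), period))
}
```

The checker deliberately has no "order received" success path: the only positive outcome is a fresh, valid denial, and every other outcome is treated as a signal, which is the whole point of the canary construction.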
The IP address that requested a cert may be different than the one currently using it. I could imagine that some malware networks (or other networks that the gov't might be analyzing) especially might do that sort of thing.
Right, and account-specific info in general. What user-agent was in the request, the timing of requests, whether requests for an account all came from the same IP, that sort of thing.
And even if email isn't tied to a specific account, whether an email is on Let's Encrypt's mailing lists or not might be something they'd be interested in as a small part of building a case as to who was doing what when with what technologies.
Not to mention I bet that sometimes there's a "subpoena everyone for everything you can get and ask questions and filter it out later". And, like, even though Let's Encrypt says they no longer hold on to account-specific email addresses, they might ask for that anyway just to be sure, or compel them to produce their records showing that they actually don't have that data.
Yes exactly, think about websites that are behind a CDN, are using Tor and similar. The IP in DNS will tell you nothing about where the site is actually hosted, but if they have a LE cert, chances are that LE has seen the true IP address when the order was requested. Also, even if Let's Encrypt doesn't have data about a subscriber currently, you can compel them to collect this data in the future. For instance, LE could be coerced into collecting all information about subscriber X or domain name Y as they connect to any Let's Encrypt service in the future (like on the next ACME client renewal).