Law Enforcement Request Guidelines

These guidelines are for law enforcement officials seeking records from Internet Security Research Group (ISRG) concerning users of our Let’s Encrypt service, in connection with an official criminal investigation or proceeding. Acceptance of legal process by any means discussed in these guidelines is for convenience only, and does not waive any objections, including lack of jurisdiction or proper service.

Note: In order to expedite the subpoena process, please be sure to read the sections “Limiting Requests to the Past 90 Days” and “Non Disclosure Orders.” These are the issues that most frequently require discussion with agents.

What We Can Provide

We don’t collect much information about our subscribers. Because our service is free, we do not collect legal identity or payment information.

What we do collect is described in our Privacy Policy: https://letsencrypt.org/privacy/

Mainly we can provide:

We disclose records solely in accordance with our terms of service, privacy policy, and applicable law, including the Stored Communications Act, 18 U.S.C. § 2701 et seq.

A valid subpoena issued in connection with an official criminal investigation is required for disclosure of basic subscriber records (as defined in 18 U.S.C. § 2703(c)(2)). A court order issued under 18 U.S.C. § 2703(d) or search warrant may be required for other information pertaining to a subscriber or customer (not including the contents of communications). See 18 U.S.C. § 2703(c)(1).

We will take steps to preserve account records in connection with an official criminal investigation for 90 days pursuant to 18 U.S.C. § 2703(f), pending our receipt of formal legal process. You may submit a preservation request using the contact information below.

ISRG and its Let’s Encrypt service are based in the United States. Generally, a Mutual Legal Assistance Treaty request or letter rogatory is required to compel the disclosure of user data to law enforcement agencies outside the United States. Due to resource limitations, we are generally not able to respond to requests from law enforcement agencies outside the United States.

Limiting Requests to the Past 90 Days

Our primary ask when you craft a subpoena or preservation request is that you limit requests for transaction log data to the 90 days prior to retrieval. That is what we have active and searchable. Going back further than that requires retrieval and review of off-site backups that are not reasonably accessible, and it involves substantial staff time and expense.

Some account data, such as contact email addresses, remain active and searchable past 90 days and are included in reports limited to the past 90 days.

Non Disclosure Orders

Our policy is to notify subscribers about law enforcement requests if we plan to produce subscriber data (assuming the subscriber has provided a contact email address), unless we are prohibited from doing so by law. We also provide delayed notice upon expiration of a specific non-disclosure period in a court order.

If you believe that notification would jeopardize an investigation, you should obtain an appropriate court order or other valid process establishing that notice is prohibited.

Delivering Requests

United States law enforcement agencies may send valid legal process or preservation requests in connection with an official criminal investigation to:

law-enforcement@letsencrypt.org

You may also mail the request to us at “Internet Security Research Group, ATTN: Law Enforcement Response Team, 1 Letterman Drive, Suite D4700, San Francisco, CA 94129”, but please note that you are likely to receive a quicker response if you send it by email.

Please identify requested records with particularity and include (i) the name of the issuing authority and agent; (ii) an email address from a law enforcement domain; and (iii) a direct contact phone number.

Cost Reimbursement

ISRG reserves the right to seek reimbursement for costs in responding to requests for information as provided by law. We may charge additional fees for costs incurred in responding to unusual or burdensome requests.