Law Enforcement Request Guidelines

Last updated: June 25, 2025

Introduction and ISRG Mission

These guidelines are for law enforcement officials seeking records from Internet Security Research Group (ISRG) concerning users of our Let’s Encrypt service, in connection with an official investigation or proceeding.

ISRG is a California nonprofit corporation with a mission to protect Internet users by lowering monetary, technological, and informational barriers to a more secure and privacy-respecting Internet. As a privacy-focused organization, we carefully balance our commitment to user privacy with our legal obligations to respond to valid law enforcement requests.

Acceptance of legal process by any means discussed in these guidelines is for convenience only, and does not waive any objections, including lack of jurisdiction or proper service.

What We Can Provide

We don’t collect much information about our subscribers. Because our service is free, we do not collect legal identity or payment information.

What we do collect is described in our Privacy Policy: https://letsencrypt.org/privacy/

Mainly we can provide:

We disclose records solely in accordance with our terms of service, privacy policy, and applicable law, including the Stored Communications Act, 18 U.S.C. § 2701 et seq.

A valid subpoena issued in connection with an official criminal investigation is required for disclosure of basic subscriber records (as defined in 18 U.S.C. § 2703(c)(2)). A court order issued under 18 U.S.C. § 2703(d) or search warrant may be required for other information pertaining to a subscriber (not including the contents of communications). See 18 U.S.C. § 2703(c)(1).

We will take steps to preserve account records in connection with an official criminal investigation for 90 days pursuant to 18 U.S.C. § 2703(f), pending our receipt of formal legal process. You may submit a preservation request using the contact information below.

ISRG and its Let’s Encrypt service are based in the United States. Generally, a Mutual Legal Assistance Treaty request or letter rogatory is required to compel the disclosure of user data to law enforcement agencies outside the United States. Due to resource limitations, we are generally not able to respond to requests from law enforcement agencies outside the United States that do not follow the MLAT process.

Emergency Requests

In emergency situations involving imminent danger of death or serious physical injury to any person, or significant harm to critical infrastructure, ISRG may expedite its response to law enforcement requests.

For emergency requests:

  1. Use the subject line “EMERGENCY DISCLOSURE REQUEST” when emailing law-enforcement@letsencrypt.org
  2. Provide all information outlined in the “Delivering Requests” section
  3. Include a detailed explanation of the nature of the emergency, the imminent harm, and why the information sought is necessary to prevent the harm
  4. Provide contact information for a supervising officer who can verify the emergency nature of the request
  5. Follow up with appropriate legal process as soon as practicable

ISRG will evaluate emergency requests on a case-by-case basis and may, at its discretion, provide information necessary to prevent the emergency harm while awaiting formal legal process.

Data Retention And Availability

Nondisclosure Orders

Our policy is to notify subscribers about law enforcement requests if we plan to produce subscriber data (if we have contact information), unless we are prohibited from doing so by law. We may also provide delayed notice upon expiration of a specific nondisclosure period in a court order.

If you believe that notification would jeopardize an investigation, you should obtain an appropriate court order or other valid process establishing that notice is prohibited. If you need to extend a nondisclosure period, please submit a new court order before the current order expires.

Delivering Requests

United States law enforcement agencies may send valid legal process or preservation requests in connection with an official criminal investigation to:

law-enforcement@letsencrypt.org

You may also mail the request to us at “Internet Security Research Group, ATTN: Law Enforcement Response Team, P.O. Box 18666, Minneapolis, MN 55418-0666”, but please note that you are likely to receive a quicker response if you send it by email.

Please identify requested records with particularity and include (1) the name of the issuing authority and agent; (2) an email address from a law enforcement domain; and (3) a direct contact phone number.

Cost Reimbursement

ISRG reserves the right to seek reimbursement for costs in responding to requests for information as provided by law. We may charge additional fees for costs incurred in responding to unusual or burdensome requests.

Transparency Reporting

ISRG publishes transparency reports every six months detailing the number and types of law enforcement requests received. All data in transparency reports is aggregated and does not identify specific investigations or requesting agencies. Current and past transparency reports are available at https://letsencrypt.org/repository/.