Google's statement was strong enough to rule out the possibility that either the CEO or chief legal counsel was aware of the existence of NSLs or warrants that are nearly as broad as what Verizon received. Therefore, while they can't say one way or the other whether they receive NSLs, it is a safe inference that Google has not received broad NSLs.

No it wasn't strong enough.

All the companies ruled out is direct access (and Microsoft said is if there's a voluntary program, they're not part of it; they didn't rule out an involuntary program of course).

They did not rule out even something so simple as an API, or another party doing the work for the NSA (which the NSA then taps into, ala the Palantir concept).

We may be thinking of different statements by Google. The one that I am thinking of is at https://plus.google.com/106189723444098348646/posts/A98pnaek.... Specifically this chunk of paragraph 3:

Press reports that suggest that Google is providing open-ended access to our users’ data are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.

Yeah, I'm wondering if "someone down the chain in Gmail got NSL'd" is a possibility or not. I'm not familiar with Google's org chart nor do I know if NSLs are even flexible enough to accomplish such a thing.

If it is possible though, there could perhaps be an NSL that covers "just gmail" that is otherwise as broad as the Verizon one.

The notion that a CEO could be unaware of something like that happening is incredibly disturbing though. I hope that is not possible.

It's not uncommon for an NDA to name specific individuals in company A which could use proprietary information from company B to add features which would be useful to B into company A's product.

The covered persons in A would be just enough to appropriate the necessary budget and deliver the features.

When the VP of Engineering or CEO asked, 'why did we add this particular feature, what's the use case?' the answer was, "If it's business critical that you need to know, we would need to document that and see if you can be added to an NDA."

"An NDA with who?"

"I can't say."

NSLs take this to an entirely different level. Page and Zuck don't have a clue. As soon as the databases were large enough to be useful, the data was in the hands of the NSA. That much should be taken for granted. The more important question has always been "if and how can it be used against you?"

With Obama claiming it's legal and approved by 3 branches, and how widely outside the NSA the data will be shared, the reality of "show me the man, I'll show you the crime" has never been truer.

I assume they can but it would be a risky strategy. If google security found a breach where customer data was being leaked then they might disclose publicly before they can be informed that it is a national security issue.

I wonder if this could happen anyway in reverse.

I suppose though that whatever part of a NSL that authorizes the CEO to tell developers to make it would likely also authorize the CEO to tell the security guys not to sound alarms about it.. at least not without consulting senior management first.