In the past decade the American government has gained the ability to secretly observe and collect information on American, and foreign, citizens. Using legal proceedings like National Security Letters (NSLs), governmental agencies can demand that US-based companies turn over detailed customer information. The majority of companies affected are, understandably, not very pleased about this and they’ve started to fight back.
National Security Letters
The Electronic Frontier Foundation (EFF) — an organisation dedicated to defending digital rights — describes NSLs as “one of the most frightening and invasive” expansions of government power granted by the USA PATRIOT Act. They are orders secretly served to communications service providers by the FBI demanding data about users. Phone companies, Internet service providers (ISPs) and companies like Apple and Tumblr all fall under the broad umbrella of communications service providers.
The most worrying thing about NSLs is the accompanying gag order. Any company that receives an NSL is prohibited from revealing any details — including that they have received one. This, along with the lack of judicial oversight when NSLs are served, is why the EFF is challenging their constitutionality in court.
According to the EFF, an NSL requires any company served with one to provide the FBI with data related to “ordinary American citizens’ private communications and Internet activity”.
NSLs aren’t the only technique used by government security agencies to monitor people’s internet activity. My fellow MakeUseOf author Chris has written about the PRISM project, which involves directly collecting data from the servers of major US-based companies.
Canary In The Privacy Mine
Canaries were once used by miners as a crude safety system. If there was a carbon monoxide leak in the mine, the canary would be affected before the miners. By watching the canary, the miners could tell whether or not they were safe. If it was tweeting away happily, the miners would know everything was okay. If it wasn’t, it was time to get out of the mine. Based on the same principle, some companies — including Apple and Tumblr — have used a warrant canary to indirectly inform the public about gag orders.
Most major communications companies publish regular transparency reports that detail the number of governmental information requests they’ve received. NSLs are not the only kind of request companies get; they also get other kinds of information requests that don’t come with a gag order, for example, search warrants. Their transparency reports reveal far more specifics about these requests than they do the gagged ones.
A warrant canary is a statement that says that the company hasn’t received any gagged governmental information requests. By including the statement in every transparency report the company sets a pattern. If the statement is absent it can be inferred they have received a gagged NSL — or other similar order — in the period covered by the report.
The most important feature of warrant canaries is that companies cannot be compelled to include the statement if they have been served with a gag order because it would be untrue. While the American government can stop a company from speaking out about a gag order, freedom of speech laws mean that they cannot be forced to lie.
Unfortunately, most major companies cannot use warrant canaries; they all receive gagged legal requests. Under recent judicial guidelines, companies have finally been allowed to reveal some information about the number of NSLs they receive. They can announce the number of NSLs they get in blocks of 1000, starting from 0. The EFF gives the example that “if an ISP received 654 NSLs, it could report 0–999” received. Looking at the transparency reports of companies like Apple, Google and AT&T is depressing: they receive hundreds or thousands of gag orders a year.
Companies are beginning to fight back against secret governmental information requests. More and more organisations are starting to campaign for privacy. It has become a hot button issue and companies like Apple and Google have reiterated their commitment to protecting their users’ information.
The EFF has started to see some success. A judge ruled NSL gag orders unconstitutional last year, although they are still being used while the ruling is appealed.
Even still, the continuing revelations about what American governmental agencies are capable of doing are worrying. Just a few months back Dann wrote about how merely searching for privacy software like Tor could get you on an NSA watch-list. The more companies that fight against this state of affairs the better.
What do you think of gagged governmental information requests? Are they an important tool in the fight against terrorism or an abuse of regular people’s privacy?