Reddit Hints—Without Saying Anything—That It Got a National Security Letter
In the ongoing tug-of-war between secrecy and transparency over government surveillance, the side of transparency may have scored a slight victory today when Reddit appeared to disclose that it had received a secret order seeking information about one or more of its users.
The company didn’t say outright that it had received an order; instead it appeared to imply this in something it didn’t say.
Today Reddit released its annual transparency report, which lists the number and types of government requests it received in 2015, both requests for user information and requests to take down content from its user forums. But conspicuously absent from that report is any mention of the number of national security requests it received.
In Reddit’s transparency report for 2014, it indicated in a section titled “national security requests” that it had received no National Security Letter during that year, or any order issued by the Foreign Intelligence Surveillance Court.
“As of January 29, 2015, reddit has never received a National Security Letter, an order under the Foreign Intelligence Surveillance Act, or any other classified request for user information.” The company also noted in the last sentence of that section, “If we ever receive such a request, we would seek to let the public know it existed.”
Now, in Reddit’s transparency report for 2015, that entire section is missing.
How NSLs Work
National security letters are written demands from the FBI that compel internet service providers, credit companies, financial institutions, and others to hand over confidential records about their customers, such as subscriber information, phone numbers, e-mail addresses, websites visited, and more. NSLs have been used since the 1980s, but the Patriot Act expanded the kinds of records that could be obtained with them. They do not require court approval, and, most importantly, they come with a built-in gag order that prevents the recipient from disclosing that they have received an order. This makes the government’s use of them ripe for abuse; and indeed DoJ inspector general reports have uncovered abuses of the FBI’s NSL authority.
The letters are one of the FBI’s most powerful tools; but there is little oversight of them and they are rarely discussed inside or outside Congress. The public has become aware of only a handful of some 300,000 NSLs handed out over the last decade, and those became public only after the recipients launched legal battles opposing them. Although recipients of an NSL can challenge them in court, few companies that received one have done so.
In the face of gag orders, many companies have devised a method, called a “warrant canary,” to notify the public that they’ve received an NSL or FISA Court order without actually stating so—they do this by including a statement in their annual transparency report that asserts they have not received any such order for that year. As long as that “canary” keeps singing, meaning that it keeps appearing in a company’s annual transparency report, the public can safely assume this to be true. But once the “canary” falls silent in a transparency report, it’s a sign that the government likely served the company with a national security order during the period since their last transparency report.
Although gag orders can prohibit the company from saying in the positive that they received an NSL, the government can’t force a company to lie, says Kurt Opsahl, deputy executive director and general counsel of the Electronic Frontier Foundation, which the company would be doing if it continued to publish a statement in reports saying it hasn’t received an NSL when in fact it has received one. The concept of warrant canaries hasn’t been fully tested in court, however, and companies could find themselves in trouble if the government decided to challenge them. Reddit is the first company Opsahl is aware of that has “killed” its canary, if that indeed turns out to be the case. But he doesn’t think Reddit is on shaky ground if it did indeed tell the public, in killing its canary, that it received a national security letter.
“The question is whether the government could require you to continue to [state you haven’t received an NSL] when that’s not true,” he says. “I would certainly argue that they cannot compel someone to lie.”
As for whether the government could go after Reddit for violating the spirit of the law?
“You can’t get thrown in jail for violating the spirit of the law,” says Kevin Bankston, director of New America’s Open Technology Institute.
Companies Push Back—Or Try To
Reddit didn’t respond to WIRED’s request for comment. But in a discussion thread on the site today, Reddit CEO Steve Huffman, who uses the Reddit handle “spez,” discussed the issue of the warrant canary and the difficulty of not being able to confirm or deny whether the company had received a national security letter.
“Even with the canaries, we’re treading a fine line,” he wrote. “The whole thing is icky, which is why we joined Twitter in pushing back. I’ve been advised not to say anything one way or the other.”
His reference to Twitter is about an amicus brief that Reddit filed earlier this month, along with several other tech companies, in support of Twitter.
In that case, Twitter is asking the government for permission to publish a transparency report disclosing the number of requests for data that it received from the Foreign Intelligence Surveillance Court between July 1, 2013 and December 31, 2013. “Twitter does not wish to reveal detail about any specific order that it may have received from the FISC during that time period, but rather seeks to publish the actual aggregate number of [Foreign Intelligence Surveillance Act (FISA)] orders received,” the amicus brief states. Twitter also wants the freedom to report that “it received ‘zero’ FISA orders, or ‘zero’ of a specific kind of FISA order, for that period, if either of these circumstances is true.”
Twitter, and the signatories to the amicus brief, assert that the gag orders that come with national security orders violate the First Amendment “and to the extent the government relies on those provisions to prohibit Twitter indefinitely from publishing information about FISA orders it receives, those provisions are unconstitutional as applied.”
They’re not the only ones who think so.
In 2013, a California district court judge ruled that NSL gag orders are an unconstitutional impingement on free speech, after one recipient of an NSL challenged it. US District Judge Susan Illston found that although the government made a strong argument for prohibiting the recipients of NSLs from disclosing to the target of an investigation or the public the specific information being sought under an NSL, the government did not provide compelling argument that the mere fact of disclosing that an NSL was received harmed national security interests.
A blanket prohibition on disclosure, she found, was overly broad and “creates too large a danger that speech is being unnecessarily restricted.” Illston ordered the government to stop issuing NSLs across the board and also ordered the government to cease enforcing the gag provision in other cases where they may already have been issued. However, the government appealed to the Ninth Circuit Court of Appeals, which vacated her ruling and sent the case back to the district court last year. The case is pending further proceedings.
In their amicus brief in the Twitter case, Reddit and its co-signers urged the court to find that service providers have a constitutional right to report data about national security requests.
“This question is crucial for all companies seeking to provide accurate, useful information to their users in the aftermath of momentous public disclosures about government surveillance that have undermined user trust in online services,” they wrote.
As the recent Apple-FBI case over the San Bernardino iPhone has shown, sunlight and transparency help produce a healthy and vigorous public debate about government surveillance activities that have long been in the dark.