Sometimes, saying nothing says quite a lot.
At the end of January 2015, the online bulletin board reddit issued a “transparency report” that informed its users, and the broader public, about the law enforcement requests for user data that the site’s operators had received over the course of the preceding year. Compared to thousands of requests listed in the similar reports issued by tech giants like Google and Facebook, the total number of requests reported by reddit was tiny: just 55 in total. But reddit’s report was not just an informational document — it was a statement of commitment, a promise to its users that the company would defend and protect its users’ privacy to the maximum extent possible.
A critical aspect of that promise was a legally experimental, categorical statement known as a “warrant canary.” A warrant canary, as the Electronic Frontier Foundation explains, “is a colloquial term for a regularly published statement that a service provider has not received legal process that it would be prohibited from saying it had received. Once a service provider does receive legal process, the speech prohibition goes into place, and the canary statement is removed,” thereby informing the public that the process has been received.
reddit’s canary looked like this:
As of January 29, 2015, reddit has never received a National Security Letter, an order under the Foreign Intelligence Surveillance Act, or any other classified request for user information. If we ever receive such a request, we would seek to let the public know it existed.
Thus, reddit set up a warrant canary that would expire upon the receipt of any legal process related to national security. At the time the canary was published, it drew praise from EFF and garnered much attention in the technology press (e.g., here and here). Many other technology companies followed suit.
Now, though, it is the disappearance of reddit’s canary — in the company’s new transparency report, issued last week, covering law enforcement requests made during 2015 — that is getting attention from the site’s users and the broader public.
Indeed, that is exactly what a warrant canary is supposed to do: alert the public that a government request for information has been made to a particular provider. But the mysterious flight of the reddit bird raises several important questions.
First, what sort of information might the government be seeking from reddit through a national security subpoena?
Because reddit is a public bulletin board, it may seem a bit strange that a secret government request would land there at all. But reddit does have (optional) user accounts, and its systems do log information, such as the IP addresses of users, that could potentially be of interest to government agents in a national security investigation.
Last fall, Nick Merrill — who, with the help of the ACLU, won an important court ruling narrowing the scope of national security letters and the gag rules that accompany them — finally won, with the help of Yale Law School’s Media Freedom and Information Access Clinic, the right to publish a list of the kinds of “subscriber information” that the government had sought through the NSL that it had served on him. Glancing at that list, IP addresses and other account information appear to be the most likely answer here, but, of course, we are still in the dark about the details (and might be for a long time).
Second, why is the news that reddit (probably) received a national security request important?
Most of all, the news is important because it draws attention to the information vacuum in which we debate the wisdom, necessity, and utility of these kinds of requests. The public remains woefully under-informed about the scope of government surveillance, almost entirely due to government rules governing transparency reporting and government gag orders that accompany national security requests. The disappearance of reddit’s canary shines a new light on the expansiveness of this surveillance, and allows the public to ask questions about what, exactly, is going on.
As I have previously explained, the government’s position is that providers can only report their receipt of specific types of national security requests in large bands (from 0 to 999, 1000 to 1999, and so on). That “requirement” originally stemmed from a settlement, reached in January 2014, between the government and major providers like Google and Microsoft. (Technically, it applies to providers “similarly situated” to the parties to the settlement, though that term is not defined.) But technology companies, including some of the parties to the agreement, have almost universally continued to lobby for more leeway to provide further information about the national security requests they receive. When Congress passed the USA Freedom Act, it codified this “bands” requirement and gave companies several other options for reporting the numbers of requests they received.
In fact, Twitter — which was not a party to the settlement but which the government claimed was bound by it anyway — is currently litigating a challenge to those rules in federal court in California. Specifically at issue in that suit is the government’s rule addressing warrant canaries. Under the government’s rule, if a company has received some form of national security request (say, a Foreign Intelligence Surveillance Act order), it cannot publicly say that it has not received a different form of national security request (say, a national security letter). In other words, as far as warrant canaries are concerned, the government puts all national security requests into the same basket.
But this rule doesn’t apply to a company that has never received any type of national security request. It appears that while reddit was not bound by the canary rule at the time it issued its 2014 transparency report, things have now changed. That’s presumably why, if (for example) reddit received a single national security letter, it cannot say that it has still received “zero” FISA orders.
Notably, though, the reddit case does not raise the most interesting legal question posed by the increasing popularity of warrant canaries: whether the government could force a company that had issued a warrant canary to continue publishing that canary after serving a request covered by the canary. In other words, whether the government could force a company to lie to the public. Whether such a demand would violate the First Amendment’s compelled-speech doctrine is a thorny question. Because reddit has eliminated the canary in its new report, it seems unlikely that the government sought to force that issue here.
Finally, as Bruce Schneier asks, “now what?”
Schneier, a warrant canary skeptic, suggests that the information we now have as a result of the disappearance of the reddit canary is not all that useful:
We know that NSLs can affect anywhere from a single user to millions of users. Which kind was this? We have no idea. Is Reddit fighting? We have no idea. How long will this go on? We don’t know that, either. When I think about what we can do to be useful here, I can’t think of anything.
On the one hand, it’s hard to argue with what Schneier is saying — it’s not as if, now, users will (or should) abandon reddit en masse because it is somehow “compromised.” That the site may have received a national security request does not really change the fact that it was always possible that reddit would receive such a request. In terms of changing user behavior, then, the warrant canary is likely of little utility.
But on the other hand, the reddit example makes clear that even though they plainly cannot be the only solution to the information vacuum in which we debate these requests, warrant canaries can be useful in ensuring that people are paying attention and asking questions. After all, we wouldn’t be talking about national security letters today had reddit never included a warrant canary in its 2014 transparency report. And, in time, the answers to Schneier’s questions — what kind of request was this? is reddit fighting? etc. — will become clear. Had reddit never published its warrant canary, we wouldn’t even know that we should be asking these questions at all.
This was originally posted on Just Security.