Reddit's Warrant Canary Just Died

Reddit has received a National Security Letter.

I have long discounted warrant canaries. A gag order is serious, and this sort of high-school trick won’t fool judges for a minute. But so far they seem to be working.

Now we have another question: now what? We have one piece of information, but not a very useful one. We know that NSLs can affect anywhere from a single user to millions of users. Which kind was this? We have no idea. Is Reddit fighting? We have no idea. How long will this go on? We don’t know that, either. When I think about what we can do to be useful here, I can’t think of anything.

Posted on April 1, 2016 at 3:16 PM • 68 Comments

Comments

JdL April 1, 2016 3:37 PM

Am I the only one who thinks that this kind of “do this for us and don’t tell anyone, or you’re screwed” order from the government smacks of totalitarianism?

Matt April 1, 2016 3:37 PM

“A gag order is serious, and this sort of high-school trick won’t fool judges for a minute. But so far they seem to be working.”

But if the government goes after a site for removing its warrant canary, that’s as much admitting that they sent the NSL. If they DON’T go after them, there’s always the possibility that the canary’s removal does not actually reflect the receipt of an NSL. If their actual purpose is to try to avoid tipping off suspects, they wouldn’t want to say anything about it one way or the other.

Hm, I presume it’s not illegal to claim you received an NSL when you haven’t. What would happen if lots of people publicly claimed to have received NSLs (but who actually hadn’t)?

Matt April 1, 2016 3:38 PM

@jdl:

“Am I the only one who thinks that this kind of “do this for us and don’t tell anyone, or you’re screwed” order from the government smacks of totalitarianism?”

No, that’s been something thousands of people have been saying for many, many years. (Including Bruce.) You aren’t the first person to think of it. 🙂

Martin April 1, 2016 3:40 PM

You could have various canaries:

“We have not received an NSL today”
“We have not received an NSL about more than 1 user today”
and so on

Yes, it seems likely that a judge would not be impressed.

John Doe April 1, 2016 3:53 PM

So what difference would it make in court, if:
– An admin has a canary on the site and manually removes it upon receiving a NSL/GAG
– An admin instead uses canaries with 1 month expiry dates and does not update it afterwards (allows it to expire)

Alex April 1, 2016 3:53 PM

I expect it to have political/legal value. Now we can beat the government over trying to gag reddit. Tomorrow it might be someone bigger. And if at least one use of a canary survives the inevitable court challenge, then we have a good precedent that they violate the First Amendment.

Matt April 1, 2016 4:09 PM

A strict view of either approach to canaries (upon receipt of an NSL, remove it; or put an expiration date on it and simply fail to update it) would be that both cases betray an obvious intention to communicate the receipt of an NSL. Putting up a “No NSLs received as of [date]” notice prior to receiving one obviously isn’t illegal, but as soon as you have received one, failing to update that notice, or removing it, could easily be seen by a court as constituting conveying the information that you have received an NSL, in violation of the gag order.

Warrant canaries rely on a softer interpretation, that the lack of updates after receipt doesn’t constitute anything; I can’t possibly be obligated to keep taking positive action to assert that I’ve never received an NSL.

The whole point may end up being moot as cases are already working their way through the system (and have made good progress toward such gag orders being prima facie unconstitutional) but unless a warrant canary SPECIFICALLY causes a criminal charge, we’re never going to know for sure.

Sasparilla April 1, 2016 4:48 PM

The main usefulness is awareness for the public I think – which is a useful thing in and of itself….particularly over time.

paul April 1, 2016 4:51 PM

I thought at least one organization that had received an NSL had won the right to talk about it?

But here’s the thing: not only would it be stupid and counterproductive for the issuer of a warrant to prosecute someone for using a warrant canary, it would probably be unlawful, because AFAIR the order not to publicize the NSL extends to anyone having direct knowledge of it, including the people who issued it.

Unless you could find a secret court who would hear a motion in secret and issue a criminal-contempt order that specifically forbade the marshals enforcing it to disclose what the person subject to the order was being jailed for…

Sami April 1, 2016 4:57 PM

They have some sound legal theory behind them, at least in the United States. That is because there is a much higher legal bar for the Government compelling speech (especially false speech) than suppressing speech. So it’s not a mere trick. You shouldn’t expect it to “fool” judges; any competent judge sees clearly what’s going on. It’s just there may not be much they can do about it, or if they try, it’s at least going to give much more ammunition for appeal.

Also, if a court ever rules that compelling such speech in some circumstances is legally possible, there’s a good argument to be made that such a ruling has a significant public policy impact and therefore it should be possible to get a permission to publish it with all the details of the case carefully excised.

Wael April 1, 2016 5:07 PM

Even our friend @Mike the goat removed his canary. Canaries are so yesterday, and the process is inhumane. What you need is a friggin indicator implemented as an automated “snitch-background-process-parrot-with-ultra-loose-lips (beaks, in this case)” that looks like a data loss event 😉 Go prosecute a faulty program!

@Mike the goat,

Stop messing around and come help me! @Clive Robinson tore me a new one the other day because of my excessive ancient links!

Sofa April 1, 2016 5:20 PM

Bruce,

Perhaps it doesn’t tell you anything outright, but wouldn’t you rather know than not? Does that count for something?

Secondly, it’s not the notice outright it’s the metadata. What’s to stop we have not received more than 10 NSL, next day 11, next day more than 110. The rate of change of the wording would give you some clue as to the frequency of orders and could be meaningful over the long term. You wouldn’t get the call content essentially but you could get everything the government has already said doesn’t matter and is acceptable under the term metadata. We have not received more than 10 NSL, 35 content subpoenas, 54 account access requests etc. for 2015/16/17/18. You can cut it up and put out a million different ways without violating or getting in trouble. At some point the 1st amendment comes into it, you can be stopped from talking about what they do ask, at no point can you be stopped from talking about what they aren’t asking or general facts and figures or am I missing something?

Either the metadata is important and they lied then back when it was just the metadata not the content or the metadata isn’t important and they would be lying now in saying it is stop talking about it. Like an omnipotence paradox or informal fallacy.

666 Hail Satan 666 April 1, 2016 5:49 PM

Makes you wonder if Reddit’s legal response includes invocation of the procedure directed in E.O. 13107 Section 3. FBI’s goons are in dire need of corrective action.

“Article 19, paragraph 2 embraces a right of access to information held by public bodies. Such information includes records held by a public body, regardless of the form in which the information is stored, its source and the date of production. Public bodies are as indicated in paragraph 7 of this general comment. The designation of such bodies may also include other entities when such entities are carrying out public functions. As has already been noted, taken together with article 25 of the Covenant, the right of access to information includes a right whereby the media has access to information on public affairs and the right of the general public to receive media output. Elements of the right of access to information are also addressed elsewhere in the Covenant. As the Committee observed in its general comment No. 16, regarding article 17 of the Covenant, every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes. Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control his or her files. If such files contain incorrect personal data or have been collected or processed contrary to the provisions of the law, every individual should have the right to have his or her records rectified…

“The Committee, in general comment No. 32 on article 14, set out the various entitlements to information that are held by those accused of a criminal offence. Pursuant to the provisions of article 2, persons should be in receipt of information regarding their Covenant rights in general…

http://www2.ohchr.org/english/bodies/hrc/docs/gc34.pdf

Because clearly the only authority Comey knows is “…If my enemies surround me, my heart will not be frightened, whippety whip-whip-whip, when danger arises against me, in him will I hope, whippity-whip, let my cry come to you, wahh, wahh, boo-hoo!

Comey, you Counterreformation throwback, the fucking Pope obeys this law. Who do you think you are?

JHAnderson April 1, 2016 7:09 PM

Am I the only one that thinks this might possibly be an April Fool’s joke?

EvilKiru April 1, 2016 7:50 PM

@JHAnderson: I wondered that at first too. Then I followed the source links and discovered that the story broke on the 31st.

Trevor April 1, 2016 8:03 PM

The fundamental legal issue here … is that ONLY U.S. courts (judicial branch of government) have Constitutional authority to legally issue warrants, subpoenas or gag orders (on direct court proceedings only). These are all standard “judicial powers” … and “The judicial power of the United States, shall be vested in one Supreme Court…” (Article III, Section I).

But yet the Executive Branch (FBI) somehow routinely issues its own (non-judicial) warrants, subpoenas, and gag orders via National Security Letters.

This FBI practice is flagrantly unconstitutional/illegal from the getgo— nevertheless, Congress & Presidents and two lower Federal have enthusiastically & formally endorsed this illegal practice.

Thus, American citizens face a grave predicament — their central government/justice-system is corrupt at the highest levels.
(…… Yawn…. how’s that NCAA basketball Final-4 lookin’ ?)

{Note that the President Obama’s own “Surveillance Review Group” expressed deep concern over the FBI’s violation of Constitutional boundaries with the Judiciary — and recommended mandatory prior judicial approval for all National Security Letters. Obama completely ignored these findings}

J Olson April 1, 2016 8:23 PM

Serious question: how do these gag orders not violate the 1st Amendment? Isn’t it the very definition of “abridging the freedom of speech”.

Robert Thau April 1, 2016 8:25 PM

Strictly speaking, reddit didn’t delete any text. Instead, they published two reports — a transparency report for 2014, which said “no NSLs received to date”, and one covering surveillance activity during 2015, which didn’t mention NSLs at all, though it did describe some other legal orders received. People arguing that this was “deleting the canary” are, in effect, arguing that the government has the legal power to compel false speech in the newer report — which may be a different situation, legally speaking, from altering the earlier report (which covered only 2014, in any event).

Niko April 1, 2016 9:00 PM

@j olson

You can read about it in re National Security Letter, which punted the issue back to the district court after Congress amended the Patriot Act. The short answer, in the opinion of the DOJ lawyers, is that the first amendment doesn’t apply to information that you receive from the government in confidence.

two plus two still equals four April 1, 2016 10:48 PM

@Rob

For academic exercise amusement, presuming this isn’t an april fools day related joke, I agree, Schneier’s analysis that there is intent to mislead or deceive a judge seems flawed. Of course the idea that there is no way to help improve the situation coming to Bruce’s mind also supports the AFD hypothesis. Obviously at the very least we can use words to help educate other human beings as to what it is about the situation that we find unfavorable. Unfortunately the weird thing about fooling judges leaves me befuddled. That seems like total april fools day psyop, because obviously fooling judges was never any kind of intent associated with well known academic understanding of so called ‘warrant canaries’. And I don’t believe for a second that Schneier ever misunderstood that.

Monkey See and Hear No Evil April 1, 2016 11:07 PM

@sami

+1, that is the kind of analysis beyond “there’s no hope, lets throw up our hands” I would expect from Schneier any other day of the year.

Really, the sad insight I feel like adding is this- Heinlein’s Starship Troopers (or just the movie) comes to mind, including the bit about only soldiers having the right to vote. It truly feels like there must be so many things covered by USG secret clearance these days, that I don’t think the uncleared citizen is even capable of being informed sufficiently to have a competent opinion in the voting booth. I guess it’s all about charisma now, and which of the candidates you believe will represent you best with access to that knowledge. Frack, that Snowden JTRIG document almost has me thinking they can pull rabbits out of their hats if they want to these days.

WhiskersInMenlo April 1, 2016 11:50 PM

This may be the tip of a necessary and missing activity for the audit
and oversight of NSL activity. Oversight and audit of such secrets is quite
difficult. After all they are secret and disclosure is illegal.

Validating and correctly responding to a NSL is risky, expensive, difficult
and perhaps impossible for civilians to get correct.

I personally could not inspect and validate the credentials of most all state
and federal law enforcement agencies.

https://oig.justice.gov/reports/2014/s1408.pdf
“OIG MISSION
“To detect and deter waste, fraud, abuse, and misconduct in DOJ programs and
personnel, and to promote economy and efficiency in those programs.”

Misconduct is only one activity in a big list.

https://www.washingtonpost.com/politics/court-ability-to-police-us-spying-program-limited/2013/08/15/4a8c8c44-05cd-11e3-a07f-49ddc7417125_story.html

Initially FISA criminal activity under the color of authority would be a needle in a haystack problem.
https://threatpost.com/fbi-issued-more-than-19k-national-security-letters-in-2013/106893/

Target a handful of OIG officials and legislators and it gets interesting.

https://threatpost.com/fbi-issued-more-than-19k-national-security-letters-in-2013/106893/
“We are reporting the annual number of requests rather than ‘targets’ for multiple reasons. First, the FBI’s systems are configured to comply with Congressional reporting requirements, which do not require the FBI to track the number of individuals or organizations that are the subject of an NSL,” the report says.”

Clive Robinson April 2, 2016 12:02 AM

@ Wael,

@Mike the goat, Stop messing around and come help me!

I suspect Mike has problems of his own at the moment. I’ve tried posting a comment on his site and WordPress throws up a “login screen” for some reason, which it did not use to do in the past…

Useful idiot April 2, 2016 2:06 AM

“I can’t think of anything.”
Its time to go dark, Bruce. There is no other choice.

The Doctor April 2, 2016 3:03 AM

NSLs are the kind of tactic sociopaths use in abusive relationships. You can see for yourself how it’s abusive by reasoning through these NSL cases and see how it gives the government absolute power.

Harald Korneliussen April 2, 2016 4:13 AM

this sort of high-school trick won’t fool judges for a minute.

Sigh. It’s not supposed to “fool” judges. It’s supposed to make their power grabs apparent and undeniable.

It’s not a question if judges think there is a difference between forcing you to be silent and forcing you to become their instrument and actively lie. Quite possibly they won’t, judges are petty little creatures who don’t like restraints not of their own choosing.

But regardless of what judges think, there is a difference, and warrant canaries have a good shot at letting us see, letting it become undeniable for everyone, how far the government is willing to go. It worked this time, because look, the canary got taken down. At least for now, we know that the FBI isn’t as confident as you that judges will force people to lie.

Clive Robinson April 2, 2016 9:25 AM

@ Marcos El Malo,

Does this blog post by Bruce constitute a dead canary?

If it’s a “Norwegian Blue Parrot”, then Bruce might be telling us he’s going to change profession to being a lumberjack…

Clive Robinson April 2, 2016 10:15 AM

@ Thoth,

Probably it would be nice to invest time and effort into investigating the usefulness of decentralised distributed techniques…

This would not work with US DOJ and their “selected judges”.

The DOJ like the Executive believe not just in “American Exceptionalism” but also “The supremacy of American writ”.

We saw this recently when a US Judge decided despite all international consideration that third party data belonging to individuals that were not US Citizens and who were not in the US at the time of the data generation or use should despite the legislation of the country the data was held in and the country the data owner was in should be subject to a US issued warrant by a US LEO, simply because they could put pressure on a US Company personnel in the US.

That attitude is hardly likely to change.

Likewise the UK via RIPA legislation and the “snoopers charter” proposed legislation have decided that you have no rights on any data no matter where you are or where the data is, and they reserve the right to use all methods to get at it, at any time they see fit.

Obviously this flies in the face of “sovereign jurisdiction”, International treaties and could easily be classified as “a primary act of war” and thus a “War Crime”.

The US and UK believe they can do this with impunity. Unfortunately at some point somebody is inevitably going to call their bluff and respond with a kinetic response to such behaviour claiming the same nonsense the US does over drone strikes etc. They might do it directly or as the US does issue “Dead or Alive” bounties…

Whilst I’m reasonably sure the US will protect current and ex presidents and heads of federal agencies, how far down the organisational tree do you think they will stop?

This current nonsense with US trials of Chinese military and Iranian citizens will have consequences. Russia under Putin has not just said its laws take precedence, but also allow for extra territorial punishment up to and including death, and we know they have acted under this legislation already. Likewise so has Israel.

At some point it’s logical that such behaviour will escalate and the US and UK will find as with 9/11, 7/7, Alexander Litvinenko, Gerard Bull and Mordechai Vanunu to name just a few that there is little that can be done within their own jurisdictions to stop it…

Clive Robinson April 2, 2016 2:08 PM

@ Nick P,

You know I stopped doing personal E-mail even just for social issues some time ago.

In part because it was the “expectations” of others that I would be perm-con and treating it like an IM… Also in part the use of ToR and mixnets was getting clamped down on at both ends. Oh and one major “free” provider did not like encrypted content and “virus checked” such messages out of existence “just in case”… And many of my social contacts did not use or want to use it either…

As for paid services the few I looked at in the UK for some reason wanted full traceability like “Direct Debit” or “full correspondence address and bank / business references” etc etc after you asked about VPN or ToR connectivity…

So personal & social e-mail accounts got the old heave ho, and for some strange reason life improved. It’s quite funny when the likes of bureaucracy “gate keepers” ask for “phone number” and get “sorry I’ve hearing problems can you look at me so I can see your lips” from me… and when they ask for “e-mail address” I put on a slight rube accent and start giving them my street address, when they stop me and ask about a mobile number I say “Do you want my pager number” even the old dragons give you one of those “does not compute” looks. For some reason there is a little devil in me that enjoys it 😉 Oh and when told “We don’t take cash” –which is actually illegal in the UK– I pull out an old very battered cheque book and say “cheque OK?” at which point if they even know what one is they develop a panicked look… You’d be surprised how many managers make “Just for you Sir” comment and take the cash 🙂

That said I guess at some point I need to think about setting something up again for non work, non business and not personal or social, for the few who “do get it”.

Carl B Smith April 2, 2016 3:26 PM

@Clive Robinson,

That’s some fancy tricks you’ve got there. I suspect they wouldn’t fly as smoothly for someone younger (I take it that you are probably older than me because of “cheque books” and “pager”). But I like the idea.

With Gmail it used to be more ridiculous sometimes even without any “encrypted content.” Send somebody a PDF file or-god forbid-an executable one and it get simply dropped somewhere on the way, as if you never sent one. No idea if that still applies-I quit gmail. Couldn’t send my damn resume for sh*t.

Dan April 2, 2016 3:40 PM

One solution to NSLs is to design your system to have secure audit functionality. If the system cannot possibly comply with an NSL without leaving evidence in a public audit log, the government shouldn’t be able to sue you for leaking the NSL’s existence. The audit log should be signed by a Hardware Security Module and entries should be timestamped to protect the integrity of the audit log. This is probably better suited for companies that don’t need private knowledge to make a profit. Another approach is to have no information about customers that isn’t available publicly, so that there is no point to issuing a NSL. (This also isn’t well suited for for-profit companies)
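A sketch of the kind of log the comment above describes, as an added example that is not part of the original comment or the site: a hash-chained, timestamped audit log in which the only path to a record writes a signed entry first. The names (`AuditLog`, `read_record`, `verify`), the sample records and the HMAC key standing in for an HSM-held signing key are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: stand-in for a key that never leaves an HSM. A public log would
# use an asymmetric signature so readers can verify without the signing secret.
HSM_KEY = b"constructed-demo-key-not-a-real-secret"
GENESIS = "0" * 64
FIELDS = ("seq", "ts", "actor", "action", "record", "prev_hash")


def _digest(body):
    """SHA-256 over a canonical JSON encoding of the entry's fields."""
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def _sign(entry_hash):
    """Signature over the entry hash (HMAC here; an HSM call in practice)."""
    return hmac.new(HSM_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log; each entry commits to the hash of the one before it."""

    def __init__(self):
        self.entries = []

    def append(self, ts, actor, action, record):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "ts": ts, "actor": actor,
                "action": action, "record": record, "prev_hash": prev}
        entry_hash = _digest(body)
        entry = dict(body, entry_hash=entry_hash, sig=_sign(entry_hash))
        self.entries.append(entry)
        return entry


def read_record(log, store, ts, actor, record):
    """The only access path to stored data: log first, then release."""
    log.append(ts, actor, "read", record)
    return store[record]


def verify(entries, expected_head=None):
    """Return a list of problems found; an empty list means the log is intact.

    expected_head is an entry hash an outside auditor saved earlier. Without
    it, dropping entries from the end of the log cannot be detected.
    """
    problems = []
    prev_hash, prev_ts, seen = GENESIS, None, {GENESIS}
    for i, e in enumerate(entries):
        body = {k: e[k] for k in FIELDS}
        if e["seq"] != i:
            problems.append(f"entry {i}: sequence gap (seq={e['seq']})")
        if e["prev_hash"] != prev_hash:
            problems.append(f"entry {i}: broken chain")
        if _digest(body) != e["entry_hash"]:
            problems.append(f"entry {i}: content altered")
        if not hmac.compare_digest(_sign(e["entry_hash"]), e["sig"]):
            problems.append(f"entry {i}: bad signature")
        if prev_ts is not None and e["ts"] < prev_ts:
            problems.append(f"entry {i}: timestamp goes backwards")
        prev_hash, prev_ts = e["entry_hash"], e["ts"]
        seen.add(e["entry_hash"])
    if expected_head is not None and expected_head not in seen:
        problems.append("previously published head is missing from the log")
    return problems


if __name__ == "__main__":
    # Constructed sample data: two records and three accesses.
    store = {"user:1001": "profile-a", "user:1002": "profile-b"}
    log = AuditLog()
    read_record(log, store, 1459600000, "support", "user:1001")
    read_record(log, store, 1459600060, "legal-request", "user:1002")
    read_record(log, store, 1459600120, "support", "user:1001")
    print("intact log:", verify(log.entries))
    edited = [dict(e) for e in log.entries]
    edited[1]["actor"] = "support"          # rewrite who accessed the record
    print("edited log:", verify(edited))
```

The chain only protects entries that someone outside the operator has already seen, which is why the log has to be public and its latest hash recorded by independent parties.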

Wael April 2, 2016 4:03 PM

@Carl B Smith,

I take it that you are probably older than me because of “cheque books” and “pager”

He’s roughly 733 years old[1]. Link omitted so I don’t raise his blood pressure.

Couldn’t send my damn resume for sh*t.

Makes little difference. It ends up in the trash anyway (not specifically your resume, but most resumes.)

[1] Make no mistake! These aren’t dog-year units! You may or may not want to duckduckgo this search string: “encyclopedic-knowledge-accumulation schneier”, then you can search for “730” within the first link.

Clive Robinson April 2, 2016 4:25 PM

@ Carl B Smith,

Contrary to @Wael’s assertion, I’m not that old even in “dog years”. As I’ve said before I’m a older than Bruce and have less badger in my beard 🙂

With Gmail…

You got it in one, well done take +3 brownie points.

@ Wael,

Why “doggy years” what have canines ever done to you?

For that matter what have I ever done to be compared to a geriatric dog?

On second thoughts don’t answer that, it will only end up being something to do with the phases of the moon knowing you 8-D

Wael April 2, 2016 4:44 PM

@Clive Robinson,

Why “doggy years” what have canines ever done to you?

It’s a secret. Would you like me to expand on the bold text and get you to earn another yellow card? 😉

I’m a older than Bruce and have less badger in my beard 🙂

For sure!

Clive Robinson April 2, 2016 5:34 PM

@ Wael,

Your link reminds me…

@ Figureitout,

The search for what Slartibartfast replied to Arthur Dent, I know you found the answer, but I forgot to ask,

1) Did you have fun finding it?
2) Did it take your mind off other worries?

It was meant to do both, as well as demonstrate a little “British humour”.

Wael April 2, 2016 6:53 PM

@Clive Robinson,

On second thoughts don’t answer that…

I’m afraid I’ll have to!

For that matter what have I ever done to be compared to a geriatric dog?

This doesn’t compare you to a dog. It’s an expression that means the years spent in the industry were hard years. One year in some industries is equivalent to 7.some years of a “normal” year. That would be one dog year in human life.

Had a colleague a while back who was celebrating 19 years on the job, and we were asked to sign a card for him. My note on the card said: Wow! 19 years! These aren’t dog years, are they? Meaning he only spent less than 3 years on the job — but they are “hard” dog-years. Slavery, in other words.

Just want to make sure you didn’t see it as an insult.

it will only end up being something to do with the phases of the moon knowing you 8-D

You’d better believe it! Full moon is approaching, so Buckle the f##k up 😉

Nicholas M April 2, 2016 8:36 PM

@ Carl B Smith, “With Gmail it used to be more ridiculous sometimes even without any “encrypted content.””

It seems to do a lot of “fancy work” behind the scenes with your email contents especially after they added SaaS and google drives, not to mention all sorts of linguistic and binary analytics done in the name of spam-fighting and giving us the custom tailored experience.

Mark April 2, 2016 8:51 PM

I think whether it’s a high school trick depends on the mechanism. If you actively remove it, that is an active expression.

But if you just have a list that says “We did not receive a warrant on these dates” and every day list the date…they can’t compel you to keep adding dates, as that’s compelled speech.

What you could illegalize across the board, maybe, would be illegalizing such lists of “days I haven’t received a secret warrant” for everybody, even people who never will receive such a warrant.

But that seems pretty chilling on free speech. Banning a topic for everyone, forbidding anyone from (truthfully) denying something, merely because asserting this creates a “baseline” against which not saying it could be interpreted as saying the opposite.

Sorry, but that would be the end of free speech.

Figureitout April 2, 2016 9:10 PM

Bruce
When I think about what we can do to be useful here, I can’t think of anything.
–Get the info of the NSL’s out in the public, make its outing deniable (so secure channels to journalists is probably #1 way, but that responsibility relies on leaker). Secretive law is wrong, you can follow secret laws. These days there’s no way to keep it secret, during the approach (person delivering NSL) info will be leaked and it can be leaked by third parties.

Clive Robinson
–It was silly, and not what I wanted, you were just trolling me lol. So just a little fun, and it just delayed my worries I was trying to relieve (making secure system). Rather see these systems you’re so daft to call “secure” than look up frickin’ slartibartfast quotes lol.

Nick P April 2, 2016 10:31 PM

@ Figureitout

NSL’s arent secretive law: just a secret order to obtain info allowed by public law. If it’s an individual person, it’s basically like a warrant but Patriot Act style. Public is OK enough on that post-911 for it to be legal. If backdoors or master keys or whatever, then yeah leak that request or order by all means cuz they didnt tell us THAT during Congress briefs.

Figureitout April 3, 2016 12:45 AM

*can’t follow secret laws

Nick P
NSL’s arent secretive law
–So I can just voluntarily not follow the “secret order” and be cool?

Nick P April 3, 2016 2:03 AM

@ Figureitout

You can voluntarily not follow a public order from a court or law from any branch of government for that result. No need to worry about NSL’s if one is practicing anarchy. It’s all the same at that point. 😛

Alarm April 3, 2016 5:58 AM

In the meanwhile another canary looks dead without anyone noticing. Logitech used to have everyone know that their wireless keyboards supported AES-128 encryption. Now their web pages mention nothing on the subject of encryption and the same holds for the boxes of their keyboards which used to mention encryption specifically.

Figureitout April 3, 2016 10:00 AM

Nick P
–I’d follow the law like always, I’m just saying an unknown third party via all the existing surveillance everywhere, somehow someway, would probably leak disturbing “public orders” (not law I guess?) were such things pushed on me (I doubt it lol). Also something about free speech and the like, I like exercising that right. :p

Dirk Praet April 3, 2016 10:26 AM

A gag order is serious, and this sort of high-school trick won’t fool judges for a minute.

The underlying reason may be that courts, and thus judges, are currently split over the constitutionality of NSL gag orders and the FBI (or other entity) issuing the order reluctant to push the envelope. A company being served may decide to remove its canary but not challenge the NSL in court. Suing them for doing so cannot but result in a legal challenge that may land them in front of an unsympathetic judge thoroughly scrutinizing the case, which, if not hard enough, may force them to withdraw their demand for records. It’s happened before.

When I think about what we can do to be useful here, I can’t think of anything.

From a legal vantage, there is little that can be done. NSL’s and the statutes they’re based on are entirely legal and the Obama administration has done pretty much everything in its power to block reforms. To the best of my knowledge, there is currently no single case involving NSL’s and gag orders that has been filed with SCOTUS, which is the only entity in the US with the power to rule on the constitutionality of things. Although this will eventually happen (e.g. the EFF’s 2011 petition), the only way to speed things up in my opinion is through high-profile warrant canaries, continued media attention and civil disobedience as suggested by @Figureitout and put into practice by people like Lavabit’s Ladar Levison. But which can carry substantial criminal penalties up to 5 years in jail for obstruction of justice.

@ Alarm

Logitech used to have everyone know that their wireless keyboards supported AES-128 encryption.

This is probably more related to the fact that Logitech was one of the vendors of wireless mice and keyboards that were revealed to be seriously flawed and vulnerable to hacking in February this year.

Clive Robinson April 3, 2016 2:20 PM

@ Nick P, Figureitout,

NSL’s arent secretive law: just a secret order to obtain info allowed by public law.

And that is their Achilles heel…

To come into effect they have to be served on the right party…

Which means you can set things up so that the “visit” by paper servers becomes public knowledge before the papers are served on the right party…

Carl B Smith April 3, 2016 2:23 PM

@Wael,

In my case I had to submit it just for the sake of submitting-I had already discussed all the details with the guy who’d be supervising me. Something something paper loving bureaucracy. Even when there are no papers.

@Clive Robinson,

Only three? So much for privacy.
(But yeah, I was really careless in the past days.)

@Nick P,

That was a really bad joke.

@Nicholas M,

I suspected as much, that’s why I quit. Although I am unsure if that had any tangible impact, with a fair share of my contact list still on gmail. Apart from feeling as if I’m in control. Gmail had been bugging me to give them my phone number for too long anyway.

Wael April 3, 2016 2:52 PM

@Carl Smith,

Something something paper loving bureaucracy. Even when there are no papers.

Sometimes it’s formalities, sometimes it’s the need to comply with regulations and provide a path of traceability.

Mr C April 3, 2016 4:05 PM

NSLs are prior restraints on speech issued by an executive agency following a procedure that in no way resembles the Supreme Court’s strict scrutiny analysis, with no notice and no hearing until after the recipient’s free speech rights have already been infringed. Of course they’re unconstitutional.

The feds have never won an NSL case. Rather, they seem to be following a strategy of delaying tactics to prevent a conclusive loss at a Circuit Court or SCOTUS — procedural wrangling, appealing everything, amending the law while an appeal is pending to force remand back to the District Court, and finally settling with individual parties when their cases cannot be dragged on any longer. (Although a Circuit Court’s decision declaring a law unconstitutional is technically only binding in that one case, because it is a controlling precedent for District Courts in that Circuit, it has the practical effect of invalidating the law in that Circuit.)

I think Dirk Praet falls very close to the mark with his point that a warrant canary pretty much dares the feds to stop dancing around and fight it out — they don’t get to play delaying games in a criminal prosecution.

But there’s something to the concept of a warrant canary that’s a shade different and even more important. Warrant canaries shift attention towards what an effective NSL enforcement regime would really entail. Because the only effective steps to defeat a warrant canary would be profoundly unconstitutional, they provide a wake-up call to judges who might otherwise get lost in abstractions. There are only two ways to stop a warrant canary from working: outlaw all warrant canaries in the first place (like Australia), or compel the NSL recipient to issue a false warrant canary. The first way could be called a “super prior restraint.” This would never withstand First Amendment scrutiny because the government’s interest in silencing any given warrant canary is purely speculative (“We might want to censor some people later under an NSL, so we need to perpetually preemptively censor everybody to make sure the NSL will be effective.”). The second way is coerced false speech. SCOTUS really dislikes coerced speech, and rarely upholds such laws. Those cases have two threads running through them: First, in all but one case, the speech at issue was commercial speech (usually advertising) and the law was upheld in part because commercial speech historically has not received full First Amendment protection. By contrast, a warrant canary is inherently political speech criticizing government action and secrecy. Second, in every case in which SCOTUS has upheld a law coercing speech, the law has required the speaker to make certain additional true factual statements in a context where such speech is prone to being misleading if those facts go unmentioned. That the government could compel false speech is absolutely unheard of. It is constitutionally unthinkable. (There’s also a Free Exercise issue here, since many religions forbid dishonesty (and thanks to Hobby Lobby, even corporations have religious rights these days).)

Some scholars believe that, from a jurisprudence standpoint, “information privacy” and “sexual privacy” are two leaves on the same branch. I’m not sure about that, but I do find it interesting that an argument about how effective enforcement would require deeply unconstitutional acts holds an important place in the history of sexual privacy law. Griswold v. Connecticut, 381 U.S. 479, 485-86 (1965).

Sancho_P April 3, 2016 5:57 PM

I have a bad feeling with the idea of NSLs being unconstitutional.
They don’t compel anybody to lie, or reduce free speech in general, or coerce to false speech.
The only thing is “This is a National Security, refrain from anything that could make that order public or known to the target”.

It’s the company’s decision how to achieve that, to lie or not.
This order is personally submitted to the legal representative, I guess not easy to cheat with, and easy to predict what will happen then.
Probably this is why certain companies have killed their canary in advance, the legal representative being (close to) a lawyer.

The other point is, what would it help to know that e.g. Google got a NSL (or 10), I want to know if such an order would compromise my account.
I’m not interested in Ed Snowden’s account at all.

But I’m against any secrecy here.
When they tap my calls or data I want to be informed about (and why), at least after 2 weeks, and I want to have a stand to challenge that order.

Alarm April 3, 2016 10:28 PM

@Dirk Praet

Actually Microsoft was affected even harder, but they still boast they offer AES encryption for most of their current keyboards.

My suspicion is that maybe Logitech has silently dropped AES at the request of some influential entity. It makes no sense they eliminated any reference to AES from their website or product box.

Mark April 4, 2016 3:58 AM

Bruce, we need to be fighting back against mass surveillance. NSLs have no meaningful oversight or prior judicial review. We all know that the USA will claim that anything is “in the interest of national security” to scare companies into providing data.

What can we do that is useful, you ask? Not that I use Reddit — or any American company if I can avoid it — but I would now not give them any personal data. Or I’d access it over Tor if required.

We have choices as consumers of these companies’ products and services. We can either vote for change, or we can not use these companies. I choose not to use them.

Jeremy April 4, 2016 3:11 PM

@ Matt: “A strict view of either approach to canaries (upon receipt of an NSL, remove it; or put an expiration date on it and simply fail to update it) would be that both cases betray an obvious intention to communicate the receipt of an NSL.”

And why is that significant?

I don’t think there’s anything illegal about declaring your intent to break the law in a hypothetical scenario that may or may not ever happen.

For example, I can say “if the government ever passes a new law requiring me to kick at least one puppy per day, I intend to break that law” and that statement is not, itself, illegal.

Lev April 4, 2016 3:54 PM

The “NSL Canary” letter is because of two different laws against each other. On the one is the National Security Letter they get asking for info and gagging them on telling about it, but the other is Sarbanes Oxley act requiring them to be honest and tell any adverse actions and risks to profitability. Giving The Man info on users tends to chill users from using your product when found out. You can’t follow both. So the Canary method lets you cover the Sarbanes Oxley requirement, and removing it does as well, and yet doesn’t actually divulge anything about the NSL you received.

late to the party June 10, 2016 12:15 PM

That Canary gave its life for a great cause: informing millions of otherwise unaware people that NSLs are real and they affect services that everyday people use. The only “useful” thing to be done is the generation of popular pushback against this form of authoritarian secrecy.


Sidebar photo of Bruce Schneier by Joe MacInnis.