Elizabeth Banker, Twitter’s Associate General Counsel for Global Law Enforcement, published “#Transparency update: Twitter discloses national security letters.” The Twitter lawyer’s post brought up interesting points with relevance to events on Reddit in general and the darknet market subreddit, /r/darknetmarkets. More importantly though, or at least with respect to Banker’s Transparency update, Twitter released two redacted National Security Letters from 2015 and 2016. The Federal Bureau of Investigation issued both letters with information requests for the accounts of two Twitter users. Those accounts, to the dismay of many, appeared only underneath black censorship bars.
In theory, government agencies issue National Security Letters to companies that host vital information on a suspect (or many suspects) but want to keep the individual uninformed. Unfortunately, and in practice, National Security Letters became a blanket gag order that left the company in a compromising—if not ethically challenging—position. The company, Twitter in this scenario, received two orders from the Federal government that required names, addresses, length of service (account age), transaction records. Presumably, the transaction records request applied to any potential advertising. The FBI asked for said data for both accounts. Companies struggle with these gag orders routinely; violating them and publishing information places the company in hot water, legally. But, if the company values the privacy of their user’s, leaving them in the dark can seriously compromise public image.
National Security Letters often last far beyond the length of the investigation. In some cases, the NSLs function similarly to non-disclosure agreements some companies sign with employees. I.e., Google, before the release of Android TV devices—theoretically—sent a batch of test units to a select number of developers. That non-disclosure agreement lasted a specific number of years. But the first Android-based TV device hit the shelves long before the agreement expired. Those developers, unless contacted by Google, lacked the ability to speak about the development units for the remainder of the non-disclosure agreement. This example applies to any company of the same sort, but tech companies fit the bill perfectly.
In the transparency update, Banker mentioned that the FBI “recently informed us that the gag orders have been lifted and that we may notify the account holders.” Twitter, unlike some companies, lucked out received permission to disclose details before anything damaging occurred due to the NSL.
The transparency report explained:
We’re encouraged by the lifting of these two gag orders and those recently disclosed by Cloudflare, Google, the Internet Archive, and Yahoo. However, Twitter remains unsatisfied with restrictions on our right to speak more freely about national security requests we may receive. We continue to push for the legal ability to speak more openly on this topic in our lawsuit against the U.S. government, Twitter v. Lynch.
Google recently released eight NSLs—a groundbreaking moment as those eight marked the first NSL disclosure by Google.
Last year, the Reddit warrant canary vanished from their 2015 Transparency Report. A “Warrant Canary” refers to a company’s ability to notify users without breaching the NSL. When the government issues a warrant CA smart, they order the company to remain silent about the issue entirely. But they do not require the company lie to the public. Some companies, like Reddit, began implementing yearly transparency reports that said the government issued no warrants or subpoenas during that year. That way, the next year, if the transparency report’s writers removed the “warrant canary” clause, users knew that the company received requests for information. And the company never said anything. This method received blowback from the EFF and similar groups, but the government never challenged a case where a company used warrant canary to notify users.
Gwern Branwen, somewhat of a famed member of the community, received a message from Reddit in 2015 that the government issued a subpoena for the /u/gwern account. Along with Gwern, four other users received similar messages. Gwern’s account appeared connected to the other four because he offered to verify some information to resolve ongoing drama. In the end, the details came out. An ICE agent wanted their user information based for Reddit drama involving fraud, of sorts. The rest of the tale can be found here on DeepDotWeb.
This serves as yet another reminder to prioritize safety over convenience. Use the marketplace list. Use encrypted messaging. Use Tails. In today’s world, the companies that value your privacy are essential.