Sometimes, saying nothing says quite a lot.
At the end of January 2015, the online bulletin board reddit issued a 鈥渢ransparency report鈥 that informed its users, and the broader public, about the law enforcement requests for user data that the site鈥檚 operators had received over the course of the preceding year. Compared to thousands of requests listed in the similar reports issued by tech giants like Google and Facebook, the total number of requests reported by reddit was tiny: just 55 in total. But reddit鈥檚 report was not just an informational document 鈥 it was a statement of commitment, a promise to its users that the company would defend and protect its users鈥 privacy to the maximum extent possible.
A critical aspect of that promise was a legally experimental, categorical statement known as a 鈥渨arrant canary.鈥 A warrant canary, as the Electronic Frontier Foundation , 鈥渋s a colloquial term for a regularly published statement that a service provider has not received legal process that it would be prohibited from saying it had received. Once a service provider does receive legal process, the speech prohibition goes into place, and the canary statement is removed,鈥 thereby informing the public that the process has been received.
reddit鈥檚 canary looked like :
As of January 29, 2015, reddit has never received a National Security Letter, an order under the Foreign Intelligence Surveillance Act, or any other classified request for user information. If we ever receive such a request, we would seek to let the public know it existed.
Thus, reddit set up a warrant canary that would expire upon the receipt of any legal process related to national security. At the time the canary was published, it drew from EFF and garnered much attention in (e.g., and ) the technology press. Many other technology companies .
Now, though, it is the disappearance of reddit鈥檚 canary 鈥 in the company鈥檚 , issued last week, covering law enforcement requests made during 2015 鈥 that is getting attention from the site鈥檚 users and the broader public.
Indeed, that is exactly what a warrant canary is supposed to do: alert the public that a government request for information has been made to a particular provider. But the mysterious flight of the reddit bird raises several important questions.
First, what sort of information might the government be seeking from reddit through a national security subpoena?
Because reddit is a public bulletin board, it may seem a bit strange that a secret government request would land there at all. But reddit does have (optional) user accounts, and its systems do log information, such as the IP addresses of users, that could potentially be of interest to government agents in a national security investigation.
Last fall, Nick Merrill 鈥 who, with the help of the 老澳门开奖结果, won an important court ruling narrowing the scope of national security letters and the gag rules that accompany them 鈥 finally won, with the help of Yale Law School鈥檚 Media Freedom and Information Access Clinic, the right to publish of the kinds of 鈥渟ubscriber information鈥 that the government had sought through the NSL that it had served on him. Glancing at that list, IP addresses and other account information appear to be the most likely answer here, but, of course, we are still in the dark about the details (and might be for a long time).
Second, why is the news that reddit (probably) received a national security request important?
Most of all, the news is important because it draws attention to the information vacuum in which we debate the wisdom, necessity, and utility of these kinds of requests. The public remains woefully under-informed about the scope of government surveillance, almost entirely due to government rules governing transparency reporting and government gag orders that accompany national security requests. The disappearance of reddit鈥檚 canary shines a new light on the expansiveness of this surveillance, and allows the public to ask questions about what, exactly, is going on.
As I have previously , the government鈥檚 position is that providers can only report their receipt of specific types of national security requests in large bands (from 0 to 999, 1000 to 1999, and so on). That 鈥渞equirement鈥 originally stemmed from a , reached in January 2014, between the government and major providers like Google and Microsoft. (Technically, it applies to providers 鈥渟imilarly situated鈥 to the parties to the settlement, though that term is not defined.) But technology companies, including some of the parties to the agreement, have almost universally continued to lobby for more leeway to provide further information about the national security requests they receive. When Congress passed the USA Freedom Act, it codified this 鈥渂ands鈥 requirement and gave companies several other options for reporting the numbers of requests they received.
In fact, Twitter 鈥 which was not a party to the settlement but which the government claimed was bound by it anyway 鈥 is litigating a challenge to those rules in federal court in California. Specifically at issue in that suit is the government鈥檚 rule addressing warrant canaries. Under the government鈥檚 rule, if a company has receivedsome form of national security request (say, a Foreign Intelligence Surveillance Act order), it cannot publicly say that it has not received a different form of national security request (say, a national security letter). In other words, as far as warrant canaries are concerned, the government puts all national security requests into the same basket.
But this rule doesn鈥檛 apply to a company that has never received any type of national security request. It appears that while reddit was not bound by the canary rule at the time it issued its 2014 transparency report, things have now changed. That鈥檚 presumably why, if (for example) reddit received a single national security letter, it cannot say that it has still received 鈥渮ero鈥 FISA orders.
Notably, though, the reddit case does not raise the most interesting legal question posed by the increasing popularity of warrant canaries: whether the government could force a company that had issued a warrant canary to continue publishing that canary afterserving a request covered by the canary. In other words, whether the government could force a company to lie to the public. Whether such a demand would violate the First Amendment鈥檚 compelled-speech doctrine is a thorny question. Because reddit has eliminated the canary in its new report, it seems unlikely that the government sought to force that issue here.
Finally, as Bruce Schneier , 鈥渘ow what?鈥
Schneier, a warrant canary skeptic, suggests that the information we now have as a result of the disappearance of the reddit canary is not all that useful:
We know that NSLs can affect anywhere from a single user to millions of users. Which kind was this? We have no idea. Is Reddit fighting? We have no idea. How long will this go on? We don鈥檛 know that, either. When I think about what we can do to be useful here, I can鈥檛 think of anything.
On the one hand, it鈥檚 hard to argue with what Schneier is saying 鈥 it鈥檚 not as if, now, users will (or should) abandon reddit en masse because it is somehow 鈥渃ompromised.鈥 That the site may have received a national security request does not really change the fact that it was always possible that reddit would receive such a request. In terms of changing user behavior, then, the warrant canary is likely of little utility.
But on the other hand, the reddit example makes clear that even though they plainly cannot be the only solution to the information vacuum in which we debate these requests, warrant canaries can be useful in ensuring that people are paying attention and asking questions. After all, we wouldn鈥檛 be national security letters today had reddit never included a warrant canary in its 2014 transparency report. And, in time, the answers to Schneier鈥檚 questions 鈥 what kind of request was this? is reddit fighting? etc. 鈥 will become clear. Had reddit never published its warrant canary, we wouldn鈥檛 even know that we should be asking these questions at all.
This was originally posted on .