Is Twitter EFF’s Second NSL Client?

In the past, I’ve tracked the efforts of a telecom — which WSJ convincingly argued was Credo — to challenge a 2011 National Security Letter. It has the support of EFF on that challenge. I also noted language in Credo’s Transparency Report (which was issued after DOJ permitted providers to give broad bands for NSLs, but before DOJ permitted them to give broad bands for other national security demands) saying it was prohibited from giving more information about NSLs and Section 215 orders.

It is important to note that it may not be possible for CREDO or any telecom carrier to release to the public a full transparency report, as the USA PATRIOT Act and other statutes give law enforcement the ability to prevent companies from disclosing whether or not they have received certain orders, such as National Security Letters (NSLs) and Section 215 orders seeking customer information. [my emphasis]

Today, EFF noted that it has filed what should be its response to the government’s appeal in that case.

Only, it makes clear it is representing not just the known telecom client, but also an Internet client.

The Electronic Frontier Foundation (EFF) filed two briefs on Friday challenging secret government demands for information known as National Security Letters (NSLs) with the Ninth Circuit Court of Appeals.  The briefs—one filed on behalf of a telecom company and another for an Internet company—remain under seal because the government continues to insist that even identifying the companies involved might endanger national security.

While the facts surrounding the specific companies and the NSLs they are challenging cannot be disclosed, their legal positions are already public: the NSL statute is a violation of the First Amendment as well as the constitutional separation of powers.

Now, one obvious potential Internet client would be Google. It is known to have fought NSLs in Judge Susan Illston’s court and lost.

But I wonder whether it isn’t Twitter.

I say that, first of all, because of the cryptic language in Twitter’s own Updated Transparency Report, which was released after the DOJ settlement which should have permitted it to report NSLs. But instead of doing so, it pointed out that it can’t report its national security orders, if any, with enough particularity. It called out NSLs specifically. And it used a language of prohibition.

Last week, the U.S. Department of Justice and various communications providers reached an agreement allowing disclosure of national security requests in very large ranges. While this agreement is a step in the right direction, these ranges do not provide meaningful or sufficient transparency for the public, especially for entities that do not receive a significant number of – or any – national security requests.

As previously noted, we think it is essential for companies to be able to disclose numbers of national security requests of all kinds – including national security letters and different types of FISA court orders – separately from reporting on all other requests. For the disclosure of national security requests to be meaningful to our users, it must be within a range that provides sufficient precision to be meaningful. Allowing Twitter, or any other similarly situated company, to only disclose national security requests within an overly broad range seriously undermines the objective of transparency. In addition, we also want the freedom to disclose that we do not receive certain types of requests, if, in fact, we have not received any.

Unfortunately, we are currently prohibited from providing this level of transparency. We think the government’s restriction on our speech not only unfairly impacts our users’ privacy, but also violates our First Amendment right to free expression and open discussion of government affairs. We believe there are far less restrictive ways to permit discussion in this area while also respecting national security concerns. Therefore, we have pressed the U.S. Department of Justice to allow greater transparency, and proposed future disclosures concerning national security requests that would be more meaningful to Twitter’s users. We are also considering legal options we may have to seek to defend our First Amendment rights. [my emphasis]

It was a defiant Transparency Report, and it discussed prohibitions in a way that no one else — except Credo — had done.

Moreover, it would make sense that EFF would be permitted to represent Twitter in such a matter, because it already had a role in Twitter’s challenge of the Administrative subpoena for various WikiLeaks associates’ Twitter data.

Finally, EFF notes that this Internet client is fighting just 2 NSLs; Google is fighting 19.

The very same day that the district court issued that order striking down the statute, a second EFF client filed a similar petition asking the same court to declare the NSL statute to be unconstitutional and to set aside the two NSLs that it received.

Notwithstanding the fact that it had already struck down the NSL statute on constitutional grounds in EFF’s first NSL case, but indicating that it would be up to the Ninth Circuit to evaluate whether that evaluation was correct, the district court denied EFF’s client’s petition and ordered them to comply with the remaining NSL in the interim.

If Twitter is the client, it would present real First Amendment issues. It would suggest that, after Twitter took the rare step of not just challenging but giving notice in an Administrative subpoena, DOJ decided to use NSLs, which are basically Administrative subpoenas with additional gags, in response.

Update: in potentially related news, Verizon just updated its Transparency Report, claiming it can’t provide details on some bulk orders.

We note that while we now are able to provide more information about national security orders that directly relate to our customers, reporting on other matters, such as any orders we may have received related to the bulk collection of non-content information, remains prohibited.

It Turns Out CREDO Will Respond to Administration Subpoenas

It turns out CREDO will respond to simple administrative subpoenas.

That’s one thing their new Transparency Report — the first of its kind in the industry — reveals. They complied with 5 administrative subpoenas last year: 3 from the DEA, one from a police department, and one from a DA, a full third of all the disclosed requests they got and complied with.

So they’re not opposed, in principle, to information requests lacking any judicial review.

That’s not in the least bit surprising, but it is significant because CREDO is almost certainly the telecom that challenged an NSL asking solely for subscriber information back in 2011; Judge Susan Illston ruled in their favor last March.

That may or may not say anything new about its challenge. I had considered whether this suggested it got some kind of bulk request (my new obsession). But the actual request in the NSL doesn’t leave much space for any bulk request.

The reference to what the government had required on page 11 of its reply to the government is redacted, and the reference to subscriber information on the following page lacks any pronoun to qualify it. Its language attesting to its preference to notice its subscriber uses “the,” which seems to suggest an entity rather than a person. A quotation from the FBI’s declaration on page 27 suggests the target is a plural noun.

But most of the rest of the discussion in the provider’s filings and the opinion suggests CREDO (if it is CREDO) challenged the NSL because it deemed the request on a CREDO subscriber to infringe on that subscriber’s First Amendment rights, which are implicated in choosing CREDO (see pages 24-5), as well as CREDO’s ability to fight NSLs and PATRIOT more generally.

There are two more related items of interest in CREDO’s Transparency Report. It includes two passages on related legislation — one mapping out things it can’t comment on, and one mapping out its stance on various pieces of legislation.

It is important to note that it may not be possible for CREDO or any telecom carrier to release to the public a full transparency report, as the USA PATRIOT Act and other statutes give law enforcement the ability to prevent companies from disclosing whether or not they have received certain orders, such as National Security Letters (NSLs) and Section 215 orders seeking customer information.

[snip]

CREDO supports the repeal of the USA PATRIOT Act of 2001 and the FISA Amendments Act of 2008, and the passage of Rep. Rush Holt’s Surveillance State Repeal Act. Until full repeal can be achieved, CREDO has worked specifically to reform the worst abuses of both acts. This includes fighting to roll back the National Security Letter (NSL) provisions of the USA PATRIOT Act, and fighting to make FISA Court opinions public so that the American people know how the secret FISA court is interpreting the law. CREDO endorses the USA Freedom Act and the Amash Amendment, both aimed at halting the indiscriminate dragnet sweeping up the phone records of Americans. CREDO also opposes Senator Feinstein’s FISA Improvements Act which would codify the NSA’s unconstitutional program of surveillance by bulk collection.

Note that it points to USA PATRIOT as what prevents it from fully responding, because it would be gagged in the case of both NSLs and Section 215 orders. (It made me wonder whether the government went and got a Section 215 order after Illston’s ruling.)

Then it describes opposing both PATRIOT and the FISA Amendments Act, which highlights FAA’s absence from CREDO’s list of statutes that limit its ability to fully respond.

Most telecoms would also be subject to FAA orders (incidentally: did you know telecom orders have been going up since 2012?). But CREDO is apparently not, for this reason.

Customer information refers to non-content information such as a customer’s name, address, bill information, or handset or account information. Regarding the content of customer communications, CREDO does not receive or store the content of customer communications. This report includes only CREDO’s requests and does not include requests that may have been directed to another carrier.

I assume that Sprint (from which CREDO leases access) retains all CREDO’s customers’ content. If that’s right (and given the reference to “requests that may have been directed to another carrier,”) I wonder if the FBI initially served Sprint for this customer information based off content already collected.

It’s one possibility, I guess (though that would obviously weaken CREDO’s case, if they made it, that the FBI was infringing on its customer’s First Amendment choice to work with CREDO).

In any case, there are a few interesting new tidbits. And just as importantly, CREDO’s catalog of the requests it did get does lay an excellent standard for Verizon’s upcoming report.

A 15-Month Fight for Subscriber Information

The WSJ today presents a Whodunnit behind an NSL submitted to a cell company in spring 2011.

Early last year, the Federal Bureau of Investigation sent a secret letter to a phone company demanding that it turn over customer records for an investigation. The phone company then did something almost unheard of: It fought the letter in court.

The U.S. Department of Justice fired back with a serious accusation. It filed a civil complaint claiming that the company, by not handing over its files, was interfering “with the United States’ sovereign interests” in national security.

This is just the second time a challenge to an NSL has become public–the other being Calyx’s Nicholas Merrill, whom the WSJ also profiles this morning.

WSJ makes a compelling argument the company challenging the NSL is Credo, based in part on details that reveal the company has associational aspects in addition to its phone service. Assuming they’re right, I find it all the more interesting Credo is challenging not just the gag on this NSL, but the underlying order, particularly since the order asks for just the subscriber information–but not the call data–of the subscriber.

all subscriber information, limited to name, address, and length of service, for all services provided to or accounts held by the named subscriber and/or subscriber of the named account.

That is, this is by far the least invasive kind of NSL. Note, information elsewhere in this case is consistent with the possibility that this order seeks information on a group and not just an individual, though that may be boilerplate.

I’d be shocked if this were the first NSL Credo received, so there must be something about the request that makes it particularly worthwhile, from a Constitutional standpoint, to challenge (indeed, thus far a judge has not thrown out their challenge, so the possibility this subscriber is tied to a national security investigation can’t be obvious).

Credo may, after all, be challenging the order to protect the political speech of someone who has chosen to work with Credo because the company supports social causes. Or, if this is a group, it might be challenging an NSL to find out about the group’s recognizably political activities–though subscriber information doesn’t say much about that, unless this NSL would return, effectively, a membership list of a political organization.

But I’m wondering if Credo is also serving as a gate-keeper here. Credo doesn’t own its own lines; it’s just a reseller. And unless something has changed, it resells Sprint’s services. And Sprint is unique–at least as far as we know–for having set up a portal, L-Site, letting law enforcement access information, including precision location, directly.

I attended an invitation-only surveillance industry conference in Washington DC. It was at that event where I recorded an executive from Sprint bragging about the 8 million GPS queries his company delivered via a special website to law enforcement agencies in a 13 month period.

At that same event, Paul W. Taylor, the manager of Sprint/Nextel’s Electronic Surveillance team revealed that the wireless carrier also provides a next-generation surveillance API to law enforcement agencies, allowing them to automate and digitally submit their requests for user data:

“We have actually our LSite [Application Programming Interface (API)] is, there is no agreement that you have to sign. We give it to every single law enforcement manufacturer, the vendors, the law enforcement collection system vendors, we also give it to our CALEA vendors, and we’ve given it to the FBI, we’ve given it to NYPD, to the Drug Enforcement Agency. We have a pilot program with them, where they have a subpoena generation system in-house where their agents actually sit down and enter case data, it gets approved by the head guy at the office, and then from there, it gets electronically sent to Sprint, and we get it … So, the DEA is using this, they’re sending a lot and the turn-around time is 12-24 hours. So we see a lot of uses there.”

This case is noteworthy because it is a rare public challenge. It’s noteworthy because the government has claimed the telecom has no legal means to challenge the NSL.

But there seems to be more to the challenge which, given the likelihood WSJ correctly identified Credo as the company, seems to get at underlying political speech as well.