Last week, a major player in the social media forum world used a legal hack to alert its subscribers that it had been served a National Security Letter (NSL). NSLs are a legal tool used by federal agencies when those agencies are seeking information about an American company’s customers or subscribers. Part of all such letters is a “gag order” forbidding the company from disclosing the existence of the NSL.
But after the Snowden leaks made headlines and more of the general population became aware of NSLs, many Internet companies launched a legal hack to allow them to stay within the law while still alerting users. While the NSL — and the laws which govern its use — forbid companies to say when they are served an NSL, nothing prohibits them from saying when they have not been served. So what many of those companies have done, as a matter of course, is publish regular “transparency reports” which include a statement that they have not received an NSL. If they do receive one, they remove that language from the next report.
It’s called a “warrant canary,” though that term is misleading since an NSL is a legal demand from a federal agency and allows the agency to avoid applying for a warrant. The idea is the same as that of a canary in a mine shaft, which serves as an early warning signal that toxic gas is building up. When the canary dies, everyone knows to get out of the mine. When the “warrant canary” disappears from a website, users know that the site or service is no longer safe for privacy. It may be time to leave the mine.
In this case, Reddit — a social media forum with millions of users — listed the following statement in its 2014 transparency report:
national security requests
As of January 29, 2015, reddit has never received a National Security Letter, an order under the Foreign Intelligence Surveillance Act, or any other classified request for user information. If we ever receive such a request, we would seek to let the public know it existed.
That paragraph is conspicuously absent in the most recent transparency report, indicating that though Reddit cannot say it has received an NSL, it can also no longer say it hasn’t. It appears the company has kept its promise that, “If we ever receive such a request, we would seek to let the public know it existed.”
In Reddit threads about the lack of the “canary” in the recent report, the administrator “spez,” whose name appears at the bottom of the report, discussed the “fine line” companies tread where NSLs are concerned. In one thread, spez says, “I’ve been advised not to say anything one way or the other.” Another thread includes this comment from spez: “Even with the canaries, we’re treading a fine line. The whole thing is icky, which is why we joined Twitter in pushing back.”
Since Reddit would only be forbidden from saying it had received an NSL, but not that it hadn’t, spez’s statement about being “advised not to say anything one way or the other,” taken together with the statement about “treading a fine line,” could be read as the closest thing to a confirmation that could ever be made. The statement about joining Twitter in “pushing back” refers to a lawsuit filed by Twitter and later joined by other companies to allow disclosing information on NSLs.
While it may be reasonably “known” that this means Reddit is the recipient of an NSL, there are still some things that cannot be known or even inferred:
• When the NSL was received: It could have happened anytime after January 29, 2015. For this reason, sites may want to consider issuing transparency reports on a more regular basis, perhaps even monthly.
• The scope of the NSL: It could have sought only the information on one user, or it could demand data on all users. Since that data could include the IP addresses of the users, it could be used to identify users who have fictitious usernames. It would also identify their location.
• The duration of the NSL: Did the NSL seek only data pertaining to a certain timeframe? Or was it open-ended and still applicable?
Even though the NSL could likely affect all users of Reddit, there are ways in which users could protect their identities. By using the Tor Browser Bundle properly, users could create an account on Reddit (or nearly any other site, for that matter) and remain anonymous and private. There are other tools, which The New American has reported on previously, that allow anyone to surf the web and maintain their privacy when used properly.
News of Reddit almost certainly having been served an NSL should underscore the fact that everyone needs to take responsibility to learn to use the proper tools and protect their own privacy. While the tech companies push back, private citizens need to do the same.