Cloudflare Finally Able To Reveal FBI Gag Order That Congress Told Cloudflare Couldn't Possibly Exist

from the letter-that-dare-not-speak-its-[REDACTED-IN-FULL] dept

Fri, Jan 13th 2017 10:47am — Tim Cushing

Another one of the FBI's thousands of National Security Letters has been made public -- along with its recipient. Cloudflare's latest transparency report (its seventh to date) contains a bonus: a 2013 NSL [PDF] the FBI felt no longer needed to kept secret.

This NSL was received in 2013, and was challenged by Cloudflare and the EFF. It's only now being made public, and that's largely due to litigation and the USA Freedom Act's changes to NSL review policies. Rather than review them every three years-to-never, the FBI must now review them more frequently. Better still, recipients are now allowed to challenge NSL gag orders within one year of receiving them. This places the burden back on the government to prove ongoing secrecy is needed.

Shortly before the new year, Cloudflare received a letter from the FBI rescinding the NSL's gag order.

The letter withdrew the nondisclosure provisions (the “gag order”) contained in NSL-12-358696, which had constrained Cloudflare since the NSL was served in February 2013. At that time, Cloudflare objected to the NSL. The Electronic Frontier Foundation agreed to take our case, and with their assistance, we brought a lawsuit under seal to protect its customers' rights.

In this particular case, the NSL itself was pulled by the FBI as a result of the lawsuit.

Early in the litigation, the FBI rescinded the NSL in July 2013 and withdrew the request for information. So no customer information was ever disclosed by Cloudflare pursuant to this NSL.

So much secrecy surrounds NSLs -- by default -- that Ken Carter of Cloudflare wasn't even able to correct a Senate staffer who told him things that were completely untrue.

In early 2014, I met with a key Capitol Hill staffer who worked on issues related to counter-terrorism, homeland security, and the judiciary. I had a conversation where I explained how Cloudflare values transparency, due process of law, and expressed concerns that NSLs are unconstitutional tools of convenience rather than necessity. The staffer dismissed my concerns and expressed that Cloudflare’s position on NSLs was a product of needless worrying, speculation, and misinformation. The staffer noted it would be impossible for an NSL to issue against Cloudflare, since the services our company provides expressly did not fall within the jurisdiction of the NSL statute. The staffer went so far as to open a copy of the U.S. Code and read from the statutory language to make her point.

That's what a gag order does: allows misinformation to go uncorrected. The staffer's interpretation of US Code may have been more to the letter of the law, but Cloudflare's Carter knew -- from personal experience -- that the FBI's interpretation was different.

Because of the gag order, I had to sit in silence, implicitly confirming the point in the mind of the staffer. At the time, I knew for a certainty that the FBI’s interpretation of the statute diverged from hers (and presumably that of her boss).

Not only does the default secrecy allow the FBI to continue to pursue questionable requests with NSLs, but it also allows it to deploy them in apparent violation of US law, right under the nose of its Congressional oversight.

Congratulations to both the EFF and Cloudflare, which worked together to protect a user's privacy against the FBI's self-issued NSL. Apparently the demand for information couldn't hold up when scrutinized by a judge for the first time. The fact that the USA Freedom Act only recently went into effect likely explains the three year-plus gap between the NSL's withdrawal and the lifting of the gag order.

While the USA Freedom Act's NSL-handling changes are an improvement, they're far from perfect. The burden of proof has been shifted to the government, but there's very little compelling it to respond to gag order challenges quickly, as the EFF points out.

Under the USA FREEDOM Act of 2015, the FBI is required to periodically review outstanding NSLs and lift gag orders on its own accord if circumstances no longer support a need for secrecy. As we’ve seen, this periodic review process has recently resulted in some very selective transparency by the FBI, which has nearly complete control over the handful of NSL gags it retracts, not to mention the hundreds of thousands it leaves in place. Make no mistake: this process is irredeemably flawed. It fails to place on the FBI the burden of justifying NSL gag orders in a timely fashion to a neutral third party, namely a federal court.

The EFF's legal battle against NSLs continues. We've seen incremental lifting of secrecy as a result of its multiple NSL challenges, but the EFF is hoping to see a court find the whole NSL scheme -- warrantless demands for user data and identifying information the FBI often uses to route around judicial rejection -- to be unconstitutional.

NSL 12 358696 Redacted (PDF)NSL 12 358696 Redacted (Text)

NSL 12 358696 Unsealing Letter (PDF)NSL 12 358696 Unsealing Letter (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: congress, fbi, gag order, nsl
Companies: cloudflare, eff

26 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

zerosaves (profile), 13 Jan 2017 @ 12:13pm

Anything else I'm wrong on?
I would hope he finds that staffer and gives her the copy of the NSL letter.
[ link to this | view in chronology ]
Anonymous Coward, 13 Jan 2017 @ 12:14pm

They should name and shame the staffer. This kind of shit will never end if these people are allowed to continue spewing misinformation with no direct consequences to their reputations.
[ link to this | view in chronology ]
- Anonymous Coward, 13 Jan 2017 @ 12:36pm
  
  Re: Naming the staffer
  
  They should name and shame the staffer.
  
  Nothing in the quoted story indicates the staffer was willfully ignorant of the FBI's misconduct in this case or knowingly protecting the FBI's unconstitutional activities. Rather, it appears that this staffer had far too much faith that the FBI would interpret the law as Congress had intended it be interpreted. Certainly, that staffer, her superiors, and the colleagues of both ought to be contacted and pointed to the news about this as evidence that they were wrong.
  [ link to this | view in chronology ]
- That One Guy (profile), 13 Jan 2017 @ 1:40pm
  
  Re:
  Besides sounding like they were just a wee bit condescending the staffer's only 'crime' was that they were under the (hilarious if it wasn't so dangerous) mistaken belief that the FBI actually cares about what the law says when it might limit what they can do.
  
  'Believing that a major government agency cares one bit about the laws they are tasked to uphold' may be more than a little naive these days, but I wouldn't say it reaches the point where a name and shame is appropriate.
  [ link to this | view in chronology ]
That One Guy (profile), 13 Jan 2017 @ 1:47pm

Boiling down the absurdity
Getting to the root of the matter, I'd say that the most important take-away from this is that via a gag order a company in general, and one of the people from it was legally bound from telling the truth to a government representative'.

They were put in a position where it would be illegal for them to tell the truth of what was happening, or even correct a mistaken belief about what couldn't possibly be happening, all because of the gag order.

Lawmakers can only fix problems that they are aware of, and cases like this demonstrate that gag orders can prevent that from happening, leaving lawmakers thinking one thing is happening when that is very much not the case. While I know that 'that's a feature, not a bug' as far as those issuing the gag orders are concerned, it should be all that's needed to find the practice unconstitutional and flat out dangerous, and prohibited for good.
[ link to this | view in chronology ]
- Anonymous Coward, 13 Jan 2017 @ 2:10pm
  
  Re: Boiling down the absurdity
  "Lawmakers can only fix problems that they are aware of"
  
  You seriously sit there and think this is true? The so call "lawmakers" already know that this shit is happening. Hell, the knew that their new law would create this fucking mess. Not only that, they don't give a flying fuck about it either, or at least not enough of them.
  
  This game is so fucking old hat it has been going on for longer than the child that is America has been around. It is the order of the day for elected politicians to allow evil agents to bend their ears to word laws is such a way as to allow government to recklessly abuse the fuck out of its power.
  
  This is so pervasive that no one seems to recognize these things. We are so accustomed to corruption in government that we notice nothing when it occurs right in front of our eyes with our complete and undivided attention.
  
  So get with the program, there is a constant pressure to write law in such a way as to look like they are serving the American people while just exactly doing the opposite. It's not like this shit is some secret!
  [ link to this | view in chronology ]
  - Thad, 13 Jan 2017 @ 4:15pm
    
    Re: Re: Boiling down the absurdity
    I'm a Hanlon's Razor guy. While there are some people in the government that are willfully evil (Cheney's "work the Dark Side" comment comes to mind), I think most legitimately believe they're doing what they're doing for the good of the American people.
    
    And you'll find a lot of folks, not just in Congress but out of it, are more trusting and deferential to authority and law enforcement than they reasonably should be. All you need to do to see any evidence of that is go to the comments section of any story about police brutality.
    
    Thinking that the FBI wouldn't abuse its power is naive. But a lot of people do think that.
    [ link to this | view in chronology ]
    - Anonymous Coward, 13 Jan 2017 @ 9:17pm
      
      Re: Re: Re: Boiling down the absurdity
      I think most legitimately believe they're doing what they're doing for the good of the American people.
      
      The road to hell is ordered by the righteous, planned by the well meaning, cemented with ignorance, and paved with their good intentions.
      
      Or, as one of Jim Butcher's characters put it:
      
      "Hell son, I'll take evil any day. It only gets uppity now and again. Stupid is all the time."
      
      or words to that effect. The quote isn't exactly right. I don't disagree with your point that they believe they are serving the people, only that one needs must be very careful with the club that is governance. While it is good to keep people from harming themselves, most wish to seek their hell in a manner of their own choosing. They seldom thank you for saving themselves from themselves.
      [ link to this | view in chronology ]
      - Thad, 16 Jan 2017 @ 9:44am
        
        Re: Re: Re: Re: Boiling down the absurdity
        I think we're getting off track here. (Could be my fault; I'm the one who brought up Cheney, who has absolutely nothing to do with this story.) We're specifically talking about a staffer who explained (correctly) that the gag order did not fit the statutory requirements and therefore (incorrectly) couldn't exist. Such a person is naive, perhaps, but likely well-meaning. Importantly, it's quite possible that, once someone like that finds out that he was wrong, he can adjust and do better in the future.
        [ link to this | view in chronology ]
      - Anonymous Coward, 4 Dec 2018 @ 6:29pm
        
        Butcher quote
        “Evil isn’t the real threat to the world. Stupid is just as destructive as Evil, maybe more so, and it’s a hell of a lot more common. What we really need is a crusade against Stupid. That might actually make a difference.” - JB
        [ link to this | view in chronology ]
  - That One Guy (profile), 13 Jan 2017 @ 4:21pm
    
    Re: Re: Boiling down the absurdity
    The staffer noted it would be impossible for an NSL to issue against Cloudflare, since the services our company provides expressly did not fall within the jurisdiction of the NSL statute. The staffer went so far as to open a copy of the U.S. Code and read from the statutory language to make her point.
    
    Unless you want to say that the staffer was just making a fool of themself by going through that whole song and dance, it seems pretty clear that no, that individual, and likely several others at least did not 'know that this shit was happening'. They, and likely several others, staff and lawmakers 'thought' the law applied one way, the FBI 'disagreed', and thanks to the gag order the company was prohibited from telling the lawmakers that the FBI's 'interpretation' differed notably from their's.
    
    Now, I'll fully agree that some lawmakers likely do know about this sort of thing, I distinctly remember a story a few years back when the Snowden stuff started coming out about one of the members of the 'oversight' groups deliberately withholding information from the others. They knew, they didn't want the others to know because what was differed from what was presented.
    
    Later on, when it became harder to just ignore the leaks some of them came forward claiming that they had no idea this sort of thing was happening, and while I'm sure some of them were just putting into play their 'I'm shocked, shocked I say!' practice it's quite likely that at least a few didn't actually know, because they'd been kept in the dark.
    
    Sometimes it is malicious intent(and while in politics 'assuming malicious intent' is a pretty safe bet, you need to be careful with it), but sometimes it really is incompetence and/or thinking one thing is perfectly clear, while someone else thinks that there's 'room for a different interpretation' and running with their 'interpretation'.
    
    At the same time though, even assuming that every single lawmaker involved knew exactly how the law would really be used, making it public forces them to scramble and pretend that their actual intent matches their professed intent, possibly closing the 'accidental loophole'.
    [ link to this | view in chronology ]
- Ninja (profile), 16 Jan 2017 @ 4:17am
  
  Re: Boiling down the absurdity
  I dunno but it seems to me that the legislative knows better than the executive about laws and takes precedence over less important tools like NSLs. It seems to me that the correct approach would be to tell her that Cloudflare had received an NSL with a gag order that he would only be able to discuss directly with the representative given he was under oath to tell the truth but the NSL had a gag order. Then if said representative wanted HE/SHE could make it public because the NSLs are not above laws. Or at the very least make the Congress and the Senate aware and challenge the order if it's improper.
  
  It's a matter of degrees of importance. The NSLs are subject to a law created by the Congress. And speaking under oath to the Congress seems to trump any other mechanism.
  [ link to this | view in chronology ]
oliver, 14 Jan 2017 @ 9:08am

Does/Did CF have a warrant cacnary, that died that time in 2013?
Just to piss off the government?
[ link to this | view in chronology ]
DNY (profile), 14 Jan 2017 @ 9:09am

A modest proposal
Perhaps all companies subject to NSL's should make a practice of keeping them on a server used only for governmental communications and secured with a trivial-to-guess username and password so amateur hackers who have not been issued a gag order can "hack" the governmental communications server and pass them on to wikileaks.
[ link to this | view in chronology ]
David, 14 Jan 2017 @ 9:32am

We need at least one limit on a gag order
Congress has oversight, and especially legislative oversight, over the Executive. In Cloudflare's case, the Executive mis-read a statute from Congress and the Judicial failed to act properly. As part of the government, and integrally part of the check-and-balances of the system, and such Gag Order should not apply if the party directly addresses an office of a Senator or Representative, so they can take action or address it with the proper oversight committee.
[ link to this | view in chronology ]
Richard (profile), 14 Jan 2017 @ 7:48pm

Huzzah (a vast improvement?)!?
"Better still, recipients are now allowed to challenge NSL gag orders within one year of receiving them."

This statement alone most perfectly limns the current picture. To interpret: in America, you're now required to wait ONLY a year to appeal suppressions of civil rights without terror of reprisals by the secret police.

Who knows but that soon (nay, even possibly within a few generations!) one might not need to be a major corporation assisted by a major, public policy interest group to accomplish the enforcement of fundamental, Constitutional rights?
[ link to this | view in chronology ]
This comment has been flagged by the community. Click here to show it

acerte na lotofacil, 16 Jan 2017 @ 7:17am

acertenalotofacil.org
Tank you…
[ link to this | view in chronology ]
Miranda Nal, 14 Mar 2017 @ 11:08am

Very cool, I always try to follow with this logical reasoning, thank you!
[ link to this | view in chronology ]
patricia camargo, 16 May 2017 @ 10:24am

patricia
Very cool, I always try to follow with this logical reasoning, thank you!
[ link to this | view in chronology ]
beatriz diniz, 16 May 2017 @ 10:55am

beatriz
very good article. thanks for shared!
[ link to this | view in chronology ]
tiago silva, 16 May 2017 @ 11:06am

tiago
We need at least one limit on a gag order
[ link to this | view in chronology ]
paulo smith, 16 May 2017 @ 11:21am

paulo
Very cool, I always try to follow with this logical reasoning, thank you
[ link to this | view in chronology ]
Alex Vaz, 16 May 2017 @ 11:28am

Alex
We need at least one limit on a gag order.
Very cool, I always try to follow with this logical reasoning, thank you
[ link to this | view in chronology ]
Alex Smith, 16 May 2017 @ 11:34am

Alex
Very cool. Thanks for shared!
[ link to this | view in chronology ]
Ana Lucia, 16 May 2017 @ 11:39am

Lucia
Likewise, the constant dissemination of information compels us to analyze the impact on decision-making agility.
[ link to this | view in chronology ]
Janaina, 21 Jul 2017 @ 5:34am

Thanks. You post is awesome.
[ link to this | view in chronology ]