Let's Encrypt Releases Transparency Report -- All Zeroes Across The Board

from the now-let's-watch-if-anything-changes dept

We've talked a bit about the important security certificate effort being put together by EFF, Mozilla and others, called Let's Encrypt, which will offer free HTTPS security certificates, making it much easier to encrypt the web. They've been busy working on the project which is set to launch in a few months. But first... Let's Encrypt has released its first transparency report. Yes, that's right: before it's launched. As you might expect, there are a lot of zeros here: This is actually pretty important for a variety of reasons. First, it clearly acts as something of a warrant canary. And by posting this now, before launch and before there's even been a chance for the government to request information, Let's Encrypt is actually able to say "0." That may seem like a strange thing to say but, with other companies, the government has told them that they're not allowed to claim "0," but can only give ranges -- such as 0 to 999 if they separate out the specific government requests, or 0 to 249 if they lump together different kinds of government orders. Twitter has been fighting back against these kinds of rules, and others have argued that revealing an accurate number should be protected speech under the First Amendment.

Let's Encrypt is, smartly, getting this first report out there -- with all the zeroes -- before the government can swoop in and insist that it has to only display ranges. In other words, this is getting in before any gag order can stop this kind of thing. Smart move. It's also nice to see them break down all of the different possible types of orders, rather than lumping them into more general buckets. That's an important step that it would be nice to see others follow as well.

Filed Under: fisa orders, nsls, security certificates, surveillance, transparency, transparency report, warrant canary, warrants
Companies: let's encrypt

Twitter Says DOJ's Settlement On National Security Requests Not Good Enough; It Will Fight For The Right To Disclose

from the good-for-twitter dept

We've pointed out in the past that Twitter deserves kudos for standing up to the government when it asks for info on users, something it has done multiple times. And now it's making it clear that it intends to keep doing that.

We pointed out last week that the feds had reached a settlement with a bunch of tech companies that had sued the government on First Amendment grounds over their ability to release details of numbers of FISA requests and National Security Letters they had received. Twitter was not a part of that lawsuit, and while it has released its own transparency report, it has also come out strongly for more transparency, saying that the settlement deal is not nearly good enough and that it is pushing back on the government's limitations and considering picking up the First Amendment fight that Google, Microsoft, Facebook, Yahoo and Linkedin dropped.

Last week, the U.S. Department of Justice and various communications providers reached an agreement allowing disclosure of national security requests in very large ranges. While this agreement is a step in the right direction, these ranges do not provide meaningful or sufficient transparency for the public, especially for entities that do not receive a significant number of – or any – national security requests.

As previously noted, we think it is essential for companies to be able to disclose numbers of national security requests of all kinds – including national security letters and different types of FISA court orders – separately from reporting on all other requests. For the disclosure of national security requests to be meaningful to our users, it must be within a range that provides sufficient precision to be meaningful. Allowing Twitter, or any other similarly situated company, to only disclose national security requests within an overly broad range seriously undermines the objective of transparency. In addition, we also want the freedom to disclose that we do not receive certain types of requests, if, in fact, we have not received any.

Unfortunately, we are currently prohibited from providing this level of transparency. We think the government’s restriction on our speech not only unfairly impacts our users’ privacy, but also violates our First Amendment right to free expression and open discussion of government affairs. We believe there are far less restrictive ways to permit discussion in this area while also respecting national security concerns. Therefore, we have pressed the U.S. Department of Justice to allow greater transparency, and proposed future disclosures concerning national security requests that would be more meaningful to Twitter’s users. We are also considering legal options we may have to seek to defend our First Amendment rights.

Obviously, Twitter is used more for public communications than private communications, so it's likely that it receives less attention on these issues, but it's great to see the company continue its strong history of standing up for its users' right to basic due process, and being quite explicit about its stance. Once again, Twitter deserves kudos where other companies have fallen short.

Filed Under: first amendment, fisa orders, fisc, government requests, transparency
Companies: twitter

NSA/FBI Got Access To Content Of Around 40,000 Yahoo/Google User Accounts In First Six Months Of 2013

from the it's-a-lot dept

Last week, we noted that the DOJ and various internet companies had settled their legal fight, which concerned whether or not those companies could reveal the details of how many FISA Court requests they were receiving -- both in terms of how many requests they get and how many accounts are impacted. While Apple immediately released their information, showing very few users impacted, the real interest is in Google, Yahoo and to a lesser extent Facebook. Both Google and Yahoo have put out blog posts updating their transparency report numbers. It appears that both Yahoo and Google decided to go with "option 1" in the settlement, which lets them reports NSLs and FISA orders separately, but in bands of 0-999. The big question with both of them, really, was just how many "customer accounts affected" there would be, and both presented numbers (in slightly different formats). Google showed a historical listing: Yahoo just shows the most recent: If you remember, by choosing Option 1, the companies could actually show "customer accounts affected" -- if they had chosen option 2, they could only show targeted customers, leaving out others who were affected as well. But here we see that the number of accounts affected is much larger than the number of requests (though certainly much more limited than some assumed). That is, these requests (which make up a large part of the PRISM program) impact thousands of users, but not millions or "all" as some have claimed. There may very well be other NSA surveillance programs that get data from many more users, but not the FISA orders/PRISM.

Concerning the Google data, you can see that there's been a pretty big increase in the number of users impacted over the past few years, peaking at the end of 2012, but that drop in the beginning of 2013 may be just seasonal. Meanwhile, it's interesting to see that a much larger number of Yahoo accounts have been impacted. Of course, for all we know, there could have been one FISA order to Google and three to Yahoo and then the number of accounts impacted would be around 10,000 per order. But, without more granularity, it's impossible to tell.

What does seem clear is that there are about 40,000 accounts on Yahoo or Google to which the NSA/FBI and others in the intelligence community have access.

Update: Facebook and Microsoft have updated their info as well and it's more of the same:

Microsoft, a major surveillance partner for the US government, received fewer than 1,000 orders from the Fisa court for communications content during the same period, related to between 15,000 and 15,999 “accounts or individual identifiers”.

The company, which owns the internet video calling service Skype, also disclosed that it received fewer than 1,000 orders for metadata – which reveals communications patterns rather than individual message content – related to fewer than 1,000 accounts or identifiers.

[....] Facebook disclosed that during the first half of 2013, it turned over content data from between 5000 and 5999 accounts – a rise of about 1000 from the previous six month period – and customer metadata associated with up to 999 accounts.

Filed Under: accounts, content, fbi, fisa, fisa orders, fisc, nsa, prism, surveillance, transparency report
Companies: google, yahoo

Feds Reach Settlement With Internet Companies Allowing Them To Report Not Nearly Enough Details On Surveillance Efforts

from the too-bad dept

It appears that the lawsuit that a bunch of big internet companies had filed against the NSA in an attempt to reveal just how often they get FISA court information requests and how many of their users are impacted is now over, as the government has reached a settlement with the companies, allowing them slightly more leeway in sharing information, but in a very limiting way.

Not too long ago, the government had started allowing companies to reveal, for the first time, how many national security letter (NSL) requests they get, but said they had to reveal that number in ranges of 1,000 starting with 0 to 999. However, they did not allow any such reporting on FISA Court (FISC) orders, which covered things like the now infamous PRISM program under Section 702 of the FISA Amendments Act. It appears that the settlement more or less follows the outline of what the government allowed with NSLs. Companies are given two options. One is to basically report FISC requests like NSL requests, in bands of 1,000, and to similarly report "number of customer accounts affected" for NSLs, "FISA orders for content," "number of customer selectors targeted under FISA content orders," "FISA orders for non-content," and "number of customer selectors targeted under FISA non-content orders." All of those can be revealed separately, but always in bands of 1,000, starting with 0 to 999.

Alternatively, if companies are willing to lump these various programs together, they are allowed somewhat more granularity. So, if they lump together NSLs and FISA orders into a single number, they can reveal the details in bands of 250, starting with 0 to 249. Similarly, they can list the lumped together "customer selectors targeted" under combined NSLs and FISA orders in bands of 250.

This is a step forward, but it's not nearly far enough. As Kevin Bankston notes:

"Asking the public and policymakers to try to judge the appropriateness of the government’s surveillance practices based on a single, combined, rounded number is like asking a doctor to diagnose a patient’s shadow: only the grossest and most obvious problem, if even that, will be ever be evident."

Among the problems here, are that while they can reveal the number of customer accounts impacted for NSLs, that's not what they can do with FISC orders. Instead, they can only reveal "customer selectors targeted." That can be very different. You can imagine a "customer selector" that impacts many, many user accounts. And that's what many people are worried about -- and with this agreement, we won't actually know.

Furthermore, the agreement has a ridiculous clause that says if a FISA court order covers a "new capability" (i.e., getting access to a service that previously was not being tapped by the NSA/FBI), the companies cannot share that information for two years. The thinking here is rather obvious. Say, for example, a company launches a new voice communications service, like Skype -- and then gets hit with a FISA court order demanding that the NSA be able to listen in. The companies would be blocked from revealing that for two years. Clearly, the idea is to keep people from knowing how quickly the NSA is able to tap into any new form of communication, but that also opens up plenty of opportunities for the NSA to abuse its powers.

There is still some indication that Congress may require greater transparency here. I can understand why the tech companies agreed to settle, but it's a bit disappointing that they threw in the towel so quickly.

Apple has already updated its transparency report to note 0 - 249 "national security orders" and 0 - 249 "total accounts affected." Since they're doing ranges of 250, they're clearly lumping together both national security letters and FISC orders as "national security orders" though that's a bit confusing. Also, I don't think Apple is actually allowed to say "total accounts affected" from the terms of the agreement. When it comes to FISC orders, they can only list "customer selectors targeted," and saying "accounts affected" would suggest more information than the agreement appears to allow. Still, the obvious suggestion is that the government isn't requesting that much information directly from Apple, though other reports suggest it gets plenty of information, not directly via Apple, but by hacking their way into iOS devices....

Filed Under: doj, fisa orders, fisc, internet companies, national security letters, nsls, transparency, transparency report
Companies: apple, facebook, google, linkedin, microsoft, yahoo