Reddit's Missing Warrant Canary: What IT Can Learn


It's tricky to figure out whether your preferred app, website, or service provider has received a federal subpoena demanding information. When a warrant canary vanished from Reddit's Transparency Report, it got people talking. The incident holds important lessons for enterprise IT professionals trying to decipher whether a service provider's data is being trawled by the feds.

When Reddit released its second annual Transparency Report on March 31, it got the tech world buzzing.

The reason? It was lacking an important bit of legalese known as a "warrant canary."

Reddit's first annual Transparency Report – which covered calendar year 2014 and was issued January 29, 2015 – contained a warrant canary. That makes its absence from the latest report, which covers calendar year 2015, even more notable.

The vanishing canary holds an important lesson for anyone trying to figure out whether an app, website, or cloud service provider has been subpoenaed to provide information to the US federal government.

The use of a warrant canary by online businesses is a still-nascent trend. A warrant canary is essentially a legal notice that an organization regularly updates to tell its users that it has not received a National Security Letter (NSL). An NSL is an administrative subpoena from the US federal government demanding information. An NSL is usually accompanied by a gag order forbidding the recipient from acknowledging the NSL or discussing its contents.


Since a company cannot formally disclose that it has received an NSL, it will instead stop posting its warrant canary, letting users read between the lines. That's why the absence of a warrant canary in Reddit's latest report raised eyebrows.

ACLU lawyers teamed with the Calyx Institute's Nick Merrill – best known for successfully fighting an NSL gag order's constitutionality during years-long litigation – to participate in a Reddit "Ask Me Anything" session focused on warrant canaries, answering relevant questions of law, technology, and policy.

Many Redditors asked about the real-world impact here. Panelist responses addressed the heightened interest in data privacy that warrant canaries are instilling in users.

This isn't an issue reserved solely for organizations whose users may lean toward the libertarian side of world politics. Any corporation is at risk of alienating customers if word gets out that the US government is poking around in its data.

But the challenge is particularly felt by cloud vendors. Revelations by Edward Snowden and others about US government surveillance have cost US cloud companies tens of billions of dollars in lost revenue and other expenses. Consequently, enterprise cloud providers and their business customers keenly understand the growing importance of data privacy and data protection in this post-Snowden era.

"Service providers are realizing that it's good for business for them to stand up for the rights of their users," wrote Merrill during the AMA session, citing Apple's recent iPhone-encryption kerfuffle with the FBI and "behind-the-scenes" work being done by Google and Twitter. "We know that warrantless surveillance is widespread. But the big change here is that companies are resisting, en masse."

Did Reddit actually receive an NSL? ACLU attorney Alex Abdo told Redditors that one of two things probably happened: Reddit either removed its canary reactively because it received an NSL, or Reddit removed its canary preemptively so as to not "risk a future legal fight over [its] lawfulness."

Indeed, warrant canaries remain experimental, only recently seeing deployment by major enterprises. Many tech and legal pundits posit that ceasing to advertise the absence of an NSL is legally the same as affirmatively announcing an NSL. The Electronic Frontier Foundation (EFF), a cofounding member of CanaryWatch.org (an organization that tracks the status of warrant canaries), acknowledged that the warrant canary is an "untested legal theory."

According to Abdo, "Reddit presumably already weighed the pros and cons of having a canary in 2014, and it seems to have been a very deliberate (and privacy-conscious) decision."

The timing of Reddit's reports seems to buttress Abdo's suspicions. The EFF lauded Reddit last year for publishing its canary-containing 2014 Transparency Report "within 30 days of the reporting period."

"Lots of companies will publish transparency reports that cover … a period ending in December[,] but the report itself won't be published until March or April. [Reddit's] transparency report covers all of 2014 and was published in the first month of 2015," blogged the EFF last year. "That means more recent and potentially more relevant data."

Reddit published its current -- canary-free -- report more than 30 days after the reporting period ended, taking two months longer than it did last year. Is it possible an NSL-inspired series of legal deliberations could have played a role in this delay? As the participants in the Ask Me Anything session noted, Reddit can't comment.

Still, global IT departments can learn from the Reddit situation: Pay attention to your service providers' compliance with, and exposure to, warrantless surveillance, lest you find your own customers' data compromised.

The question remains: What good is a warrant canary if, when one goes missing, all we're left with is a guessing game?
