Reddit's Missing Warrant Canary: What IT Can Learn

...

There is a renewed focus on risk data aggregation and reporting (RDAR) solutions, as financial ins

It's tricky trying to figure out whether or not your preferred app, website, or service provider has received a federal subpoena demanding information. When a warrant canary vanished from Reddit's Transparency Report, it got folks talking. The incident holds important lessons for enterprise IT professionals trying to decipher whether or not a service provider's data is being trolled by the feds.

When Reddit released its second annual Transparency Report on March 31, it got the tech world buzzing.

The reason? It was lacking an important bit of legalese known as a "warrant canary."

Reddit's first annual Transparency Report – which covered calendar year 2014 and was issued January 29, 2015 – contained a warrant canary. That makes its absence from the latest report, which covers calendar year 2015, even more notable.

The vanishing canary holds an important lesson for anyone trying to figure out whether an app, website, or cloud service provider has been subpoenaed to provide information to the US federal government.

The use of a warrant canary by online businesses is a still-nascent trend. A warrant canary is basically a legal notice that an organization will update to alert its users that it has not received a National Security Letter (NSL). An NSL is an administrative subpoena by the US federal government demanding information. An NSL is usually accompanied by a gag order forbidding acknowledgement of receiving the NSL or discussing its contents.

Gain insight into the latest threats and emerging best practices for managing them. Attend the Security Track at Interop Las Vegas, May 2-6. Register now!

Since a company cannot formally disclose when it has received an NSL letter, it will instead stop posting its warrant canary, letting users read between the lines. That's why the absence of a warrant canary in Reddit's latest report raised eyebrows.

ACLU lawyers teamed with the Calyx Institute's Nick Merrill – best known for successfully fighting an NSL gag order's constitutionality during years-long litigation – to participate in a Reddit "Ask Me Anything" session focused on warrant canaries, answering relevant questions of law, technology, and policy.

Many Redditors asked about the real-world impact here. Panelist responses addressed the heightened interest in data privacy that warrant canaries are instilling in users.

This isn't an issue reserved solely for organizations whose users may lean toward the libertarian side of world politics. Any corporation is at risk of alienating customers if word gets out that the US government is poking around in its data.

But the challenge is particularly felt by cloud vendors. Revelations by Edward Snowden and others about US government surveillance have cost US cloud companies tens of billions of dollars in lost revenue and other expenses. Consequently, enterprise cloud providers and their business customers keenly understand the growing importance of data privacy and data protection in this post-Snowden era.

"Service providers are realizing that it's good for business for them to stand up for the rights of their users," wrote Merrill during the AMA session, citing Apple's recent iPhone-encryption kerfuffle with the FBI and "behind-the-scenes" work being done by Google and Twitter. "We know that warrantless surveillance is widespread. But the big change here is that companies are resisting, en masse."

Did Reddit actually receive an NSL? ACLU attorney Alex Abdo told Redditors that one of two things probably happened: Reddit either removed its canary reactively because it received an NSL, or Reddit removed its canary preemptively so as to not "risk a future legal fight over [its] lawfulness."

Indeed, warrant canaries remain experimental, only recently seeing deployment by major enterprises. Many tech and legal pundits posit that ceasing to advertise the absence of an NSL is legally the same as affirmatively announcing an NSL. The Electronic Frontier Foundation (EFF), a cofounding member of CanaryWatch.org (an organization that tracks the status of warrant canaries), acknowledged that the warrant canary is an "untested legal theory."

According to Abdo, "Reddit presumably already weighed the pros and cons of having a canary in 2014, and it seems to have been a very deliberate (and privacy-conscious) decision."

The timing of Reddit's reports seem to buttress Abdo's suspicions. The EFF lauded Reddit last year for publishing its canary-containing 2014 Transparency Report "within 30 days of the reporting period."

"Lots of companies will publish transparency reports that cover … a period ending in December[,] but the report itself won't be published until March or April. [Reddit's] transparency report covers all of 2014 and was published in the first month of 2015," blogged the EFF last year. "That means more recent and potentially more relevant data."

Reddit published its current -- canary-free -- report more than 30 days after the reporting period ended, taking two months longer than it did last year. Is it possible an NSL-inspired series of legal deliberations could have played a role in this delay? As the participants in the Ask Me Anything session noted, Reddit can't comment.

Still, global IT departments can learn from the Reddit situation: Pay attention to your service providers' compliance with, and exposure to, warrantless surveillance, lest you find your own customers' data compromised.

The question remains: What good is a warrant canary if, when one goes missing, all we're left with is a guessing game?

Categories
APPLICATIONS
0 Comment

Leave a Reply

Captcha image


RELATED BY