Modernizing Authentication — What It Takes to Transform Secure Access
National Security Letters (NSLs), which give the FBI the power to compel banks, Internet service providers and other companies to offer access to customer records, have been in the spotlight since Reddit's recent annual transparency report, in which the company omitted its "warrant canary" (a legal notice to users that the company did not receive any NSLs, secret FISA court orders "or any other classified request for information") – suggesting Reddit did receive such a request in 2015.
Why is this important? Because typically when a person or organization receives any of those privacy-busting items, a gag order comes with it -- preventing them from ever discussing it.
Enterprises are right to be concerned about being transparent with their customers about government surveillance efforts and data privacy. Since NSA whistleblower Edward Snowden released documentation on domestic U.S. government surveillance programs three years ago, U.S. companies have incurred costs in the tens of billions of dollars as foreign companies and individuals became leery of storing or sharing their information where G-Men might easily and surreptitiously access it.
What's more, the issue is just as much about data security as it is about data privacy. "A court order is an insider attack [f]rom a purely technological standpoint," writes Ed Felten, a Princeton computer science professor and now Deputy US CTO. Accordingly, court orders and other government data demands must be treated as such.https://o1.qnsr.com/log/p.gif?;n=203;c=204634421;s=15939;x=7936;f=201702151714490;u=j;z=TIMESTAMP;a=20304455;e=i
Few weeks go by without new debates over possible federal government overreach. Notably, Apple recently balked at the FBI's request to hack into an iPhone used by Syed Farook before he and his wife killed 14 people in San Bernardino, Calif., then died in a shootout with authorities. An unidentified third party helped the FBI access the data on the phone.
Here are five pieces of advice for IT organizations wishing to preemptively combat NSLs and government gag orders on behalf of their users or customers, through warrant canaries or other methods.
Assess Options Before Employing a Warrant Canary
A big issue in Reddit's case is that it is unclear whether the company actually did receive an NSL or other gag-ordered demand for information. It remains a possibility that the company removed its warrant canary preemptively on the advice of legal counsel because warrant canaries are legally untested. Indeed, some argue that they are of dubious legality because, logically, the removal of a warrant canary is still a form of advertising the receipt of a gag-ordered surveillance or information request.
"[Either] Reddit received a national-security request and decided to remove the canary [or] Reddit decided ... that they did not want to risk a future legal fight over the lawfulness of their canary, and so removed it preemptively," Alex Abdo, an ACLU attorney, commented last month. Consequently, Abdo noted, "The truth is that we know virtually nothing about 'the case.' All we know is that Reddit's warrant canary from its 2014 transparency report does not appear in its 2015 transparency report."
The moral of the Reddit story: Don't bother with a warrant canary if you're not willing to see it through with a potential legal battle. Otherwise, your users will be left in the dark should you ever get cold feet -- and you may face legal risk anyway for the period of time you did use a canary.
Publish Regular Transparency Reports
Whether or not you decide to publish a warrant canary, releasing regular transparency reports -- informing your users and customers about the number and type of government requests you received, the extent to which you complied with them and other permissible details related to your organization's relationship with government surveillance -- remains an important step both legally and practically.
Such reports carry a twofold benefit. First, they enhance trust between your customer or user base and your organization. Second, as Yale law student Rebecca Wexler observed in a 2014 Yale Law Journal note, there is a grander social benefit because the more organizations that issue transparency reports and speak out about government surveillance and information requests, the more likely federal courts will strike down NSLs, related gag orders and other speech restrictions as unconstitutionally overbroad.
(Note that these types of transparency reports are currently subject to several legal limits. For example, companies less than two years old are disallowed from making these types of disclosures for a period of two years; others must still wait a period of six months or more to make such disclosures.)
Don't Get Too Specific with Disclosure
As tempting as it may be to craft as specific and all-encompassing a warrant canary as possible, governing every conceivable situation and every user or account individually, experts agree this is impractical and ineffective. ACLU lawyer Brett Max Kaufman has commented that canaries specifically tailored for individual users or groups may invalidate themselves.
"[T]he government's arguments ... that removing a canary would jeopardize an investigation and harm national security start to look a little more plausible when a canary speaks to an individual very close in time to when legal process was issued," explains Kaufman. The same goes for transparency reports in general. The U.S. government has outlined that it only allows reporting receipt of certain information requests by type in bands on 1,000 (e.g., 0-999) or generalized in bands of 250 (e.g., 0-249), pursuant to reporting delays and restrictions as addressed above.
Consider Allowing and Using Hidden Services
Nicholas Merrill, an activist who works with warrant-canary aggregator CanaryWatch.org, indicated to Redditors in an "Ask Me Anything" session last month that much of the information that NSLs usually seek to obtain is the same type that can be obscured via IP-blocking technologies like proxies and VPNs and hidden services like Tor and I2P.
Accordingly, Merrill advises encouraging users/customers to use these services and/or actively using them yourself in your IT organization; you can't, after all, be compelled to disclose information you never collected in the first place. (Companies like Facebook and ProPublica already use hidden services, Merrill notes.)
"From a technical standpoint, a ... service accessible only as a Tor hidden service might seem more likely to get around court orders because it would keep the identity and location of the service provider hidden," observed Merrill.
Encrypt Data to Protect Privacy
Strong encryption is imperative to this type of data privacy, Merrill and others agree. For all the brouhaha surrounding the iPhone encryption battle between Apple and the FBI, federal agencies have been unable to keep up with encryption technology and still struggle to crack strong encryption.
While code can always be subverted, notes security expert Bruce Schneier, math cannot.
"Trust the math. Encryption is your friend," Schneier observed in the wake of the Snowden leaks. "Use it well, and do your best to ensure that nothing can compromise it. That's how you can remain secure even in the face of the [federal government]."
Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate communications and data privacy consultant, writer, speaker and bridge player. Follow him on Twitter at @JoeStanganelli.
(Disclaimer: This article is provided for informational, educational and/or entertainment purposes only. Neither this nor other articles here constitute legal advice or the creation, implication or confirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney licensed to practice in your jurisdiction.)