
A Developer’s Guide to Responding to National Security Letters - tonyztan
https://www.twilio.com/blog/2018/02/developers-guide-to-nsl.html
======
mirimir
Maybe a better question is how to prepare in advance. You can design your
systems to avoid retaining user data. Or you can do business from a
jurisdiction that doesn't recognize NSLs. Or perhaps from an unknown
jurisdiction.

~~~
jonnybgood
> Or you can do business from a jurisdiction that doesn't recognize NSLs. Or
> perhaps from an unknown jurisdiction.

That means not doing business in the US at all.

~~~
JetSpiegel
Which makes it fair game for direct targeted attacks by the NSA.

~~~
cesarb
For someone outside the USA, a targeted attack by the NSA is no different than
a targeted attack by anyone else. They are breaking the law, and you are
allowed and supposed to defend against them. If you are within the USA,
however, they can use things like these National Security Letters which you
are not allowed to go against.

~~~
geofft
This is incorrect for a few reasons: you can certainly defend against NSLs,
even those that you can't defend against are targeted (see the ones Twilio
received), they're from the FBI and not the NSA, and as hackers the NSA is
more skilled and more well-funded than most other attackers you're defending
against.

~~~
mirimir
The NSA does have lots of skilled hackers. But so do other national TLAs. And
there are many freelance hackers.

------
jameshart
Astounded that this doesn’t say ‘immediately call the legal team, and do not
say anything’. Does Twilio’s employee handbook also include ‘a developer’s
guide to defusing bombs’ and ‘a developer’s guide to performing open heart
surgery’?

~~~
drspacemonkey
Maybe it's just me, but this reads like an attempt to say they recently
received another national security letter.

------
cryoshon
> In the National Security Letter dated May 19, 2017, the US Department of
> Justice withdrew the request entirely rather than proceed with judicial
> review.

if the DOJ would rather not get any information at all rather than have their
request for information scrutinized by a court, there is something seriously
wrong with the national security letter process. people who have had a pulse
in recent years will chime in that there are many other problems with the NSL
process.

but this one is a bit different, because it shows that the FBI is explicitly
avoiding the rule of law as a policy. aren't they the ones responsible for
upholding the rule of law as part of the department of justice? why yes, yes
they are. they have dirt to hide, and they are not good at deflecting guilt.
they know they can consistently over-reach with these NSLs to violate the
rights of companies and individuals. so they do it.

this behavior implies ongoing abuse that they would rather have covered up
than accomplish their agency's goals, even if those goals are wrong.

i guess my solution would be to clean house. fire people (and revoke security
clearance) starting at the top and work your way down while promoting people
who weren't abusers. at the same time, start firing from the bottom, targeting
those who complied with bad orders from above. replace them with new recruits
who can be trained to have their heart in the right place. the agency is back
to citizen-friendly operating order within 5 years or so. a blink of the eye
in the timeline of the twilight years of a former empire.

~~~
ballenf
Or there were developments in the case that obviated the need for the
information.

It could have simply been: what's the fastest way to get the info and there
were two options. One quickly became the slow option and was ruled out.

That's my charitable interpretation.

------
Nrbelex
From a slightly different perspective, perhaps more useful to a legal team:
Legal Responses and Countermeasures to National Security Letters,
[https://openscholarship.wustl.edu/cgi/viewcontent.cgi?articl...](https://openscholarship.wustl.edu/cgi/viewcontent.cgi?article=1867&context=law_journal_law_policy)
[PDF]

------
reacweb
IMHO, an NDA should always be limited in time. I am pretty sure Twilio would
not request a judicial review for an NDA lasting a couple of weeks. For an NDA
lasting more than a year, a judicial review seems justified. Avoiding judicial
review may be a good motivation for the FBI to use shorter NDAs. This would
benefit transparency.

~~~
Cyranix
The "A" in NDA stands for "agreement", but NSLs are not jointly agreed upon:
they are the one-sided assertion of the government's authority.

Not disagreeing with the idea that there aren't a variety of reforms that seem
mutually beneficial, such as shorter timeframes — just noting that they are
not equivalent to NDAs.

------
yeukhon
So how does one verify the letter?

I propose a tl;dr version: get a lawyer.

Do not deal with it yourself. It's cool to read about how a company (with a
team of legals) can respond to the letter. "A Developer's Guide" is not the
same as "A Company's Guide". "A [d]eveloper" is an individual, not an
organization entity.

~~~
themodelplumber
You still haven't stated why an attorney is necessary...

~~~
mirimir
People need attorneys for DUIs, and often for less serious moving violations.
So for NSLs, having an attorney is essential. There are two primary reasons.
First, you want to comply only as legally required. And second, you want to
avoid making mistakes that have criminal penalties.

Edit: Even if your firm has general counsel, it's not uncommon to hire outside
attorneys for specific matters.

~~~
wolco
Some firms will pull the company lawyer and costs will be on you personally if
you decide you need your own lawyer.

~~~
mirimir
There's some confusion here about what "you" means. I can't imagine how an
individual developer at some firm would receive an NSL individually. So it's
the firm that would be deciding whether or not to hire outside counsel.

------
Cyranix
Is there any forum in which the justifications used to diminish the impact of
NSLs can be shared? It strikes me that one of the daunting aspects of
objecting to NSLs is that precedents are not well-known. Is it legal to share
any details about the circumstances under which nondisclosure, scope, or other
impacts of NSLs have been reduced or removed from the DoJ's demands?

------
BrandoElFollito
I wonder why a company which is at risk of getting such a letter and willing
to inform their customer does not work in multiple jurisdictions.

Any unusual access to data in one country automatically informs customers (or
triggers an alert), with this information being sourced from the other
country.

This protects both the employees in the US (they did not say anything) and
bypasses the letter requirements.

------
crb002
Or tell them to piss off, find a magistrate, and get a warrant. In the history
of NSLs has DOJ ever not done this when pressed?

------
ISL
Amendment I:

Congress shall make no law respecting an establishment of religion or
prohibiting the free exercise thereof, or abridging the freedom of speech or
of the press, or the right of the people peaceably to assemble and to petition
the government for a redress of grievances.

Given that the above is the law of our land, how can a recipient of an NSL be
barred from publishing it in its entirety or giving it to a news outlet to do
so? "No law" is clear in both meaning and intent.

~~~
dandare
Just a guess: The constitution is interpreted by the Supreme Court, which
decides about reasonable exceptions, for instance in the case of national
security.

~~~
dboreham
'And thirdly, the code is more what you'd call "guidelines" than actual
rules.'

