
GitHub's 2015 Transparency Report - Chris911
https://github.com/blog/2202-github-s-2015-transparency-report
======
ademarre
0–249 National Security Orders received?

> _"we are not even allowed to say if we've received zero of these reports—we
> can only report information about these types of requests in broad ranges"_

Interesting. What are they really telling us with that range? Could they not
get away with saying "1–249"?

Edit: Never mind. The document they cite[0] clears it up.

[0]
[https://www.justice.gov/iso/opa/resources/422201412716042240...](https://www.justice.gov/iso/opa/resources/422201412716042240387.pdf)

~~~
icehawk219
I believe this is what the security canary used to be that companies would use
to skirt the rules until the rules were changed. It used to be that you
couldn't say how many you received but you could say you hadn't received any.
Now you aren't even allowed to say that.

~~~
schneidmaster
No, nothing has changed on that front. If you have not received any National
Security Letters, it is legal for you to say "I have never received an NSL"
(as other commenters have suggested). Warrant canaries rely on the idea that
it is much more legally difficult to compel speech than to restrict it. There
is no (non-secret) case law indicating that a NSL recipient could be compelled
to lie and include the warrant canary paragraph in a future transparency
report, while there is case law indicating that NSL recipients can be
prevented from actively disclosing the letter (gag orders are fairly well-
established in particular aspects of our legal system).

The reason why warrant canaries are binary is that once an NSL has been
issued, the case law that the parent commenter linked comes into play:
companies may only indicate in buckets how many they have received (0-249,
250-499, etc). So you couldn't have your warrant canary say "I have never
received more than 3 NSLs" then "I have never received more than 5 NSLs" etc.

~~~
forgotpwtomain
So what happens if you make a range of canaries? e.g.

- We have not received any requests in Q1 of 2016.

- We have not received more than 50 requests in Q1 of 2016.

- We have not received more than 100 requests in Q1 of 2016.

~~~
schneidmaster
If I understand your scenario, the problem is that you would have to remove
all the canaries as soon as you receive your first NSL. As soon as you receive
a NSL, you may only disclose the number of NSLs you have received in the
buckets I mentioned above, so you would not be able to say "we have not
received more than 50/100 requests;" you would only be able to say "we have
received 0-249 requests." So the canary still only works to tell people that
you have never received an NSL.

~~~
ChicagoBoy11
But I think the "novelty" in his scheme is that he has separate canaries for
different time periods -- so it may not be helpful in letting users know the
number of requests received, but it would allow them to know when they had
been received.

Assume he had a scheme that just said the following:

We have received no NSL letters in Jan 2016

We have received no NSL letters in Feb 2016

We have received between 0 and 249 NSL letters in March 2016

We have received no NSL letters in Apr 2016

~~~
schneidmaster
Oh, well that scheme wouldn't be legal for a few reasons: once you receive an
NSL you aren't allowed to say you've received 0 NSLs in a given time period
(you can only report in 0-249 buckets so you couldn't say "We have received no
NSLs in Jan 2016") and the granularity with which you can report (on my read
of the document: [1]) is per year or per six months depending on which option
you choose (so you couldn't say "We have received 0-249 NSLs in March 2016",
just "We have received 0-249 NSLs in 2016").

The only reason the canary "works" is as a binary option - if you say "We have
never received an NSL" up until you receive one, the government cannot compel
you to continue including that line in your report, because that would be
compelled speech which is legally difficult and (as far as anyone knows)
hasn't been attempted. But anything you say beyond that related to the
quantity or existence of NSLs is subject to the linked guidelines. In other
words, they cannot force you to continue including a paragraph (the canary) in
your report, but they CAN regulate anything you do choose to include in your
report.

[1]:
[https://www.justice.gov/iso/opa/resources/422201412716042240...](https://www.justice.gov/iso/opa/resources/422201412716042240387.pdf)

Edit: NSL letter, ATM machine, blah

~~~
ChicagoBoy11
Hmm that's really interesting. I guess I just wondered if somehow there was a
case for trying to really stretch that idea of not being able to "compel"
speech to its fullest limits by simply issuing separate canaries for different
time periods, then simply removing it for the time period in question. By the
logic you present, you still have a binary option -- you just restrict its
scope. But I guess what would happen in this case is those separate "scopes"
that I tried to create would simply all collapse into one, following the per-
year/six-month option you cited above.

So even if before I received any letter I'd tried to be clever and just said:
"No NSL letters in March, No NSL letters in April.... etc.", if I ended up
receiving one during that time period at all, all of those WOULD HAVE to
collapse to "We have received 0-249 letters in the first semester of 2016 (or
2016 altogether)"

~~~
squeaky-clean
> So even if before I received any letter I'd tried to be clever and just
> said: "No NSL letters in March, No NSL letters in April.... etc.", if I
> ended up receiving one during that time period at all, all of those WOULD
> HAVE to collapse to "We have received 0-249 letters in the first semester of
> 2016 (or 2016 altogether)"

Sort of. There's also a required 6 month delay. So if you received an NSL
today, but had "No NSLs in Jan", "No NSLs in Feb", "No NSLs in Mar", etc, you
would need to remove all those and could not report the 0-249 number until
2017.

~~~
Nadya
Twelve canaries with different colors representing each of the months. Remove
the canaries where the color corresponds with the month. Make absolutely no
claims beforehand as to what the colored canaries represent - people should be
able to figure it out (3 green, 3 red, 3 brown, 3 blue: take a guess?)

You are saying _nothing_ at all. Just adding/removing images on a page called
/canary/

IANAL, but I'd be interested how the above would be illegal.

~~~
schneidmaster
They would contend that this is just a wink-and-a-nod way of providing the
information you aren't allowed to provide. It doesn't matter if you disclose
the information in English, French, or binary, it's still illegal. If you have
it in a page called /canary/ and it obviously corresponds with NSLs you'd be
in some hot water.

People tend to assume the court system is like a machine when it's very human
at its core. A judge isn't going to say "well you technically didn't reveal
any info so you're kosher," a judge is going to be pissed that you decided to
low-key defy his/her order.

~~~
Nadya
AFAIK, even a binary "canary" has been untested in court and might not even
stand on its own (yet many companies have one).

There are _countless_ loopholes in various legal systems across the world that
"get a pass". It's often a matter of finding the right loopholes.

One example is gambling in Japan. Illegal. But if you play at a pachinko slot
for a chance to win some tokens you can go next door and there is a business
that will buy the tokens from you! It really is convenient someone is willing
to buy these otherwise useless tokens. :)

I'm sure if I put some thought into it I could find a few more loopholes that
are a "wink and a nod" away of being illegal. Of course, my suggestion might
be _too_ blatant and the company would be dragged to the courts. But even a
single canary could still warrant being dragged to court over.

~~~
schneidmaster
This is true, but there's a core fundamental issue. There has never been any
legal support for the idea that the government can compel speech (such as
forcing the continued false inclusion of a "binary" canary). There is a clear
basis of support for the idea that the government can regulate speech, whether
it's English or cryptic colored circles. So trying to speak (publish canary
info) in any sort of cryptic way will still always be more risky than choosing
not to speak (omit your canary). The government could always drag you to court
over anything, but you still want to keep them at the downhill end of the
battle.

------
ghettoimp
Since nobody else has mentioned it, let me just point out that it's really
great that Github is taking the time to compile and publish this kind of
information.

------
mtgx
The FBI is trying to make it easier to give out NSLs as well:

[http://www.wyden.senate.gov/news/press-releases/wyden-places...](http://www.wyden.senate.gov/news/press-releases/wyden-places-hold-on-intelligence-authorization-bill-that-needlessly-expands-fbi-surveillance-undermines-independent-oversight)

Contact your Senator/Representative if you don't want that to happen. Even
though a similar amendment failed in the Senate last week, it was a close
call.

Also, next there they are supposed to vote on the renewal of the FISA
Amendments Act, and I'm sure they'll try to further expand their spying powers
some more then, too.

------
codezero
I noticed a bunch of DMCA takedowns coming from UCSD's CSE131 class in the
DMCA repo: [https://github.com/github/dmca](https://github.com/github/dmca)

If you search for cse131 you'll find a bunch of repos still up.

This kind of whack-a-mole is typical of DMCA and requires a lot of resources
to manage.

~~~
AdmiralAsshat
Can you DMCA a student's repo for hosting their own solution to a coding
exercise? In programming books, when the exercise is often closely related to
the sample code submitted (e.g. "Exercise 3.2. Rewrite the above sample to use
a for loop instead of a while loop"), I imagine a large number of
independently-derived solutions might look very similar.

~~~
lettergram
Yes, kinda. At least UIUC did that to students who had libraries from the
coding exercises.

For example, the cs225 course provides an image processing library, and you
need it for the assignment, so if you put the library in the repo they DMCA'd.

Similarly, many courses give you a framework of code. If you filled in the
framework they would DMCA.

They did this a bit, but there was a pretty massive backlash. I don't think
they are doing it atm.

------
danbmil99
I don't get why employees don't leak the real stats anonymously. Perhaps
companies should not try so hard to compartmentalize this information - trust
40 or 50 key people, enough to spread suspicion and enable plausible
deniability.

When a law is clearly unethical, don't work so hard to abide by it.

~~~
anchpop
The government could easily prevent that by punishing the company whenever
there is a leak, instead of trying to punish the specific person. This may be
what they do already

~~~
nitrogen
Unfortunately (or fortunately?) not everyone cares whether their actions harm
their employer.

------
jnewland
While we're here, [http://www.nytimes.com/2015/03/31/technology/china-appears-t...](http://www.nytimes.com/2015/03/31/technology/china-appears-to-attack-github-by-diverting-web-traffic.html) also happened in 2015. Not a
legal request to remove content, per se, but something...slightly different.

------
Sir_Cmpwn
If any GitHub folks are watching this thread: please sue the government for
the right to disclose the number of NSLs you've received, or better yet to
have NSLs declared unconstitutional in general.

~~~
nsqe
Twitter's already suing the federal government for the right to disclose NSLs.
In March, their lawsuit was dismissed. However, the EFF is still working on
it...

[https://www.eff.org/deeplinks/2016/04/disappointing-ruling-n...](https://www.eff.org/deeplinks/2016/04/disappointing-ruling-national-security-letters-not-last-word)

[http://thehill.com/policy/technology/278448-judge-dismisses-...](http://thehill.com/policy/technology/278448-judge-dismisses-twitters-lawsuit-against-government)

------
ryanmarsh
Oh my god the "fast die" take down request from Russia. Is that a real
business?

[https://github.com/github/gov-takedowns/tree/master/Russia/2...](https://github.com/github/gov-takedowns/tree/master/Russia/2015)

[http://fast-die.github.io/](http://fast-die.github.io/)

~~~
ComodoHacker
You mean the request or Fast-Die? The former is a real business. The latter is an
example of trolling the Russian internet censorship agency.

------
embiggen
At least they still publish it. That's worth _something_, right?

------
biogeneration
Does anyone have any idea what happened with all of the DMCA takedown requests
in September?

~~~
zardeh
Among other things, someone sent 20 requests for removal of their fonts (each
request contained numerous files), and jetbrains requested the removal of ~500
product keys from across GH.

~~~
voltagex_
It looks like JetBrains got a whole lot of keygens removed, plus one poor
person's Hadoop demo code (which happened to have a filename of keygen.java).

------
hartator
0-249 for national security orders. I think it's safe to assume 249.

~~~
mod
If you read elsewhere in the comments here, you'll see that it's not a safe
assumption at all--"0-249" is the specificity allowed by the law.

Your assumption was also my own until reading here.

