
Twitter discloses national security letters - arkadiyt
https://blog.twitter.com/2017/transparency-update-twitter-discloses-national-security-letters
======
anw
This is a welcome message, especially seeing Twitter continue to fight for
their freedom of speech in court (Twitter v. Lynch), along with the host of
other Internet service companies.

While I understand government agencies' desires to investigate persons of
interest, the checks and balances of the system were put in place to do just
that – check and balance the power of the system. It's outrageous that
agencies feel they can side-step these checks and leave out the need to get a
judge's approval for these kinds of things.

A response from the Internet Archive (2016) also stated:

> The NSL we received includes incorrect and outdated information regarding
> the options available to a recipient of an NSL to challenge its gag.
> Specifically, the NSL states that such a challenge can only be issued once a
> year. But in 2015, Congress did away with that annual limitation and made it
> easier to challenge gag orders. The FBI has confirmed that the error was
> part of a standard NSL template and other providers received NSLs with the
> same significant error. We don’t know how many, but it is possibly in the
> thousands (according to the FBI, they sent out around 13,000 NSLs last
> year).

I wonder what kind of legal action could even be taken against this kind of
treatment (being given wrong / outdated information on legal options)?

~~~
moxious
I may be in the minority, but I still think these companies are being
cowardly.

They disclose as soon as they're permitted to, but the trouble with that is
that the permission is coming from the people who are the problem in the first
place.

An approach that would care about customers and show some more guts would be
simple refusal. In essence, civil disobedience in the face of someone who is
violating the law. Let the government take them to court, and let it be
disclosed in that way.

Before we applaud them too much, keep in mind they're also telegraphing that
this behavior is continuing. It doesn't take much skill to read between the
lines and see that this is an ongoing problem for them, there's just a lot
more of it that's happened that they're not allowed to disclose yet.

~~~
wfunction
> An approach that would care about customers and show some more guts would be
> simple refusal. In essence, civil disobedience in the face of someone who is
> violating the law. Let the government take them to court, and let it be
> disclosed in that way.

Is that how it works? You can refuse anything the government tells you to do
until they take you to court and the court orders you?

~~~
moxious
Perhaps. Perhaps not. Either way, you make it messy for them and you do
probably defeat their primary objective, which is secrecy.

How do you think they'd respond? With SEAL Team 6 while keeping everything
quiet?

When the government shows up to force you to turn over the information, no
violence is required, but you can make sure the newspapers are there when it
happens, and that the knowledge of it happening is not restricted to a few
execs, keeping key technical people in the dark (as happened at Yahoo).

~~~
wfunction
> How do you think they'd respond? With SEAL Team 6 while keeping everything
> quiet?

Possibly by taking you to court and convicting you of breaking some law by
refusing to provide the information the first time, perhaps even completely
independently of whether or not the order was actually constitutional. I can
imagine lots of bad outcomes that would land you in jail without giving you
the chance to take the actual issue to court.

~~~
therein
But when dealing with a corporate entity, who do you go after? Since this sort
of coercion seems to only work on an individual level, going after the entire
corporate entity won't invoke the same emotional response.

~~~
wfunction
I don't know how the law works. But my completely-unfounded guess is that
whoever is supposed to authorize this and who is refusing would be the one
convicted.

~~~
mirimir
So maybe they ought to be anonymous:
[http://www.cryptohippie.net/AnonAdmin.html](http://www.cryptohippie.net/AnonAdmin.html)

~~~
brokenmachine
You're giving system administrator status to an anonymous person on the
internet. What could possibly go wrong?

~~~
mirimir
You give them limited access and rights, to do what you want them to do. Here,
they would have access to communications with government agencies, ability to
tweet users or groups thereof, and perhaps responsibility for canary
management.

------
dmix
It's great that Twitter is being open about these.

Do these releases get media coverage? Is anyone talking about the various
lawsuits and blog posts about public releases of NSLs by tech companies?

I wish the NYTimes and WaPo spent as much time caring about this stuff as they
did about being the non-critical mouthpiece for various "anonymous
intelligence officials". There is definitely a story that could be made out of
this plus the Cloudflare, Google, etc. posts... so hopefully I'm proved wrong
in this assessment.

> While the actual NSLs request a large amount of data, Twitter provides a
> very limited set of data in response to NSL

I'm curious just how much they asked for here. I'm guessing it's the user plus
2 hops of anyone they talked to? Including:

- DMs
- t.co links clicked on
- IP addresses when accessing Twitter
- device IDs, browser, OS, etc.
- phone numbers
- visits to URLs of 3rd party web pages containing embedded tweets? (not sure
  if this is tracked via cookie)

That could turn out to be plenty of data but I don't believe a single user's
data would be referenced by Twitter as "a large amount of data", it's very
likely at least one hop or more, but who knows.

~~~
exp1orer
If you read the actual letters, you'll see they ask for

"the name, address, length of service, and electronic communications
transactional records for all services, as well as all accounts, provided to
the individual(s) or identifier(s) listed below."

The letter explicitly says not to provide information "that would disclose the
content of any electronic communication".

~~~
Neliquat
A clear end run of the law, as 'transactional records' can easily be correlated
to posts, and therefore content.

~~~
madgar
Not all user-generated content on Twitter is public. I couldn't possibly know
what kinds of transactional records have been requested or the distribution
therein, but DMs seem like plausible targets.

------
CaptSpify
Although they could have just sent it onto the intended target and gone
quietly about their day, I'm really glad that Twitter made this an
announcement. Do they have any kind of warrant canary system?

~~~
thinkloop
I was just thinking about this - what kind of system could work in these
circumstances? Say someone had to press a button every hour otherwise an
automatic public release gets sent - the government could simply imprison the
person for not pressing it. Say no-one knew who is supposed to press it
because of some system of randomness and crypto, then you just threaten the
CEO with imprisonment for not dismantling the whole thing. It seems only a
fully decentralized organization could get away with it. Thoughts?

~~~
corvus_sapiens
Warrant canaries are a thing [1]. For example, see Reddit's one which
disappeared last year [2].

[1] https://en.wikipedia.org/wiki/Warrant_canary

[2] https://www.reddit.com/r/worldnews/comments/4ct1kz/reddit_deletes_surveillance_warrant_canary_in/

------
algesten
Given the size of their user base, makes you wonder how many of these they are
not allowed to talk about...

------
wfunction
I have a related question:

Is there some kind of database anyone is keeping that helps the public figure
out what information companies have been ordered to produce in the past, and
what they have actually produced? (I don't specifically mean NSLs here --
subpoenas and any other things would all be included in my question.)

This would be useful in several respects, because it would not only provide a
check on the government, but it would also provide a check on the companies.
For example, can I be sure that if I delete something, and a company with my
data claims it is deleted in 60 days, can I rely on it to be true? If the
company has been ordered to produce such information in the past, knowing
whether or not it has done so would seem to be the most foolproof way to
figure out how much data the company retains or discards. Is anyone keeping
such records publicly (insofar as the information is available)?

------
boomboomsubban
Like the Internet Archive letters, these are only released as a legal error on
the part of the FBI made regarding the ability to challenge the order. This is
not the government deciding to lift the order voluntarily, and is not a sign
of more transparency from their end.

------
martinvol
Wait a minute, do they still really use typewriters?

~~~
ycmbntrthrwaway
They stick to plain ASCII and the same font everywhere to reduce metadata
leakage.

~~~
krzrak
> They stick to plain ASCII and the same font everywhere to reduce metadata
> leakage.

Could you please elaborate?

~~~
nutschig
Knowing what fonts / styles any one author uses could be used to group
together internal intelligence structures.

------
awqrre
They disclosed what they were allowed to disclose... that doesn't tell you
much...

------
bitslave
"The FBI recently informed us that the gag orders have been lifted and that we
may notify the account holders"

How recently? Why?

------
freshyill
I wonder how many NSLs they're going to start getting because of all the rogue
government agencies.

------
ensiferum
And Americans think that they have freedom.

In general for anyone conscious about freedom of speech and press it should
be alarming how certain agencies breach people's data and then put gag orders in
place. This isn't freedom, this is tyranny.

The citizens of North Korea probably have more freedom than the citizens
of the USA.

~~~
Analemma_
Comments like this are worse than useless, in that people see them and dismiss
them as hysterical hyperbole-- because they are-- and thereby become
inoculated against more credible warnings of real danger.

------
thedevil
Is this the same Twitter that has allegedly shadowbanned Scott Adams multiple
times for his political positions? If Twitter is interested in transparency,
how about some transparency on that? Twitter's actions make me distrust any
"transparency" talk, even if I disagree with Adams on certain things.

~~~
vkou
Is this the same Scott Adams that claims to have been shadowbanned, without
any proof?

Might his lower Twitter engagement have something to do with people getting
sick of hearing from him about Trump?

~~~
teddyh
How would anyone actually _prove_ something like this, short of getting
Twitter to admit it? What he _has_ seen is:

> _my tweets only go out to a subset of my followers. The rest don’t know I
> tweeted. My followers tell me this is the case. They have to visit my
> timeline to see my tweets._

What other proof could anyone realistically provide?

~~~
phpnode
That is how Twitter works - it doesn't show every tweet from everyone you
follow in your timeline, it shows a subset based on what it considers most
relevant.

~~~
busted
It's interesting to me that you probably don't care that this isn't true, nor
is it true that Twitter ever decides to not show your tweets to a subset of
your followers through a "shadowban". You just say whatever. Doesn't affect
you whether it's true or not and if other people believe you, hey that's
pretty funny that people just believe things you make up or misunderstood.

~~~
phpnode
Pardon?

------
dgrealy
It's important to remember that these orders serve a real and necessary role
in investigating serious criminals; these individuals are not named prior to
trial or if the investigation does not lead to a trial. It should not be
assumed that they were being unlawfully persecuted - rather that there was a
serious reason for them to be under investigation.

~~~
jpmattia
> _these individuals are not named, but it should not be assumed that they
> were being unlawfully persecuted - rather that there was a serious reason
> for them to be under investigation._

If only there were some way of determining whether they were being unlawfully
persecuted or validly investigated.

~~~
smoothgrammer
I know, right? Who could possibly judge one way or the other?

~~~
dgrealy
Do you think it might be a judge? Upon a completed investigation? One which is
effective and protects the identities of the investigated prior to any
criminal prosecution?

Do you think there should maybe be an oversight board and a congressional
committee? Because these things exist. Do you propose something different?

These are the functions which these authorities serve in society.

~~~
kodablah
Why all of these rhetorical questions? There have been hundreds of thousands
of these, with only a handful released upon completed investigation. I think a
transparent judge, a transparent oversight board, a transparent congressional
committee, etc. is what is proposed. This is how _we know_ these functions are
even being served by authorities in society. Or not being served, such as up
until recently where the gag was interminable making your "upon a completed
investigation" comment misinformed at the least and your blind faith
misplaced.

