Cloudflare Finally Able To Reveal FBI Gag Order That Congress Told Cloudflare Couldn't Possibly Exist
from the letter-that-dare-not-speak-its-[REDACTED-IN-FULL] dept
Another one of the FBI's thousands of National Security Letters has been made public -- along with its recipient. Cloudflare's latest transparency report (its seventh to date) contains a bonus: a 2013 NSL [PDF] the FBI felt no longer needed to be kept secret.
This NSL was received in 2013, and was challenged by Cloudflare and the EFF. It's only now being made public, and that's largely due to litigation and the USA Freedom Act's changes to NSL review policies. Rather than review them every three years-to-never, the FBI must now review them more frequently. Better still, recipients are now allowed to challenge NSL gag orders within one year of receiving them. This places the burden back on the government to prove ongoing secrecy is needed.
Shortly before the new year, Cloudflare received a letter from the FBI rescinding the NSL's gag order.
The letter withdrew the nondisclosure provisions (the “gag order”) contained in NSL-12-358696, which had constrained Cloudflare since the NSL was served in February 2013. At that time, Cloudflare objected to the NSL. The Electronic Frontier Foundation agreed to take our case, and with their assistance, we brought a lawsuit under seal to protect its customers' rights.
In this particular case, the NSL itself was pulled by the FBI as a result of the lawsuit.
Early in the litigation, the FBI rescinded the NSL in July 2013 and withdrew the request for information. So no customer information was ever disclosed by Cloudflare pursuant to this NSL.
So much secrecy surrounds NSLs -- by default -- that Ken Carter of Cloudflare wasn't even able to correct a Senate staffer who told him things that were completely untrue.
In early 2014, I met with a key Capitol Hill staffer who worked on issues related to counter-terrorism, homeland security, and the judiciary. I had a conversation where I explained how Cloudflare values transparency, due process of law, and expressed concerns that NSLs are unconstitutional tools of convenience rather than necessity. The staffer dismissed my concerns and expressed that Cloudflare’s position on NSLs was a product of needless worrying, speculation, and misinformation. The staffer noted it would be impossible for an NSL to issue against Cloudflare, since the services our company provides expressly did not fall within the jurisdiction of the NSL statute. The staffer went so far as to open a copy of the U.S. Code and read from the statutory language to make her point.
That's what a gag order does: allows misinformation to go uncorrected. The staffer's interpretation of US Code may have been more to the letter of the law, but Cloudflare's Carter knew -- from personal experience -- that the FBI's interpretation was different.
Because of the gag order, I had to sit in silence, implicitly confirming the point in the mind of the staffer. At the time, I knew for a certainty that the FBI’s interpretation of the statute diverged from hers (and presumably that of her boss).
Not only does the default secrecy allow the FBI to continue to pursue questionable requests with NSLs, but it also allows it to deploy them in apparent violation of US law, right under the nose of its Congressional oversight.
Congratulations to both the EFF and Cloudflare, which worked together to protect a user's privacy against the FBI's self-issued NSL. Apparently the demand for information couldn't hold up when scrutinized by a judge for the first time. The fact that the USA Freedom Act only recently went into effect likely explains the three-year-plus gap between the NSL's withdrawal and the lifting of the gag order.
While the USA Freedom Act's NSL-handling changes are an improvement, they're far from perfect. The burden of proof has been shifted to the government, but there's very little compelling it to respond to gag order challenges quickly, as the EFF points out.
Under the USA FREEDOM Act of 2015, the FBI is required to periodically review outstanding NSLs and lift gag orders on its own accord if circumstances no longer support a need for secrecy. As we’ve seen, this periodic review process has recently resulted in some very selective transparency by the FBI, which has nearly complete control over the handful of NSL gags it retracts, not to mention the hundreds of thousands it leaves in place. Make no mistake: this process is irredeemably flawed. It fails to place on the FBI the burden of justifying NSL gag orders in a timely fashion to a neutral third party, namely a federal court.
The EFF's legal battle against NSLs continues. We've seen incremental lifting of secrecy as a result of its multiple NSL challenges, but the EFF is hoping to see a court find the whole NSL scheme -- warrantless demands for user data and identifying information the FBI often uses to route around judicial rejection -- to be unconstitutional.