Shining Light on National Security Letters

Transparency. We aim for it in most everything we do at Automattic.

When it comes to legal demands from the government, being fully transparent can be hard and even impossible in cases where we are prohibited by law from revealing information about a legal request we receive. Nowhere is the lack of transparency more controversial than in the area of National Security Letters (“NSLs”).

Today we are releasing and publishing redacted versions of five NSLs, which we hope will add to the public’s understanding of this legal tool and help inform the debate about their scope and use.

We would also like to share some information about the process we followed to lift the nondisclosure restrictions associated with these NSLs and provide copies of our correspondence with the government on this subject. We hope this information will be useful to other companies who may wish to take advantage of the legal options that are currently available to challenge NSL nondisclosure orders.

What is an NSL?

NSLs are a form of government legal process (like a subpoena) used to request information from communications service providers, like phone and internet companies, about their users in national security investigations.

NSLs are legally controversial because no judge reviews the information demands before they are issued, and they often come with a nondisclosure requirement (also known as a “gag order”) that lasts for an indefinite amount of time and can end up being permanent. An NSL gag order legally prohibits the recipient (often an internet company like Automattic) from sharing a copy of the NSL with the user whose account info is being requested. It also prevents the company from sharing any information about the NSL publicly, or from even making a public statement that they received the NSL at all. Instead, the government allows NSL recipients to report the number of NSLs they receive in a broad range, which is designed to give the public an idea of the number of NSLs received during a certain period of time. This is why we reported receipt of 0-249 NSLs for certain periods covered by our Transparency Report.

The EFF has published a comprehensive set of resources about NSLs here, if you’re interested in learning more about them.

National Security Letters Received by Automattic

Below are redacted copies of five National Security Letters received by Automattic between 2010 and 2013.

Each of the NSLs that we are publishing initially included an indefinite nondisclosure requirement that prohibited us from sharing any information about the letter or publicly acknowledging that we received an NSL.

We recently requested that these nondisclosure requirements be lifted, under the “reciprocal notice” procedures of the USA FREEDOM Act. More detail on the procedures that we followed is below.

In response to our requests, the FBI lifted the gag orders with respect to all information in each of the NSLs we are making available today. Before publishing the letters publicly, however, we decided to redact the following information from each letter: (1) the site URL about which the government requested information, (2) names of Automattic personnel to whom the request was addressed, and (3) name and contact information for the FBI personnel involved in making the information request.

We made these limited redactions in order to protect privacy interests. The NSLs are otherwise exactly what we received when they were served on us.

In response to four of the letters, we produced information that was responsive to the government’s request. We did not have user information that was responsive to one of the NSLs, and did not produce any information as a result.

Before publishing these letters publicly, we notified each WordPress.com account holder whose information was requested or produced under the NSLs we received, and provided them with a copy of the relevant NSL.

Legal Review of Nondisclosure Requirements

The USA FREEDOM Act, passed in 2015, includes two avenues under which an NSL nondisclosure requirement might be reviewed and lifted.

First, the Act requires the FBI to periodically review the NSLs that they have issued and determine whether their nondisclosure requirements are still necessary. As a result of these reviews, the FBI has terminated gag orders for at least a handful of NSLs. We know, for example, that two companies were able to discuss and publish NSLs for the first time as a result of this periodic review: Yahoo released three NSLs in June 2016 and Google released eight NSLs in December 2016.

Second, the statute provides a mechanism under which the recipient of an NSL, like Automattic, has the right to ask the FBI to review the nondisclosure requirement accompanying an NSL. This process is referred to as “reciprocal notice.” If an NSL recipient invokes reciprocal notice, the FBI must review the NSL within 30 days and decide whether the nondisclosure requirement is still necessary. If the FBI decides it is not, it lifts the gag order. If the FBI decides that secrecy is still needed, the government must seek review of the nondisclosure requirement in federal court. A judge then reviews the nondisclosure requirement to determine if it should stay in place, needs to be modified, or should be terminated.

It is our policy to invoke the reciprocal notice procedure for any NSLs we receive. If and when a nondisclosure requirement is lifted, our policy is to share the contents of the NSL with any affected users where possible, as well as to publish a version of the NSL.

In May 2017, we sent letters to the FBI invoking the reciprocal notice procedure for each of the five NSLs that we are publishing today. Though each of the NSLs is several years old (the oldest letter dates back to 2010), we have a strong commitment to transparency and thought it was important to do what we could to disclose NSLs to our affected users and the public, even though these disclosures are several years after the fact.

In response to our letters, the FBI declined to seek judicial review of any of the five nondisclosure requirements. Instead, the government lifted the nondisclosure requirement for each letter, allowing us to share a copy of each letter publicly, with voluntary redactions to protect the privacy of the people involved.

Based on our correspondence with the government, we’ve developed a form reciprocal notice request here in Google Docs format. If your company has received an NSL in the past and you would like the government to review the letter’s nondisclosure requirement, this form may be useful to you. We have also included a copy of the FBI’s response to each of our request letters (see below).

Automattic’s Commitment to Transparency

We believe that the government does critically important work to protect our national security, and that investigative tools like NSLs are necessary to that work. At the same time, we take our commitment to transparency very seriously, and believe that our users and the public have a right to be informed about the nature of the tools that the government uses to conduct investigations and the scope of their use. That is why we worked to lift the gag orders on the NSLs that we are releasing today. We hope that the information we’ve published adds to the body of knowledge and helps inform the important public debate about NSLs.

We also continue to believe that NSLs pose serious constitutional concerns, particularly because they indefinitely prevent companies like us from speaking about them, and informing our users or the public about the NSLs that we receive. The procedures used to lift nondisclosure requirements are flawed because they put the burden of seeking an end to secrecy almost entirely on the companies, like Automattic, who receive NSLs. Though flawed, these procedures are all we have for now. We were able to use them to remove the nondisclosure orders on the letters we publish today and would like to see other companies who have received NSLs follow the same path.


Redacted NSLs (pdf)

NSL-10-287729_Redacted

NSL-10-288826_Redacted

NSL-12-355105_Redacted

NSL-12-355263_Redacted

NSL-13-365428_Redacted

Redacted FBI Response Letters (pdf)

NSL-10-287729_FBI Response_Redacted

NSL-10-288826_FBI Response_Redacted

NSL-12-355105_FBI Response_Redacted

NSL-12-355263_FBI Response_Redacted

NSL-13-365428_FBI Response_Redacted

Automattic and WordPress.com Stand with Apple to Support Digital Security

At Automattic, we’re very mindful of the trust our users place in us to keep their information private and secure, and we work hard to build systems, software, and legal policies to safeguard that information. We’re also very mindful of threats to user trust and security, and we believe that the recent federal court order, issued against Apple in the San Bernardino case, poses just such a threat.

The order requires Apple to write code to deliberately weaken standard security measures on an iPhone, in furtherance of the federal criminal investigation. Though the investigation is very important, the court’s order could pose a great threat to the security of all digitally stored information, and undermine the trust that users have placed in companies, like Automattic or Apple, to keep their sensitive personal information and data safe.

Apple has challenged the order, and today, Automattic has joined many leading Internet and technology companies in filing an amicus brief in support of Apple’s legal challenge.

Weaker Security Hurts Everyone

Like Apple, we respect the rule of law, and honor the valid government orders we receive to furnish data in connection with criminal investigations. But deliberately weakening information security, as Apple has been asked to do here, is a step too far that makes everyone less safe.

Undermining security measures – even in situations where there appear to be good intentions – will inevitably have unintended consequences for regular people. As Apple said in a letter to its customers, intentionally weakening security at the government’s request “would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data.” The fact is that if a security flaw exists, there is no way to ensure that only trusted governments, investigating a crime, can exploit that vulnerability. Improving security for everyone means aggressively finding and closing holes, not creating new ones.

Dangerous Legal Precedent

This case is not simply about access to one iPhone. It’s a decision that will serve as a (possibly global) precedent for what software, and the companies that build it, can and can’t do to protect user information. These protections exist to thwart anyone who seeks unauthorized access to user information (like hackers), and they need to be as strong and sophisticated as possible. If the San Bernardino order stands, the precedent it sets – that companies can be forced to weaken their own security – will be a dangerous one. Future orders could apply not just to smartphones and other hardware, but also to Internet services like those provided by Automattic.

Standing With Apple

Automattic takes great pride in building software that is not only free and open, but also secure. We stand with Apple in both condemning terrorism and defending the privacy and security of our users. If Automattic were faced with a government order like the one issued in San Bernardino, we, like Apple, would do everything within the law to challenge it. That’s why we’re joining with a sizable group of leading tech companies today to support Apple in this case.

You can read our full legal brief below.


Defending Net Neutrality

Net neutrality – the principle that providers of internet service must treat all traffic equally – is a cornerstone of the free, open internet. This once-obscure principle has been in the news, as federal agencies, Congress, and even the President debated the proper scope of net neutrality regulations.

Automattic supports net neutrality. We recently joined our users to advocate strong net neutrality rules, and cheered the FCC’s decision to reclassify broadband service under Title II of the Communications Act, a decisive move that supplies a sturdy legal foundation for real net neutrality. Even with this victory, we knew the battle for net neutrality was far from over.

The ink was barely dry on the FCC’s rules when opponents of net neutrality rushed to court in an attempt to dismantle what we, and much of the internet, fought so hard to win. The fate of net neutrality is now in the hands of a Washington DC appeals court, and we’re now adding our voice to the case.

Today, we filed an amicus brief with the Court of Appeals for the DC Circuit in the case of United States Telecom Assn. v. FCC (the full brief is below). We’re proud to be joined on the brief by five other leading internet companies: Medium, Reddit, Squarespace, Twitter, and Yelp. Our tools, along with many others, have helped make the internet a global engine of free expression. We deeply appreciate the critical role net neutrality plays in ensuring that speech and expression, on all platforms, are free from interference, throttling, or blocking by the gatekeepers who provide access to the internet. Very simply: net neutrality is necessary for free speech to flourish online. On behalf of Automattic, and especially the millions who rely on WordPress to speak to the world, we submit our brief in support of strong, enforceable net neutrality rules.

WordPress.com and the WordPress open source project are living examples of what is possible on a neutral internet, open for creation, collaboration, and expression. We urge the court to consider our example, as well as the voices of internet users worldwide, as it considers this important case.


Transparency Report Update

We’re pleased to release the latest update to our transparency report, covering the period of January 1 – June 30, 2015.

We try to make each new transparency report more…transparent, by adding new and more detailed information about the legal demands we receive, our responses to them, and the internal policies that guide our actions.

In this report, we’ve added a few new pieces:

  • We’ve identified our top DMCA complainants. From here on out, we’ll include a chart showing the organizations that submitted the greatest number of DMCA notices in a reporting period. Not surprisingly, the list is dominated by third-party takedown services, many of whom use automated bots to identify copyrighted content and generate takedown notices. We’ve written in the past about the many potential pitfalls of this practice. In the future, we may report statistics on the success rate of notices submitted by each of our top reporters, in hopes of identifying those who use automated tools thoughtfully, as they should be used: in conjunction with human review to ensure that they’re not targeting things like fair use (or even their own clients!).
  • We added more information on the processes we follow for reviewing and acting on (or rejecting) the DMCA notices we receive. The Copyright and DMCA page includes information on how our DMCA process works, for both users and copyright holders. The Our DMCA Process page explains the steps we follow to review and act on the DMCA notices that we receive. We’ve also published all of our DMCA forms, emails, and notifications on GitHub under a Creative Commons license. We hope this furthers our goal of transparency and serves as a useful resource for other website owners and companies who want to comply with the DMCA in a user-friendly fashion.
  • For DMCA notices, we are now reporting more granular data on the content we remove in response to a notice. In some cases, we receive a DMCA notice for content posted to a site that violates our Terms of Service (like a spam or warez site, for example). In prior reports, we counted both the suspension of these types of sites and the takedown of individual copyrighted files from legitimate sites, in the category of “notices where some or all content was removed.” Beginning with this report, we are separately reporting the percentage of notices where we remove copyrighted content from legitimate sites. In this reporting period, for example, if we counted suspended sites as rejected notices, the percentage of notices where some or all content was removed would be 33% (down from 57%).
We hope you find the transparency report useful and informative. If you have suggestions for how we can improve the report, or information you’d like to see included in future reports, please let us know!

Standing Up for Bitcoin

We strongly believe in the power of open source software, and have seen first hand how it can empower communities to build better software for an endless variety of applications, from the ground up.

Bitcoin, and other digital currencies, are great examples of how open, community-driven development can spark innovations that would be very difficult to replicate under a top-down, proprietary development model.

That’s one of the main reasons why we accepted bitcoin as payment for Automattic upgrades. Though we paused Bitcoin support earlier this year, due to resource constraints, we still strongly support its mission. It’s also why we’ve recently engaged in the policy realm to champion policies that will foster, not impede, future innovations in open, digital currencies like Bitcoin.

We’re proud to have filed comments in response to New York State’s proposed BitLicense, which is a state-level attempt to regulate the decentralized, open source technology with highly prescriptive cybersecurity and licensing requirements. We’d also emphasize that many of these comments also apply to similar efforts to regulate digital currencies currently underway in other states, such as California’s AB 1326.

Bitcoin Should be (Un)regulated Like Open Source Software—Not Burdened By Misguided Licenses

We view the New York regulator’s efforts as deeply misguided. They needlessly stifle development of very promising open technologies, and potentially threaten free speech, privacy, and security.

Key reasons we oppose the proposed rules include:

  • Regulation of any kind at this stage of Bitcoin’s development is a mistake. Adding burdensome regulatory requirements that do more harm than good will surely succeed only in stifling new innovations in Bitcoin and blockchain technologies.
  • Regulating digital currencies will have unintended consequences on free speech, especially anonymous speech online. Many of our users, especially those residing in countries lacking freedom of expression, choose to publish their sites anonymously. New York’s BitLicense proposal would require these publishers to risk revealing their identities for even small payments.
  • States should not be in the business of regulating digital currencies. New York’s proposed law is bad enough, but imagine a world in which every state had its own version of the BitLicense – we’d have an unmanageable thicket of dozens of state laws. This situation would be ill-suited to a technology without borders. If digital currencies are to be regulated, it should be at the federal, not state, level.
  • The cybersecurity provisions create more problems than they solve. These provisions would entrust the New York agency with so much data that the agency would become a top cybersecurity target, and we are not sure the agency has the expertise to protect that data.

We are scarcely at the dawn of understanding the possibilities of open technologies like Bitcoin, and the blockchain. It is hasty to regulate digital currencies in the manner the BitLicense proposes, especially when we are not fully aware of what’s at stake. We believe that current laws, applied well, likely will address the consumer harms that New York is concerned about. Once the technologies have matured, it may be sensible to adopt a uniform, reasonable set of rules at the federal level.

Read our full letter to New York’s Department of Financial Services:

Cheers to the FCC for Supporting Title II to Protect the Open Internet

WordPress.com aims to democratize publishing – to build the tools that give writers, bloggers, and creators of all sizes a way to get their voices to the world. Today we see that our voices were heard, and that they had a big impact on the future of the internet.

This morning, FCC chairman Tom Wheeler announced his support for strong network neutrality rules, by proposing to reclassify internet service under Title II of the telecommunications act. We applaud Chairman Wheeler for today’s announcement. It’s a historic step, and one that would not have been possible without the support of the millions of internet users – from individual WordPress.com bloggers to the President of the United States – who voiced their support for the open internet for the past several months. At Automattic, we’re proud to have participated in this historic effort, and pledge to continue supporting this important cause until rules that truly protect the free, open internet that we know and love are firmly in place.