Shining Light on National Security Letters

Transparency. We aim for it in most everything we do at Automattic.

When it comes to legal demands from the government, being fully transparent can be hard and even impossible in cases where we are prohibited by law from revealing information about a legal request we receive. Nowhere is the lack of transparency more controversial than in the area of National Security Letters (“NSLs”).

Today we are releasing and publishing redacted versions of five NSLs, which we hope will add to the public’s understanding of this legal tool and help inform the debate about their scope and use.

We would also like to share some information about the process we followed to lift the nondisclosure restrictions associated with these NSLs and provide copies of our correspondence with the government on this subject. We hope this information will be useful to other companies who may wish to take advantage of the legal options that are currently available to challenge NSL nondisclosure orders.

What is an NSL?

NSLs are a form of government legal process (like a subpoena) used to request information from communications service providers, like phone and internet companies, about their users in national security investigations.

NSLs are legally controversial because no judge reviews the information demands before they are issued, and they often come with a nondisclosure requirement (also known as a “gag order”) that lasts for an indefinite amount of time and can end up being permanent. An NSL gag order legally prohibits the recipient (often an internet company like Automattic) from sharing a copy of the NSL with the user whose account info is being requested. It also prevents the company from sharing any information about the NSL publicly, or from even making a public statement that they received the NSL at all. Instead, the government allows NSL recipients to report the number of NSLs they receive in a broad range, which is designed to give the public an idea of the number of NSLs received during a certain period of time. This is why we reported receipt of 0-249 NSLs for certain periods covered by our Transparency Report.

The EFF has published a comprehensive set of resources about NSLs here, if you’re interested in learning more about them.

National Security Letters Received by Automattic

Below are redacted copies of five National Security Letters received by Automattic between 2010 and 2013.

Each of the NSLs that we are publishing initially included an indefinite nondisclosure requirement that prohibited us from sharing any information about the letter or publicly acknowledging that we received an NSL.

We recently requested that these nondisclosure requirements be lifted, under the “reciprocal notice” procedures of the USA FREEDOM Act. More detail on the procedures that we followed is below.

In response to our requests, the FBI lifted the gag orders with respect to all information in each of the NSLs we are making available today. Before publishing the letters publicly, however, we decided to redact the following information from each letter: (1) the site URL about which the government requested information, (2) names of Automattic personnel to whom the request was addressed, and (3) name and contact information for the FBI personnel involved in making the information request.

We made these limited redactions in order to protect privacy interests. The NSLs are otherwise exactly what we received when they were served on us.

In response to four of the letters, we produced information that was responsive to the government’s request. We did not have user information that was responsive to one of the NSLs, and did not produce any information as a result.

Before publishing these letters publicly, we notified each WordPress.com account holder whose information was requested or produced under the NSLs we received, and provided them with a copy of the relevant NSL.

Legal Review of Nondisclosure Requirements

The USA FREEDOM Act, passed in 2015, includes two avenues under which an NSL nondisclosure requirement might be reviewed and lifted.

First, the Act requires the FBI to periodically review the NSLs that they have issued and determine whether their nondisclosure requirements are still necessary. As a result of these reviews, the FBI has terminated gag orders for at least a handful of NSLs. We know, for example, that two companies were able to discuss and publish NSLs for the first time as a result of this periodic review: Yahoo released three NSLs in June 2016 and Google released eight NSLs in December 2016.

Second, the statute provides a mechanism under which the recipient of an NSL, like Automattic, has the right to ask the FBI to review the nondisclosure requirement accompanying an NSL. This process is referred to as “reciprocal notice.” If an NSL recipient invokes reciprocal notice, the FBI must review the NSL within 30 days and decide whether the nondisclosure requirement is still necessary. If the FBI decides it is not, it lifts the gag order. If the FBI decides that secrecy is still needed, the government must seek review of the nondisclosure requirement in federal court. A judge then reviews the nondisclosure requirement to determine if it should stay in place, needs to be modified, or should be terminated.

It is our policy to invoke the reciprocal notice procedure for any NSLs we receive. If and when a nondisclosure requirement is lifted, our policy is to share the contents of the NSL with any affected users where possible, as well as to publish a version of the NSL.

In May 2017, we sent letters to the FBI invoking the reciprocal notice procedure for each of the five NSLs that we are publishing today. Though each of the NSLs is several years old (the oldest letter dates back to 2010), we have a strong commitment to transparency and thought it was important to do what we could to disclose NSLs to our affected users and the public, even though these disclosures are several years after the fact.

In response to our letters, the FBI declined to seek judicial review of any of the five nondisclosure requirements. Instead, the government lifted the nondisclosure requirement for each letter, allowing us to share a copy of each letter publicly, with voluntary redactions to protect the privacy of the people involved.

Based on our correspondence with the government, we’ve developed a form reciprocal notice request here in Google Docs format. If your company has received an NSL in the past and you would like the government to review the letter’s nondisclosure requirement, this form may be useful to you. We have also included a copy of the FBI’s response to each of our request letters (see below).

Automattic’s Commitment to Transparency

We believe that the government does critically important work to protect our national security, and that investigative tools like NSLs are necessary to that work. At the same time, we take our commitment to transparency very seriously, and believe that our users and the public have a right to be informed about the nature of the tools that the government uses to conduct investigations and the scope of their use. That is why we worked to lift the gag orders on the NSLs that we are releasing today. We hope that the information we’ve published adds to the body of knowledge and helps inform the important public debate about NSLs.

We also continue to believe that NSLs pose serious constitutional concerns, particularly because they indefinitely prevent companies like us from speaking about them, and informing our users or the public about the NSLs that we receive. The procedures used to lift nondisclosure requirements are flawed because they put the burden of seeking an end to secrecy almost entirely on the companies, like Automattic, who receive NSLs. Though flawed, these procedures are all we have for now. We were able to use them to remove the nondisclosure orders on the letters we publish today and would like to see other companies who have received NSLs follow the same path.


Redacted NSLs (pdf)

NSL-10-287729_Redacted

NSL-10-288826_Redacted

NSL-12-355105_Redacted

NSL-12-355263_Redacted

NSL-13-365428_Redacted

Redacted FBI Response Letters (pdf)

NSL-10-287729_FBI Response_Redacted

NSL-10-288826_FBI Response_Redacted

NSL-12-355105_FBI Response_Redacted

NSL-12-355263_FBI Response_Redacted

NSL-13-365428_FBI Response_Redacted

Hall of Shame: Something Stinks in Abbotsford

For our latest Hall of Shame entry, we turn our gaze towards the City of Abbotsford in Canada. For reference, here’s their logo. Commit it to memory, as you’ll want to remember what it looks like for later:

[Image: City of Abbotsford logo]

City officials took issue with a 2013 post written by a homeless blogger that criticized them for reportedly “deliberately spread[ing] chicken manure on a homeless person’s camp” in an effort to deter people from congregating in the area. To demonstrate just how… dirty a move the blogger thought this was, he illustrated his post with a doctored image of the city’s logo, which had been modified to include a large … well, see for yourself:

[Image: City of Abbotsford parody logo]

The accompanying text reads:

“Oh crap! Abbotsford already needs to update their new city logo.”

That seems to make the blogger’s feelings quite clear. Unhappy, however, with this depiction of their logo, a marketing firm purporting to act on behalf of the Abbotsford city council sent us a DMCA takedown notification earlier this January, claiming copyright over the image.

[Image: DMCA takedown notice, DMCA-Abbotsford.png]

It is unclear why the city council decided to go down this particular route in an attempt to have the image removed, or why it took them almost four years to do so. What is clear, however, is that this stinks. Pardon the pun. It was glaringly obvious that the addition of the hilariously large feces was for the purposes of parody, and tied directly to the criticisms laid out in the post. As a result, it seems hard to believe that the city council took fair use considerations into account before firing off their ill-advised notice, and trying to wipe up this mess.

We rejected the complaint, and passed it on to the blogger for his perusal. In response, he updated the logo, just in case there was any doubt that the image was being used for the purposes of commentary or criticism:

[Image: updated City of Abbotsford parody logo]

Much clearer now.

City of Abbotsford, welcome to the Hall of Shame.

Note: Our use of the Abbotsford city logo in this post is also for the purposes of commentary or criticism, and therefore falls under fair use protections. If anybody on the council happens to be reading, please don’t send us another DMCA takedown. 🙂

Reforming the DMCA

We at Automattic are firm believers in legitimate copyright protection. We are also vigilant about shielding our users from abuse, particularly in cases in which the abuse aims to censor legitimate criticism or ignores fair use of copyrighted materials. As an online service provider, balancing these diverse interests and rights is important to us and requires careful review and diligence. Section 512 of the DMCA was enacted to provide online service providers like Automattic with guidance on handling these issues; however, in the almost 30 years since the law was passed, the Internet landscape has evolved significantly, leaving deficiencies in the safeguards of Section 512.

To help remedy these deficiencies, the US Copyright Office started an initiative last year to study and propose reforms to the DMCA. We were grateful to have an opportunity to submit our feedback and to highlight the issues we commonly experience with the current system—namely, abusive DMCA notices, a deficient counter-notice process, and the impact of copyright bots on fair use. As a follow-up, the Copyright Office recently solicited empirical data and analyses to help shed light on the effectiveness and impact of the current Section 512 safe harbors – and Automattic was happy to share the data we’ve gathered on the subject in recent years.

Some key findings that we highlighted:

  • With three years of data relating to the copyright infringement notices we receive, it was particularly striking to see how consistent the figures are year after year on subjects such as counter notices, fair use, and procedural mistakes that we reject.
  • 10% of the notices of claimed infringement we receive are directed at clear fair uses or uncopyrightable content, or contain clear misrepresentations regarding copyright ownership. If our experience is representative of other online service providers in the industry, the overall volume of abuse is significant.
  • The number of counter-notices we receive is remarkably low, which we believe is not the result of a correspondingly low number of false or mistaken assertions of infringement, but instead results from the concern that sending a counter notification is likely to result in costly litigation, even if that litigation would ultimately turn out to hold that no infringement had occurred.
  • More than a third of the notices we receive simply do not contain the required information—they either include incorrect information, leave out pertinent information, or fail to provide a clear description of the unauthorized material.
  • Automattic has spent a significant amount on legal fees in bringing lawsuits against blatant violators of the DMCA, but has been unable to recover these costs or collect on judgments in our favor because the remedies available under the law are often illusory even in cases of clear abuse.

Our data shows a continuing issue with the current DMCA system, which allows abuse to go unfettered due to a lack of real statutory consequences. Internet users need a more effective remedy than the counter-notice to adequately safeguard their legitimate content. Stricter form-of-notice requirements, opportunity for targets to respond before content is removed, and statutory damages for abusive notices are some possible solutions that would provide increased protection for Internet users.

We are hopeful that our feedback and data will help guide reforms toward creating a more equitable environment for Internet users. We look forward to seeing how the law evolves and will continue to work hard to make the DMCA process as fair and balanced as possible.  

For more information about the data we collect, you can view our transparency reports related to section 512 here.

You can read our full comments here: Section 512 Comments

Automattic at RightsCon 2017

Automattic’s mission is to democratize publishing, part of which involves fighting for digital rights online. As a result, we are proud to sponsor RightsCon 2017 — a conference starting today, centred around “how to keep the internet open, free, and secure.”

[Image: RightsCon 2017 official logo]

Several members of our legal and policy teams are happily in Brussels to join the summit.

On Thursday at 4 pm, we will host a session on the day-to-day realities of dealing with takedown demands from all over the world. If you are interested in the practical perspective of a service provider fighting for bloggers’ rights, we hope you will come and ask us tough questions.

Later, on Thursday at 6:15 pm, we invite all conference attendees to continue the conversation over drinks and snacks at a cocktail reception on-site immediately following the programming.

If you are not at the conference in person, you can follow along on social media with #rightscon and hopefully many sharp blog posts to come.

Transparency Report Update: July–December 2016. Consistency is Key.

Today we launch our seventh bi-annual transparency report, covering the period between July 1 and December 31, 2016.

As usual, we detail the number of takedown demands and requests for information received from governments, as well as the intellectual property (IP) takedown notices we have received.

Having published these reports for a number of years now, something that is particularly striking is just how consistent the intellectual property figures are from one period to the next. To demonstrate this point, here are the percentages for the number of DMCA takedown requests we have rejected for each period, on the basis of being incomplete or abusive. The graphs include the total overall number of requests to provide some more context:

Looking just at the percentage of abusive notices received per reporting period, we see an even tighter range:

We believe that these numbers demonstrate a persistent and ongoing issue with the current copyright takedown system, which allows abuse to go unchecked due to a lack of real statutory consequences. Ten percent of notices on a single platform may not appear like much of a concern, but if our experience is representative of other similar hosts in the industry, the overall volume of abuse would amount to a huge number.

The same consistency seen in the IP numbers is not reflected in the percentage of government takedown demands that result in some or all of the content being removed. Rather, these figures show a marked increase. This is partly due to a steadily climbing number of demands from countries such as Turkey and Russia, and also to a shift in our approach to handling these.

We encourage you to spend time looking through the data that we have collected, and dig in for yourselves. We’d also call on all hosts — big or small — to publish their own figures, and add their voice to the conversation.

The full transparency report is available here.

Automattic is an ORG Sponsor

This week we were proud to be unveiled as an official corporate sponsor of the Open Rights Group (‘ORG’), the very same week that the controversial Investigatory Powers Bill is being debated in the British Parliament.

[Image: Open Rights Group]

ORG has been fighting tirelessly for digital rights in the UK since 2005. Despite their relatively small size, they have achieved some significant victories. They have campaigned against damaging legislation such as ACTA (which was rejected by the European Parliament in 2012); been instrumental in the implementation of the HTTP Error 451 status code to highlight sites that are rendered inaccessible for legal reasons; challenged mass surveillance in court; helped secure a ‘right to parody’ in the UK; and particularly close to our heart… fought for the rights of bloggers when they’ve been threatened with frivolous copyright takedown demands.

The work that ORG do is vital to protecting many of the online values Automattic shares, and we’re happy to support their mission.

Find out more about the Open Rights Group on their site.

Automattic and WordPress.com Stand with Apple to Support Digital Security

At Automattic, we’re very mindful of the trust our users place in us to keep their information private and secure, and we work hard to build systems, software, and legal policies to safeguard that information. We’re also very mindful of threats to user trust and security, and we believe that the recent federal court order, issued against Apple in the San Bernardino case, poses just such a threat.

The order requires Apple to write code to deliberately weaken standard security measures on an iPhone, in furtherance of the federal criminal investigation. Though the investigation is very important, the court’s order could pose a great threat to the security of all digitally stored information, and undermine the trust that users have placed in companies, like Automattic or Apple, to keep their sensitive personal information and data safe.

Apple has challenged the order, and today, Automattic has joined many leading Internet and technology companies in filing an amicus brief in support of Apple’s legal challenge.

Weaker Security Hurts Everyone

Like Apple, we respect the rule of law, and honor the valid government orders we receive to furnish data in connection with criminal investigations. But deliberately weakening information security, as Apple has been asked to do here, is a step too far that makes everyone less safe.

Undermining security measures – even in situations where there appear to be good intentions – will inevitably have unintended consequences for regular people. As Apple said in a letter to its customers, intentionally weakening security at the government’s request “would hurt only the well-meaning and law-abiding citizens who rely on companies like Apple to protect their data.” The fact is that if a security flaw exists, there is no way to ensure that only trusted governments, investigating a crime, can exploit that vulnerability. Improving security for everyone means aggressively finding and closing holes, not creating new ones.

Dangerous Legal Precedent

This case is not simply about access to one iPhone. It’s a decision that will serve as a (possibly global) precedent for what software, and the companies that build it, can and can’t do to protect user information. These protections exist to thwart anyone who seeks unauthorized access to user information (like hackers), and they need to be as strong and sophisticated as possible. If the San Bernardino order stands, the precedent it sets – that companies can be forced to weaken their own security – will be a dangerous one. Future orders could apply not just to smartphones and other hardware, but also to Internet services like those provided by Automattic.

Standing With Apple

Automattic takes great pride in building software that is not only free and open, but also secure. We stand with Apple in both condemning terrorism and defending the privacy and security of our users. If Automattic were faced with a government order like the one issued in San Bernardino, we, like Apple, would do everything within the law to challenge it. That’s why we’re joining with a sizable group of leading tech companies today to support Apple in this case.

You can read our full legal brief below.