Reddit may, or may not, have given intelligence agencies in the US information about some of its user base.
Technology blogs across the world are currently rife with speculation about something which Reddit may or may not have done. The crime in question? Handing over ‘user data’ as a result of receiving a ‘National Security Letter’.
Reddit annually releases a ‘Transparency Report’, which lists the number and types of government requests it received in the previous year. This also includes requests for user information and requests to take down content from spooks in the US Government.
There is a somewhat conspicuous ‘elephant in the room’, however: the entire national security section is missing from Reddit's transparency report for 2015.
By comparison, Reddit's 2014 transparency report indicated in a section titled “national security requests” that it had received no National Security Letters during that year, or any order issued by the Foreign Intelligence Surveillance Court.
The report reads, “As of January 29, 2015, Reddit has never received a National Security Letter, an order under the Foreign Intelligence Surveillance Act, or any other classified request for user information.”
The same section finishes with, “If we ever receive such a request, we would seek to let the public know it existed.”
The letters - and why they matter
National Security Letters are sent to internet service providers, credit companies, financial institutions and other organisations that the FBI would like to receive confidential metadata from. Such information is commonly about those organisations' customers, including pieces of data like phone numbers, email addresses, websites visited, and so on.
Although the letters have been in operation since the 1980s, the Patriot Act recently gave the data handover requests more power. They do not require court approval and come with a built-in gag order, which means a company getting such a letter has to hand over the data but is not allowed to tell anyone about it.
This makes them a potential candidate for government abuse, and the US Department of Justice has previously uncovered abuses of such requests by the FBI. Though recipients of a National Security Letter can challenge it in court, few have done so.
When the 2015 report was released in the section of the website reserved for Reddit announcements, user ‘slyf’ said, “Interesting to note that the national security Canary in the 2014 transparency report is no longer present in the 2015 transparency report.”
Reddit CEO Steve Huffman, who goes by the moniker of “spez”, replied saying, “Even with the canaries, we're treading a fine line.”
The canary he is referring to is a colloquial term for a regularly published statement that a service provider has not received legal process (like a National Security Letter) that it would be prohibited from disclosing to the public.
Looking closer to home
It is laws like this that privacy advocates currently fear. SCMagazineUK.com recently reported that the upcoming Investigatory Powers Bill is set to give phone hacking powers to UK intelligence agencies.
This would ban tech companies from revealing whether they had been made to install backdoor access routes, leaving customers unable to know whether their messages and search history have been under inspection.
Commenting on the planned phone hacking powers contained in the IP Bill, Dr Adrian Davis, managing director EMEA at (ISC)², said, “The debate has now moved on to ensuring authorities can have a backdoor, to whatever they feel they should have access to,” explaining that, “the biggest concern argued by security experts is that once the key to such a backdoor is created, it will be impossible to control who is able to get their hands on it.”
Also commenting on the phone hacking powers, Erka Koivunen, security advisor at F-Secure and expert witness to the Joint Committee scrutinising the Investigatory Powers Bill, told SC, “Let us be clear on the British Government's intentions and the consequences of those actions. ‘Equipment interference’ is hacking. There is a reason there is a very large security industry dedicated to protecting businesses and their digital assets – because hacking damages businesses. Hacked companies are not the security services' target though – they are a stepping stone to the ultimate target. One imagines that it did little to ease Stellar's, Gemalto's or Belgacom's pain to learn that GCHQ had breached their security in an effort to spy on their customers.”
“No company wants their own government or government of a friendly partner to break into their systems or undermine the security of their services. We would encourage the Government to pause and consider the implications of its intentions before it irreparably damages British businesses.”