CREDO and Cloudflare argue against national security letter gag orders

Earlier this week, the FBI finally allowed Cloudflare and CREDO Mobile to identify themselves as recipients of national security letters, which allow the agency to secretly order tech companies to hand over customer data. (The FBI initially allowed Cloudflare and CREDO to disclose some but not all of their NSLs; TechCrunch reported in January the two companies had received additional NSLs and were gagged from discussing them.)

This means CREDO and Cloudflare can admit for the first time that they are the companies behind one of the longest-running legal challenges against NSL gag orders. Their case, which was argued at the 9th Circuit Court of Appeals yesterday, is officially renamed “CREDO & Cloudflare v. Jefferson Sessions” rather than “Under Seal v. Jefferson Sessions” and if Cloudflare and CREDO prevail, it could have a massive impact on the FBI’s use of the secret orders and the gag orders that accompany them.

But even though the companies can now admit they received these secret requests, Cloudflare and CREDO are still arguing in the 9th Circuit that the years-long gag orders preventing them from discussing the NSLs violate their right to free speech. The claim is a bit threadbare now that the gag orders are mostly lifted — Judge Sandra Ikuta opened yesterday’s hearing by asking if the entire case is now moot — but the two firms say the case must continue because they’re still gagged from discussing some of the details of the NSLs, like the identity of the subscriber whose data was requested.

The FBI, on the other hand, says that most companies are perfectly happy to keep the NSLs they receive secret. “Most of the entities that receive NSLs do not have this interest in publicly speaking,” Justice Department senior counsel Lewis Yelin said.

This claim seems bananas to me. Set aside the ideological contortions that go into arguing that someone doesn’t enjoy free speech protections because other people don’t want to discuss the same topic, and you still have to confront the fact that every major tech company publishes a transparency report detailing the kinds of requests they receive from law enforcement. Even Slack put out a transparency report, although they only had one government request to disclose.

When the FBI does allow companies to discuss their NSLs, the companies often go back and add them in to previous transparency reports. All of this transparency reporting seems to indicate that companies very much want to talk about the NSLs they receive.

Here’s some stuff that major tech firms have said about NSLs recently:

  • Yahoo: “We believe there is value in making these documents available to the public to promote an informed discussion about the legal authorities available to law enforcement.”
  • Google: “We have fought for the right to be transparent about our receipt of NSLs. This includes working with the government to publish statistics about NSLs we’ve received, successfully fighting NSL gag provisions in court, and leading the effort to ensure that Internet companies can be more transparent with users about the volume and scope of national security demands that we receive.”
  • Twitter: “Twitter remains unsatisfied with restrictions on our right to speak more freely about national security requests we may receive. We would like a meaningful opportunity to challenge government restrictions when ‘classification’ prevents speech on issues of public importance.”
  • Facebook: “We’ll also keep working with partners in industry and civil society to push governments around the world to reform surveillance in a way that protects their citizens’ safety and security while respecting their rights and freedoms.”

You get the idea.

I asked Yelin about his argument after yesterday’s hearing and he very politely referred me to DoJ’s press office (seriously, it was one of the nicest “no comments” I’ve ever received) which has not yet responded to a request for comment.

“The FBI issues tens of thousands of national security letters every year and receives very few requests for disclosure,” Yelin argued in court. “Not all recipients of national security letters wish to disclose the national security letters.”

I also asked Cloudflare and CREDO’s lawyer, Andrew Crocker of the Electronic Frontier Foundation, and he offered a theory about what the government’s position might be: Because not many companies challenge the gag orders in court, the government can argue that companies don’t mind being gagged.

“It allows the government to make the argument that companies don’t want to talk about it, because where are all the companies filing lawsuits? But the reason there aren’t these lawsuits being filed is it’s very costly to file a lawsuit, it’s intimidating to stand up to the FBI,” Crocker said. “You shouldn’t have to stand up to the FBI. When the government wants to gag you, the government should have to justify that gag order. I don’t think it’s a legally proper argument to say we can assume they don’t want to talk if they don’t exhibit a desire to speak.”

We’ll see if the 9th Circuit agrees.