> "we are not even allowed to say if we've received zero of these reports—we can only report information about these types of requests in broad ranges"
Interesting. What are they really telling us with that range? Could they not get away with saying "1–249"?
Edit: Never mind. The document they cite[0] clears it up.
This confuses me too. I am allowed (as a private citizen or company who has never had an interaction with the feds) to say that I've had zero reports/requests like this right? Or is just uttering that a federal crime (did I just fuck up by saying that?)
It would seem that it's perhaps illegal to say anything once you've gotten at least one of them, and they tell you that you can't do this anymore right?
Nope. Starting in 2013 the government agreed providers could report aggregates of official requests for customer data (including NSLs) in bands of 1000. In 2014 the agreement[0] was altered to provide two options:
* fine-grained categorisation, large bulk: separately report the numbers of NSLs, customers affected by NSLs, content FISA, customers affected by content FISA, non-content FISA and customers affected by non-content FISA, in bands of 1000 (for each category) starting from 0-999 inclusive
* coarse-grained categorisation, finer bulk: report only the aggregate number of FISA and NSL orders and the number of customers affected by that aggregate, but do so in bands of 250 (starting from 0-249 inclusive)
So "0-249" means "between 0 and 249"; they're not allowed to be more precise at this point.
I believe this is what the security canary used to be that companies would use to skirt the rules until the rules were changed. It used to be that you couldn't say how many you received but you could say you hadn't received any. Now you aren't even allowed to say that.
No, nothing has changed on that front. If you have not received any National Security Letters, it is legal for you to say "I have never received an NSL" (as other commenters have suggested). Warrant canaries rely on the idea that it is much more legally difficult to compel speech than to restrict it. There is no (non-secret) case law indicating that an NSL recipient could be compelled to lie and include the warrant canary paragraph in a future transparency report, while there is case law indicating that NSL recipients can be prevented from actively disclosing the letter (gag orders are fairly well-established in particular aspects of our legal system).
The reason why warrant canaries are binary is that once an NSL has been issued, the case law that the parent commenter linked comes into play: companies may only indicate in buckets how many they have received (0-249, 250-499, etc). So you couldn't have your warrant canary say "I have never received more than 3 NSLs" then "I have never received more than 5 NSLs" etc.
If I understand your scenario, the problem is that you would have to remove all the canaries as soon as you receive your first NSL. As soon as you receive an NSL, you may only disclose the number of NSLs you have received in the buckets I mentioned above, so you would not be able to say "we have not received more than 50/100 requests;" you would only be able to say "we have received 0-249 requests." So the canary still only works to tell people that you have never received an NSL.
But I think the "novelty" in his scheme is that he has separate canaries for different time periods -- so it may not be helpful in letting users know the number of requests received, but it would allow them to know when they had been received.
Assume he had a scheme that just said the following:
We have received no NSL letters in Jan 2016
We have received no NSL letters in Feb 2016
We have received between 0 and 249 NSL letters in March 2016
We have received no NSL letters in Apr 2016
Oh, well that scheme wouldn't be legal for a few reasons: once you receive an NSL you aren't allowed to say you've received 0 NSLs in a given time period (you can only report in 0-249 buckets so you couldn't say "We have received no NSLs in Jan 2016") and the granularity with which you can report (on my read of the document: [1]) is per year or per six months depending on which option you choose (so you couldn't say "We have received 0-249 NSLs in March 2016", just "We have received 0-249 NSLs in 2016").
The only reason the canary "works" is as a binary option - if you say "We have never received an NSL" up until you receive one, the government cannot compel you to continue including that line in your report, because that would be compelled speech which is legally difficult and (as far as anyone knows) hasn't been attempted. But anything you say beyond that related to the quantity or existence of NSLs is subject to the linked guidelines. In other words, they cannot force you to continue including a paragraph (the canary) in your report, but they CAN regulate anything you do choose to include in your report.
Hmm that's really interesting. I guess I just wondered if somehow there was a case for trying to really stretch that idea of not being able to "compel" speech to its fullest limits by simply issuing separate canaries for different time periods, then simply removing it for the time period in question. By the logic you present, you still have a binary option -- you just restrict its scope. But I guess what would happen in this case is those separate "scopes" that I tried to create would simply all collapse into one, following the per-year/six-month option you cited above.
So even if before I received any letter I'd tried to be clever and just said: "No NSL letters in March, No NSL letters in April.... etc.", if I ended up receiving one during that time period at all, all of those WOULD HAVE to collapse to "We have received 0-249 letters in the first semester of 2016 (or 2016 altogether)"
> So even if before I received any letter I'd tried to be clever and just said: "No NSL letters in March, No NSL letters in April.... etc.", if I ended up receiving one during that time period at all, all of those WOULD HAVE to collapse to "We have received 0-249 letters in the first semester of 2016 (or 2016 altogether)"
Sort of. There's also a required 6 month delay. So if you received an NSL today, but had "No NSLs in Jan", "No NSLs in Feb", "No NSLs in Mar", etc., you would need to remove all those and could not report the 0-249 number until 2017.
Twelve canaries with different colors representing each of the months. Remove the canaries where the color corresponds with the month. Make absolutely no claims beforehand as to what the colored canaries represent - people should be able to figure it out (3 green, 3 red, 3 brown, 3 blue: take a guess?)
You are saying nothing at all. Just adding/removing images on a page called /canary/
IANAL, but I'd be interested how the above would be illegal.
They would contend that this is just a wink-and-a-nod way of providing the information you aren't allowed to provide. It doesn't matter if you disclose the information in English, French, or binary, it's still illegal. If you have it in a page called /canary/ and it obviously corresponds with NSLs you'd be in some hot water.
People tend to assume the court system is like a machine when it's very human at its core. A judge isn't going to say "well you technically didn't reveal any info so you're kosher," a judge is going to be pissed that you decided to low-key defy his/her order.
AFAIK, even a binary "canary" has been untested in court and might not even stand on its own (yet many companies have one).
There are countless loopholes in various legal systems across the world that "get a pass". It's often a matter of finding the right loopholes.
One example is gambling in Japan. Illegal. But if you play at a pachinko slot for a chance to win some tokens you can go next door and there is a business that will buy the tokens from you! It really is convenient someone is willing to buy these otherwise useless tokens. :)
I'm sure if I put some thought into it I could find a few more loopholes that are a "wink and a nod" away from being illegal. Of course, my suggestion might be too blatant and the company would be dragged to the courts. But even a single canary could still warrant being dragged to court over.
This is true, but there's a core fundamental issue. There has never been any legal support for the idea that the government can compel speech (such as forcing the continued false inclusion of a "binary" canary). There is a clear basis of support for the idea that the government can regulate speech, whether it's English or cryptic colored circles. So trying to speak (publish canary info) in any sort of cryptic way will still always be more risky than choosing not to speak (omit your canary). The government could always drag you to court over anything, but you still want to keep them at the downhill end of the battle.
There might be a case for it; the whole gag order regime is pretty sketchy constitutionally if you ask me (not a lawyer). You could violate the law, go to court, spend lots on lawyers, and maybe win eventually. The cost of losing would be high to your company; heck, the cost of winning would be pretty high too. Few companies are interested in taking on this risk.
How does that work then? If I were American (I'm not) is it illegal for me to simply say or publish the sentence "I have received no National Security Orders"?
Presumably not. But it is illegal for you to say "I have received one National Security Order this year".
Hence warrant canaries: they basically consist of creating a strong expectation of a (permitted) negative statement, such that its absence will be noticed. So far it's believed that you can't be compelled to maintain a no-longer-accurate canary against your will.
edit: Wait, I see what you're referring to. [citation needed], because as far as I know warrant canaries remain legal.
Holy shit. People in the land of the free discussing what they are legally allowed to say. Such tricks sound like stories from Soviet Russia that still linger around.
I still don't grok the dos and don'ts of NSLs and canaries, but that document establishes the origin of the range 0–249, which is expressly permitted. See also: https://canarywatch.org/faq.html
I suspect they would not be using the 0–249 band if they were not gagged by a previous order. My uninformed interpretation is that they have received an NSL or FISA order, but not necessarily in 2015. So the 2015 number might be zero after all.
Maybe someone more informed could confirm or debunk this interpretation.
Since nobody else has mentioned it, let me just point out that it's really great that GitHub is taking the time to compile and publish this kind of information.
Contact your Senator/Representative if you don't want that to happen. Even though a similar amendment failed in the Senate last week, it was a close call.
Also, next there they are supposed to vote on the renewal of the FISA Amendments Act, and I'm sure they'll try to further expand their spying powers some more then, too.
As a former TA, I can say that finding out if a student completed a project/exercise on their own is _very_ easy. Poking around the code asking questions for around 2 minutes is largely enough. Instead of DMCA-ing github repos, I find it way more effective to have a five minute talk about what is "cheating" and what is not at the beginning of the semester. Collaborative brainstorming is encouraged, helping struggling others is fine, giving them solutions is not (because you're just stealing their reward).
After a while they would eventually stop looking up solutions and just ask their peers for some advice/code review. My job became surprisingly easy when I started treating students like adults.
Can't one just write new assignments each year? Of course the students will share the answers. These ones are just sharing the answers publicly. You can DMCA all the public repos but there will still be groups of students who pass the answers on to next year's class.
In fact, I'd argue that in the case of the solutions being shared publicly, at least everyone can benefit equally instead of only those who are part of the clique doing the sharing.
The only real answer is to either write new assignments each year, OR, simply assume that all students will have the solutions to the assignments.
A good way to tell if students are really doing the homework is to have a 10 minute homework quiz in class where the students answer a question very similar to a homework problem. Those who have truly done the homework will be done quickly and those who haven't will struggle mightily.
Can you DMCA a student's repo for hosting their own solution to a coding exercise? In programming books, when the exercise is often closely related to the sample code submitted (e.g. "Exercise 3.2. Rewrite the above sample to use a for loop instead of a while loop"), I imagine a large number of independently-derived solutions might look very similar.
Yes, kinda. At least UIUC did that to students who had libraries from the coding exercises.
For example, the cs225 course provides an image processing library, and you need it for the assignment, so if you put the library in the repo they DMCA'd.
Similarly, many courses give you a framework of code. If you filled in the framework they would DMCA.
They did this a bit, but there was a pretty massive backlash. I don't think they are doing it atm.
I'm not 100% sure. I do know that sets of questions are able to be DMCAed, so solutions to problem sets are likely to fall under that, though IANAL. I have worked for a company that took down answers to such questions in response to a DMCA. Our lawyer pointed out a specific clause that made it risky. In almost any DMCA case, there is some set of case law that backs up one side or the other, and all you're doing is deciding whether you think the content is valuable enough to go to court over to protect. It's usually not worth going to court over :/
To be really tested, it'd have to go to court.
I noticed when searching a lot of solutions were still up for this course, so maybe the solutions alone are OK, and it's only the base code being DMCAed. That said, there is a lot of base code still up too, so it's likely that this person just hasn't come around on their whack-a-mole cycle yet.
That's interesting. I can understand a professor wanting to control access to the starter code they provide to students, mostly to prevent cheating, but I've never heard of it coming with an explicit license. I know a few of my former UCSC classmates have school projects up on GitHub and haven't gotten any grief about it.
Speaking from experience, it may not be a professor's concerns. Campus administration occasionally runs amok and specifies licensing and IP standards for individual courses out of fear of lawsuits, producing all sorts of weird results like this.
Yeah, I am pretty sympathetic to the instructor (a license is a license after all!), but at the same time wonder if the starter code and subsequent exercises being open makes the course too easy, and/or harder for the professor to grade aptitude, it may be a problem with the course itself.
I'm not sure what the point of grading aptitude in intro courses even is, though? Either you learn the material or you don't; in the case of the latter, you are going to really struggle in upper level courses.
In which case the department would much rather have your lack of learning cause you to fail the lower division course, so you either retake the course and learn the material or switch to a different field of study.
I don't get why employees don't leak the real stats anonymously. Perhaps companies should not try so hard to compartmentalize this information - trust 40 or 50 key people, enough to spread suspicion and enable plausible deniability.
When a law is clearly unethical, don't work so hard to abide by it.
The government could easily prevent that by punishing the company whenever there is a leak, instead of trying to punish the specific person. This may be what they do already.
If any GitHub folks are watching this thread: please sue the government for the right to disclose the number of NSLs you've received, or better yet to have NSLs declared unconstitutional in general.
Twitter's already suing the federal government for the right to disclose NSLs. In March, their lawsuit was dismissed. However, the EFF is still working on it...
Among other things, someone sent 20 requests for removal of their fonts (each request contained numerous files), and JetBrains requested the removal of ~500 product keys from across GH.
It looks like JetBrains got a whole lot of keygens removed, plus one poor person's Hadoop demo code (which happened to have a filename of keygen.java).
[0] https://www.justice.gov/iso/opa/resources/422201412716042240...