ZwillGen Attorneys Comment on Non-Disclosure Litigation

Published On February 3, 2015 | By Abby Liebeskind and Marc Zwillinger | General, Litigation

Twitter Inc.’s declaratory-judgment action against the U.S. Department of Justice is the latest salvo brought by protransparency service providers seeking to publish more information about the secret government demands for user data they receive pursuant to national security and foreign intelligence authorities. Through this litigation, Twitter is seeking permission to publish a transparency report with the exact number of surveillance demands it receives, rather than disclosing within the pre-approved ranges that the DOJ has recently authorized.

It has been popularly reported that Twitter is also seeking permission to publish what has become known as a “warrant canary,” or an affirmative announcement that it has not been served with a particular type of demand, like an order under the Foreign Intelligence Surveillance Act (FISA). An announcement would presumably be removed if or when Twitter were served with such an order in the future.

But the case is not really about the lawfulness of a warrant canary, because no restrictions on speech can be imposed when a provider has not received an order containing a nondisclosure provision, and there is no indication that the government is attempting to suppress such disclosures.

Instead, the case is about whether the individual nondisclosure provisions included in FISA orders or national security letters prevent the recipient service providers from reporting on the total or aggregate quantities and types of lawful requests it receives from the government.

Twitter’s efforts to inform its users about government requests for data are commendable, but Twitter may not fully prevail in this suit, which is much like the prior lawsuits brought by providers in the Foreign Intelligence Surveillance Court (FISC) in the summer of 2013. However, this case was brought in federal district court, rather than the FISC, and it challenges the nondisclosure provisions of national security letters as well as FISA orders.

In the prior case, several electronic communications service providers, including Facebook Inc., Google Inc., LinkedIn Corp., Microsoft Corp. and Yahoo! Inc. raised similar arguments that the nondisclosure provisions in FISA orders either did not prohibit the disclosure of aggregate numbers, or that such provisions were unconstitutional.

Rather than test this proposition in litigation, just before last year’s State of the Union address, the government revised its position. It clarified that providers that disclosed information about the orders they had received in newly approved ranges — 0-250 (for all types of legal process lumped together), or from 0-1,000 (for individual types of process) — would not be alleged to have violated the nondisclosure provisions of the orders.

This shift in DOJ policy was accompanied by a letter from the deputy attorney general, known as the “DAG letter,” to the providers that had filed suit. The change embodied in the DAG letter was merely a statement of the government’s position — it had no force of law as actual rulemaking, except to bar the government from taking a contrary position later. But it is the restrictions allegedly imposed by this letter that Twitter is challenging.

The providers involved in the FISC suit had accepted the new ranges as sufficient to allow them to communicate what they wanted — namely, that the amount of national security process they received and responded to was relatively small. These companies have since published transparency reports following the approved format and dropped their cases. The end of the FISC litigation indicated that the companies were at least temporarily satisfied by the balance struck between informing their users and the government’s national security interest in maintaining a level of secrecy, but not that the new DOJ position correctly stated the law.

Twitter’s suit picks up where the prior case left off, by challenging the government’s new position as still incorrectly describing the limits of what a provider can say under the law. And Twitter is correct in at least one respect. Even though the ranges the government “approved” start with zero, there is no authority that could prohibit Twitter from accurately publishing a warrant canary. Indeed, Twitter’s complaint notes that since the DAG letter was published, other providers have “disclosed either that they have never received any FISA orders or National Security Letters, or any of a certain kind of FISA order.” Twitter could make a similar disclosure without any sort of approval. But it is using the warrant-canary argument to point out why the DAG letter ranges are inherently flawed.

THE REAL LEGAL ISSUE

Notwithstanding this rhetoric, the real legal issue boils down to a simple question: Are the nondisclosure provisions of particular FISA orders violated if a company discloses how many orders it has received in a given time? The most direct way to answer this question is for Twitter to make the planned disclosures and let the government decide whether and how to press its case. But the consequences of a finding that such disclosures were unlawful may be too risky, especially for the people who have signed individual nondisclosure agreements to obtain their security clearances, and whose liberty and professions could be put in jeopardy as a result. Thus, the litigation is an attempt to resolve that question without taking on any risk.

The lawsuit, however, is unlikely to resolve the issue because of the significant procedural hurdles it faces in its present posture, for some of the reasons the government recently raised in its motion to dismiss. The DAG letter does not have the force of rulemaking and likely cannot be directly challenged under the Administrative Procedure Act. And as to the nondisclosure provisions contained in FISA orders, the FISC may be deemed to be the only court that can hear that claim.

As a result, despite Twitter’s efforts, the substantive legal questions may well remain unanswered after this litigation. Until a provider risks an enforcement action by publishing aggregate numbers outside of the approved format, there may be no effective mechanism to resolve the remaining legal uncertainty about precise aggregate reporting.

Originally published in The National Law Journal on Feb. 2, 2015

About The Authors

Abby’s practice focuses on the legal issues that companies face related to user data and the obligations that arise under ECPA, FISA, the DMCA, and similar foreign laws; she also has experience with child exploitation matters. She frequently advises clients on how to respond to requests for user data or electronic surveillance from domestic and foreign law enforcement, as well as content take-down requests and third party requests in civil litigation. Abby also assists clients as they establish law enforcement compliance programs and transparency reporting.

Marc is the founder and managing member of ZwillGen PLLC and has been regularly providing advice and counsel on issues related to the increasingly complex laws governing Internet practices, including issues related to Electronic Communications Privacy Act (“ECPA”), the Wiretap and Communication Acts, privacy, CAN-SPAM, FISA, spyware, adware, Internet gambling and adult-oriented content. He also helps Internet Service Providers and other clients comply with their compliance obligations pertaining to the discovery and disclosure of customer and subscriber information.

Comments