Maybe a better question is how to prepare in advance. You can design your systems to avoid retaining user data. Or you can do business from a jurisdiction that doesn't recognize NSLs. Or perhaps from an unknown jurisdiction.
Yes, it's certainly not a viable option for mass-market business. But there are niches where such OPSEC is standard practice. Some, such as drugs and arms dealing, were huge well before Bitcoin. Also hosting services for spam and botnets.
What Silk Road and Bitcoin demonstrated is the huge popularity of dark markets for retail drug sales. With product authenticity and seller reliability attested through customer reviews. And without risk of meatspace violence (except if busted, of course).
And sure, that stuff is still widely illegal. However, when laws are ignored by substantial minorities, their legitimacy becomes questionable. African Americans didn't end segregation in the US through petitioning legislatures. They broke the laws, creating a crisis, and forcing the federal government to act. Lesbian and gay activists did much the same, at least initially.
Given that even payment processors like Stripe are removing it because the verification time is too long, it is sadly not a satisfying solution in any way.
Also, again, good luck getting any b2b when you tell them they need to pay in bitcoin only.
Stripe removed it primarily because they got almost no adoption (most merchants I know using stripe weren’t even aware they offered it; merchants had to opt in).
Verification times are clearly an engineering problem, not a fundamental issue. Long-term solutions are currently under experimentation (lightning, DAG currencies, etc.)
Luckily that's no longer an issue now that interest has faded and the mempool has cleared. Also, reducing on-chain transactions (and thus keeping the mempool clear, on-chain fees low, and verification times low) is pretty much the main use case of the Lightning Network. The massive rise in fees and tx congestion was caused by the massive interest in BTC at the end of 2017. Something tells me if you are doing B2B in a shady jurisdiction, the companies you are doing work with would be more than willing to jump through hoops to deal exclusively in BTC.
Yes, that's been a benefit of the collapse in speculative interest. Now transactions are affordable again. And regardless of Bitcoin's eventual fate, I'm rather confident that something like it or better will be available ongoingly.
Not necessarily. One can earn cryptocurrencies. That's especially so for coders and such. But yes, conversion with "real money" is problematic.
For small amounts, meatspace trades are doable using LocalBitcoins.com etc. For huge amounts, I suspect that expert assistance is available. It's the middle ground that's nontrivial.
I'm interested to see if the US is able to do anything to Bitfinex now as a litmus test to see how wide their reach is in 2018. As far as I know they have zero US presence, and don't offer services to US customers.
BTC-e went down hard for example. But they had some much more obvious links with criminal enterprise.
Although even if it is possible to stay outside of the reach of the US, losing access to the international banking system is quite the handicap for any business.
The NSA has made direct targeted attacks at US companies in the past. Just look at Google, they got NSLs and had to cooperate with PRISM yet at the same time the NSA still dug up their fiber and tapped it.
With the NSA's twisted logic that a search is not a search unless it matches, and that it's fine to search data so long as there's a chance it involves a non-US citizen, I think jurisdiction is largely irrelevant for attacks other than the necessity of one, seeing as the NSA has access to a secret court that has a history of never siding against them.
I'd view eliminating tyrannical government orders as a plus.
Indeed. The NSA has also intercepted device shipments, in order to install backdoors. And some US firms have resorted to shipping through more-or-less anonymous intermediaries to circumvent that.
For someone outside the USA, a targeted attack by the NSA is no different than a targeted attack by anyone else. They are breaking the law, and you are allowed and supposed to defend against them. If you are within the USA, however, they can use things like these National Security Letters which you are not allowed to go against.
This is incorrect for a few reasons: you can certainly defend against NSLs, even those that you can't defend against are targeted (see the ones Twilio received), they're from the FBI and not the NSA, and as hackers the NSA is more skilled and more well-funded than most other attackers you're defending against.
Most countries will happily throw anyone under the bus if the US intelligence services ask them to. Besides, if you're doing something the NSA doesn't like, local law enforcement probably won't like it either.
Most countries, yes. But some countries, clearly no. Snowden is still in Russia, for example. And China typically doesn't cooperate with the NSA and its friends.
Right. They pretty much do whatever they want, and lie as necessary to frustrate oversight, and protect operational methods. They are, after all, a branch of the military.
Right, that's why Lavabit shut down. And that's why ProtonMail operates from Switzerland, and CounterMail from Sweden. But the best hardcore option is not being vulnerable to coercion.
Astounded that this doesn’t say ‘immediately call the legal team, and do not say anything’. Does Twilio’s employee handbook also include ‘a developer’s guide to Defusing bombs’ and ‘a developer’s guide to performing open heart surgery’?
Well, since our honest feedback, they added a footnote: “Please note that these best practices do not constitute legal advice. You should consult an attorney if you have any questions in how to respond to requests for information from government agencies. For example, even with the nondisclosure requirement, National Security Letters expressly permit the recipient to consult ‘an attorney to obtain legal advice or legal assistance with respect to this letter.’”
>In the National Security Letter dated May 19, 2017, the US Department of Justice withdrew the request entirely rather than proceed with judicial review.
if the DOJ would rather not get any information at all rather than have their request for information scrutinized by a court, there is something seriously wrong with the national security letter process. people who have had a pulse in recent years will chime in that there are many other problems with the NSL process.
but this one is a bit different, because it shows that the FBI is explicitly avoiding the rule of law as a policy. aren't they the ones responsible for upholding the rule of law as part of the department of justice? why yes, yes they are. they have dirt to hide, and they are not good at deflecting guilt. they know they can consistently over-reach with these NSLs to violate the rights of companies and individuals. so they do it.
this behavior implies ongoing abuse that they would rather have covered up than accomplish their agency's goals, even if those goals are wrong.
i guess my solution would be to clean house. fire people (and revoke security clearance) starting at the top and work your way down while promoting people who weren't abusers. at the same time, start firing from the bottom, targeting those who complied with bad orders from above. replace them with new recruits who can be trained to have their heart in the right place. the agency is back to citizen-friendly operating order within 5 years or so. a blink of the eye in the timeline of the twilight years of a former empire.
IMHO, an NDA should always be limited in time. I am pretty sure Twilio would not request a judicial review for an NDA lasting a couple of weeks. For an NDA lasting more than a year, a judicial review seems justified. Avoiding judicial review may be a good motivation for the FBI to use shorter NDAs. This would benefit transparency.
The "A" in NDA stands for "agreement", but NSLs are not jointly agreed upon: they are the one-sided assertion of the government's authority.
Not disagreeing with the idea that there aren't a variety of reforms that seem mutually beneficial, such as shorter timeframes, just noting that they are not equivalent to NDAs.
Do not deal with it yourself. It's cool to read about how a company (with a team of legals) can respond to the letter. "A Developer's Guide" is not the same as "A Company's Guide". "A [d]eveloper" is an individual, not an organization entity.
I was surprised to see this post never mention the terms “lawyer” or “general counsel.” If you are a developer at a company and receive an NSL, it’s a company legal matter. Do not address it yourself. It would be prudent to also ask your own lawyer for advice around what you should and should not do, on your own volition or at the company’s direction. If you are personally served an NSL, absolutely retain a lawyer.
OK, but as an individual you are extremely unlikely to receive such a request. You are probably only going to see an NSL if you are working for a company that stores or processes user data.
Of course if you're an individual dev, and you host your project in the cloud, then the cloud provider may get served with an NSL that covers your users, without you even learning this happened (unless the company, like Twilio, has a really well-thought-out process for dealing with these and is willing to negotiate them a bit where the law permits).
Sure, I agree with you. But the title appears to advise what developers should do. It doesn't even address "how to verify the letter", and certainly doesn't seem to suggest seeking legal help. In the worst language, this blog post is only addressing what Twilio does, which is the standard procedure for a company to do anyway, and therefore the title is misleading and inaccurate. Anytime we find ourselves in trouble with law enforcement, please seek legal help.
Providing a template so one (individual or an organization) can talk to the FBI and whatnot is wrong because that's encouraging people NOT to seek help. This is not some insurance appeal letter. Your lawyer should know what to do, not you. If the NSL is accompanied with a gag order, the gag order will never prevent the recipient from seeking legal help.
There are very few lawyers who have any experience dealing with an NSL. Let's see, Marcia Hoffman, and... well, you could always try contacting Marcia Hoffman.
This post may be just as helpful, if not more so, to a lawyer than to a developer! But as a developer, I would think you would find some comfort using Twilio in the knowledge that they put a lot of thought into privacy. Like, maybe that is the real intent here, some pretty high-quality marketing -- not so much an instructional.
And as a secondary thing, any organization that has a spine when it comes to user privacy wants some company. If the industry as a whole gets behind a standard approach, then no one is going to get singled out for unwanted special attention.
Yes, and I think what you are providing is very helpful, and that was my point to Twilio: the author should provide more information on how to get help as an individual (or for any startup founders). This is a serious matter; downloading a template is really not helpful.
There's still a huge cloud of uncertainty around NSLs, to the point that many people seem uncertain about whether they can even disclose having received one to their counsel.
The letters Twilio has posted say, "In accordance with 18 U.S.C. § 2709(c)(2), you ... are prohibited from disclosing this letter or disclosing that the FBI has sought or obtained access to information, other than to those to whom disclosure is necessary to comply with the letter or to an attorney to obtain legal advice or legal assistance with respect to this letter."
Because whether or not we like it, the law is non-obvious to people who haven't studied it deeply, this is a particularly non-obvious area of the law, and you will be better off with an expert.
Same reason you want to find someone who knows C very well to review your security-sensitive C code. It would be nice if C didn't come with rules about undefined behavior that are surprising to people who haven't deeply studied C, but it does, and no amount of wishing it didn't will change the fact that you are inviting immense and needless risk by not finding an expert (or, if you'd prefer, spending years becoming one yourself, which you can certainly do if you have the luxury of years).
People need attorneys for DUIs, and often for less serious moving violations. So for NSLs, having an attorney is essential. There are two primary reasons. First, you want to comply only as legally required. And second, you want to avoid making mistakes that have criminal penalties.
Edit: Even if your firm has general counsel, it's not uncommon to hire outside attorneys for specific matters.
There's some confusion here about what "you" means. I can't imagine how an individual developer at some firm would receive an NSL individually. So it's the firm that would be deciding whether or not to hire outside counsel.
Because the government has at its disposal many legal tools of which an individual developer may not be properly equipped or knowledgeable enough to deal with.
Is there any forum in which the justifications used to diminish the impact of NSLs can be shared? It strikes me that one of the daunting aspects of objecting to NSLs is that precedents are not well-known. Is it legal to share any details about the circumstances under which nondisclosure, scope, or other impacts of NSLs have been reduced or removed from the DoJ's demands?
I wonder why a company which is at risk of getting such a letter and willing to inform their customer does not work in multiple jurisdictions.
Any unusual access to data in one country automatically informs customers (or triggers an alert), with this information being sourced from the other country.
This protects both the employees in the US (they did not say anything) and bypasses the letter requirements.
Congress shall make no law respecting an establishment of religion or prohibiting the free exercise thereof, or abridging the freedom of speech or of the press, or the right of the people peaceably to assemble and to petition the government for a redress of grievances.
Given that the above is the law of our land, how can a recipient of an NSL be barred from publishing it in its entirety or giving it to a news outlet to do so? "No law" is clear in both meaning and intent.
Even those judges that claim to follow a strict interpretation of the constitution as written (as opposed to the spirit) have recognized there are legitimate exceptions to the first amendment with regards to free speech, which include fighting words, obscenity, defamation (slander/libel), some court proceedings (gag orders), and national security concerns.
Most of these are fairly narrow. National security letters are generally the most questionable limitation, although their use has been clarified somewhat.
Just a guess: The constitution is interpreted by the Supreme Court, which decides about reasonable exceptions, for instance in the case of national security.