Photo: JIM WILSON, NYT
It has been six months since the Justice Department backed off on demands that Apple help the FBI break the security of a locked iPhone.
But the government has not given up the fight with the tech industry. Open Whisper Systems, a San Francisco maker of a widely used encryption app called Signal, received a subpoena in the first half of the year for subscriber information and other details associated with two phone numbers that came up in a federal grand jury investigation in Virginia.
The subpoena arrived with a court order that said Open Whisper Systems was not allowed to tell anyone about the information request for one year.
Technology companies contend that court-imposed gag orders are being used too often by law enforcement and that they violate the Bill of Rights. The companies also complain that law enforcement officials are casting a wide net over online communications — often too wide — in their investigations.
Justice Department officials argue that these gag orders are necessary to protect developing cases and to avoid tipping off potential targets. The officials say that they are simply following leads where they take them.
The Justice Department declined to comment on the case.
The information request made of Open Whisper Systems is particularly sensitive, since its encryption app is used around the world, and it is often recommended to journalists and human rights activists.
Microsoft sued the Justice Department over the gag order practice in April, arguing that law enforcement was relying on these orders too often. Specifically, the software giant said the gag orders violate the Fourth Amendment right of its customers to know if the government searches or seizes their property and also the company’s First Amendment right to speak to its customers.
Microsoft also complained that the orders often came without time limits, unlike the Open Whisper Systems order. Dozens of other technology, media and civil liberties groups filed briefs supporting Microsoft last month, and the case is pending.
Part of the gag order on Open Whisper Systems was lifted after a court challenge by the American Civil Liberties Union, and redacted versions of documents related to the information request were made public last week. But the company was still not allowed to tell specific account holders about the investigation.
The documents made public show that the government asked Open Whisper Systems to turn over data associated with two telephone numbers, including Web browsing histories and data stored in the tracking cookies of the Web browsers attached to those accounts. But one of Signal’s biggest draws is that it does not collect most of that information.
“The Signal service was designed to minimize the data we retain,” said Moxie Marlinspike, the founder of Open Whisper Systems. Marlinspike said Signal uses a technology called end-to-end encryption that keeps the service from gaining access to the contents of its users’ messages. The company also does not store information on those with whom its users are communicating.
Civil liberties lawyers argue that the Justice Department request fell well outside the bounds of what is typically covered by a subpoena, including basic subscriber information. Additional information, such as computer logs or content, would require a search warrant under the 1986 Electronic Communications Privacy Act.
“The Justice Department is pushing the envelope,” said Jennifer Granick, director of civil liberties at the Stanford Law School Center for Internet and Society. Big companies like Apple and Microsoft have the wherewithal to push back, she said. But smaller companies may cave, rather than risk an expensive fight.
The Justice Department came to Open Whisper with a menu of information needs, including subscriber details, addresses, telephone numbers, email addresses and method of payment. The request went on to demand information on Internet addresses, browsers and Internet providers that the account holders could have used, according to court records.
One of the phone numbers the government was investigating was not a Signal user after all. For the other phone number, Open Whisper turned over the only pieces of data it could: the time the user’s account had been created and the last time it had connected to the service — far less than the government sought.
In other circumstances, the government has tried to force companies via court order to re-engineer their services to collect missing pieces of information, as it did with Apple earlier this year and in a similar case in 2013 against Lavabit, a small encrypted-messaging service used by former defense contractor Edward Snowden. The government did not make that request of Open Whisper Systems.
“They need to pick those cases carefully,” Granick said. “They are only picking cases where they think they’re going to have the people on their side.”
Companies are having some success in getting courts to lift gag orders. Last year, Nicholas Merrill, the owner of a now-defunct Internet service provider, got a gag order lifted, though it took more than a decade. After the court decision in Merrill’s case, a federal judge in New York denied gag orders in more than a dozen cases related to Facebook subpoenas in May. And in June, Yahoo got a court to lift gag orders on a number of law enforcement information requests.
“Gag orders should be used in exceptional cases,” said Brett Kaufman, the staff attorney with the ACLU who represented Open Whisper Systems. “This one demonstrates that the exception has become the rule in routine proceedings.”