Highest Rated Comments


NickCalyx (465 karma)

I am not 100% sure of the penalty part, the ACLU people are digging into the law to figure out the precise answer. I thought it was a 5 year prison term, in the amended version of the NSL statute. What was really scary to me when I got the NSL was that the law (the Patriot Act) didn't specify what the penalty was, and I assumed the worst, which was being dragged away in the middle of the night and perhaps being taken to Guantanamo.

As far as what NSLs usually seek to uncover, they typically are looking for metadata and/or subscriber information. This is the TL/DR version: What information the FBI demanded of me with an NSL in 2004

So, in the case of an ISP, they would hope that the ISP runs a web proxy cache that would have a log of every website that the user visits, posts to, etc. The times and dates the user is online, and geolocation data. Possibly a lot more about a lot more types of protocols (file sharing, VOIP, Skype, XMPP, you name it), if the ISP maintained extensive Netflow data.

Or in the case of a service like Reddit, they might want to know who was communicating with who via private messages, or times and dates of access, or the date a particular username signed up.

In the case of an email provider like gmail, they might be looking for the entire list of emails that the user corresponded with, including dates, times, message lengths, etc.

Essentially the types of data that the government can get with an NSL paint a very vivid picture of a person's first amendment protected online activities and associations, without even showing any probable cause that a crime had occurred or was likely to occur.

NickCalyx (298 karma)

Hey all, Nick Merrill from The Calyx Institute here - we are a member of the coalition as well, and I'm happy to be here and to take part in this!

NickCalyx (241 karma)

Hi, this is Nick Merrill from The Calyx Institute. Because of everything I have learned over the past 12 years, I am not especially shocked that this has (allegedly) happened. After I sued the Department of Justice over the constitutionality of NSLs in 2004, the DoJ's inspector general released a report detailing FBI's use of NSLs. In that report they looked at the years 2003-2006 if I recall correctly. And in that time period, the FBI had issued something like 192,000 NSLs. If you do some quick math, that's getting close to one NSL per 1000 Americans. But then when you realize that some of the NSLs that DoJ's inspector general looked at got a list of everyone that visited Las Vegas over New Year's Eve one year, or the phone records of over 11,000 people, it might be one NSL per 500 people or one NSL per 100 people. It's hard to know the full extent due to the overbearing use of secrecy and gag orders.

And, FBI has continued to issue tens of thousands of NSLs every year since. And that's not even counting what we learned through the Snowden revelations. So we know that warrantless surveillance is widespread. But the big change here is that companies are resisting, en masse. Apple has been very public with it. Google and Twitter have also been doing a lot of work behind the scenes.

One of the projects that my organization, The Calyx Institute, has been working on is a project called Canary Watch where we track all the known warrant canaries set up by websites and online service providers. When we started there were only around a half dozen known warrant canaries. Now, due to growing awareness and the change in political climate, there are about 50, and we have a backlog of dozens more that we need to add.

I guess the TL/DR version of my answer is "more hopeful" because service providers are realizing that it's good for business for them to stand up for the rights of their users.

NickCalyx (203 karma)

I would say any time you have personal information belonging to somebody else, you are now acting as a steward of someone's data and you should consider setting up a warrant canary.

One of the subprojects that we want to do with Canarywatch is help define a legal standard for warrant canaries. We have applied for funding for this project in the past but not been successful at finding someone to subsidize getting a technical writer and lawyer to work through this for a few months. If anyone can help us find funding for this please let me know.

There is no such open standard at this point, which makes it difficult for organizations to deploy canaries since they have to essentially reinvent the wheel, and it also makes it difficult for us to maintain the Canarywatch site since for each canary we add, we need to write custom code to try to scrape the canary and identify changes while minimizing false positives.

In the meantime, The Intercept wrote a piece of free software to automate setting up your own canary that you might want to have a look at.

NickCalyx (194 karma)

Thanks, well that is a difficult question to answer. The time and productivity would be impossible to calculate. As you can imagine, it was extremely disruptive to both my personal and professional life. However, if it were possible to calculate, it would probably add up to quite a large number. As far as actual money, I didn't have to spend any money on the legal case because the government had to pay my legal bills since it lost.

(edit) The real question, it seems to me, is how much it would have cost me - ethically and in terms of my sense of self - if I hadn't done something.