That's neither ethical nor transparent. And the guy writing that post is ex-FBI.
An ethical and transparent way to handle such subpoenas would include:
1. If possible, not being a US company so you might be able to avoid the subpoena in the first place.
2. Have a policy of not keeping user data at all, or keeping it with a third party that is not legally bound by US government subpoenas, so that it can't (?) be subpoenaed.
3. Publish any subpoena you get from the government.
4. Moreover, arrange it so that subpoenas are published before being read, so that if you get a National Security Letter, you would not be able to comply with the non-disclosure requirement. Another way to go about this may be to only open subpoenas in a public forum, preferably with journalists present. Try to consult ACLU/EFF lawyers about this particular issue.
5. If the government somehow gets its hands on user data, inform the users immediately.
>4. Moreover, arrange it so that subpoenas are published before being read, so that if you get a National Security Letter, you would not be able to comply with the non-disclosure requirement. Another way to go about this may be to only open subpoenas in a public forum, preferably with journalists present. Try to consult ACLU/EFF lawyers about this particular issue.
I can't imagine this working more than once, the government can just verbally inform you of the non-disclosure requirement when they deliver any future documents in person.
It working once is enough, provided you're the first person it occurred to.
In Jujitsu, that's the way it works. You create a new technique, or rediscover it, you get one free shot at Sensei, and then it doesn't work the same anymore.
Can you elaborate how you think a tool like this is neither ethical nor transparent? And why is it bad the writer is ex-FBI?
You appear to be passionate about the issue at hand, but your knowledge on this process seems to be limited.
1. Not being a US company doesn't matter - international agencies send subpoenas just like the US agencies. US govt can send subpoenas to international companies just the same.
2. Not having PII or user data doesn't prevent subpoenas (i.e. Reddit, 4chan, Whisper, etc.)
3. Subpoenas often come with Non-Disclosure Orders (NDO). Even without NDOs, publication of the actual subpoena is arguably more irresponsible just by the sheer fact you could be publicizing PII, and subjecting this user to unfair, and non-contextualized public opinion. Big tech has adopted transparency reports for this reason. User notice is the goal - not publicly shaming your user just to make a point to the government.
4. Non-compliance and willful disregard for the legal order will not change the overall problem. Ironically, you're right that the best way to prevent data requests from the govt might be non-compliance...then the company would get shut down for said non-compliance...so there would be no company for the government to subpoena.
5. User notice is obviously a legal department best practice, but if there is an NDO it puts legal repercussions on a company for disclosing such info. Keeping this process clunky/messy/disorganized hurts the user, and the company. You say this company is not ethical, yet Kodex automatically informs users about data requests pertinent to them, and if there is an NDO, the user is notified immediately upon expiration rather than relying on a legal department employee to remember to manually do it months or years later. Would it be more ethical to keep the process unchanged and prone to human error?
These guides for Law Enforcement (LE) to get data are actually meant to streamline the process for the company, so companies don’t have to deal with non-valid subpoenas. The subpoena is coming regardless…why waste time/resources dealing with non-valid subpoenas when educating LE will help streamline things. Obfuscation is never going to prevent these legal orders…if the FBI wants to send your company a subpoena they are going to whether you tell them how to do it properly or not. Kodex is a best practice that standardizes how the govt can interact with companies, to keep the govt in check, while keeping companies compliant, transparent, and accountable about the process.
As the writer said: “There is a lot that can be fixed in government. This process is one of them. The goal is not to ‘help the FBI do their job more easily’… making the process easier for the company, forces the government to do their job BETTER, and helps society move forward.”
1. "International agencies send subpoenas" - which agencies? I doubt they send the kind of subpoenas described in the FBI guide. Of course, different world states may have this problem themselves.
2. Not having PII or user data may not prevent a subpoena, but if you're subpoenaed for data you don't have, then you just write back saying you don't have such data.
3. If your process of handling mail is transparent to begin with, the order is (probably, hopefully) moot. I had assumed only NSLs can have such non-disclosure orders, but I guess the USA has a slightly more repressive regime than I had assumed... as for subpoenas containing PII - do you mean about the people the government wants to spy on? It's morally necessary to publish who the government is spying on. I hope (though, again, not a US lawyer) that publicizing this is protected by the first amendment anyways.
"You say this company is not ethical, yet Kodex ... informs users about ... an NDO ... immediately upon expiration"
So, the Kodex+its client would hide a subpoena from the user while it is in effect. This is most likely unethical, and certainly immoral.
4. Mass circumvention (or disregard) of government orders will most certainly change the overall problem. Just like general disregard of copyright infringement of file sharing platforms and applications has had significant effects on music distribution, academic publishing etc.
5. The process doesn't need to be clunky, messy, or disorganized - but certainly, a primary concern must be preventing the government from secretly spying on people.
You know, if you bring up the First Amendment in the US, people usually stop listening. I haven't seen it brought up in court, though. But even in court. Unless of course there's something exceptional and sound in a strict sense about your argument (off the top of my head "I was born on the Moon. Because everybody who has ever walked on the Moon, and the only military on the Moon, were American, and the only country with a human presence on the moon, was America, therefore it is part of America, therefore I was born in America, and am therefore an American citizen."). Suppose that's the truth, you were born on the Moon, and you say just what I wrote, and you believe it, and you mean it, oh man. American courts will, yeah, they'll really sympathize with you, and then yes, they will accept "freedom of speech" as an argument.
Lol woah - maybe I should check HN more than once a week. Let's dive in!!
1. “I doubt they [international agencies] send the kind of subpoenas…” - It’s a gross display of willful ignorance to assume things just so it agrees with your opinion. This is Facebook’s Transparency report (https://transparency.fb.com/data/government-data-requests/co...) They are just one example, with hundreds of thousands of requests coming from outside of the United States. There are 195 countries in the world…170 of them have sent them to Facebook alone.
2. You are literally proving the point of why those data guides were created…so no one asks a company for data that they don’t have and waste everyone's time/energy. The reality is that every company has some form of data…if a company didn’t have any sort of data how in the world would they be able to display any information, or do literally anything ever? There is always something to ask for.
3. Lol so many absurdities going on with this bullet so buckle in:
3.1 - “If your process of handling mail…” - So do you not use email? Most people graduated from mailing addresses to email addresses because it was a better way of doing things and easier than mail…most companies use emails to deal with subpoenas…a tool like Kodex is easier than email and takes the burdens away from this legal obligation…keeping the process difficult only makes it difficult on the company, not the govt.
3.2 - “USA has a slightly more repressive regime than [you] assumed…” - NDOs are used so the subject of a case isn’t tipped off. For example, would you prefer pedophiles to be told “the FBI just asked for the CSAM on your google drive” and have the pedophile go dark/get away, and continue to abuse innocent children as a result? Is that “repressive” towards the pedophile? Or a necessary legal vehicle to protect the innocent? Would you rather the USA take the unfortunate approach that some countries do, and not do anything about heinous crimes like that?
3.3 - “Who the government is spying on…” - “Spying” and “investigating” are two very different things. Choosing to use the language “spying” for a subpoena is either ignorance, or a determined effort to fit the narrative you want and demonize what is actually going on. Subpoenas are legal documents that go through a court. Spying does not. That NSA/Snowden scandal had nothing to do with subpoenas…that was all Top Secret spy programs that did not involve courts, or legal documents…Subpoenas are all unclassified information used for investigations, not on-going spy programs.
3.4 - “Publicizing…Protected by first amendment…” - You can’t yell fire in a crowded movie theater. Aka Free speech is moot when it is “a clear and present danger that they will bring about the substantive evils that Congress has a right to prevent.” You have a right to express your opinions, desires, etc., but not to put others in harm's way. These investigations are to prevent harms.
3.5 - “Hide a subpoena from the user while it is in effect…” - Kodex makes it easier for the client to follow the law, and allows them to ethically follow up with the user once the law no longer prohibits the company from doing so. Would you rather hope the company just remembers to go back to the mail room and fish through a file cabinet to see which user should be notified each day when that isn’t a priority for the company’s bottom line? Or would you want the company to be automatically reminded when such a date comes? Keeping this process more disorganized than it needs to be just for the sake of silently convincing yourself you live on a higher moral plane is what is more unethical.
4. “Mass circumvention…” - You seem to be willfully ignoring the fact that consequences exist, once again. You know copyright infringement/file sharing pioneers like Napster were ultimately shut down…right? You know, because it was illegal and the consequence was…being shut down? If you try to say that changed the music industry to help the onset of streaming/Spotify you might be right, but then why would you ignore that something like Kodex can be the same type of disruption to subpoena processing that streaming was to music…making it easier and more accessible? Moreover, it wasn’t the general disregard for the rules that created Spotify, it was the realization of the desire for instant access to every song, rather than pay $1.29 for some songs.
5. “The process doesn’t need to be clunky, messy, or disorganized” - Thank you, I agree!
I’d encourage you to learn more about this topic, because you seem to have put little effort into understanding what’s really going on, and instead have chosen to just yell at the sky/internet about what you think is going on - simply for the sake of yelling.
Establishing a best practice for public/private sector communication keeps the govt in check and helps companies ensure compliance & transparency.