Increasingly Common Gag Orders Show Necessity Of Minimal Data Collection

New documents obtained by the ACLU reveal a secret subpoena to Open Whisper Systems (OWS), the maker of the end-to-end encrypted Signal chat application. In the first half of this year, the U.S. government sought information related to two phone numbers, one of which belonged to a Signal user.

However, because OWS has a policy of collecting only absolutely necessary information and discarding what it doesn’t need, the government could only find out when the user created the account and when they last connected. At a time when gag orders are becoming the rule rather than the exception, OWS shows that minimal data collection may be the most important strategy against abusive gag orders and even data breaches.

Gag Orders As The Norm

As Microsoft revealed earlier this year, the U.S. government has begun making secret gag orders the rule rather than the exception that such orders should be. The company sued the U.S. government because almost half of the data requests from federal agents are secret. Companies such as Microsoft can afford to fight back against abuse of secret orders, but this is likely not something all small companies can afford to do.

OWS Fights Back

Open Whisper Systems, with the ACLU's assistance, is one of the few small companies that made the decision to fight what it considers an over-broad gag order. The government requested all information associated with the two phone numbers, including web browsing history and data stored in tracking cookies of the web browsers associated with the two accounts.

However, Signal doesn’t collect much user information at all, and it discards most of the information it does collect after use. Therefore, the U.S. government was only able to recover the date the user created the account and when the Signal user last connected to the Signal servers.

Most Gag Orders Violate First Amendment

The gag order that accompanied the subpoena was supposed to keep the company silent about the user data request for at least a year. The ACLU got the government to quickly admit that most of the information under seal didn’t need to be secret after all.

According to the nonprofit, this is just more proof that the government creates many of these gag orders without much thought about what actually needs to be secret. However, because not everyone has the resources to fight back, most of these gag orders remain secret by default, sometimes even indefinitely.

The ACLU argued, just as Microsoft did earlier this year, that the overly broad gag orders are a violation of the First Amendment. The ACLU believes that the government should only use secrecy for truly sensitive information, and not for anything that it thinks could “jeopardize its investigation” if the information became public.

Necessity Of Minimal Data Retention

When companies use strong encryption so users can protect their own files or communications with their own keys, the government knows there isn’t much it can ask of those companies, so it doesn’t bother them as much as it does other companies that have access to all user data.

In the same way, when companies collect and store only minimal amounts of records on their servers, there are fewer reasons for the government to visit and ask for user data. As a bonus, minimal data collection also protects companies from having to make embarrassing data breaches public.

OWS, an organization that is a few years old, has only received a single subpoena so far, likely because authorities already know its strong privacy stance. OWS recently helped companies such as WhatsApp, Facebook, Silent Circle, and Google implement its open source end-to-end encryption protocol into their own chat applications. Its own open source chat application, Signal, is also often used by activists, journalists, and even U.S. presidential candidates.

Even after the subpoena, the only thing the government could uncover was the account creation date and when the account last connected. The chances are that in the future OWS will try to erase those records for its users as well, given that they don’t seem to be critically important for running the Signal service.

That means there would be no reason whatsoever for the government to serve the company another subpoena unless some anti-encryption law passes. However, until that happens, companies that only keep minimal amounts of user data around should have to deal with fewer abusive gag orders or embarrassing data breaches.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Clamyboy74
    What kind of sicko does this? I feel less and less secure the more I hear about this
  • ahnilated
    This type of stuff has been going on for many years.
  • nutjob2
    It's a great time to be a criminal or a terrorist. Paranoid and delusional millennials in a panic about the NSA reading their emails to grandma are giving them free rein.
  • negusp
    "It's a great time to be a criminal or a terrorist. Paranoid and delusional millennials in a panic about the NSA reading their emails to grandma are giving them free rein."

    It's people like you that destroy our freedom. What's next after email reading? Cameras in our house? Oh wait, our phones are already being monitored.
  • targetdrone
    18685864 said:
        It's a great time to be a criminal or a terrorist.

    Well terrorists and criminals have a huge supporter and ally working in the Oval Office.
  • dragget
    18686231 said:
        18685864 said:
            It's a great time to be a criminal or a terrorist.

        Well terrorists and criminals have a huge supporter and ally working in the Oval Office.

    Nice conspiracy theory there, pal. This has nothing to do with presidential policy and everything to do with a corrupt, repressive justice system making a policy of violating our constitutional rights with their litigious overreach. Nice to hear that at least a few companies and private citizens are standing up to these bullying bureaucrats.
  • Kimonajane
    The fascist FED is so corrupt now it does not stand for freedom anymore. It's more like a soft police state/tyranny but they kept many of their dirty Unconstitutional deeds hidden, some in plain sight.
  • chicofehr
    Why would Facebook and Google encrypt their data so they can't get full access to it? They rely on stealing and harvesting your data as their business model.
  • bit_user
    18685864 said:
        It's a great time to be a criminal or a terrorist. Paranoid and delusional millennials in a panic about the NSA reading their emails to grandma are giving them free rein.

    Don't you understand why the 4th Amendment was created? Universal surveillance hurts democracy. I doubt any US government agency will be interested in me, personally, but what about whistleblowers and candidates in opposition parties? It's this indirect harm that I fear.

    Have you never heard of Watergate? If Nixon were President today, his spying would probably never come to light, and he'd have been able to learn so much more. This is the real threat, IMO.

    18689137 said:
        Why would Facebook and Google encrypt their data so they can't get full access to it? They rely on stealing and harvesting your data as their business model.

    Read more carefully:
        OWS recently helped companies such as WhatsApp, Facebook, Silent Circle, and Google implement its open source end-to-end encryption protocol into their own chat applications.