“Many government requests we receive contain demands to withhold notice from users that carry no legal weight. We actively disregard these non-binding demands. Our goal is to give users the information they need to seek legal advice before their records are disclosed. As stated in our privacy policy, we provide advance notice to affected users unless prohibited by a court order or where we decide delayed notice is appropriate based on clear criteria.” –Reddit Transparency Report, January 29, 2015
Reddit’s inaugural transparency report was posted on their front page today. It’s a brief report, and it can be found in printable form here, but I’d like to point out two quick things.
First, I’d like to discuss their approach to user privacy. Patrons to any site don’t want their information shared, and Redditors are no exception, so the small number of data requests submitted to Reddit for user information should please everybody. It came to a paltry 55 requests.
Apparently, Reddit isn’t a target for regulatory bodies yet, at least compared to companies like Apple, which got 4,132 U.S. device requests in just the first half of 2014. Those requests asked for information on 13,743 American device users.
You think that’s bad? Polish Customs and Revenue Authorities requested data on 191,699 Polish device users from January 1 to June 30, and they got the information they wanted on 68% of those users. Globally, there were over 20,000 law enforcement device requests made to Apple in just 6 months, demanding information on almost 282,000 device users.
A site administrator identifying as “ekjp” confirmed that this year’s transparency report is “strictly counting external legal requests to reddit Inc,” so internal takedown requests to admins and mods related to offensive material, copyrighted photographs, invasions of privacy, etc. do not count toward the number.
Even so, with over 174 million users at the end of 2014, you’d think there would’ve been more than 55 requests for user information. That’s a mere 0.000032% of Reddit’s usership all year, while 0.035% of Apple’s 800 million device users were tapped for info in the first half of 2014. Granted, there are vast differences between Reddit and Apple, but both are in the communications industry and both rely on users to drive profits.
Unfortunately for Apple users, those profits have walked hand-in-hand with an awful privacy record. Only telecom companies (specifically AT&T and Verizon) are rated worse…oh, and MySpace. I’m sure those larger companies could make the case that being a target for hackers and governments comes with the territory, but Dropbox does a pretty good job, and so does Google.
Reddit isn’t as high-profile as any of those listed above, so it doesn’t get as many data requests, but when it does, it actively fights them. Reddit lawyers beat two civil subpoenas that “sought to unmask more than a dozen anonymous users,” and it also fought a lot of illegitimate (but nonetheless official) removal requests. Reddit only ended up removing 31% of the material formally requested for takedown.
The most notable inclusion in this report, however, is less about user privacy and more about how Reddit would communicate whether or not that privacy has been compromised. For that, we’ll turn to Reddit’s “warrant canary,” which states:
As of January 29, 2015, reddit has never received a National Security Letter, an order under the Foreign Intelligence Surveillance Act, or any other classified request for user information. If we ever receive such a request, we would seek to let the public know it existed.
A warrant canary is like a message within a message. Technically, Reddit wouldn’t be allowed to tell anyone they received a National Security Letter in the first place, but by saying they didn’t receive one, they reserve the opportunity to not say they didn’t get one in future reports.
Did you catch that? Since two negatives make a positive, we can assume that Reddit will have received a National Security Letter the year they stop telling us they didn’t.
The warrant canary takes its name from the little yellow birds that coal miners used when determining the safety of a mine shaft. One of the biggest killers of miners in the early 20th Century was carbon monoxide, the odorless gas that asphyxiated humans before the invention of warning devices. By keeping canaries around in cages, miners could monitor gas levels around them – a distressed canary signaled dangerous levels of carbon monoxide and/or methane, while a dead canary meant get the hell out of dodge, asap.
Other examples of warrant canaries in action recently are Apple and Tumblr. The former removed its disclaimer in 2014, indicating Apple’s receipt of at least one (but less than 250) NSLs sometime since its last report. Tumblr, on the other hand, can still say it hasn’t received a letter, nor is it expected to since hipster fandom, no matter how obnoxious, isn’t a threat to national security…or is it?
Overall, I’m pleased with Reddit’s report if only for the user-friendly vibe I get from it, but I also value the practice of issuing transparency reports publicly. To be fair, I couldn’t have cited Apple’s popularity with law enforcement agencies without their own public admission, and in the electronic age we can only expect this to continue.
Follow us:byShare this:by