Marcia Hofmann (Cal. Bar No. 250087) Zeitgeist Law PC 25 Taylor Street San Francisco, CA 94102 Telephone: (415) 830-6664 marcia@zeitgeist.law 1 2 3 4 5 Attorney for Amici Curiae Automattic, Inc.; CloudFlare, Inc.; CREDO Mobile, Inc.; Mapbox, Inc.; A Medium Corp.; Reddit, Inc.; Wickr Foundation; and Wikimedia Foundation 6 7 8 UNITED STATES DISTRICT COURT 9 FOR THE NORTHERN DISTRICT OF CALIFORNIA 10 OAKLAND DIVISION 11 12 TWITTER, INC., 13 Plaintiff, 14 v. 15 16 LORETTA E. LYNCH, United States Attorney General, et al., 17 18 Defendants. 19 20 21 ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) Case No. 14-cv-4480 YGR BRIEF OF AMICI CURIAE AUTOMATTIC, INC.; CLOUDFLARE, INC.; CREDO MOBILE, INC.; MAPBOX, INC.; A MEDIUM CORP.; REDDIT, INC.; WICKR FOUNDATION; AND WIKIMEDIA FOUNDATION IN OPPOSITION TO DEFENDANTS’ MOTION TO DISMISS THE AMENDED COMPLAINT Date: March 15, 2016 Time: 2:00 p.m. Courtroom 1, Fourth Floor Hon. Yvonne Gonzalez Rogers 22 23 24 25 26 27 28 Case No. 14-cv-4480 YGR a BRIEF OF AMICI CURIAE SERVICE PROVIDERS STATEMENT OF INTEREST OF AMICI CURIAE 1 2 Amici are Internet companies, communication service providers, and not-for-profit 3 organizations that want to be open and honest with their users and the public about the volume of 4 national security requests they receive from the government. Like Twitter, Amici publish regular 5 transparency reports providing statistics about government requests for user information. Amici 6 believe the reporting rules for national security information currently sanctioned by the government do 7 not allow them to tell a candid story. 8 Automattic operates WordPress.com, a web-based publishing platform. WordPress.com is 9 powered by the open-source WordPress software, which is available for anyone to use or improve for 10 free. WordPress.com hosts sites for some of the largest media companies in the world, including the 11 New York Post, CNN, and Time. It also hosts more than 70 million individual blogs operated by small 12 businesses, individuals, and citizen journalists who publish on a wide range of topics. 13 CloudFlare offers some of the most advanced web security, distributed denial of service attack 14 mitigation, and content delivery solutions available. CloudFlare is a community of more than 4 million 15 websites handling over 5 percent of global web and blocking more than 8.3 billion potentially 16 malicious requests every day. In order to ensure the greatest possible participation in its community, 17 CloudFlare is committed to transparency, free speech, and due process for all legal requests. CREDO Mobile is a U.S.-based telecommunications company that donates a portion of its 18 revenue to progressive non-profits and engages in social change activism. 19 20 Mapbox provides highly customizable maps and mapping software for web, mobile, and 21 embedded applications. Based in Washington, D.C., Mapbox powers the maps behind some of the 22 most visited sites on the web. 23 Medium, based in San Francisco, California, offers a publishing platform that allows anyone 24 to easily read and share stories and ideas that matter to them. Tens of millions of users have spent in 25 sum more than 2.6 millennia reading on Medium. 26 Reddit is an online community where users can start, read, join, and rate discussions on 27 topics they submit and choose. Reddit is based in San Francisco, California and attracts over 230 28 Case No. 14-cv-4480 YGR a 2 BRIEF OF AMICI CURIAE SERVICE PROVIDERS million monthly unique visitors. 1 2 Wickr Foundation is a non-profit organization dedicated to supporting a strong free society by 3 championing private communications and uncensored access to information. The key mission of 4 Wickr Foundation is to provide education, digital security and privacy tools for at-risk populations 5 underserved by commercial markets. The Foundation operates educational and public awareness 6 programs for policy-makers, youth, journalists, and human rights organizations. Wickr Foundation was 7 launched by Wickr Inc., a communication platform that enables anyone in the world to communicate 8 freely, privately and securely. Wickr Inc. publishes transparency reports on a quarterly basis. 9 The Wikimedia Foundation is a non-profit organization based in San Francisco, California, that 10 operates twelve free-knowledge projects on the Internet. Wikimedia’s mission is to develop and 11 maintain “wiki”-based projects, and to provide the full contents of those projects to individuals around 12 the world free of charge. In December 2015, all Wikimedia Projects combined had 14.95 billion page 13 views across 14 English Wikipedia. 15 on English Wikipedia, and 9.9 million edits were made that month. mobile As and of desktop December devices, 2015, there including were over 7.12 5 billion million on articles 16 INTRODUCTION 17 This case is about an Internet company’s desire to be open and honest with the public about its 18 role, or lack thereof, in national security investigations. Its outcome is key for all organizations that 19 want to be transparent about what they do and provide meaningful information to the public about 20 how much national security process they receive. Reporting national security requests under the rubric 21 approved by the United States government obfuscates rather than illuminates the volume of this 22 sensitive and controversial process. Like Twitter, Amici want to provide useful, accurate information 23 to the public and respond to their users’ concerns in a way that does no harm to national security— 24 and believe the First Amendment permits them to do so. Amici urge the Court to deny the 25 government’s motion to dismiss and proceed to the merits. 26 27 28 Case No. 14-cv-4480 YGR a 3 BRIEF OF AMICI CURIAE SERVICE PROVIDERS BACKGROUND 1 2 Twitter filed this suit on October 7, 2014 after the Department of Justice denied the company 3 permission to publish a transparency report in which Twitter wished to provide aggregate numbers of 4 national security process in smaller bands than those permitted by the government. Compl. (ECF No. 5 1.) After the passage of the USA FREEDOM Act changed the laws at the heart of Twitter’s claims in 6 June 2015, the Court gave Twitter leave to amend its complaint. Order at 12. (ECF No. 85.) 7 Twitter now seeks to establish its First Amendment right to publish a draft transparency report 8 disclosing the amount of legal process it received from the Foreign Intelligence Surveillance Court 9 (FISC) between July 1, 2013 and December 31, 2013. Am. Compl. ¶ 4. (ECF No. 88.) Twitter does not 10 wish to reveal detail about any specific order that it may have received from the FISC during that time 11 period, but rather seeks to publish “the actual aggregate number of [Foreign Intelligence Surveillance 12 Act (FISA)] orders received (if any), the volume of FISA orders received by comparison to 13 government-approved reporting structures, and similar information.” Am. Compl. ¶ 4. Twitter also 14 wants the freedom to report that “it received ‘zero’ FISA orders, or ‘zero’ of a specific kind of FISA 15 order, for that period, if either of these circumstances is true.” Am. Comp. ¶ 4. Further, Twitter seeks 16 to release more specific details about particular FISA orders it has received in the past or may receive 17 in the future when doing so will no longer harm national security. Am. Comp. ¶ 7. 18 Twitter asserts that FISA’s nondisclosure provisions violate the First Amendment on their 19 face, and to the extent the government relies on those provisions to prohibit Twitter indefinitely from 20 publishing information about FISA orders it receives, those provisions are unconstitutional as applied. 21 Am. Compl. ¶¶ 49-57. Further, to the extent the government might prosecute Twitter under the 22 Espionage Act for publishing such information, that law is unconstitutional as applied to Twitter. Am. 23 Compl. ¶¶ 58-61. 24 The government now moves to dismiss Twitter’s amended complaint, arguing 1) the FISC 25 should hear Twitter’s challenges to FISA’s nondisclosure provisions, 2) Twitter has failed to show that 26 it has standing to challenge the constitutionality of the Espionage Act, and 3) Twitter’s claims fail as a 27 matter of law because the government may lawfully prohibit disclosure of classified information 28 Case No. 14-cv-4480 YGR a 4 BRIEF OF AMICI CURIAE SERVICE PROVIDERS learned through participating in a national security investigation. Defs. Mot. Dismiss. (ECF No. 94.) 1 2 ARGUMENT 3 Amici urge this Court to reach the merits of this case and determine whether service providers 4 have a constitutional right to report data about national security requests, including orders issued by 5 the FISC. This question is crucial for all companies seeking to provide accurate, useful information to 6 their users in the aftermath of momentous public disclosures about government surveillance that have 7 undermined user trust in online services. 8 I. 9 Twitter’s Claims Present Critical First Amendment Issues That Also Affect Amici and Similarly Situated Service Providers 10 In June 2013, government contractor Edward Snowden leaked classified records from the 11 National Security Agency to the media, exposing government surveillance activities far more extensive 12 than previously known to the public and raising profound questions about the lawfulness of those 13 activities. See, e.g., Barton Gellman and Laura Poitras, U.S., British Intelligence Mining Data From Nine U.S. 14 Internet Companies in Broad Secret Program, WASH. POST, June 6, 2013.1 15 In the wake of worldwide public debate about U.S. communications providers’ role in this 16 controversial government surveillance, several major Internet companies negotiated with the 17 Department of Justice for the right to publicly disclose aggregate information about the legal process 18 they receive from the government in national security investigations. When these negotiations failed to 19 yield results, Google, Facebook, Microsoft, Yahoo!, and LinkedIn filed motions in the FISC seeking to 20 establish that they have a First Amendment right to publish basic aggregate data about the FISA orders 21 they receive. In re Motions to Disclose Aggregate Information Regarding FISA Orders and Directives, Nos. Misc. 22 3-03, 13-04, 13-05, 13-06 & 13-07 (F.I.S.C. filed 2013). 23 The litigation settled, however, when those companies reached an agreement with the Justice 24 Department permitting them to report national security requests in broad bands of aggregate numbers. 25 Letter From James M. Cole, Deputy Attorney General, Department of Justice, to General Counsels of 26 1 Available at http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nineus-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845d970ccb04497_story.html. 5 27 28 Case No. 14-cv-4480 YGR a BRIEF OF AMICI CURIAE SERVICE PROVIDERS 1 Facebook, Google, LinkedIn, Microsoft, and Yahoo, Jan. 27, 2014.2 The Justice Department 2 apparently took the position that these restrictions applied not only to the parties to the agreement, but 3 more broadly to other service providers, as well, which prompted Twitter to initiate this action. Compl. 4 ¶¶ 35-40. 5 In June, Congress passed the USA FREEDOM Act, which largely incorporated the Justice 6 Department’s approved reporting framework into the FISA. Pub. L. No. 114-23, 129 Stat. 268, 7 codified at 50 U.S.C. § 1874. Specifically, the USA FREEDOM Act gives recipients of national 8 security process four reporting options, allowing them to issue: • A semiannual report on the number of national security letters (NSLs), customer accounts affected by NSLs, FISA orders for content, FISA orders for non-content, and customer selectors targeted by each type of FISA order as separate categories in bands of 1000, beginning with 0 (i.e., 0-999), with some breakdown by FISA authority for non-content figures; 9 10 11 12 • A semiannual report on the number of NSLs, customer accounts affected by NSLs, FISA orders for content, FISA orders for non-content, and customer selectors targeted by each type of FISA order as separate categories in bands of 500, beginning with 0 (i.e., 0-499);3 • A semiannual report on the total number of all national security requests received, and the total number of customer selectors targeted by all national security process, in bands of 250, beginning with 0 (i.e., 0-249); or • 18 An annual report on the total number of all national security requests received, and the total number of customer selectors targeted by all national security process, in bands of 100, beginning with 0 (i.e., 0-99). 19 50 U.S.C. § 1874(a)(1)-(4). The USA FREEDOM Act did not amend FISA’s pre-existing 20 nondisclosure provisions, however. While this framework provides guidance, it fails to clarify the legal 21 limits of reporting aggregate information about national security process. 13 14 15 16 17 22 As a result, this case poses a fundamental lingering question: to what extent do companies 23 have a constitutional right to report truthful aggregate data about national security requests? Amici believe 24 2 Available at http://www.justice.gov/iso/opa/resources/366201412716018407143.pdf. The law also limits the time period a report may cover, ranging from 180 days to one year. 50 U.S.C. § 1874(b)(1)-(3). When publishing a report that discloses categories in bands of 500 and 1000, providers are required to wait 18 months before reporting any FISA order or directive concerning a platform, product, or service for which the provider has not previously received a FISA order or directive. Id. § 1874(b)(B). 6 25 3 26 27 28 Case No. 14-cv-4480 YGR a BRIEF OF AMICI CURIAE SERVICE PROVIDERS 1 that there is no basis in law or policy for the government to prohibit recipients from disclosing the 2 mere fact that they have or have not received a national security request, and from publishing an 3 accurate, meaningful account of that statistic. And while the government has taken the position that it 4 believes “[n]othing prevents a company from reporting that it has received no national security legal 5 process at all,” Reply in Further Support of Defs. Partial Mot. Dismiss at 2 (ECF No. 57), it remains 6 unclear whether the First Amendment guarantees that disclosure, or whether a company that has 7 received a national security request in the past could report zero for subsequent periods of time. 8 The Court should resolve this question because the reporting framework approved by the 9 government is a particularly poor fit for service providers that receive little, if any, process in national 10 security investigations. The bands are simply too large to give the public a meaningful sense of the 11 volume of national security requests such a company may receive. 12 Compare the permitted ranges to the number of regular law enforcement requests that 13 companies can report with specificity. For example, between July 1 and December 31, 2013 (the same 14 period covered by the transparency report Twitter seeks through this litigation to publish), Automattic 15 received 36 non-national security requests for user information from all law enforcement authorities 16 worldwide (including all federal and state authorities).4 CloudFlare received 50 non-national security 17 requests from law enforcement throughout the United States during 2013.5 Similarly, LinkedIn 18 received 70 non-national security requests from United States law enforcement seeking user data 19 between July 1 and December 31, 2013.6 Each of these companies detailed the number and type of 20 these requests in their transparency reports—but reported that they received 0-249 national security 21 requests for the same period, even though the high end of the permitted range is several times the 22 number of all law enforcement requests each company received. 23 24 4 Automattic, Information Requests, http://transparency.automattic.com/information-requests-2013-h2 (last visited Feb. 5, 2016). 5 CloudFlare, 2013 Transparency Report: 1/1/2013-12/31/2013, https://www.cloudflare.com/ transparency2013 (last visited Feb. 5, 2016). 6 LinkedIn, Our Transparency Report, https://www.linkedin.com/legal/transparency (last visited Feb. 5, 2016). 7 25 26 27 28 Case No. 14-cv-4480 YGR a BRIEF OF AMICI CURIAE SERVICE PROVIDERS 1 Did these companies receive zero national security requests during the reporting period? Or 2 a handful? Or hundreds of FISA orders? Under the government’s framework, recipients cannot say. It 3 forces them to tell a misleading story that leaves users with more questions than answers about these 4 highly sensitive and controversial requests. 5 Reporting national security requests in this manner encourages public speculation about the 6 U.S. government’s level of interest in a service, which can lead to suspicion and distrust among users 7 and have a very real, negative impact on business. Users of online platforms and communications 8 services are more sensitive than ever to disclosures of their data to governments, and there is a strong 9 desire for truthful, accurate information about government interest in users’ data (or lack thereof). This 10 is especially true for users outside the United States, who may choose non-U.S. competitors once their 11 confidence in U.S. Internet companies’ candor is shaken. See generally Danielle Kehl, New America’s 12 Open Technology Institute, Surveillance Costs: The NSA’s Impact on the Economy, Internet Freedom & 13 Cybersecurity 7-19 (July 2014) (discussing the negative economic impact of the surveillance revelations 14 on American businesses, both domestically and internationally).7 For any U.S. Internet company with 15 non-U.S. users, the international community’s trust is essential to basic business operations. And its 16 absence is a competitive disadvantage. One example: the European Court of Justice recently 17 invalidated the U.S.-EU Safe Harbor arrangement—which had enabled transfers of Europeans’ data to 18 the United States—due in significant part to revelations about the U.S. government’s surveillance 19 activities. Schrems v. Data Protection Commissioner, Case C-362/14 (EJC Oct. 6, 2015). This decision 20 creates for Amici substantial and costly obstacles to operating in the European Union. 21 Twitter’s claims are important for all service providers seeking to re-establish trust in the 22 wake of the Snowden disclosures. Amici hope the Court will reach these issues to provide greater legal 23 certainty for all service providers seeking to be honest and upfront with their users. 24 25 26 27 7 28 Available at http://oti.newamerica.net/sites/newamerica.net/files/policydocs/ Surveilance_Costs_Final.pdf. 8 Case No. 14-cv-4480 YGR a BRIEF OF AMICI CURIAE SERVICE PROVIDERS 1 II. 2 This Court Should Hear This First Amendment Case and Not Defer to the Foreign Intelligence Surveillance Court The government argues that this Court should decline to exercise jurisdiction over Counts I 3 and II because they “concern legal process issued by the FISC and provisions of FISA administered 4 under FISC supervision.” Defs. Mot. Dismiss at 10. To the contrary, this Court is the correct forum. 5 First, this case is a First Amendment challenge to the underlying statute, not a challenge to an 6 order of the FISC. Twitter contends that FISA’s nondisclosure provisions are unconstitutional facially 7 and as applied, to the extent these provisions might prohibit Twitter from publishing information 8 about the number of FISA orders it receives that would not harm national security. Am. Compl. ¶¶ 49- 9 57. And these are not Twitter’s only constitutional claims. Twitter also argues that the Espionage Act is 10 unconstitutional as applied to Twitter—a claim the FISC has no jurisdiction to review. Am. Compl. ¶¶ 11 58-61. There is no jurisdictional impediment to this Court’s review of all Twitter’s First Amendment 12 claims, and it should do so for the sake of judicial efficiency. 13 Second, this Court should hear the case because its proceedings are open and public by default, 14 which allows greater public awareness of how this litigation proceeds. The FISC is fundamentally 15 different from any other United States district court because its docket, hearings, and records are 16 generally classified. While this Court “operate[s] primarily in public, with secrecy the exception,” the 17 FISC “operates primarily in secret, with public access the exception.” In re Motion for Release of Court 18 Records, 526 F. Supp. 2d 484, 488 (F.I.S.C. 2007). 19 Congress has recognized the problematic nature of the FISC’s secret proceedings. It has tried 20 to make the court more transparent by, among other things, providing a process for limited amicus 21 curiae participation in FISC matters. USA FREEDOM Act, Pub. L. 114-23, 129 Stat. 279 § 401, 22 codified at 50 U.S.C. § 1803. While this change is a step toward greater public participation in FISC 23 proceedings, the court still conducts its judicial proceedings primarily out of public view and does not 24 allow for the level of amici participation that other district courts permit. Potential FISC amici face 25 profound and basic constraints on their ability to contribute effectively. For example, amici must have 26 a security clearance to obtain access to classified case materials and proceedings. 50 U.S.C. § 27 28 Case No. 14-cv-4480 YGR a 9 BRIEF OF AMICI CURIAE SERVICE PROVIDERS 1 1803(i)(3)(B); (6)(C). Furthermore, amici may only review legal precedents, applications, certifications, 2 petitions, motions, or other materials that the FISC believes in its sole discretion “are relevant to the 3 duties of the amicus curiae.” Id. § 1803(i)(6)(A)(i). These restrictions mean that amici will likely have 4 very limited (if any) access to the materials and proceedings in a FISC matter, which undermines their 5 ability to meaningfully participate. By contrast, the filings in this Court are public by default and 6 available to all unless sealed, which allows for more informed, robust amicus involvement. 7 Given the important constitutional issues raised by Twitter’s complaint and the precedential 8 value this decision will have for Amici and the rest of the technology industry, this case should be 9 heard by a court that makes its proceedings and records public by default. This Court, not the FISC, is the right forum for this case. 10 11 CONCLUSION 12 Amici just want to speak truthfully, address their users’ legitimate concerns, and provide useful 13 data to the public. Amici respectfully request that this Court deny the government’s motion to dismiss 14 and reach the merits of the case. 15 16 DATED: February 5, 2016 17 18 Respectfully submitted, /s/ Marcia Hofmann Marcia Hofmann Zeitgeist Law PC 25 Taylor Street San Francisco, CA 94102 marcia@zeitgeist.law Telephone: (415) 830-6664 19 20 21 22 Attorney for Amici Curiae Automattic, Inc.; CloudFlare, Inc.; CREDO Mobile, Inc.; Mapbox, Inc.; A Medium Corp.; Reddit, Inc.; Wickr Foundation; and Wikimedia Foundation 23 24 25 26 27 28 Case No. 14-cv-4480 YGR a 10 BRIEF OF AMICI CURIAE SERVICE PROVIDERS