EFF's new certificate authority publishes an all-zero, pre-release transparency report


EFF, Mozilla and pals are launching Let's Encrypt, an all-free certificate authority, in September — but they've released a transparency report months in advance.

Transparency reports document the number of law-enforcement requests a service has received, including the number of secret, gag-ordered, illegal-to-mention National Security Letters. These reports serve as "warrant canaries" — it's not illegal to say that you haven't received an NSL, and it's not illegal not to mention whether you've gotten an NSL. But if this month's transparency report says "No NSLs received" and next month's transparency report has no information at all about NSLs, then careful observers can conclude that one or more NSLs have turned up on the service's doorstep.

While I'm on the subject, here's a status report on our effort to go all-HTTPS here on Boing Boing: our admin Ken has been assembling the hardware needed for it, and we've been going through all the WordPress plugins we use to find the ones that serve unencrypted content, patching them, and feeding them back into their developers' main branch. The trap we want to avoid is getting stuck with custom code in our plugins that stop us from updating from the main branch, which could leave us with a bunch of unpatchable code that leaves you vulnerable to drive-by malware, which is an even greater risk than serving unencrypted pages. But watch this space — it's important to us, too.

This is actually pretty important for a variety of reasons. First, it clearly acts as something of a warrant canary. And by posting this now, before launch and before there's even been a chance for the government to request information, Let's Encrypt is actually able to say "0." That may seem like a strange thing to say but, with other companies, the government has told them that they're not allowed to claim "0," but can only give ranges — such as 0 to 999 if they separate out the specific government requests, or 0 to 249 if they lump together different kinds of government orders. Twitter has been fighting back against these kinds of rules, and others have argued that revealing an accurate number should be protected speech under the First Amendment.

Let's Encrypt is, smartly, getting this first report out there — with all the zeroes — before the government can swoop in and insist that it has to only display ranges. In other words, this is getting in before any gag order can stop this kind of thing. Smart move. It's also nice to see them break down all of the different possible types of orders, rather than lumping them into more general buckets. That's an important step that it would be nice to see others follow as well.

[Mike Masnick/Techdirt]

ISRG Legal Transparency Report, January 2015 – June 2015 [Josh Aas/Let's Encrypt]