User notification of legal requests, as a government team #9

Open
konklone opened this issue Jul 16, 2015 · 6 comments
@konklone

The DNT policy says this about user notification of legal requests:

5. USER NOTIFICATION: 

  a. If we are required by law to retain or disclose user identifiers, we will
     attempt to provide the users with notice (unless we are prohibited or it
     would be futile) that a request for their information has been made in
     order to give the users an opportunity to object to the retention or
     disclosure.

  b. We will attempt to provide this notice by email, if the users have given
     us an email address, and by postal mail if the users have provided a
     postal address.                                   

  c. If the users do not challenge the disclosure request, we may be legally
     required to turn over their information.

As a government team, how should we think about this section? I'm not sure at all what the lay of the land is, legally or normatively, in terms of legal requests for user information that is intragovernmental.

If we were held to the standard above as written, I think we'd at least have to involve our general counsel to determine its applicability and reasonableness in our situation.

@pde
Contributor

pde commented Jul 22, 2015

Commitments to user notification in case of data requests are an emerging standard that EFF has had some success in promulgating via Who Has Your Back:

https://www.eff.org/who-has-your-back-2014

Arguably it could be applicable in some governmental situations, too, though I agree it's trickier. We could strike the section entirely if that were necessary, but it would be giving up on an important type of user privacy.

@konklone
Author

Yeah, I wasn't suggesting striking it. One possibility would be adding some language that says "if applicable" (in more precise/meaningful terms). As it stands, as a small-ish team in a very large beast, I don't know if we're even capable of making any commitments about user notification of legal requests (or what kinds of requests are relevant to us).

@mfb

mfb commented Jul 22, 2015

This seems like something for lawyers to sort out and IANAL, but theoretically, one government agency, such as the Census Bureau, could inform users when asked to provide their information to another agency, such as a LEA, unless there were a court order prohibiting it...

@pde
Contributor

pde commented Jul 22, 2015

Reading this again: as the language above is drafted, it isn't really specific to governmental requests for data; it would apply equally to a civil subpoena for a user's data (and in fact some companies have implemented user notification that way; I've seen users informed by major tech companies about subpoenas for their data via civil lawsuits).

So in principle, it seems like something that a government website could implement. And if any process or procedure anywhere in that government was forcing a particular website to violate its DNT Policy commitment, then if able and permitted by law, the website should notify the affected users.

@gboone

gboone commented Jul 23, 2015

I think what @konklone is getting at is: The Census Bureau (to keep the example going) could act for all of the Bureau's users and web products but a smaller team within Census that has full control of its web presence might not be able to make that kind of commitment. A team running smaller-team.census.gov could commit itself to DNT but disclosure requests would go to Census, not the team. Getting Census's General Counsel to determine what a relevant request looks like and how to reasonably notify users for a relatively small portion of the Bureau's work could be quite difficult.

Correct me if that's not what you're after, @konklone 😄

@konklone
Author

Yes, that's a big part of what I'm getting at, and even if 18F were to make sure that we received all legal requests for user information about 18F's site, I don't think we could guarantee a notice procedure -- that would have to come from GSA.
