Microsoft, Facebook, Google and Yahoo release NSA snooping stats

Microsoft, Facebook, Google and Yahoo – all of which filed suit against the US government’s secret surveillance court over gag orders attached to data demands – on Monday were, for the first time, along with other tech companies, free to tell customers how often the government has requested their data.

This newfound freedom stems from a change of heart the US government had last week regarding disclosure of NSA surveillance requests.

Not a major change of heart, mind you: more like a fibrillation than a heart transplant.

Namely, the Obama administration said that new data disclosure rules allow internet companies to give customers an idea of how often the government demands their information.

The data’s six months stale in some cases and offers scant detail – nothing about what, exactly, is being collected (emails? instant messages? address books? calendar items? images?) nor in what quantity.

Even the number of requests is required to be vague, listed as a range in the thousands instead of a specific number.

The new rules also contain a provision that exempts start-ups from spilling the beans about government requests, forcing newcomers to sit on the information for two years.

The secret court – known as the FISA court (after the Foreign Intelligence Surveillance Act) – last week made public a letter [PDF] sent to the tech companies from deputy attorney general James Cole that outlined paths to greater surveillance transparency.

Every six months, companies can now publish reports listing how many thousand National Security Letters (NSLs) they receive. An NSL is a type of nonjudicial subpoena from the FBI.

They can also publish the number of customer accounts those letters affect, again listed by the thousands.

Companies can also publish FISA orders for content, also by the thousand, along with how many of their customers’ “selectors” are involved.

Selector is a spy term that indicates a search term, such as an email address or a screenname, that serves as a proxy for an individual user.

Tech companies can now publish, every six months and in bands of 1,000, customer selectors and FISA orders for metadata.

And thus, tech companies on Monday rolled out the fruits of this new, limited disclosure, part of last month’s transparency deal.

Facebook said that during the second half of 2012, it fielded FISA requests for data related to the content of 4,000 to 4,999 Facebook user accounts. That number ticked up into the range of between 5,000 and 5,999 user accounts during the first half of 2013.

Yahoo said on Monday in its report [PDF] that between January and June 2013, it received between zero and 999 FISA requests for content from 30,000-30,999 accounts.

For its part, Apple received fewer than 250 requests. Data behemoths Google and Microsoft grumbled about the new data deal as they released the data.

Brad Smith, General Counsel & Executive Vice President, Legal & Corporate Affairs for Microsoft, said in the company’s transparency posting that, first of all, the new rules don’t go far enough to restore Constitutional rights, and furthermore, it would be nice if the government would quit trying to hack tech companies (by, for example, not tapping into undersea cables without a warrant):

Despite the President's reform efforts and our ability to publish more information, there has not yet been any public commitment by either the U.S. or other governments to renounce the attempted hacking of Internet companies.

We believe the Constitution requires that our government seek information from American companies within the rule of law. We'll therefore continue to press for more on this point, in collaboration with others across our industry.

Here’s what Microsoft revealed in its transparency report:

  • Microsoft received fewer than 1,000 FISA orders seeking the disclosure of customer content. These orders related to between 15,000 and 15,999 accounts or individual identifiers. Smith noted that this doesn’t necessarily mean that more than 15,000 people were covered by these data requests, given that one individual may have multiple accounts, each of which would be counted separately for the purposes of reporting the data.
  • Microsoft also received fewer than 1,000 FISA orders for non-content data only, seeking information that related to fewer than 1,000 accounts or identifiers.
  • Microsoft received fewer than 1,000 NSLs covering fewer than 1,000 accounts or identifiers.

Although the numbers are vague, the number of NSLs is clearly on the rise, given the numbers for 2011 and 2012 requests that Microsoft provided.

Google said it received between 0 and 999 FISA requests from 9,000-9,999 accounts.

The company also received 0-999 requests for so-called non-content data, such as the identity and the location of users, from 0-999 accounts.

Google noted that the Justice Department doesn’t allow the release of more-recent data.

Google legal director Richard Salgado said in a blog post that in spite of the new disclosure rules, Google would much rather publish more data:

We still believe more transparency is needed so everyone can better understand how surveillance laws work and decide whether or not they serve the public interest.

Specifically, we want to disclose the precise numbers and types of requests we receive, as well as the number of users they affect in a timely way.

That's why we need Congress to go another step further and pass legislation (PDF) that will enable us to say more.

Have the new rules gotten us closer to having an idea of how much of our data the NSA is demanding? Hardly.

Unfortunately, the tech companies are in a situation akin to that of police officers telling people to move along, please, folks.

Nothing to see here.