Tech Companies Reach Deal on Disclosure of Security Data
National Security Agency/Wikipedia
Lawyers for several large technology companies have reached a deal with the U.S. Department of Justice that would allow them to make more detailed disclosures to the public about the kinds of inquiries they get for user data from security and law enforcement agencies.
Companies including Google, Facebook, Microsoft and Apple have been pushing for the right to disclose information about how much data they are required to share about user accounts and other information in response to National Security Letters and other requests they’re required to comply with by law.
Previously, the companies have been forbidden by law from even acknowledging that they are served with National Security Letters. Now they’ll be able to tell the public how many of these requests they get and how many they complied with.
Under terms of the deal — which is described in detail in the letter from Attorney General Eric Holder below — the companies will be able to report to within the nearest one thousand the number of National Security Letters received, as well as requests made under the auspices of the Foreign Intelligence Surveillance Act court. They’ll be allowed to publish this data every six months, after waiting for six months after the requests have been made.
Under a second options, they’re allowed to lump all their FISA and National Security Letter requests and report them in an aggregate to the nearest 250.
Also, when companies get their first request for data on a new service or platform, they’ll be required to wait two years before disclosing data on requests specific to them.
It’s a big shift in what the companies will be allowed to report. Over the summer, Facebook and Microsoft were among those that made some limited disclosures about the requests, but only in aggregate. This means that requests from, say, the FBI were lumped in with requests from local police departments.
The companies have been pushing for the right to make more detailed disclosures — and even sued the government over it — in order to defend their reputations with customers shaken by documents revealed by Edward Snowden suggesting that user data was more or less willingly given to agencies like the FBI and the NSA.
In a statement, Microsoft called it a step in the right direction: “We filed our lawsuits because we believe that the public has a right to know about the volume and types of national security requests we receive. We’re pleased the Department of Justice has agreed that we and other providers can disclose this information. While this is a very positive step, we’ll continue to encourage Congress to take additional steps to address all of the reforms we believe are needed.”
Update: Apple just released its latest batch of numbers according to the new rules, and if nothing else it may have the effect of showing for once how few of these national security-related requests it receives and complies with.
According to a statement it just posted, Apple chose option two. It reported that between Jan. 1 and June 30 of last year it received somewhere between one and 249 requests by way of National Security Letters and FISA court orders. So it’s at most a low three-digit number out of several hundred million accounts.
It also reported that, during the same period, it received 927 requests from law enforcement agencies that weren’t related to national security requests, seeking information on 2,330 accounts. Of those, it disclosed data on only 747 accounts, or a little less than one third of the time.
I also received a statement from Apple spokeswoman Kristin Huguet:
“Apple has always believed that our customers have the right to understand how their personal information is being handled. We applaud the Administration for taking this important step toward greater transparency, and we thank the Justice Department for considering Apple’s point of view as it reached this decision. Our business does not rely on collecting large amounts of personal data about our customers, which is reflected in the figures we are releasing under the new transparency rules. We look forward to working with the White House working group led by John Podesta, focusing on big data and the future of privacy. We believe it’s one of the most important issues facing our industry and our society today.”
Here’s the letter from Holder detailing the new reporting rules.