A gag order that prevented technology and telecommunications companies from reporting requests for customer data made under the Foreign Intelligence Surveillance Act (FISA) has been eased.
The move comes on the heels of surveillance reforms announced by President Obama on Jan. 17. Obama, during an address to the Justice Department, promised changes to how long requests from the Foreign Intelligence Surveillance Court could be kept secret and how they could be reported. Technology companies such as Microsoft, Google, Facebook, LinkedIn and others had banded together several times to petition Obama and Attorney General Eric Holder for greater transparency around these types of requests.
A Justice Department ruling released last night provided companies with two reporting options, according to a letter from Deputy Attorney General James Cole to the general counsels of Yahoo, Microsoft, LinkedIn, Google and Facebook.
The first option brings FISA reporting in line with reporting of National Security Letters in that companies will be able to report the number of FISA orders for content, non-content, as well as the number of customer accounts affected for each in bands of 1,000 requests. The reporting restrictions around National Security Letters were eased last summer.
Reports may be published every six months; however, reporting on national security orders issued against data collected by new company products and services must be delayed two years.
The second option allows companies to report all national security requests, NSLs or FISA orders, and the number of customer accounts affected with exact numbers up to 250 requests, and thereafter in bands of 250.
CloudFlare, a company that optimizes Web traffic through a cloud-based service, wasted no time in providing its transparency report in accordance with the new order. CloudFlare reported 0-249 National Security Letter orders received impacting 0-249 accounts.
Apple also issued a transparency report on national security orders, reporting 0-249 total orders received affecting 0-249 customer accounts. Apple also reported 927 law enforcement requests on 2,330 accounts. Apple said that it complied with 81 percent of account requests where some data was disclosed.
“This data represents every U.S. national security order for data about our customers regardless of geography,” Apple said in a statement. “We did not receive any orders for bulk data. The number of accounts involved in national security orders is infinitesimal relative to the hundreds of millions of accounts registered with Apple.”
Apple was among the technology companies that on several occasions requested additional leeway in reporting national security orders. The companies argued that the ban violated their First Amendment right to free speech and harmed their ability to maintain trustworthy relationships with customers. LinkedIn went so far as to call the ban unconstitutional in September.
Companies balked at the government’s initial concession to allow reporting in buckets of 1,000 requests, arguing that it would misrepresent the state of affairs for smaller companies that likely would not receive thousands of requests for national security orders. The companies worried that reporting in bulk would create the impression that the number of orders received was much higher than it really was; for example, a company that received only 10 requests would have to report that as 0-999.
“The information permitted under these measures would be misleading, would distort the public’s understanding of the actual number of government requests received, would reduce rather than increase transparency, and would deplete rather than enhance trust in the companies, the industry and the government,” LinkedIn wrote in an amicus brief with a California court of appeals in September.
CloudFlare, for example, said that the number of orders it received affects fewer than 0.02 percent of its customers.
“We have long felt that the arguments in support of restricting the disclosure of NSLs to be flawed,” said CloudFlare counsel Kenneth R. Carter in a statement. “We see no threat to national security by acknowledging the program or the number of orders a particular company has received. Further, it is frustrating that most assume the program to be widespread and that tech companies receive NSLs on a daily basis.”