Google, Microsoft, Facebook, Yahoo and LinkedIn wasted little time in disclosing what they could about requests for customer data made under the secret Foreign Intelligence Surveillance Act.
One week after the Justice Department eased a gag order on reporting of FISA requests, the five tech giants and advocates for greater transparency yesterday published data for the first six months of 2013.
The respective transparency reports are somewhat a victory for the companies, which banded together for much of last year filing lawsuits and signing petitions asking the government to allow them greater transparency on reporting requests for data involving national security. Apple and CloudFlare updated their transparency reports already last week, the same day as the Justice Department’s ruling.
The government finally conceded last week after months of negotiating, giving companies two reporting options. In return, the companies agreed to drop their suits.
The first option brings FISA reporting in line with reporting of National Security Letters in that companies will be able to report the number of FISA orders for content, non-content, as well as the number of customer accounts affected for each in bands of 1,000 requests. The reporting restrictions around National Security Letters were eased last summer and companies are allowed to similarly bundle their reporting.
Reports may be published every six months, however, reporting on national security orders issued against data collected by new company products and services must be delayed two years.
The second option allows companies to report all national security requests, NSLs or FISA orders, and the number of customer accounts affected with exact numbers up to 250 requests, and thereafter in bands of 250.
The companies cried out about the limited reporting options afforded them by the government.
“We were not, for example, permitted to break down the data between conventional law enforcement requests and those related to national security, or indeed even to acknowledge that we had received certain types of national-security related requests at all,” said Facebook general counsel Colin Stretch.
In general, the number of requests reported today involves a tiny percentage of the companies’ respective customers, and the firms hope the updated transparency reports dispel the possibility they may have been secretly cooperating with the government in providing them data on customers’ activity.
“While our customers number hundreds of millions, the accounts affected by these orders barely reach into the tens of thousands. This obviously means that only a fraction of a percent of our users are affected by these orders,” said Microsoft general counsel Brad Smith. “In short, this means that we have not received the type of bulk data requests that are commonly discussed publicly regarding telephone records. This is a point we’ve publicly been making in a generalized way since last summer, and it’s good finally to have the ability to share concrete data.”
The requests made each company generally fall within 0-999 for content and non-content requests, as well as National Security Letters. Yahoo, however, is an outlier. The company was the laggard among tech giants in turning on SSL encryption by default last month on its web-based email service. The lag is noteworthy for Yahoo, which is more than three years behind Google’s default implementation of SSL for Gmail. Users of Microsoft’s Outlook.com webmail service have had SSL enabled by default since July 2012 while Facebook made it the default last February.
Experts were quick to criticize Yahoo’s lax encryption implementation for its customers, especially in light of the surveillance carried out by the National Security Agency. SSL, the experts said, should be considered a minimum standard and that other technologies such as Perfect Forward Secrecy and HTTP Strict Transport Security should be implemented as well. Sites and services such as Dropbox, Facebook and Twitter already implement both or plan to in 2014 according to the Electronic Frontier Foundation’s 2013 Encrypt the Web report.
A company-by-company breakdown of requests for the first half of 2013 is as follows:
- Microsoft: FISA orders seeking content 0-999; accounts impacted by FISA orders seeking content 15,000-15,999; FISA non-content requests 0-999; accounts impacted by FISA non-content requests 0-999; National Security Letters non-content orders 0-999; accounts impacted by National Security Letters non-content orders 0-999.
- Yahoo: FISA orders seeking content 0-999; accounts impacted by FISA orders seeking content 30,000-30,999; FISA non-content requests 0-999; accounts impacted by FISA non-content requests 0-999; National Security Letters requests 0-999; accounts impacted by National Security Letters requests 0-999.
- Facebook: FISA orders seeking content 0-999; accounts impacted by FISA orders seeking content 4,000-4,999; FISA non-content requests 0-999; accounts impacted by FISA non-content requests 0-999; National Security Letters requests 0-999; accounts impacted by National Security Letters requests 0-999.
- LinkedIn: National Security Letters requests 0-249; accounts impacted by National Security Letter requests 0-249.
- Google: FISA orders seeking content 0-999; accounts impacted by FISA orders seeking content 9,000-9,999; FISA non-content requests 0-999; accounts impacted by FISA non-content orders 0-999;
