What if Silicon Valley just released data request figures anyway? Think again, lawyers say
"We don't know."
These three little words, on their own and without context, may seem meaningless. But when spoken by a lawyer, by all accounts should send shivers of sheer terror down your spine.
In a rare act of unity, several Silicon Valley giants are collaborating in a legal bid to save face after a torrent of leaks — relating to the U.S. government's mass surveillance machine — broke in June. At the time, reporters' claims — which were later retracted — appeared to implicate the companies as willing particpants in the surveillance scandal.
But should their legal bid fail — a likely prospect when dealing with a secretive Washington D.C. court charged with defending national security within the U.S. government's mass surveillance system — these major technology companies may have no recourse from claims made against them.
The legal bid is simple: These companies want to show that they were forced under federal law to hand over customer data, by disclosing how many secret data request orders the U.S. government served on them over a six-month or yearly basis.
The trouble is that they're not allowed to release the figures. Federal law permits such disclosures.
The logical conclusion, therefore, is to throw caution to the wind, and with the might and power, money and influence of their customer base and economic footprint in the U.S., to simply disclose the figures anyway.
But even lawyers and experts in this area aren't entirely sure of the consequences should Silicon Valley take matters into their own hands.
"Direct access" and claims of complicity
Slides posted by The Guardian and the Washington Post lifted the lid in early June on the U.S. National Security Agency's (NSA) vast domestic and foreign intelligence gathering and surveillance machine, revealed by former U.S. government contractor turned whistleblower Edward Snowden.
Snowden revealed a shadowy program known as PRISM, what is now understood to be a data requesting tool used by federal government agencies in order to acquire records held on U.S. citizens and foreign nationals under the Foreign Intelligence Surveillance Act (FISA).
PRISM allegedly gave the government "direct access" to servers. The claim was quickly retracted (albeit not quickly enough), but nonetheless caused immense damage to the reputations of the companies involved.
Since then, Microsoft and Google, Yahoo and Facebook have all joined the fight to clear their names by filing lawsuits against the U.S. government to allow the disclosure of data requests. The companies retorted with claims of free speech under the First Amendment. This, they hope, shows that they resisted government requests to disclose user and customer data to the NSA or any other intelligence agency or law enforcement unit.
But the federal government is fighting back.
Citing "national security," the Justice Department is attempting to conceal the number of requests it makes to these select major technology companies for fear that it will harm ongoing intelligence operations or investigations and threats to national security.
Ultimately, the legal exercise may not reveal much about the secret serve-and-grab program. According to the Washington Post, one of the publications in possession of the Snowden documents, PRISM does not require individual warrants from the court each time a search is made.
Despite the murk and mud from the confusing and ever-developing spread of leaked classified materials, it is clear that the secretive Foreign Intelligence Surveillance Court (FISC), created under its aforementioned namesake law, holds the keys to the scandal.
All roads lead back to Washington's secret surveillance court
The secretive Washington D.C.-based court has faced extreme scrutiny in recent months following the Snowden leaks as it became clear that the panel of 11 judges systematically authorized more and more programs, allowing the NSA to collect vast amounts of data belonging to both Americans and foreigners alike.
With almost zero accountability, retained records are classified to the rafters, with very few outside government and Congress given access.
Out of 1,789 eavesdropping requests, only one was not passed — because the U.S. government withdrew the request.
There have been only a few occasions where the court has snipped the wings of the NSA's power. According to one report sent to Congress, the court approved all but one of the 1,789 eavesdropping requests submitted by the government in 2012. The government withdrew the one remaining.
In total, 40 of the requests were modified for unknown reasons — likely to expand or more likely limit the scope of surveillance.
On one occasion, the FISC ruled a secret NSA program illegal and in breach of the Fourth Amendment, which protects against unreasonable search and seizure. The court's judges were "troubled" over the NSA's acquisition of Internet traffic, which vacuumed up American's email and other data.
It was the third time in less than three years that the federal government disclosed a "substantial misrepresentation" of the scope of its collection programs, according to heavily redacted court documents.
The New York Times in July, in response to the NSA-related leaks, compared the FISC to being "almost a parallel [to the] Supreme Court" on issues relating to surveillance and intelligence issues.
Out of the loop
If you are served with a FISA court order, you had better lawyer up. And not just any lawyer: one that has security clearance. Because the court's activities are shrouded in the highest level of secrecy, lawyers who have not been vetted prior to hearings are not even allowed access to the thick-walled, soundproof chambers.
"What exactly goes on in that court... we have to rely on some of the reports who have sat on the bench for that court, and some of the FBI agents who have appeared before the court," according to Deborah Caldwell-Stone, deputy director for the Office of Intellectual Freedom at the American Library Association, who spoke to ZDNet on the phone.
"Neither FISA or the [FISA Amendments Act] prohibit Facebook from disclosing the aggregate data. The First Amendment also ensures Facebook's right to report these data and to respond to public criticism." — Facebook legal motion, September 2013
"Any subpoena or demand for a record that carries the weight of a court, can contain a gag order," Caldwell-Stone said, should an argument that disclosing certain facts may jeopardize an investigation.
Few have challenged such accompanying gag orders, but those who have are often forced to wait years for their cases to resolve.
"Individuals under Patriot Act gag orders can be permanently gagged," she added, which is why some of those cases have been brought against the orders under claims of First Amendment rights to free speech.
But, she warned, "we don't have a factual basis to go off," noting that she and others could only speculate, because the law itself does not specify what such penalties might be.
Under 2006 amendments to the Patriot Act, those who receive data requests and subsequent gag orders were then allowed to share with others only if they are in a position to assist in serving the government's request. All those informed are immediately subject to the gag order themselves, and face the same penalties should they violate that order.
But very few people within a company will be allowed to deal with FISA court orders and data requests, including National Security Letters, which are often served in accompaniment to data requests to gag recipients in order to prevent their disclosure. In some cases there will be a dedicated department of just a handful of people in a company that take in data demands and are able to fulfil those requests — specifically acquiring user data and sending it back to the requesting U.S. government agency.
In most cases, particularly with larger companies — such as the named nine Silicon Valley giants — the chances of anyone in the executive-level suite knowing are slim, allowing chief executives and their senior staff to appease shareholders with an air of plausible deniability.
But the buck nonetheless stops with those select few inside corporate walls who are subject to the court order, as well as the companies they work for and represent.
Just release the damn numbers already: What's the worst that could happen?
There is an uncertainty over what penalties companies and individuals face in regards to wide-ranging orders that can vacuum up all "tangible things," which under Section 215 of the Patriot Act allows the mass collection of a company's user's data.
Under the National Security Letters provision, the law is relatively clear. "You're subject to a fine and up to five years in prison," Caldwell-Stone said.
But trouble arises when companies are served gagging orders under the FISA and not the Patriot Act.
"The individuals involved and subject to the court order could be subject to penalties," she said, but remained unclear as to whether there be a fine imposed on the company itself for the action of its "agents." As per the statute, she explained the individual is responsible for ensuring that the information is not released.
Patrick Toomey, a staff attorney at the American Civil Liberty Union's (ACLU) National Security Project, said those who knew of FISA requests could also be prosecuted also for breaking the terms of their governmental security clearance.
"Individuals have to enter a specific agreement to handle these kinds of [FISA] materials," he said. "If the company disclosed the contents of a FISA order, they would be prosecuted or penalized by the FBI in violation of those security clearance agreements."
Toomey explained the text of the law governing gagging orders between National Security Letters and FISA orders are different. He said because the substance of the requests are so similar — all involving requests of customer data — many companies are applying the framework of the law that governs National Security Letters to the context of FISA requests, even without the penalties being spelled out the same way.
The companies implicated in the PRISM surveillance scandal are beginning to catch on.
Apple reiterated this point in a recent amicus brief that the law the FBI was citing did not provide any specific reasons as to why it couldn't disclose such data. The FBI claimed the FISA statute as the relevant issue, the brief noted. The iPhone and iPad maker argued, however: "Even on that issue, the FBI did not identify anything in the law that authorizes the Government to prohibit disclosure of the aggregate number of national security requests received by Apple."
"Nothing in FISA's text or legislative history suggests the Act prohibits a recipient of a FISA order from confirming (or denying) the basic fact that it has (or has not) received a nondescript legal process under FISA, or from disclosing the aggregate number of requests it has received," the document read.
Simply put, Apple argues that it should be allowed to disclose data, unless there is a secret internal interpretation at the Justice Department, for example. In such a case, this would not be too dissimilar from a comparable secret interpretation of the Patriot Act, as first described by Sen. Ron Wyden (D-OR) and Sen. Mark Udall (D-CO) more than two years ago.
On Wednesday, the FBI fired back on all cylinders in efforts to resist the efforts by the Silicon Valley giants. The understood-to-be secret interpretation was released, albeit heavily redacted, putting the companies at a great disadvantage. The reason: Because of the classified nature of the FISC court document, only the judges overseeing the case will be able to see the document.
Featured
"Companies are so risk averse with government interactions," Toomey said. "They don't want to test the limits in any serious way by violating the type of gag order the FBI appears to be insisting on."
"The statute that authorizes the business records collection under FISA doesn't have a prescribed penalty, whereas National Security Letters do," Caldwell-Stone said. "Under the U.S. system, if you violate a court-ordered gag order, that amounts to contempt of court. And the court is free to fashion a penalty to address the severity of the situation. It could be a fine, or it could be a jail term, or both," she said.
The outcome to the data request figures debacle, a scandal in its own right, could fall either way.
No doubt the companies are preparing for the worst-case scenario — a firm denial by the court — which would put the nine Silicon Valley-based firms squarely between a moral and ethical rock and a hard place.
In spite of the quandary, the consequences would be dire for companies and their employees subject to these secret laws — even if the penalties are not prescribed directly in law.
While it may have taken one person, a whistleblower, to disclose the data disclosure scandal in its own right, the chances are you won't find even a handful of people in each company willing to fall on their corporate sword for the sake of transparency.