Silicon Valley tech giants have reportedly begun notifying users of data requests by government authorities under subpoena, despite requests by the government to retain a level of secrecy.
Reported by The Washington Post on Thursday, Apple, Facebook, Google, Microsoft and Yahoo have updated their policies to notify users of a data request unless a judge or other competent authority issues a gag order.
These issues are technically unrelated to surveillance matters disclosed last year by whistleblower Edward Snowden. Neither the National Security Agency nor the Foreign Intelligence Surveillance (FISA) Court are involved. But the new company policies are a clear response to the embarrassment suffered by the companies in light of the disclosure.
Since the disclosure of NSA surveillance programs, the companies have worked to demonstrate to customers that they do not give the government free rein over customer data. Many of them sued the federal government in the FISA court for the right to disclose aggregate data about the number of requests.
A settlement was reached and the aggregate disclosures began in February.
Silicon Valley have longed to release these secret FISA figures, no more so than in recent months following the Snowden disclosures. ZDNet spoke to a number of legal experts, lawyers, and academics in November, and the consensus was that they "don't know" precisely what would happen should these companies release the figures regardless of the restrictions.
"Nothing in FISA's text or legislative history suggests the Act prohibits a recipient of a FISA order from... disclosing the aggregate number of requests it has received." — Apple amicus brief, 2013
Any number of financial or custodial penalties could be applied to individuals known to be aware of FISA orders, according to Deborah Caldwell-Stone, deputy director for the Office of Intellectual Freedom at the American Library Association, who spoke to ZDNet last year.
"We don't have a factual basis to go off," she said, describing how experts could only speculate because the law itself does not specify what such penalties might be. However, at very least, violating a gag order would amount to contempt of court, she said.
However, if the company disclosed the contents of a FISA order, they would be prosecuted or penalized by the FBI in violation of those security clearance agreements, according to Patrick Toomey, a staff attorney at the American Civil Liberty Union's (ACLU) National Security Project.
The history of subpoenas shows that disclosure to the target of investigation was traditionally given and, in many cases, is inevitable if it requires the cooperation of the target. In the context of Internet records, the data is held by a third-party — the largest tech companies at issue — and courts have ruled that disclosure to the tech company was sufficient.
But the tech companies have decided to assert customer rights in the face of such subpoenas. The Washington Post article gives no indication that the government is attempting to force the issue, and in fact the new policies have led many government entities to withdraw or hold back on requests.
Such unilateral action was considered by the companies during the dispute over releasing aggregate FISA request data. The legal implications of that act were unclear, but in that case the parties were operating under the authority of the FISA court. The subpoena requests happen at all levels of government. US magistrate judges, who hear requests by Federal authorities for user data, have also begun pushing back against many of them.
The EFF has periodically reported on the extent to which companies protect user privacy. The latest report shows Dropbox, LinkedIn, Sonic.net, SpiderOak and Twitter as telling users about data demands, with Google getting partial credit.
A new and updated report is due to be released later this month.