U.S. government loosens gag order on security-related data requests

U.S. government loosens gag order on security-related data requests

Summary: In response to stories about widespread spying by the NSA, some giant tech companies asked the government for permission to disclose more details about national security orders. The government has now granted those requests, with significant restrictions that have Microsoft and Google agreeing they don't go far enough.


Updated June 16 with information from Microsoft's 2012 Law Enforcement Requests Report.

Update June 17 with statement from Apple.

Earlier this week, in a response to ongoing allegations of widespread surveillance by the United States government, Google published an open letter to the Attorney General and the FBI director asking for permission to disclose details about the company's response to national security requests. Facebook and Microsoft published similar requests shortly thereafter.

Late Friday night, Microsoft and Facebook revealed that the government had relaxed their nondisclosure agreement slightly. In separate late-night posts, the two companies provided details and a description of the new ground rules they’re required to follow.

Also see: Apple: iMessage and Facetime are encrypted so we can't hand over info

Microsoft's post, written by John Frank, Vice President & Deputy General Counsel, describes the new rules:

We are permitted to publish data on national security orders received (including, if any, FISA Orders and FISA Directives), but only if aggregated with law enforcement requests from all other U.S. local, state and federal law enforcement agencies; only for the six-month period of July 1, 2012 thru December 31, 2012; only if the totals are presented in bands of 1,000; and all Microsoft consumer services had to be reported together.

We previously published aggregated data for law enforcement requests for the twelve months ended December 31, 2012 in our Law Enforcement Requests Report; but because the national security orders prohibit us from disclosing their existence, we could not include them in that data set. 

The new numbers, according to Microsoft, now include “the total volume of national security orders, which may include FISA orders.” In a twist straight out of Alice in Wonderland, the company says, “We are still not permitted to confirm whether we have received any FISA orders, but if we were to have received any they would now be included in our aggregate volumes.”

The new data is as follows, with the emphasis in the original:

For the six months ended December 31, 2012, Microsoft received  between 6,000 and 7,000 criminal and national security warrants, subpoenas and orders affecting between 31,000 and 32,000 consumer accounts from U.S. governmental entities (including local, state and federal). This only impacts a tiny fraction of Microsoft’s global customer base.

We have not received any national security orders of the type that Verizon was reported to have received that required Verizon to provide business records about U.S. customers.

Update June 16:

It's impossible to precisely break out the national security orders from more traditional law enforcement requests because of the way that Microsoft reports its data. The 2012 Law Enforcement Requests Report covers all of 2012, whereas the new figures cover only the second half of the year. But it is possible to make some assumptions.

A total of 12,227 law enforcement requests came from the United States for the entire year. If one assumes those requests were evenly spread over the entire year, then the number for the second half of the year would be just over 6000. Comparing that to the numbers in the new disclosure, "between 6,000 and 7,000 criminal and national security warrants, subpoenas and orders,"  suggests that national security related data requests to Microsoft from the United States government number fewer than 2,000 per year.

In total, Microsoft says U.S.-based requests for data about customers of its services, including Skype, affected 29,379 "accounts/identifiers" for all of 2012. With national security related requests included, the total for the second half of the year alone was between 31,000 and 32,000 accounts. The obvious takeaway is that the identifiers used for national security requests typically result in a larger number of accounts being affected—an average of 8 to 10 accounts per request rather than the 2 to 3 accounts in a traditional law enforcement request. Still, a total that numbers in the tens of thousands is a very small percentage of the total customer base for all Microsoft services, which numbers in the hundreds of millions. Skype alone had approximately 600 milion accounts in 2012.

It's also worth noting that requests from other countries aren't subject to the nondisclosure requirements that U.S. law imposes on Microsoft and other companies. According to the 2012 report, Microsoft and Skype received a total of 75,378 law enforcement requests worldwide. The United States came in second on the list of requests to Microsoft (excluding Skype). The largest number came from Turkey. The United Kingdom, France, and Germany, in order, made up the rest of the top 5.

Facebook’s statement was authored by the company’s General Counsel, Ted Ullyot:

We’ve reiterated in recent days that we scrutinize every government data request that we receive – whether from state, local, federal, or foreign governments. We’ve also made clear that we aggressively protect our users’ data when confronted with such requests: we frequently reject such requests outright, or require the government to substantially scale down its requests, or simply give the government much less data than it has requested. And we respond only as required by law.

But particularly in light of continued confusion and inaccurate reporting related to this issue, we’ve advocated for the ability to say even more.

Facebook is under restrictions that sound similar to those reported by Microsoft:

We’re pleased that as a result of our discussions, we can now include in a transparency report all U.S. national security-related requests (including FISA as well as National Security Letters) – which until now no company has been permitted to do. As of today, the government will only authorize us to communicate about these numbers in aggregate, and as a range. This is progress, but we’re continuing to push for even more transparency, so that our users around the world can understand how infrequently we are asked to provide user data on national security grounds.

For the six months ending December 31, 2012, the total number of user-data requests Facebook received from any and all government entities in the U.S. (including local, state, and federal, and including criminal and national security-related requests) – was between 9,000 and 10,000. These requests run the gamut – from things like a local sheriff trying to find a missing child, to a federal marshal tracking a fugitive, to a police department investigating an assault, to a national security official investigating a terrorist threat. The total number of Facebook user accounts for which data was requested pursuant to the entirety of those 9-10 thousand requests was between 18,000 and 19,000 accounts.

Last March, Google received permission to disclose some very broad information about national security letters, revealing that it had received between 0 and 999 NSLs each year starting in 2009. In a statement to the New York Times, Google said the new guidelines are unacceptable:

“Lumping the two categories together would be a step back for users,” the statement said. “Our request to the government is clear: to be able to publish aggregate numbers of national security requests, including FISA disclosures, separately.”

Twitter's legal director, Benjamin Lee, also objected, via Twitter (naturally):

We agree with @Google: It's important to be able to publish numbers of national security requests—including FISA disclosures—separately.

— Benjamin Lee (@BenL) June 15, 2013

In its statement Microsoft says it believes the new guidelines still “fall short of what is needed to help the community understand and debate these issues. … With more time, we hope [the government] will take further steps.”

Update June 17: In an unsigned, undated statement on its website, Apple says the company "asked the U.S. government for permission to report how many requests we receive related to national security and how we handle them. We have been authorized to share some of that data."

From December 1, 2012 to May 31, 2013, Apple received between 4,000 and 5,000 requests from U.S. law enforcement for customer data. Between 9,000 and 10,000 accounts or devices were specified in those requests, which came from federal, state and local authorities and included both criminal investigations and national security matters. The most common form of request comes from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer’s disease, or hoping to prevent a suicide.

Apple's pointed statement reiterates that the company does not "provide any government agency with direct access to our servers," and it says its legal team evaluates each request and delivers "the narrowest possible set of information to the authorities."

In particular, Apple notes that iMessage and FaceTime conversations are protected by end-to-end encryption, and "Apple cannot decrypt that data." The company also says it does not store any data related to customers’ location, Map searches or Siri requests.

Topics: Security, Apple, Google, Microsoft

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Verizon-type requests

    >>We have not received any national security orders of the type that Verizon was reported to have received that required Verizon to provide business records about U.S. customers.

    They're not a telephone company, so of course they wouldn't. Is there a point to this statement?
    • I think they were just heading off objections

      If they didn't include this, you just KNOW someone would say they probably got one and were refusing to mention it.
      Ed Bott
    • And, with Skype, they kinda sorta are a phone company

  • Isn't this like sayin

    Isn't this like saying that you can talk about how much dog poop is on the beach, but only if you also include the grains of sand?

    There's an obvious difference between a police agency asking for information about a criminal, and the government doing suspicionless dragnet surveillance on the entire American public. If I post a picture of myself on Facebook, holding up stolen property or a bag of loot from a possible bank robbery, my local police might want to ask Facebook for more information. That's a far cry from the NSA trolling every photo or post on Facebook.

    To me, the idea of police catching a thief based on a Facebook photo is something that pretty much no one opposes. On the other hand, giving the NSA unfettered, warrantless access to the whole of Facebook is something altogether different. We're in a situation where we, as citizens and voters, don't adequately understand what they have access to, or how they're using that access. And that's because our government is hiding things and outright lying. IMO lumping in NSA blanket surveillance activities with legitimate law enforcement requests is pretty much as useless as just refusing to disclose it - the legitimate requests so muddy the water that we still have no idea what our goverment is doing.
    • Not sure where you're getting that

      The two disclosures list the total number of accounts whose data Facebook and Microsoft gave to authorities at any level. The numbers seem very low to me. Where do you get "unfettered, warrantless access to the whole of Facebook"?
      Ed Bott
      • Even if the Numbers are Low

        that doesn't mean there weren't abuses of power. Just that the numbers were low. Rendition is another form of abuse of power that takes place in low numbers, however that does not make it any less an abuse of power, nor does it render that abuse of power any less significant. Given the abuses of power that often come to light, nobody can be blamed for being wary of them occurring.
        • Abuses of power ?!

          Abuse of powers is not limited to digital world.
          We accept that we need police and securtiy services that have special powers.
          Power in the use of violence and in the search and seizure of goods and in invading privacy through searchwarrants and telephone tabs. Now we see that these powers extend also in the digital world.
          Especially the searchwarrent/subpoena

          However it does not mean that we should be afraid. Of course some abuse will happen just like it does with the tradtional police powers. This just means we have to monitor the police and security services just like we already do monitor them for abusing their traditional powers.

          If you are paranoia about police and or security services abusing their powers you should worry more about getting shot by them than about a warrant to search your email.
      • Prism

        It seems to me that the government is using a lot of clever semantics to describe these programs. The way I'm reading this is that the providers each got several thousand requests for specific data about specific individuals. With that logic, they're able to say we only got a few hundred phone calls, a few thousand people's account information, or whatever.

        That doesn't really address the wider issue of Prism, which much of the reporting has stated or implied much wider access to way more data than what is found in the disclosures. I don't particularly care about whether someone at the NSA logged into a provider with root access, or used some intermediate system to get the same access - the issue is not so much how they did it, but rather what they got and with what authority?

        "Collection directly from the servers," "extensive, in-depth surveillance on live communications and stored information," "possibility of communications made entirely within the US being collected without warrants" http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data

        Given that the government did everything in its power to keep these programs secret, and that they interpreted the law in ways never intended by the representatives who wrote it, I'm viewing all of their statements with a high level of skepticism. As for Google, Facebook et al, they're already viewed in a negative light by privacy advocates and us tin foil hat wearers. Do you really expect openness and honesty from any of them on this topic, especially when the government gives them cover to lie?
      • Wont be two sets of numbers to compare in future

        Now that the government has gracelessly and grudgingly given the tech companies "permission" to publish total numbers (including FISA and NSL's), in the future we won't have two sets of numbers to compare for any given time frame. So, the numbers will be effectively "hidden".

        Two points:
        1 - There is NO OVERSIGHT on individual FISA orders and how they are actually carried out. If a government agency, once the Court provides the order, overreaches on that order, there is no one to know - because it is ALL CLASSIFIED and the tech companies are forbidden BY LAW from revealing TO ANYONE (which would include ANOTHER government agency) what the NSL or Court Order requested. Nice huh ?

        Do I trust everyone who works in my government ? NO.
        Do I trust there is adequate oversight of individuals working within my government to prevent misuse of information received from an NSL or FISA Order ? NO.

        2 - FISA court orders and NSLs are NOT "PRISM". That is another kettle of fish altogether.

        I believe that PRISM is what Dave was referencing in his comment on 'unfettered' access. I also believe that everyone has got ahold - thanks to the clueless poodle press - of the wrong end of the stick on PRISM. I don't think the tech companies are KNOWINGLY providing data to NSA. I think NSA has a "tap on the line" of ALL (or virtually all) internet traffic. The tech companies don't run the internet - they're just a part of it like everyone else.
      • Is 90 Accounts per Day Significant?

        According to Dorothy Chou, a senior policy analyst at Google, in the first 6 months of 2012 Google received requests from US law enforcement and court affecting 16,281 accounts.

        If the volume or requests were to continue to accelerate at the rate of 26% semiannually, that number would now be double.

        Nov, 13, 2012
        Google reported that law enforcement and courts in the United States made nearly 8,000 requests for user information in the first half of 2012 from all of Google’s products — including Gmail, search, Google Docs, etc. The number of requests from the American law enforcement alone jumped 26 percent from the previous six months, when 6,321 requests were made.

        Government officials wanted information on 16,281 accounts, Google said, and Google complied roughly 90 percent of the time.

        The report shows governments around the world not only wanted more data for law enforcement purposes but also increased requests to Google to remove content.. “Government surveillance is on the rise,” Dorothy Chou, a senior policy analyst at Google, wrote in a blog post announcing the report.
  • Agreement?

    Ed, you wrote 'the government had relaxed their nondisclosure agreement slightly." The Google and Microsoft responses make it look more like a command than an agreement.

    That's not meant to detract from your as always great work.
    • A one-sided negotiation, to be sure

      Both Microsoft and Google are used to being on the other side of that kind of "agreement." See their terms of service and license agreements.
      Ed Bott
  • Comment 5663.d_2

    You see this is all overblown conspiracy jargon! Only the crazies believe any of this! See how few court orders there were and almost none of them from us!

    Go back to work people, don't think about this stuff.
    • The NSA Does Not Have to Request

      They just take it. No warrants, no subpenas, and no regard for the constitution.
  • Hidden

    Making them report aggregate can be translated to mean "hidding" the requests. Its like yelling out "there a fire" but only on condition that you are surrounded with 1,000 jackhammers, car horns, and such.
  • Why? Stupidity

    Just as a cover-up results in more embarrassment than simply admitting up-front "We made a mistake", this stupidity also causes more trouble by making people ask "Why the game?".

    If MS/etc. were allowed to say "We received 1500 requests in the last six months", it would not be a big deal -- when the story first broke, we thought it was 10s or even 100s of thousands of requests.

    They are not so stupid to think we won't be able to come up with an approximation, the numbers are not outrageous, so why not just be up-front? Are they afraid of local law enforcement issuing a statement that the NSA instructed them to make requests? Are they keeping the frenzy going to distract people from something else? Are they afraid people will accuse them of not taking enough advantage of their snooping powers?

    and so it goes...
  • LOL

    You people are so easily distracted. Now you believe these court orders are what we were doing?

    Have a nice day
  • Nope

    PRISM, Room 641A, Stingray are just the tip of an iceberg.

    I assume the Verizon requests were only to augment the conversations the NSA had already recorded.

    Based on an NSA request to Congress made back in the 1980's to increase the recording of domestic phone conversations from the then level of 60%, I expect all land line conversations are currently being recorded.

    When their Stingray project gets up to speed the mobile conversation recording will reach that level.

    If one were to research the number of hard drives manufactured vs. the number of computers, they would find a huge disparity. Who is using all those hard drives?

    As a former Telecom engineer with close friends in the voice recording business, I have heard things. What Snowden revealed was nothing.

    "My understanding is that espionage means giving secret or classified information to the enemy. Since Snowden shared information with the American people, his indictment for espionage could reveal (or confirm) that the US Government views you and me as the enemy." -Ron Paul