US govt, tech firms settle: Round 1 to the govt

Summary: The government will allow large tech companies to disclose more information about the extent of their compliance with national security orders for customer data, but maybe not enough.

The US Department of Justice announced today a settlement in litigation with several technology companies before the Foreign Intelligence Surveillance Court (FISC).

The five tech companies that had filed suit in the FISC to seek permission to disclose more details about their compliance with government requests for customer data in national security cases (Yahoo!, Microsoft, Google, LinkedIn and Facebook) have agreed to the settlement, but they appear not to be completely satisfied with the result.

The following statement was provided to ZDNet by Microsoft, but attributed to a spokesperson for all five companies who dismissed their motions: "We filed our lawsuits because we believe that the public has a right to know about the volume and types of national security requests we receive. We're pleased the Department of Justice has agreed that we and other providers can disclose this information. While this is a very positive step, we'll continue to encourage Congress to take additional steps to address all of the reforms we believe are needed."

Apple had endorsed, but not joined, the litigation. The company was quoted in the Washington Post as saying "We applaud the Administration for taking this important step toward greater transparency, and we thank the Justice Department for considering Apple's point of view as it reached this decision."

The actual agreement filed with the FISC still places complicated restrictions on when and how the companies may release the information. They may not give exact numbers of requests from the government, but may do so only in "bands" of either 1000 or 250, under two schemes from which the company may choose. Broadly speaking, they may disclose specific categories of request in bands of 1000, or disclose overall requests in bands of 250. In other words, in the first case they may say that there were between 0 and 999 requests, 1000 and 1999 requests, and so on, but not a specific number.

In the Washington Post article, Apple chooses option 2, saying "...that it had received fewer than 249 national security letters, affecting fewer than 249 accounts, in the first six months of 2013."

Since the goal of disclosure for the tech companies is to reassure customers that they are not divulging customer data willy-nilly, the lack of specificity in the allowable disclosures, and a delay of two years for disclosure of any requests related to new platforms, leave much room for customers to wonder.

The two-year delay is specifically "...for data relating to the first order that is served on a company for a platform, product, or service (whether developed or acquired) for which the company has not previously received such an order, and that is designated by the government as a 'New Capability Order' because disclosing it would reveal that the platform, product, or service is subject to previously undisclosed collection through FISA orders." Presumably the government has primary say over what is a "new capability."

Like the move to have the telecoms, rather than the government, hold telephone metadata requested under section 215 of the PATRIOT Act, allowing the tech companies to disclose this level of information is not likely to satisfy anyone who had genuine concerns about the program. The government has ceded ground in this battle but still controls the field. The war over disclosure is not over.

Talkback

  • This is bullshit

    1. You should only trust a cloud which encrypts your data with your and only your key, which no other person has access to; otherwise you should not trust it (this can be implemented easily without users even knowing it, like what SpiderOak did).

    2. If you trust a proprietary software which specially originates from USA you are a complete moron!
    L3thargic
  • Round 1 to the Government

    I think the answer is simple: "If you are an IT Manager, just don't use any piece of technology (hardware, software, services, whatever), that is either manufactured in the U.S., or which is owned by a U.S.-based company."

    I am recommending to all my non-U.S. customers that they dump / phase out all U.S.-manufactured equipment, as soon as possible. Many of my customers are doing just that. Hope you're happy, NSA.
    AngerNotManaged