U.S. government loosens gag order on security-related data requests
Updated June 16 with information from Microsoft's 2012 Law Enforcement Requests Report.
Update June 17 with statement from Apple.
Earlier this week, in a response to ongoing allegations of widespread surveillance by the United States government, Google published an open letter to the Attorney General and the FBI director asking for permission to disclose details about the company's response to national security requests. Facebook and Microsoft published similar requests shortly thereafter.
Late Friday night, Microsoft and Facebook revealed that the government had relaxed their nondisclosure agreement slightly. In separate late-night posts, the two companies provided details and a description of the new ground rules they’re required to follow.
Also see: Apple: iMessage and Facetime are encrypted so we can't hand over info
Microsoft's post, written by John Frank, Vice President & Deputy General Counsel, describes the new rules:
We are permitted to publish data on national security orders received (including, if any, FISA Orders and FISA Directives), but only if aggregated with law enforcement requests from all other U.S. local, state and federal law enforcement agencies; only for the six-month period of July 1, 2012 thru December 31, 2012; only if the totals are presented in bands of 1,000; and all Microsoft consumer services had to be reported together.
We previously published aggregated data for law enforcement requests for the twelve months ended December 31, 2012 in our Law Enforcement Requests Report; but because the national security orders prohibit us from disclosing their existence, we could not include them in that data set.
The new numbers, according to Microsoft, now include “the total volume of national security orders, which may include FISA orders.” In a twist straight out of Alice in Wonderland, the company says, “We are still not permitted to confirm whether we have received any FISA orders, but if we were to have received any they would now be included in our aggregate volumes.”
Read this
The new data is as follows, with the emphasis in the original:
For the six months ended December 31, 2012, Microsoft received between 6,000 and 7,000 criminal and national security warrants, subpoenas and orders affecting between 31,000 and 32,000 consumer accounts from U.S. governmental entities (including local, state and federal). This only impacts a tiny fraction of Microsoft’s global customer base.
We have not received any national security orders of the type that Verizon was reported to have received that required Verizon to provide business records about U.S. customers.
Update June 16:
It's impossible to precisely break out the national security orders from more traditional law enforcement requests because of the way that Microsoft reports its data. The 2012 Law Enforcement Requests Report covers all of 2012, whereas the new figures cover only the second half of the year. But it is possible to make some assumptions.
A total of 12,227 law enforcement requests came from the United States for the entire year. If one assumes those requests were evenly spread over the entire year, then the number for the second half of the year would be just over 6000. Comparing that to the numbers in the new disclosure, "between 6,000 and 7,000 criminal and national security warrants, subpoenas and orders," suggests that national security related data requests to Microsoft from the United States government number fewer than 2,000 per year.
In total, Microsoft says U.S.-based requests for data about customers of its services, including Skype, affected 29,379 "accounts/identifiers" for all of 2012. With national security related requests included, the total for the second half of the year alone was between 31,000 and 32,000 accounts. The obvious takeaway is that the identifiers used for national security requests typically result in a larger number of accounts being affected—an average of 8 to 10 accounts per request rather than the 2 to 3 accounts in a traditional law enforcement request. Still, a total that numbers in the tens of thousands is a very small percentage of the total customer base for all Microsoft services, which numbers in the hundreds of millions. Skype alone had approximately 600 milion accounts in 2012.
It's also worth noting that requests from other countries aren't subject to the nondisclosure requirements that U.S. law imposes on Microsoft and other companies. According to the 2012 report, Microsoft and Skype received a total of 75,378 law enforcement requests worldwide. The United States came in second on the list of requests to Microsoft (excluding Skype). The largest number came from Turkey. The United Kingdom, France, and Germany, in order, made up the rest of the top 5.
Facebook’s statement was authored by the company’s General Counsel, Ted Ullyot:
We’ve reiterated in recent days that we scrutinize every government data request that we receive – whether from state, local, federal, or foreign governments. We’ve also made clear that we aggressively protect our users’ data when confronted with such requests: we frequently reject such requests outright, or require the government to substantially scale down its requests, or simply give the government much less data than it has requested. And we respond only as required by law.
But particularly in light of continued confusion and inaccurate reporting related to this issue, we’ve advocated for the ability to say even more.
Facebook is under restrictions that sound similar to those reported by Microsoft:
We’re pleased that as a result of our discussions, we can now include in a transparency report all U.S. national security-related requests (including FISA as well as National Security Letters) – which until now no company has been permitted to do. As of today, the government will only authorize us to communicate about these numbers in aggregate, and as a range. This is progress, but we’re continuing to push for even more transparency, so that our users around the world can understand how infrequently we are asked to provide user data on national security grounds.
For the six months ending December 31, 2012, the total number of user-data requests Facebook received from any and all government entities in the U.S. (including local, state, and federal, and including criminal and national security-related requests) – was between 9,000 and 10,000. These requests run the gamut – from things like a local sheriff trying to find a missing child, to a federal marshal tracking a fugitive, to a police department investigating an assault, to a national security official investigating a terrorist threat. The total number of Facebook user accounts for which data was requested pursuant to the entirety of those 9-10 thousand requests was between 18,000 and 19,000 accounts.
Last March, Google received permission to disclose some very broad information about national security letters, revealing that it had received between 0 and 999 NSLs each year starting in 2009. In a statement to the New York Times, Google said the new guidelines are unacceptable:
“Lumping the two categories together would be a step back for users,” the statement said. “Our request to the government is clear: to be able to publish aggregate numbers of national security requests, including FISA disclosures, separately.”
Twitter's legal director, Benjamin Lee, also objected, via Twitter (naturally):
We agree with @Google: It's important to be able to publish numbers of national security requests—including FISA disclosures—separately.
— Benjamin Lee (@BenL) June 15, 2013
In its statement Microsoft says it believes the new guidelines still “fall short of what is needed to help the community understand and debate these issues. … With more time, we hope [the government] will take further steps.”
Update June 17: In an unsigned, undated statement on its website, Apple says the company "asked the U.S. government for permission to report how many requests we receive related to national security and how we handle them. We have been authorized to share some of that data."
From December 1, 2012 to May 31, 2013, Apple received between 4,000 and 5,000 requests from U.S. law enforcement for customer data. Between 9,000 and 10,000 accounts or devices were specified in those requests, which came from federal, state and local authorities and included both criminal investigations and national security matters. The most common form of request comes from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer’s disease, or hoping to prevent a suicide.
Apple's pointed statement reiterates that the company does not "provide any government agency with direct access to our servers," and it says its legal team evaluates each request and delivers "the narrowest possible set of information to the authorities."
In particular, Apple notes that iMessage and FaceTime conversations are protected by end-to-end encryption, and "Apple cannot decrypt that data." The company also says it does not store any data related to customers’ location, Map searches or Siri requests.