US govt, tech firms settle: Round 1 to the govt

The government will allow large tech companies to disclose more information about the extent of their compliance with national security orders for customer data, but maybe not enough.

The US Department of Justice announced today a settlement in litigation with several technology companies before the Foreign Intelligence Surveillance Court (FISC).


The five tech companies who had filed suit in the FISC to seek permission to disclose more details about their compliance with government requests for customer data in national security cases — Yahoo!, Microsoft, Google, LinkedIn and Facebook — have agreed to the settlement, but they appear not to be completely satisfied with the result.

The following statement was provided to ZDNet by Microsoft, but attributed to a spokesperson for all five companies who dismissed their motions: "We filed our lawsuits because we believe that the public has a right to know about the volume and types of national security requests we receive. We're pleased the Department of Justice has agreed that we and other providers can disclose this information. While this is a very positive step, we'll continue to encourage Congress to take additional steps to address all of the reforms we believe are needed."

Apple had endorsed, but not joined, the litigation. The company was quoted in the Washington Post as saying "We applaud the Administration for taking this important step toward greater transparency, and we thank the Justice Department for considering Apple's point of view as it reached this decision."

The actual agreement filed with the FISC still places complicated restrictions on when and how the companies may release the information. They may not give exact numbers of requests from the government, but must instead report them in "bands" of either 1000 or 250, under two schemes from which the company may choose. Broadly speaking, they may disclose specific categories of request in bands of 1000 or disclose overall requests in bands of 250. In other words, in the first case they may say that there were between 0 and 999 requests, 1000 and 1999 requests, and so on, but not a specific number.

In the Washington Post article, Apple chooses option 2, saying "...that it had received fewer than 249 national security letters, affecting fewer than 249 accounts, in the first six months of 2013."

Since the goal of disclosure for the tech companies is to reassure customers that they are not divulging customer data willy-nilly, the imprecision of the allowable disclosures and a delay of two years for disclosure of any requests related to new platforms leave much room for customers to wonder.

The two-year delay is specifically "...for data relating to the first order that is served on a company for a platform, product, or service (whether developed or acquired) for which the company has not previously received such an order, and that is designated by the government as a 'New Capability Order' because disclosing it would reveal that the platform, product, or service is subject to previously undisclosed collection through FISA orders." Presumably the government has primary say over what is a "new capability."

Like the move to have the telecoms, rather than the government, hold telephone metadata requested under section 215 of the PATRIOT Act, allowing the tech companies to disclose this level of information is not likely to satisfy anyone who had genuine concerns about the program. The government has ceded ground in this battle but still controls the field. The war over disclosure is not over.