Thursday, June 20, 2013

More Data on Privacy, but Picture Is No Clearer

Now, one by one, the companies are putting out data intended to reassure their users that the government gets information on just a tiny number of people. Over the weekend, Facebook and Microsoft released reports about the overall number of data requests they had received from United States law enforcement agencies. On Monday, Apple and Yahoo joined the chorus.

But rather than provide clarity, some of the disclosures have left many questions unanswered.

Apple, for example, said that from Dec. 1, 2012, through May 31, 2013, it received between 4,000 and 5,000 requests for data, covering 9,000 to 10,000 accounts, from American law enforcement agencies. Facebook said it got 9,000 to 10,000 requests for information about its users, covering 18,000 to 19,000 user accounts, in the last six months of 2012.

How many of those requests were from investigators seeking to sniff out the next terrorist?

The companies said they were not allowed to say, although they noted that the requests were commonly related to things like local police investigations and searches for missing children. That continuing restriction prompted both Google and Twitter to say they would not publish similar data until they could separate national security requests from the rest.

“We still don’t know what is allowed and how these programs are being implemented,” said Amie Stepanovich, director of the Domestic Surveillance Project at the Electronic Privacy Information Center, a nonprofit group.

But the companies were under immense pressure to announce something. If customers do not trust that Facebook or Microsoft or Google will keep private data confidential, they could use those services far less, undermining the companies’ business model.

“They’ve got to say to the consuming public that we care about your data, we’re going to do everything we can to preserve your data, and absent a national security contingency, no one gets access to your data,” said Adonis Hoffman, an adjunct professor at Georgetown University, who has served as a legal adviser to both the government and the advertising industry.

Pressing on the companies from the other side are the country’s intelligence agencies, which prohibit companies from disclosing virtually anything about the requests for national security data without permission.

“The nature of these orders are that they themselves are secret,” said one frustrated executive at a company involved in discussions with the government over disclosure issues.

Despite a week of arduous negotiations since the first reports about the National Security Agency’s seeking private data from nine major technology companies, the firms still cannot say much. “The government will only authorize us to communicate about these numbers in aggregate, and as a range,” Facebook wrote when it posted its data late Friday night.

Still, for tech companies that had never before released a transparency report, like Facebook and Apple, the data shed some light on their practices.

Apple, for example, noted in its report that it never gives the government copies of electronic conversations that take place over iMessage and FaceTime because they are protected by encryption that even Apple cannot break. “Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form,” the company said.

Google and Twitter, which had previously released transparency reports, said that lumping all law enforcement requests together, like Apple and the others did over the weekend, would be even less transparent.

Microsoft, which put out its first transparency report in March, decided to disclose the aggregate numbers but said it was pressing for further disclosure. Google, which published its first transparency report in 2010, has been the most aggressive in pushing for more disclosure. In March, it began breaking out data on one type of government request — National Security Letters, which request information on Americans — saying it had received 0 to 999 requests.

Permission to disclose that came after more than a year of negotiations with the government, and Google had been seeking permission to publish data on the other major type of national security request — information on foreigners demanded under the Foreign Intelligence Surveillance Act — even before news of Prism, the government’s surveillance program, broke, according to a person briefed on those discussions. It is still in talks to try to publish more detailed data, the person said.

By pushing to be able to publish more data on national security requests, the companies were hoping to shift the debate from the data exchange between the tech companies and the government to how the government can be more transparent about it.

Still, even if the government gives permission to break out FISA requests as a separate data point, the numbers are unlikely to tell the whole story. For every formal FISA request the government makes, intelligence agents are able to add names and additional search queries to that request for up to a year afterward, so the amount of data requested could be much higher.

Also, when the government gave Google and Microsoft permission to publish the number of national security letters they receive, it required them to publish the numbers in increments of 1,000, instead of the exact number, and would most likely do the same for FISA requests.

No comments:

Post a Comment