Govt Allows Internet Companies Increased Transparency on Spy Requests, Sort Of
New authorization "falls far short of the level of transparency that an unprecedented coalition of Internet companies, privacy advocates and civil liberties organizations called for"
The Justice Department on Monday announced new rules that will loosen restrictions on Internet companies like Google and Facebook to inform customers about government requests for user data.
While welcoming the new change as a step forward towards increased transparency, critics charge that it falls far short of true surveillance reform.
The new authorization marks an agreement reached between Google, Microsoft, Facebook and Yahoo who had filed motions with the Foreign Intelligence Surveillance Court saying they had a First Amendment right to release data about orders from the secretive court.
"We filed our lawsuits because we believe that the public has a right to know about the volume and types of national security requests we receive," a representative for Internet companies said in a joint statement.
A joint statement issued by Attorney General Eric Holder and Director of National Intelligence James Clapper Monday read, in part:
While this aggregate data was properly classified until today, the office of the Director of National Intelligence, in consultation with other departments and agencies, has determined that the public interest in disclosing this information now outweighs the national security concerns that required its classification.
Permitting disclosure of this aggregate data resolves an important area of concern to communications providers and the public.
Explaining the new rules, Harley Geiger of the Center for Democracy & Technology, who, along with the ACLU, the First Amendment Coalition, the Electronic Frontier Foundation and TechFreedom filed in July an amicus brief in the FISA court in support of the tech giants' motion, writes:
Under the first option, the DOJ will allow companies to publish an aggregate number of all data demands originating under FISA authorities, as well as the number of user accounts affected, separately from law enforcement data requests and NSLs [National Security Letters]. The DOJ will also allow companies to distinguish between demands for content (such as the message in a communication) and non-content metadata (such as a communications to/from information). However, the government would still limit companies to reporting the numbers in a range of 1,000, and the government would continue to prohibit companies from specifying what provision of law authorized the order (for example, Section 702 or 703 of FISA).
Under the second option, the DOJ will allow companies to publish all national security requests, combining FISA orders and NSLs, as a single number in a range of 250. Companies choosing this option can also report the number of users targeted by both FISA orders and NSLs in a range of 250. However, companies cannot distinguish between content and non-content orders.
Under the DOJ’s new authorization, companies may publish these figures every six months, but with a six month delay (so the most current reports would contain data at least six months old). The government’s new authorization would also require a two-year delay on national security-related reporting for “new” products and services that had not yet received such data requests, though it remains to be seen how this stipulation will play out in practice.
"Among the problems here," writes Mike Masnick at TechDirt,
are that while [the tech companies] can reveal the number of customer accounts impacted for NSLs, that's not what they can do with FISC orders. Instead, they can only reveal "customer selectors targeted." That can be very different. You can imagine a "customer selector" that impacts many, many user accounts. And that's what many people are worried about -- and with this agreement, we won't actually know.
Furthermore, the agreement has a ridiculous clause that says if a FISA court order covers a "new capability" (i.e., getting access to a service that previously was not being tapped by the NSA/FBI), the companies cannot share that information for two years. [...] Clearly, the idea is to keep people from knowing how quickly the NSA is able to tap into any new form of communication, but that also opens up plenty of opportunities for the NSA to abuse its powers.
Despite these restrictions, Alex Abdo, staff attorney with the American Civil Liberties Union’s National Security Project, said in a statement that the rules represent "a victory for transparency and a critical step toward reining in excessive government surveillance."
"Fuzzing the numbers into ranges of a thousand—and even worse, lumping all of the different types of surveillance orders into a single number—serves no national security purpose while making it impossible to effectively evaluate how those powers are being used."
—Kevin Bankston, New America Foundation’s Open Technology Institute"Companies must be allowed to report basic information about what they’re giving the government so that Americans can decide for themselves whether the NSA’s spying has gone too far. It is commendable that the companies pressed the government for more openness, but even more is needed," Abdo added. "Congress should require the government to publish basic information about the full extent of its surveillance, including the significant amount of spying that happens without the tech companies’ involvement."
The Center for Democracy & Technology also said that the new rules "should be a temporary step on the road to more meaningful reform."
Kevin Bankston, the Policy Director of New America Foundation’s Open Technology Institute, welcomed the ruling as a good step as well, but stressed that it "falls far short of the level of transparency that an unprecedented coalition of Internet companies, privacy advocates and civil liberties organizations called for this summer."
"As that coalition made clear in July, meaningful transparency means giving companies the ability to publish the specific number of requests they receive for specific types of data under specific legal authorities. Fuzzing the numbers into ranges of a thousand—and even worse, lumping all of the different types of surveillance orders into a single number—serves no national security purpose while making it impossible to effectively evaluate how those powers are being used."
"Asking the public and policymakers to try and judge the appropriateness of the government’s surveillance practices based on a single, combined, rounded number is like asking a doctor to diagnose a patient’s shadow: only the grossest and most obvious problem, if even that, will be ever be evident," Bankston stated.