6/17/2013
11:18 AM

Apple, Facebook, Microsoft Detail Surveillance Requests

Newly published information details the total number of government surveillance requests received; Google abstains, citing "a step back for users."

Apple, Facebook and Microsoft, under fire from customers domestic and foreign, have received permission from the Department of Justice and FBI to detail the number of requests they've received for customer data from the U.S. government.

The Internet businesses had written to U.S. Attorney General Eric Holder demanding greater transparency about how they must comply with U.S. government surveillance data demands, in the wake of the recent leak by former NSA contractor Edward Snowden about the Prism program, which the NSA refers to as the Collection of Intelligence Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (FISA), and which targets foreign audio, email and video data.

Google, however, declined to release similar statistics, saying the government's restrictions "would be a step back for users." That's because the published information details the total number of requests received, without specifying whether those requests were from intelligence agencies such as the NSA, or made by the secret U.S. court that facilitates foreign surveillance orders under FISA.

In a statement released Monday, Apple said that between Dec. 1, 2012, and May 31, 2013, Apple fielded between 4,000 and 5,000 data requests from the U.S. government. "Between 9,000 and 10,000 accounts or devices were specified in those requests, which came from federal, state and local authorities and included both criminal investigations and national security matters," said Apple. "The most common form of request comes from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer's disease, or hoping to prevent a suicide."

Reiterating previous statements, Apple said that "we do not provide any government agency with direct access to our servers, and any government agency requesting customer content must get a court order." Even with a court order, however, not all types of user data are available to the government via these requests, including iMessage and FaceTime conversations -- which are encrypted end-to-end and not readable by Apple -- as well as data related to customers' location, Siri requests and map searches, which Apple said it declines to store "in any identifiable form."

Facebook, which counts 1.1 billion users, said Friday that in the second half of 2012, it received between 9,000 and 10,000 requests for information from law enforcement agencies pertaining to 18,000 or 19,000 accounts, or about .0017% of all Facebook users. "These requests run the gamut -- from things like a local sheriff trying to find a missing child, to a federal marshal tracking a fugitive, to a police department investigating an assault, to a national security official investigating a terrorist threat," said Ted Ullyot, Facebook's general counsel, in a blog post.

Microsoft, meanwhile, reported Friday that for the second half of 2012, it received between 6,000 and 7,000 requests, pertaining to between 31,000 and 32,000 consumer accounts. "We have not received any national security orders of the type that Verizon was reported to have received that required Verizon to provide business records about U.S. customers," said John Frank, VP and deputy general counsel for Microsoft, in a blog post.

According to Frank, the Justice Department and FBI allowed Microsoft "to publish data on national security orders received," but only for the second half of 2012, with totals presented in bands of 1,000 and with all of Microsoft's consumer services grouped together in a single count. "We are still not permitted to confirm whether we have received any FISA orders, but if we were to have received any they would now be included in our aggregate volumes."

Google, however, has declined to release similar figures. Via a statement provided to The Wall Street Journal, a spokesman said that Google "always believed that it's important to differentiate between different types of government requests," referring to national security requests for data versus data provided for criminal investigations.

"Lumping the two categories together would be a step back for users," said the Google spokesman. "Our request to the government is clear: to be able to publish aggregate numbers of national security requests, including FISA disclosures, separately."

Google already publishes partial information about data demands in its semi-annual transparency report. But aside from a count of National Security letters received, it legally isn't allowed to detail the number of FISA requests it receives for national security purposes, or the number of Google accounts those requests cover.

U.S. intelligence officials appear to be mindful of the fallout now facing Internet companies that must comply with court orders pertaining to customers' data. "The [U.S. government] requires (in legal terms, "compels") U.S. technology companies to provide certain communications records," according to a statement provided Saturday to Congress by U.S. intelligence officials. "While required to comply, U.S. companies have put energy, focus and commitment to consistently protect the privacy of their customers, as well as the safety and security of these same customers, around the world."

The technology companies, meanwhile, have said they're still not satisfied with the level of detail they've been allowed to provide to customers, and continue to push the Department of Justice to give them more leeway. "We understand they have to weigh carefully the impacts on national security of allowing more disclosures. With more time, we hope they will take further steps," said Microsoft's Frank. "Transparency alone may not be enough to restore public confidence, but it's a great place to start."

Comments
moarsauce123,
User Rank: Apprentice
6/21/2013 | 11:20:11 AM
re: Apple, Facebook, Microsoft Detail Surveillance Requests
I wonder what impact this will have especially on cloud business. Having your valuable data on premise requires a search warrant and you know who takes your stuff. With cloud you know nothing about who puts their paws on your data. Do companies still consider the cloud to be a serious option for business critical applications? If yes, they don't care about data security but only about saving cash, not a bad reason, but shortsighted and risky.
Cara Latham,
User Rank: Apprentice
6/18/2013 | 1:13:50 PM
re: Apple, Facebook, Microsoft Detail Surveillance Requests
I agree with the differentiation angle that Google is arguing. I think it is in the public interest, especially now with transparency and privacy issues raised, to at least be able to understand how many of these requests are for criminal activity vs. national security requests.