6/17/2013
11:18 AM

Apple, Facebook, Microsoft Detail Surveillance Requests

Newly published information details the total number of government surveillance requests received; Google abstains, citing "a step back for users."

Apple, Facebook and Microsoft, under fire from customers domestic and foreign, have received permission from the Department of Justice and FBI to detail the number of requests they've received for customer data from the U.S. government.

The Internet businesses had written to U.S. Attorney General Eric Holder demanding greater transparency about how they must comply with U.S. government surveillance data demands, in the wake of the recent leak by former NSA contractor Edward Snowden about the Prism program, which the NSA refers to as the Collection of Intelligence Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (FISA), and which targets foreign audio, email and video data.

Google, however, declined to release similar statistics, saying the government's restrictions "would be a step back for users." That's because the published information details the total number of requests received, without specifying whether those requests were from intelligence agencies such as the NSA, or made by the secret U.S. court that facilitates foreign surveillance orders under FISA.

In a statement released Monday, Apple said that between Dec. 1, 2012, and May 31, 2013, Apple fielded between 4,000 and 5,000 data requests from the U.S. government. "Between 9,000 and 10,000 accounts or devices were specified in those requests, which came from federal, state and local authorities and included both criminal investigations and national security matters," said Apple. "The most common form of request comes from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer's disease, or hoping to prevent a suicide."

Reiterating previous statements, Apple said that "we do not provide any government agency with direct access to our servers, and any government agency requesting customer content must get a court order." Even with a court order, however, not all types of user data are available to the government via these requests, including iMessage and FaceTime conversations -- which are encrypted end-to-end and not readable by Apple -- as well as data related to customers' location, Siri requests and map searches, which Apple said it declines to store "in any identifiable form."

Facebook, which counts 1.1 billion users, said Friday that in the second half of 2012, it received between 9,000 and 10,000 requests for information from law enforcement agencies pertaining to 18,000 or 19,000 accounts, or about .0017% of all Facebook users. "These requests run the gamut -- from things like a local sheriff trying to find a missing child, to a federal marshal tracking a fugitive, to a police department investigating an assault, to a national security official investigating a terrorist threat," said Ted Ullyot, Facebook's general counsel, in a blog post.

Microsoft, meanwhile, reported Friday that for the second half of 2012, it received between 6,000 and 7,000 requests, pertaining to between 31,000 and 32,000 consumer accounts. "We have not received any national security orders of the type that Verizon was reported to have received that required Verizon to provide business records about U.S. customers," said John Frank, VP and deputy general counsel for Microsoft, in a blog post.

According to Frank, the Justice Department and FBI allowed Microsoft "to publish data on national security orders received," but only for the second half of 2012, with totals presented in bands of 1,000 and with all of Microsoft's consumer services grouped together in a single count. "We are still not permitted to confirm whether we have received any FISA orders, but if we were to have received any they would now be included in our aggregate volumes."

Google, however, has declined to release similar figures. Via a statement provided to The Wall Street Journal, a spokesman said that Google "always believed that it's important to differentiate between different types of government requests," referring to national security requests for data versus data provided for criminal investigations.

"Lumping the two categories together would be a step back for users," said the Google spokesman. "Our request to the government is clear: to be able to publish aggregate numbers of national security requests, including FISA disclosures, separately."

Google already publishes partial information about data demands in its semi-annual transparency report. But aside from a count of National Security Letters received, it legally isn't allowed to detail the number of FISA requests it receives for national security purposes, or the number of Google accounts those requests cover.

U.S. intelligence officials appear to be mindful of the fallout now facing Internet companies that must comply with court orders pertaining to customers' data. "The [U.S. government] requires (in legal terms, "compels") U.S. technology companies to provide certain communications records," according to a statement provided Saturday to Congress by U.S. intelligence officials. "While required to comply, U.S. companies have put energy, focus and commitment to consistently protect the privacy of their customers, as well as the safety and security of these same customers, around the world."

The technology companies, meanwhile, have said they're still not satisfied with the level of detail they've been allowed to provide to customers, and continue to push the Department of Justice to give them more leeway. "We understand they have to weigh carefully the impacts on national security of allowing more disclosures. With more time, we hope they will take further steps," said Microsoft's Frank. "Transparency alone may not be enough to restore public confidence, but it's a great place to start."

Comments
moarsauce123,
User Rank: Apprentice
6/21/2013 | 11:20:11 AM
re: Apple, Facebook, Microsoft Detail Surveillance Requests
I wonder what impact this will have especially on cloud business. Having your valuable data on premise requires a search warrant and you know who takes your stuff. With cloud you know nothing about who puts their paws on your data. Do companies still consider the cloud to be a serious option for business critical applications? If yes, they don't care about data security but only about saving cash, not a bad reason, but shortsighted and risky.
Cara Latham,
User Rank: Apprentice
6/18/2013 | 1:13:50 PM
re: Apple, Facebook, Microsoft Detail Surveillance Requests
I agree with the differentiation angle that Google is arguing. I think it is in the public interest, especially now with transparency and privacy issues raised, to at least be able to understand how many of these requests are for criminal activity vs. national security requests.