Risk
6/17/2013
11:18 AM

Apple, Facebook, Microsoft Detail Surveillance Requests

Newly published information details the total number of government surveillance requests received; Google abstains, citing "a step back for users."

Apple, Facebook and Microsoft, under fire from customers domestic and foreign, have received permission from the Department of Justice and FBI to detail the number of requests they've received for customer data from the U.S. government.

The Internet businesses had written to U.S. Attorney General Eric Holder demanding greater transparency about how they must comply with U.S. government surveillance data demands, in the wake of the recent leak by former NSA contractor Edward Snowden about the Prism program, which the NSA refers to as the Collection of Intelligence Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (FISA), and which targets foreign audio, email and video data.

Google, however, declined to release similar statistics, saying the government's restrictions "would be a step back for users." That's because the published information details the total number of requests received, without specifying whether those requests were from intelligence agencies such as the NSA, or made by the secret U.S. court that facilitates foreign surveillance orders under FISA.


In a statement released Monday, Apple said that between Dec. 1, 2012, and May 31, 2013, Apple fielded between 4,000 and 5,000 data requests from the U.S. government. "Between 9,000 and 10,000 accounts or devices were specified in those requests, which came from federal, state and local authorities and included both criminal investigations and national security matters," said Apple. "The most common form of request comes from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer's disease, or hoping to prevent a suicide."

Reiterating previous statements, Apple said that "we do not provide any government agency with direct access to our servers, and any government agency requesting customer content must get a court order." Even with a court order, however, not all types of user data are available to the government via these requests, including iMessage and FaceTime conversations -- which are encrypted end-to-end and not readable by Apple -- as well as data related to customers' location, Siri requests and map searches, which Apple said it declines to store "in any identifiable form."

Facebook, which counts 1.1 billion users, said Friday that in the second half of 2012, it received between 9,000 and 10,000 requests for information from law enforcement agencies pertaining to 18,000 or 19,000 accounts, or about .0017% of all Facebook users. "These requests run the gamut -- from things like a local sheriff trying to find a missing child, to a federal marshal tracking a fugitive, to a police department investigating an assault, to a national security official investigating a terrorist threat," said Ted Ullyot, Facebook's general counsel, in a blog post.

Microsoft, meanwhile, reported Friday that for the second half of 2012, it received between 6,000 and 7,000 requests, pertaining to between 31,000 and 32,000 consumer accounts. "We have not received any national security orders of the type that Verizon was reported to have received that required Verizon to provide business records about U.S. customers," said John Frank, VP and deputy general counsel for Microsoft, in a blog post.

According to Frank, the Justice Department and FBI allowed Microsoft "to publish data on national security orders received," but only for the second half of 2012, with totals presented in bands of 1,000 and with all of Microsoft's consumer services grouped together in a single count. "We are still not permitted to confirm whether we have received any FISA orders, but if we were to have received any they would now be included in our aggregate volumes."

Google, however, has declined to release similar figures. Via a statement provided to The Wall Street Journal, a spokesman said that Google "always believed that it's important to differentiate between different types of government requests," referring to national security requests for data versus data provided for criminal investigations.

"Lumping the two categories together would be a step back for users," said the Google spokesman. "Our request to the government is clear: to be able to publish aggregate numbers of national security requests, including FISA disclosures, separately."

Google already publishes partial information about data demands in its semi-annual transparency report. But aside from a count of National Security Letters received, it isn't legally allowed to detail the number of FISA requests it receives for national security purposes, or the number of Google accounts those requests cover.

U.S. intelligence officials appear to be mindful of the fallout now facing Internet companies that must comply with court orders pertaining to customers' data. "The [U.S. government] requires (in legal terms, 'compels') U.S. technology companies to provide certain communications records," according to a statement provided Saturday to Congress by U.S. intelligence officials. "While required to comply, U.S. companies have put energy, focus and commitment to consistently protect the privacy of their customers, as well as the safety and security of these same customers, around the world."

The technology companies, meanwhile, have said they're still not satisfied with the level of detail they've been allowed to provide to customers, and continue to push the Department of Justice to give them more leeway. "We understand they have to weigh carefully the impacts on national security of allowing more disclosures. With more time, we hope they will take further steps," said Microsoft's Frank. "Transparency alone may not be enough to restore public confidence, but it's a great place to start."

Comments
moarsauce123,
User Rank: Apprentice
6/21/2013 | 11:20:11 AM
re: Apple, Facebook, Microsoft Detail Surveillance Requests
I wonder what impact this will have especially on cloud business. Having your valuable data on premise requires a search warrant and you know who takes your stuff. With cloud you know nothing about who puts their paws on your data. Do companies still consider the cloud to be a serious option for business critical applications? If yes, they don't care about data security but only about saving cash, not a bad reason, but shortsighted and risky.
Cara Latham,
User Rank: Apprentice
6/18/2013 | 1:13:50 PM
re: Apple, Facebook, Microsoft Detail Surveillance Requests
I agree with the differentiation angle that Google is arguing. I think it is in the public interest, especially now with transparency and privacy issues raised, to at least be able to understand how many of these requests are for criminal activity vs. national security requests.