Apple, Facebook, Microsoft Detail Surveillance Requests

Newly published information details the total number of government surveillance requests received; Google abstains, citing "a step back for users."

Mathew J. Schwartz, Contributor

June 17, 2013

5 Min Read
Dark Reading logo in a gray background | Dark Reading

The Syrian Electronic Army: 9 Things We Know

The Syrian Electronic Army: 9 Things We Know


(click image for larger view)
The Syrian Electronic Army: 9 Things We Know

Apple, Facebook and Microsoft, under fire from customers domestic and foreign, have received permission from the Department of Justice and FBI to detail the number of requests they've received for customer data from the U.S. government.

The Internet businesses had written to U.S. Attorney General Eric Holder demanding greater transparency about how they must comply with U.S. government surveillance data demands, in the wake of the recent leak by former NSA contractor Edward Snowden about the Prism program, which the NSA refers to as the Collection of Intelligence Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (FISA), and which targets foreign audio, email and video data.

Google, however, declined to release similar statistics, saying the government's restrictions "would be a step back for users." That's because the published information details the total number of requests received, without specifying whether those requests were from intelligence agencies such as the NSA, or made by the secret U.S. court that facilitates foreign surveillance orders under FISA.

[ Want more on Prism? Read NSA Prism: Inside The Modern Surveillance State. ]

In a statement released Monday, Apple said that between Dec. 1, 2012, and May 31, 2013, Apple fielded between 4,000 and 5,000 data requests from the U.S. government. "Between 9,000 and 10,000 accounts or devices were specified in those requests, which came from federal, state and local authorities and included both criminal investigations and national security matters," said Apple. "The most common form of request comes from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer's disease, or hoping to prevent a suicide."

Reiterating previous statements, Apple said that "we do not provide any government agency with direct access to our servers, and any government agency requesting customer content must get a court order." Even with a court order, however, not all types of user data are available to the government via these requests, including iMessage and FaceTime conversations -- which are encrypted end-to-end and not readable by Apple -- as well as data related to customers' location, Siri requests and map searches, which Apple said it declines to store "in any identifiable form." Facebook, which counts 1.1 billion users, said Friday that in the second half of 2012, it received between 9,000 and 10,000 requests for information from law enforcement agencies pertaining to 18,000 or 19,000 accounts, or about .0017% of all Facebook users. "These requests run the gamut -- from things like a local sheriff trying to find a missing child, to a federal marshal tracking a fugitive, to a police department investigating an assault, to a national security official investigating a terrorist threat," said Ted Ullyot, Facebook's general counsel, in a blog post.

Microsoft, meanwhile, reported Friday that for the second half of 2012, it received between 6,000 and 7,000 requests, pertaining to between 31,000 and 32,000 consumer accounts. "We have not received any national security orders of the type that Verizon was reported to have received that required Verizon to provide business records about U.S. customers," said John Frank, VP and deputy general counsel for Microsoft, in a blog post.

According to Frank, the Justice Department and FBI allowed Microsoft "to publish data on national security orders received," but only for the second half of 2012, with totals presented in bands of 1,000 and with all of Microsoft's consumer services grouped together in a single count. "We are still not permitted to confirm whether we have received any FISA orders, but if we were to have received any they would now be included in our aggregate volumes."

Google, however, has declined to release similar figures. Via a statement provided to The Wall Street Journal, a spokesman said that Google "always believed that it's important to differentiate between different types of government requests," referring to national security requests for data versus data provided for criminal investigations.

"Lumping the two categories together would be a step back for users," said the Google spokesman. "Our request to the government is clear: to be able to publish aggregate numbers of national security requests, including FISA disclosures, separately."

Google already publishes partial information about data demands in its semi-annual transparency report. But aside from a count of National Security letters received, it legally isn't allowed to detail the number of FISA requests it receives for national security purposes, or the number of Google accounts those requests cover.

U.S. intelligence officials appear to be mindful of the fallout now facing Internet companies that must comply with court orders pertaining to customers' data. "The [U.S. government] requires (in legal terms, "compels") U.S. technology companies to provide certain communications records," according to a statement provided Saturday to Congress by U.S. intelligence officials. "While required to comply, U.S. companies have put energy, focus and commitment to consistently protect the privacy of their customers, as well as the safety and security of these same customers, around the world."

The technology companies, meanwhile, have said they're still not satisfied with the level of detail they've been allowed to provide to customers, and continue to push the Department of Justice to give them more leeway. "We understand they have to weigh carefully the impacts on national security of allowing more disclosures. With more time, we hope they will take further steps," said Microsoft's Frank. "Transparency alone may not be enough to restore public confidence, but it's a great place to start."

About the Author

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights