US to allow tech companies to disclose surveillance requests, but with limits

28 Jan, 2014 01:33 / Updated 11 years ago

The US Justice Department announced Monday that it has agreed to allow tech companies to publicize - in limited capacity - how often they are required to hand over sensitive customer information to the government.

Google, Microsoft, Yahoo, Facebook, and LinkedIn will now be able to report on national security letters - in which information is demanded independent of court authority - as well as requests ordered by the Foreign Intelligence Surveillance Act (FISA) court. Yet how they report will be limited to broad numerical ranges on the volume of orders and the number of accounts affected.

For example, the number of national security letters could be described as between one and 999. The Justice Department claims that any more detail could indicate which targets are up for investigation.

The new policy comes in response to legal challenges from the five companies that called for more mobility to make public the nature of data requests - overseen by the compliant, highly-secretive FISA court - made by US law enforcement. Disclosures supplied by former intelligence contractor Edward Snowden regarding the National Security Agency’s global spying regime exposed how integral the companies’ compliance with US data-gathering policy has become, and just how tight-lipped private sector partners are required to be.

The changes in policy were announced in a letter Monday from Deputy Attorney General James Cole to the five companies that filed legal action.

“While this aggregate data was properly classified until today, the office of the Director of National Intelligence, in consultation with other departments and agencies, has determined that the public interest in disclosing this information now outweighs the national security concerns that required its classification,” the Justice Department said in a statement.

The companies, wary of the impact the Snowden disclosures have had for their credibility, offered a joint statement on Monday.

“We filed our lawsuits because we believe that the public has a right to know about the volume and types of national security requests we receive. We’re pleased the Department of Justice has agreed that we and other providers can disclose this information. While this is a very positive step, we’ll continue to encourage Congress to take additional steps to address all of the reforms we believe are needed,” the statement reads.

While applauding Monday’s move as “a victory for transparency,” the American Civil Liberties Union, which supported the companies in their bid to offer more information, said more can be done to shed light on just how much the US government asks of the private sector in its data-gathering expeditions.

"It is commendable that the companies pressed the government for more openness, but even more is needed,” said the ACLU’s Alex Abdo. “Congress should require the government to publish basic information about the full extent of its surveillance."

Some of the five companies and others have issued limited transparency reports to help alleviate concerns about customer privacy. For instance, telecom giant Verizon revealed last week that local, state, and federal law enforcement agencies in the US requested customer information no fewer than 320,000 times during the last calendar year.

Yet despite the Monday announcement and President Barack Obama’s new, updated guidelines for how the NSA operates, questions remain on just how much these companies are off the hook.

Last week, Obama said in a public speech that NSA officials must now obtain court permission in order to access the government’s archive of telephone metadata — a trove of intelligence that has been regularly collected by the government through a program that its proponents say is a legally sound and crucial counterterrorism tool justified under Section 215 of the United States Patriot Act.

“I believe we need a new approach,” Obama said. “I am therefore ordering a transition that will end the Section 215 bulk metadata collection program as it currently exists, and establishes a mechanism that preserves the capabilities we need without the government holding this bulk metadata.”

But exactly who will be in charge of holding onto the phone records pertaining to millions of Americans has yet to be decided. US Attorney General Eric Holder, the intelligence community, and Congress were given 60 days to develop a plan for storing the bulk telephony metadata outside of government custody.

Telecom companies like AT&T and Verizon have resisted such retention of data, and no third-party entity exists. In addition, companies say such an arrangement comes with all sorts of headaches.

“We don’t want to keep these records,” an anonymous industry executive told The Washington Post late last month. “We end up with all sorts of litigation risks, privacy risks, hacking vulnerabilities. There is a huge cost involved in just protecting them. And truthfully, we just don’t want to do it.”

The Post reported that one company official estimated it would cost “in the range of $50 million” per year to maintain a five-year, searchable database.

“If all that’s happening is the NSA is going to contract out the storage of the data, that doesn’t really change anything,” Daniel Castro of the policy research group Information Technology & Innovation Foundation told BusinessWeek after Obama’s plan was revealed.

A policy review board was named by Obama to assess NSA spying operations following numerous reports fueled by Snowden’s leaks that appeared across the globe starting last June. Their recommendations were announced in December and were part of Obama’s revamped guidelines, namely the panel’s suggestions on the very subject of how the data is stored and by whom.

"We recommend that legislation should be enacted that terminates the storage of bulk telephony meta-data by the government under section 215, and transitions as soon as reasonably possible to a system in which such meta-data is held instead either by private providers or by a private third party," the group wrote.

On the same day that the new disclosure agreement was announced by the Department of Justice, a new AP report surfaced stating that government officials are already funding research to bolster encryption techniques, so as to secure a would-be database that is still searchable to US intelligence, but held by a third party.

Still, experts who spoke with AP say there are still serious questions as to whether a database held by a phone company or another third party would be feasible, due to a slowdown in access for intelligence services once encryption computations are applied.