Facebook, Microsoft beg Feds: Let us tell users what YOU asked for...
It's not as much as they think, honest...
Google, Facebook and Microsoft are all calling for more flexibility in disclosing more about that national security requests they receive from the US government.
The lobbying comes amid ongoing controversy about the NSA's controversial PRISM surveillance programme. The PRISM system is alleged to allow signals intelligence analysts to extract audio, photographs, emails, documents, and connection logs from users of internet services including Google (Gmail, YouTube, etc), Facebook, Microsoft (Hotmail, Skype, etc.), Apple, Yahoo, PalTalk and AOL, in order to track the online activities of foreign targets.
The system seems to involve access to a Dropbox-like system which fulfills wiretapping requests made by spooks under the US Foreign Intelligence Surveillance Act (FISA).
The secret system was exposed by CIA techie-turned-whistleblower Edward Snowden. Leaked slides about the scheme suggest annual running costs of just $20m a year; minuscule in the context of the NSA’s estimated overall budget of $10bn a year or more.
The number of requests disclosed by Microsoft, Google via PRISM is far lower than total number of law enforcement requests disclosed in a recent run of transparency reports from the internet giants.
In an open letter to the offices of the Attorney General and the Federal Bureau of Investigation, republished on its official blog, Google called for more flexibility to to publish data about government requests for disclosure made under national security laws.
Greater openness and transparency would help to dispel exaggerated public fears based on reports about PRISM without harming national security, David Drummond, chief legal officer at Google, argues.
Google has worked tremendously hard over the past fifteen years to earn our users’ trust. For example, we offer encryption across our services; we have hired some of the best security engineers in the world; and we have consistently pushed back on overly broad government requests for our users’ data.
We have always made clear that we comply with valid legal requests. And last week, the Director of National Intelligence acknowledged that service providers have received Foreign Intelligence Surveillance Act (FISA) requests.
Assertions in the press that our compliance with these requests gives the U.S. government unfettered access to our users’ data are simply untrue. However, government nondisclosure obligations regarding the number of FISA national security requests that Google receives, as well as the number of accounts covered by those requests, fuel that speculation.
Google appreciates that you authorized the recent disclosure of general numbers for national security letters. There have been no adverse consequences arising from their publication, and in fact more companies are receiving your approval to do so as a result of Google’s initiative. Transparency here will likewise serve the public interest without harming national security.
Microsoft and Facebook are also calling on the US government to provide greater transparency about national security requests, as part of efforts to distance themselves from reports casting them as willing stooges in mass snooping on the internet activity of millions. Each firm wants the ability to publish the number and scope of data requests it receives from security agencies and law enforcement, Reuters reports.
Such details would allow the internet giants to fill in the blanks in so-called transparency reports that provide a tally of how internet firms respond to government requests for user data.
Lifting the veil
Google published its first transparency report in 2010, refining it over the years to include requests sorted by country. The latest US figures are available on Google's Transparency Report pages.
Twitter followed suit in July 2012, before releasing an updated version of its summary of requests from law enforcement in January. Microsoft released its first transparency report on how it responds to law enforcement requests back in March.
All these statistics offer only the vaguest ball park figures on so-called National Security Letters. A US District Court in California recently declared NSLs unconstitutional because recipients are prohibited from discussing them.
More importantly, NSLs don't include the number of FISA disclosures; or their scope, in terms of the number of people they affect.
Almost forgotten in the hullabaloo about the PRISM controversy is that Snowden also leaked an even more sensitive Foreign Intelligence Surveillance Court order to Verizon, obliging it to hand over call logs on all its customers every day until July.
We've still no real idea how much data is hoovered up by systems such as PRISM, how long it is retained, or how many people are affected. The leaked slides tell us that PRISM is the most frequently cited tool in NSA reports, but ignores other intelligence gleaned from deep-packet inspection of traffic as it crosses the internet.
In the absence of solid information, privacy-conscious businesses might be inclined to think the worst and even to look for alternatives to US-based cloud services. That's extremely bad news for the likes of Google, Microsoft and Amazon in particular. Hence, Google's efforts to lobby for the ability to be more open are in part, at least, commercially driven.
Twitter's chief lawyer, Alex Macgillivray, backed up calls for greater transparency:
Sponsored: Virtualization security practical guide