Facebook, Microsoft beg Feds: Let us tell users what YOU asked for...

It's not as much as they think, honest...

3 Big data security analytics techniques

Google, Facebook and Microsoft are all calling for more flexibility in disclosing more about that national security requests they receive from the US government.

The lobbying comes amid ongoing controversy about the NSA's controversial PRISM surveillance programme. The PRISM system is alleged to allow signals intelligence analysts to extract audio, photographs, emails, documents, and connection logs from users of internet services including Google (Gmail, YouTube, etc), Facebook, Microsoft (Hotmail, Skype, etc.), Apple, Yahoo, PalTalk and AOL, in order to track the online activities of foreign targets.

The system seems to involve access to a Dropbox-like system which fulfills wiretapping requests made by spooks under the US Foreign Intelligence Surveillance Act (FISA).

The secret system was exposed by CIA techie-turned-whistleblower Edward Snowden. Leaked slides about the scheme suggest annual running costs of just $20m a year; minuscule in the context of the NSA’s estimated overall budget of $10bn a year or more.

The number of requests disclosed by Microsoft, Google via PRISM is far lower than total number of law enforcement requests disclosed in a recent run of transparency reports from the internet giants.

In an open letter to the offices of the Attorney General and the Federal Bureau of Investigation, republished on its official blog, Google called for more flexibility to to publish data about government requests for disclosure made under national security laws.

Greater openness and transparency would help to dispel exaggerated public fears based on reports about PRISM without harming national security, David Drummond, chief legal officer at Google, argues.

Google has worked tremendously hard over the past fifteen years to earn our users’ trust. For example, we offer encryption across our services; we have hired some of the best security engineers in the world; and we have consistently pushed back on overly broad government requests for our users’ data.

We have always made clear that we comply with valid legal requests. And last week, the Director of National Intelligence acknowledged that service providers have received Foreign Intelligence Surveillance Act (FISA) requests.

Assertions in the press that our compliance with these requests gives the U.S. government unfettered access to our users’ data are simply untrue. However, government nondisclosure obligations regarding the number of FISA national security requests that Google receives, as well as the number of accounts covered by those requests, fuel that speculation.

Google appreciates that you authorized the recent disclosure of general numbers for national security letters. There have been no adverse consequences arising from their publication, and in fact more companies are receiving your approval to do so as a result of Google’s initiative. Transparency here will likewise serve the public interest without harming national security.

Microsoft and Facebook are also calling on the US government to provide greater transparency about national security requests, as part of efforts to distance themselves from reports casting them as willing stooges in mass snooping on the internet activity of millions. Each firm wants the ability to publish the number and scope of data requests it receives from security agencies and law enforcement, Reuters reports.

Such details would allow the internet giants to fill in the blanks in so-called transparency reports that provide a tally of how internet firms respond to government requests for user data.

Lifting the veil

Google published its first transparency report in 2010, refining it over the years to include requests sorted by country. The latest US figures are available on Google's Transparency Report pages.

Twitter followed suit in July 2012, before releasing an updated version of its summary of requests from law enforcement in January. Microsoft released its first transparency report on how it responds to law enforcement requests back in March.

All these statistics offer only the vaguest ball park figures on so-called National Security Letters. A US District Court in California recently declared NSLs unconstitutional because recipients are prohibited from discussing them.

More importantly, NSLs don't include the number of FISA disclosures; or their scope, in terms of the number of people they affect.

Almost forgotten in the hullabaloo about the PRISM controversy is that Snowden also leaked an even more sensitive Foreign Intelligence Surveillance Court order to Verizon, obliging it to hand over call logs on all its customers every day until July.

We've still no real idea how much data is hoovered up by systems such as PRISM, how long it is retained, or how many people are affected. The leaked slides tell us that PRISM is the most frequently cited tool in NSA reports, but ignores other intelligence gleaned from deep-packet inspection of traffic as it crosses the internet.

In the absence of solid information, privacy-conscious businesses might be inclined to think the worst and even to look for alternatives to US-based cloud services. That's extremely bad news for the likes of Google, Microsoft and Amazon in particular. Hence, Google's efforts to lobby for the ability to be more open are in part, at least, commercially driven.

Twitter's chief lawyer, Alex Macgillivray, backed up calls for greater transparency:


SANS - Survey on application security programs

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Bored with trading oil and gold? Why not flog some CLOUD servers?
Chicago Mercantile Exchange plans cloud spot exchange
Just what could be inside Dropbox's new 'Home For Life'?
Biz apps, messaging, photos, email, more storage – sorry, did you think there would be cake?
IT bods: How long does it take YOU to train up on new tech?
I'll leave my arrays to do the hard work, if you don't mind
Amazon reveals its Google-killing 'R3' server instances
A mega-memory instance that never forgets
Cisco reps flog Whiptail's Invicta arrays against EMC and Pure
Storage reseller report reveals who's selling what
prev story


Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.