Feds Reach Settlement With Internet Companies Allowing Them To Report Not Nearly Enough Details On Surveillance Efforts

from the too-bad dept

Mon, Jan 27th 2014 11:55pm — Mike Masnick

It appears that the lawsuit that a bunch of big internet companies had filed against the NSA in an attempt to reveal just how often they get FISA court information requests and how many of their users are impacted is now over, as the government has reached a settlement with the companies, allowing them slightly more leeway in sharing information, but in a very limiting way.

Not too long ago, the government had started allowing companies to reveal, for the first time, how many national security letter (NSL) requests they get, but said they had to reveal that number in ranges of 1,000 starting with 0 to 999. However, they did not allow any such reporting on FISA Court (FISC) orders, which covered things like the now infamous PRISM program under Section 702 of the FISA Amendments Act. It appears that the settlement more or less follows the outline of what the government allowed with NSLs. Companies are given two options. One is to basically report FISC requests like NSL requests, in bands of 1,000, and to similarly report "number of customer accounts affected" for NSLs, "FISA orders for content," "number of customer selectors targeted under FISA content orders," "FISA orders for non-content," and "number of customer selectors targeted under FISA non-content orders." All of those can be revealed separately, but always in bands of 1,000, starting with 0 to 999.

Alternatively, if companies are willing to lump these various programs together, they are allowed somewhat more granularity. So, if they lump together NSLs and FISA orders into a single number, they can reveal the details in bands of 250, starting with 0 to 249. Similarly, they can list the lumped together "customer selectors targeted" under combined NSLs and FISA orders in bands of 250.

This is a step forward, but it's not nearly far enough. As Kevin Bankston notes:

"Asking the public and policymakers to try to judge the appropriateness of the government’s surveillance practices based on a single, combined, rounded number is like asking a doctor to diagnose a patient’s shadow: only the grossest and most obvious problem, if even that, will be ever be evident."

Among the problems here, are that while they can reveal the number of customer accounts impacted for NSLs, that's not what they can do with FISC orders. Instead, they can only reveal "customer selectors targeted." That can be very different. You can imagine a "customer selector" that impacts many, many user accounts. And that's what many people are worried about -- and with this agreement, we won't actually know.

Furthermore, the agreement has a ridiculous clause that says if a FISA court order covers a "new capability" (i.e., getting access to a service that previously was not being tapped by the NSA/FBI), the companies cannot share that information for two years. The thinking here is rather obvious. Say, for example, a company launches a new voice communications service, like Skype -- and then gets hit with a FISA court order demanding that the NSA be able to listen in. The companies would be blocked from revealing that for two years. Clearly, the idea is to keep people from knowing how quickly the NSA is able to tap into any new form of communication, but that also opens up plenty of opportunities for the NSA to abuse its powers.

There is still some indication that Congress may require greater transparency here. I can understand why the tech companies agreed to settle, but it's a bit disappointing that they threw in the towel so quickly.

Apple has already updated its transparency report to note 0 - 249 "national security orders" and 0 - 249 "total accounts affected."

Since they're doing ranges of 250, they're clearly lumping together both national security letters and FISC orders as "national security orders" though that's a bit confusing. Also, I don't think Apple is actually allowed to say "total accounts affected" from the terms of the agreement. When it comes to FISC orders, they can only list "customer selectors targeted," and saying "accounts affected" would suggest more information than the agreement appears to allow. Still, the obvious suggestion is that the government isn't requesting that much information directly from Apple, though other reports suggest it gets plenty of information, not directly via Apple, but by hacking their way into iOS devices....

Misc 13 03 04 05 06 07 Notice 140127 (PDF)Misc 13 03 04 05 06 07 Notice 140127 (Text)

Misc 13 03 04 05 06 07 Action 140127 (PDF)Misc 13 03 04 05 06 07 Action 140127 (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: doj, fisa orders, fisc, internet companies, national security letters, nsls, transparency, transparency report
Companies: apple, facebook, google, linkedin, microsoft, yahoo

10 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 28 Jan 2014 @ 1:59am

there is only one way to cure this and it's to stop the spying all together!!
[ link to this | view in chronology ]
- Anonymous Coward, 28 Jan 2014 @ 4:30am
  
  Re:
  Which means total excision of the political elites as a start. Followed by excision of the intelligence elite.
  [ link to this | view in chronology ]
- Anonymous Coward, 28 Jan 2014 @ 7:27am
  
  Re:
  Complete disbandment of the NSA. It's not possible to restore faith in a rogue agency.
  [ link to this | view in chronology ]
Anonymous Coward, 28 Jan 2014 @ 5:31am

ha ha Citizens!!!
We RULE over you in SECRET!

And when we COME FOR YOU!!! you cannot tell anyone about it!

Next up!!! putting people in jail and not telling them why! Because its a STATE SECRET!!! ssshhhhhhh!!!!!
[ link to this | view in chronology ]
Anonymous Coward, 28 Jan 2014 @ 6:38am

Apple doesn't get direct requests
...because the NSA can skip that and get the information directly their devices anyway.
[ link to this | view in chronology ]
Anonymous Coward, 28 Jan 2014 @ 6:48am

And they still blame Eve for eating that Apple.
[ link to this | view in chronology ]
This comment has been flagged by the community. Click here to show it

out_of_the_blue, 28 Jan 2014 @ 6:49am

So, Mike, after your making many items out of this trivia, ended up exactly as I predicted: meaningless unverifiable numbers.
And way run (not just your re-write) is mildly interesting: Apple gets focus, Google and others not mentioned. (Yes, I see the "Companies" tag above, not in the body here or elsewhere, though.) Perhaps that's because after the minimal result, Google decided they'd gotten all good press possible out of it.
So long as "The Market" (if not NSA directly) rewards Google for spying, do you expect it to do LESS of it? (104 of 192)

02:47:06[c-210-6]
[ link to this | view in chronology ]
Anonymous Coward, 28 Jan 2014 @ 7:43am

Just more window dressing. The numbers aren't even accurate. Even if the number were accurate, I'd have a hard time believing they're true.

I refuse to store my information anywhere, if I'm not in sole possession of the decryption key, myself. Corporations spy just as much as governments do. They store these vast treasure troves of customer data for decades, and they usually end up getting hacked, with all that personal information getting stolen (see Target Mass Christmas hack of 2013).

Storing decades of personal information on people, is like dangling and giant honeypot in front of a starving grizzly bear. Now replace "bear" with "hackers", and you now understand the fallacy of storing everyone's big-data for decades.

No data, no honeypot. Everyone's information would be much safer this way. Of course, corporate profits and unconstitutional spying will prevent common sense from prevailing.

Such is the nature of man-kind.
[ link to this | view in chronology ]
Anonymous Coward, 28 Jan 2014 @ 8:33am

Beating the system
How often can a company release this information ?
Can they say if they've had no requests or just 0-249 ?
And over what period can they show figures ?

If (for example) they had a ticker on the website giving an up to date figure, we'd see when it stopped being zero, and we'd see hen it crossed 250. I assume that's prevented in the small print...
[ link to this | view in chronology ]
Anonymous Coward, 28 Jan 2014 @ 10:26am

The masters throw chicken bones under the table, and the house slaves say thankyou
[ link to this | view in chronology ]