The Obama administration’s decision to allow Internet companies to report broadly the number of national security requests they receive is a step toward improved public transparency for government surveillance, but less than meets the eye, civil libertarians and legal experts say.
In the wake of revelations last year that popular social media companies had been targeted by the National Security Agency’s PRISM data collection program, five companies filed legal motions before the Federal Intelligence Surveillance Court (FISC) to release more information about government data requests.
Worried the surveillance would tarnish their brands, Facebook, Google, LinkedIn, Microsoft, and Yahoo argued in legal filings that the step toward transparency was necessary to show customers more specifically the degree of surveillance conducted and to reassure them it was a tiny fraction of the total.
New disclosures that the NSA has also been using data from smartphone apps, such as Angry Birds, to collect information on people, set off a new wave of reassurances to customers. ln a statement on Tuesday, Mikael Hed, CEO of the Finnish software company that developed Angry Birds, quickly reassured fans that Rovio did not "collaborate, collude, or share data with spy agencies anywhere in the world." Apple, whose iPhones feature Angry Birds, said it was glad to have the ability to report in more detail on government data requests.
On Monday, the US Justice Department, which had long prohibited any release of how many national security requests had been made, unveiled a plan to permit the companies to release a ballpark number of customers affected by national security letter (NSL) requests and targeted under FISC orders they receive from US intelligence agencies.
“This action was directed by the President earlier this month in his speech on intelligence reforms,” the Justice Department said in a statement. “While this aggregate data was properly classified until today, the office of the Director of National Intelligence, in consultation with other departments and agencies, has determined that the public interest in disclosing this information now outweighs the national security concerns that required its classification.”
Under the compromise agreement, the Internet companies will be allowed to release more information – not the specific number of criminal orders requested by government – only the block outline when it comes to NSLs.
For instance, the companies must round to the nearest thousand the number of secret NSL requests by government investigators, FISC order, and the number of customers targeted or affected in both categories. When it comes to FISC orders, the companies will be permitted to identify the number of requests for personal information about their customers, not just those seeking e-mails.
The companies also may choose a simplified reporting of the number of criminal orders by lumping together the various categories. In that case, the total national security, criminal, and FISC orders can be reported in blocks of 250; and total numbers of customers whose data is targeted also in blocks of 250.
The step was hailed by the companies as a victory for public accountability.
"We filed our lawsuits because we believe that the public has a right to know about the volume and types of national security requests we receive," said Facebook, Google, Microsoft, and Yahoo in a statement. "We're pleased the Department of Justice has agreed that we and other providers can disclose this information. While this is a very positive step, we'll continue to encourage Congress to take additional steps to address all of the reforms we believe are needed."
Experts who have examined the impact on Internet business of such NSA practices – exposed by top-secret documents leaked to the media by former NSA contractor Edward Snowden – say the shift is likely to be helpful.
“This is a first step, but a very important one,” writes Chris Boam, an expert on privacy law in Vienna, Va., in an e-mail interview. “For the companies that have been impacted by the data orders, it shows that they are both pushing back, defending what they see as the rights of the customer, and now getting some concessions to increase transparency.... I think that is very helpful for the brand and business of these firms.”
Some civil libertarians hailed the step as well.
“This is a victory for transparency and a critical step toward reining in excessive government surveillance,” said Alex Abdo, staff attorney with the American Civil Liberties Union’s National Security Project, in a statement. “Companies must be allowed to report basic information about what they’re giving the government so that Americans can decide for themselves whether the NSA's spying has gone too far."
But others were less impressed by the compromise, saying it was more about government and corporate face-saving than it was providing the public with truly useful gauges that enable them to understand the extent of government surveillance of social media.
“I have a concern that some of this new reporting could be very misleading,” says Elizabeth Goitein, co-director the Brennan Center’s Liberty and National Security Program at the New York University School of Law, in a phone interview.
For instance, the new plan allows companies to report broadly the number of customers “affected” by NSL requests, while the number of FISC orders that may be reported are only “customers targeted,” she says.
“In situations where companies report the number of customers targeted under a FISC order, it is likely to vastly understate the number of customers who may be affected,” Ms. Goitein says. “Consider someone sitting in Europe who becomes a target. The government says to a company: ‘I want all e-mails that refer to this individual or any e-mails to or from this individual or about this individual.’ Well guess what, the number of customers whose communications are swept up in this hunt is a lot more than one, but it will still be reported as one.”
Conversely, the use of the word “affected” for NSL requests might end up “being more revealing,” she admits. “No one’s lying here. But the government is being very careful how it uses the word “targeted” when comes to FISC orders. One customer targeted could mean hundreds or thousands affected.”
Stephen Vladeck, a legal expert on national security law at American University, called the move “a big symbolic step,” but with key caveats.
“It’s only going to give us a sense of the overall state of play,” he writes in an e-mail interview. “While it’s helpful to know how often these orders are being received by the individual firms, it’s going to be incredibly difficult to undertake any real assessment of the forest without at least some sense of the individual trees.”
The White House move also fell short of mollifying many in Congress.
“It’s just common sense that the government should give the American people a good idea of how many of them have had their information collected,” said Sen. Al Franken (D) of Minnesota in a statement reported by The Washington Post. “The Obama Administration still has made no progress on that front.”
The government says the numerical obfuscation is necessary to prevent adversaries from discerning the pulse and direction of federal investigations. But the companies must go even further and delay release of national security order numbers by six months. The companies also must refrain for two years from revealing whether government is tapping into new communications technologies the companies may develop.
All of which leaves some expert circumspect about what will really be known by the release of these numbers.
“We’ll have a better sense of how often the government is relying upon these authorities,” Mr. Vladeck says, “but not whether such reliance is consistent with the underlying statutory authorities and/or the Constitution in all or even most cases.”