Microsoft, Twitter, Google and Facebook all participate in the NSA's Prism effort. Photograph: Pichi Chuang/Reuters
Tens of thousands of accounts associated with customers of
Microsoft, Google, Facebook and Yahoo have their data turned over to US
government authorities every six months as the result of secret court
orders, the tech giants disclosed for the first time on Monday.
As part of a transparency deal reached last week with the Justice Department, four of the tech firms that participate in the National Security Agency’s Prism effort,
which collects largely overseas internet communications, released more
information about the volume of data the US demands they provide than
they have ever previously been permitted to disclose.
But the
terms of the deal prevent the companies from itemising the collection,
beyond bands of thousands of data requests served on them by a secret
surveillance court. The companies must also delay by six months
disclosing information on the most recent requests – terms the Justice
Department negotiated to end a transparency lawsuit before the so-called
FISA court that was brought by the companies.
In announcing
the updated data figures, the companies appeared concerned by the lack
of precision over the depth of their compelled participation in
government surveillance.
“We still believe more transparency
is needed so everyone can better understand how surveillance laws work
and decide whether or not they serve the public interest,” said Google’s
legal director for law enforcement and information security, Richard
Salgado, in a post on the company’s official blog.
“Specifically,
we want to disclose the precise numbers and types of requests we
receive, as well as the number of users they affect in a timely way.”
In the most recent period for which data is available, January to June 2013 – a period ended by the beginning of whistleblower Edward Snowden’s landmark surveillance disclosures
– Google gave the government the internet metadata of up to 999
customer accounts, and the content of communications from between 9,000
and 9,999 customers.
Microsoft received fewer than 1,000
orders from the FISA court for communications content during the same
period, related to between 15,000 and 15,999 “accounts or individual
identifiers”.
The company, which owns the internet video
calling service Skype, also disclosed that it received fewer than 1,000
orders for metadata – which reveals communications patterns rather than
individual message content – related to fewer than 1,000 accounts or
identifiers.
Yahoo disclosed
that it gave the government communications content from between 30,000
and 30,999 accounts over the first six months of 2013, and fewer than
1,000 customer accounts that were subject to Fisa court orders for
metadata.
Facebook disclosed that during the first half of 2013,
it turned over content data from between 5000 and 5999 accounts – a
rise of about 1000 from the previous six month period – and customer
metadata associated with up to 999 accounts.
Microsoft,
Facebook and Yahoo also gave the FBI certain customer records – not
content – under a type of non-judicial subpoena called a national
security letter. Since disclosure of national security letters is not
subject to a six-month delay under last week’s deal, Microsoft revealed
that it received up to 999 such subpoenas between June and December
2013, affecting up to 999 user accounts. Facebook’s National Security
Letter total was the same.
Yahoo received up to 999 national
security letters during the same period, affecting 1,000 to 1,999
accounts. Google received the same total, and disclosed that since 2009,
national security letters have compelled the handover of customer
records from as many as 1999 accounts every six months. Last weekApple disclosed that between 1 January and 30 June 2013 it had received less than 250
national security orders – including national security letters and
other requests – relating to less than 250 accounts.
LinkedIn, the professional networking service, disclosed on Monday that it received the same total of generic “national security requests.”
Brad Smith, Microsoft’s general counsel, posted on the company’s blog
that “only a fraction of a percent of users are affected by these
orders”, and argued that “we have not received the type of bulk data
requests that are commonly discussed publicly regarding telephone
records.”
But the disclosures only apply to data requests turned over to the NSA and FBI as the result of FISA court orders.
Documents
that Snowden disclosed to the Guardian, Washington Post and other
outlets show that the NSA also siphons communications and associated
data from information in transit across the global communications
infrastructure – without court orders, under authority claimed under a
seminal executive order known as executive order 12,333.
“Nothing
in today's report minimises the significance of efforts by Governments
to obtain customer information outside legal process,” Smith said,
affirming that the company remained concerned about reports of
clandestine government hacking and would continue to press for more
transparency from the US government and others. Google data shows a significant growth in
internet content collection from its products by the NSA. Photograph:
Justin Sullivan/Getty Images
The data from Google shows a significant growth in internet content
collection from its products by the NSA. In the first six months of
2009, the company gave the government data from up to 2,999 customer
accounts, a figure that grew to between 12,000 and 12,999 customer
accounts by the second half of 2012 before dipping to under 10,000
accounts in the first half of 2013.
But the data does not provide
any indication of what accounted for the rise, beyond the growth in
popularity of Google email and other internet products.
Similarly,
Microsoft revealed that it gave the US government content information
on more than 12,000 customer accounts in the second half of 2011, a
figure that grew to over 16,000 customer accounts in late 2012 before
dropping to more than 15,000 in the first six months of 2013.
Kevin
Bankston, the policy director for the Open Technology Institute in
Washington, said the amount of information the companies were able to
detail about their roles in US surveillance was “far less than what we
need for adequate accountability from the government”.
“Lumping
all of the different types of surveillance orders together into one
number, then adding obscurity on top of obscurity by requiring that
number to be reported in ranges of one thousand, is not enough to
educate the American public or reassure the international community that
the NSA is using its surveillance authorities responsibly," said
Bankston, who like Google’s Salgado advocated legislation permitting the
additional disclosure of “specific number of requests issued under
specific legal authorities and the number of people affected by each”.
Nate
Cardozo, a staff attorney at the Electronic Frontier Foundation, said
the new information in the transparency reports was “a good first step”
but added that large questions remained. Cardozo said the national
security letters had all been “lumped together” and it was impossible to
see what legal framework had been used to compel the companies to hand
over information.
“It makes you question the government’s repeated assertions that it welcomes this debate,” he said.
Microsoft’s
Smith lamented that “despite the President's reform efforts and our
ability to publish more information, there has not yet been any public
commitment by either the US or other governments to renounce the
attempted hacking of internet companies.
“We believe the
constitution requires that our government seek information from American
companies within the rule of law. We'll therefore continue to press for
more on this point, in collaboration with others across our industry.”
•
An earlier version of this story stated in error that Google did not
disclose the number of national security letters it had received. This
has been corrected.
It was further revised to remove an unsubstantiated
description of Microsoft being a "major surveillance partner for the
US government".
