Apple first to report number of secret customer data requests under new reporting rules


By SB Anderson

Apple this week was the first tech company to take advantage of new slightly more lenient Justice Department rules about how many secret requests for customer information the federal government makes.

The new rules governing controversial “National Security Letters” from the FBI director and national security orders issued under the Foreign Intelligence Surveillance Act were part of a settlement of a lawsuit by technology companies seeking to be more transparent about the top secret demands for information. (Read the settlement order as well as a letter from the Justice Department)

Apple said it had received between 0 and 249 FISA and NSL requests in the first half of 2013, involving the same range of accounts.

Only basic customer information can be requested in an NSL; content, such as e-mails, cannot be sought. Content information can be sought under national security orders and the new regulations provide some latitude to report how many times that happens.

Previously, companies were prohibited from even acknowledging that they had received national security orders from the Foreign Intelligence Surveillance Court. They could report NSLs, but only in bands of 1,000 such as 0-999.

Apple in its release on Monday said it was “pleased” with the new rules, but made it clear that the number of secret orders at the end of the day was de minimis.

“The number of accounts involved in national security orders is infinitesimal relative to the hundreds of millions of customer accounts registered with Apple,” Apple said.

Companies now have two options for reporting data that is at least six months old, and only once every six months:

  1. Can report national security orders under FISA, and National Security Letters from the FBI, as a combined number in increments of 250, as well as the number of accounts affected, also in increments. This is what Apple chose to do. Companies can also release the type of order as well as whether it was for customer content.
  2. If they want to report security orders and NSLs separately, the must use the original bands of 1,000 (e.g., 0-999).

Below is our running tally of key transparency report data, updated with Apple’s new report. | Earlier stories on transparency reports.

Transparency Report Update