NSA – On the National Security Beat http://nationalsecurityzone.medill.northwestern.edu/onthebeat On the National Security Beat Tue, 29 Sep 2015 20:29:42 +0000 en-US hourly 1 Is irony five-sided, too? http://nationalsecurityzone.medill.northwestern.edu/onthebeat/is-irony-five-sided/ Fri, 23 May 2014 15:35:21 +0000 http://onthebeat.nationalsecurityzone.org/?p=2153 The intelligence leaks by Edward Snowden were “staggering,” a secret Pentagon report has concluded. Here is what multiple pages of the 12 pages it declassified from that report look like, naturally. (Via The Guardian)
story: )

Redacted report page

]]>
Survey shows improved privacy, security at big online services http://nationalsecurityzone.medill.northwestern.edu/onthebeat/survey-shows-improved-privacy-security-at-big-online-services/ Fri, 16 May 2014 15:48:26 +0000 http://onthebeat.nationalsecurityzone.org/?p=2121 The chart below summarizes how the major tech companies surveyed by the Electronic Frontier Foundation fared as it relates to “privacy policies, terms of service, public statements, and courtroom track record.”

Nine companies this year received the highest six-star rating, compared to two in last year’s survey. A total of 20 companies are now releasing so-called transparency reports about government requests for data compared to 7 a year ago, EFF’s survey showed.

“The sunlight brought about by a year’s worth of Snowden leaks appears to have prompted dozens of companies to improve their policies when it comes to giving user data to the government,” EFF’s Rainey Reitman said in a release.

Full Report (HTML) | Full Report (PDF) | SILK’s aggregated database of transparency reports (HTML)

Results of EFF's 2014 survey

]]>
‘Practically irrelevant’ annual report on FISA and NSL requests released http://nationalsecurityzone.medill.northwestern.edu/onthebeat/practically-irrelevant-annual-report-on-fisa-and-nsl-requests-released/ Thu, 01 May 2014 17:14:38 +0000 http://onthebeat.nationalsecurityzone.org/?p=2038 Steve Aftergood of the Secrecy News blog aptly called the report ‘practically irrelevant’ and notes its importance “has receded in the wake of the far more substantial disclosures of the post-Snowden era,” but nonetheless, the Justice Department this week officially declared how many times it snooped on us all in 2013.

In its annual report to Congress on activity under the Foreign Intelligence Surveillance Court Act, (download PDF)  the Justice Department said it made 1,655 applications to the Foreign Intelligence Surveillance Court. None of those requests for electronic surveillance, physical search or both was turned down. That total is down about 11% over 2012.

The FBI issued 14,219 secret National Security Letters demanding customer records from businesses. Those covered 5,334 individuals. Requests and people affected were down 7% and 11% respectively.

The report also said it sought “business records” from the surveillance court 178 times, but as Aftergood noted in light of information disclosed in and since the Snowden era began nearly a year ago, “the bland term “business records” extends in principle to everyone’s telephone call records.”

SOURCE:  OnTheBeat graphics using EPIC.org compilation from Federation of American Scientists document collection.

]]>
Transparency reports at your fingertips http://nationalsecurityzone.medill.northwestern.edu/onthebeat/transparency-reports-at-your-fingertips/ Tue, 15 Apr 2014 16:51:12 +0000 http://onthebeat.nationalsecurityzone.org/?p=1986 We’ve done a lot of stories on the transparency reports that major companies release with details on the number of requests they’ve gotten from law enforcement agencies for user information and/or data, so we thought it was time to keep a running list of where you can find those reports.

And here it is:

]]>
U.S. Law enforcement requests for Google user info up 31%; nearly half of all requests globally http://nationalsecurityzone.medill.northwestern.edu/onthebeat/u-s-law-enforcement-requests-for-google-user-info-up-31-nearly-half-of-all-requests-globally/ Fri, 28 Mar 2014 13:44:50 +0000 http://onthebeat.nationalsecurityzone.org/?p=1922 U.S. law enforcement requests for data about Google users set a new record, data that Google released about the second half of the year yesterday showed.

Wielding subpoenas in 2 out of 3 cases, agencies asked 21,500 times — 59 times a day — for information about nearly 40,000 users and/or accounts. Unlike court orders and warrants, subpoenas are not necessarily issued by a court.

The number of requests was down slightly in the second half of the year (3%) and the number of users/accounts was down a bit more (16%). It is unclear whether the enormous publicity over monitoring of personal data after Edward Snowden released a plethora of explosive NSA documents in the Spring may have been a factor in the slight decline. The drop in the second half of 2013 as the first ever reported on a half-year basis since Google started releasing the data after the second half of 2009.

The data released on Thursday focused on requests that are unrelated to national security, i.e., involving the National Security Agency, FBI and secret Foreign Intelligence Surveillance Court. Aggregate data about those cases was released in February after the Obama administration slightly reduced restrictions on public release.

Google has been releasing the so-called “Transparency Reports” since 2009; some of its peers and competitors didn’t follow suit until the last year. The requests from law enforcement in some cases cover just information about an account holder or user, such as address; in other cases, authorities ask for actual content produced by the user (e.g., Gmail, YouTube, etc.). In 2013, at least some data was released in just over 4 in 5 cases.

The U.S. by far remained the leader in requests, accounting for 43% of all requests (up slightly over the first half), distantly followed by France, Germany and India in the second half of the year. The number of countries that made requests was up in the second half of the year, but about half were for 20 or fewer.

Requests by year and number of accounts affected

Broken down by first and second halves of years

Types of orders

For good measure, Google released this animated cartoon about how it deals with warrants.

]]>
AT&T latest to release data on secret government requests for data http://nationalsecurityzone.medill.northwestern.edu/onthebeat/att-latest-to-release-data-on-secret-government-requests-for-data/ Tue, 18 Feb 2014 22:53:42 +0000 http://onthebeat.nationalsecurityzone.org/?p=1772 AT&T said on Tuesday that it received secret orders under the Federal Intelligence Surveillance Act in the first half of last year involving up to 37,000 customer accounts. Those accounts were included in up to 2,000 orders from the Justice Department; half of those requests were for actual content from customers in as many as 36,000 accounts. The other half demanded just account data.

As many as 2,999 other requests came from the FBI as “National Security Letters,” and involved up to 4,999 accounts. Those letters can only demand information about a customer account, not personal data such as documents or emails.

ATT FISA and NSL Report 2/14

SOURCE: AT&T

The Justice Department in late January, to settle a lawsuit the companies had brought seeking more transparent reporting, relaxed reporting standards and allowed the FISA data to be made public for the first time. Companies that choose to report the FISA requests and NSL requests combined can use ranges of 0–249; if data is separate, it must be reported in larger ranges — 0-999.

FISA data can cover both the total number of orders made and how many accounts were involved. It can also be broken out by requests for customer information, such as subscriber name, or actual content, such as an e-mail. National Security Letters are limited to only customer information, not content.

AT&T on Tuesday also released its first ever data on non-national security related civil and criminal court requests for user data and information. Other communications and internet companies, such as Google, have been releasing “transparency reports” with this data for several years.

During 2013, AT&T received an average of 827 requests a day from law enforcement — 301,816 for the years, most involging criminal cases and issued by subpoenas, which are believed to typically only cover data about a user and account, not content created. Just under 1 in 5 requests came via more powerful court order or warrant. Only about 1% of requests were rejected by AT&T and for about 5% of the requests, AT&T had no or only partial information to release.

About 100,000 “emergency” requests were received, such as those related to a 911 call. About 38,000 request were for a customer’s location, as well as all numbers for a particular cell tower.

ATT Transparency Report

SOURCE: AT&T

AT&T did not release information about how many customers were actually affected by the requests; nor did competitor Verizon in its report a few weeks ago. Other companies, such as Yahoo and Google, release that data, but AT&T said “demands for information in civil or criminal matters involve a wide range of variables – making it very difficult to tally the number of customers whose information was provided in response to those demands.”

Verizon, which issued a “traditional” transparency report covering court requests and National Security Letters earlier in January, has not released updated data to include FISA orders and additional NSL details since allowed under the relaxed reporting guidelines that were were made effective after it released its original report.

Transparency Reports Updated 2/18/14

FISA and NSA Data (updated 2/18/2014)(Click on image for larger version in new browser window).

]]>
More companies report under loosened rules on national security orders for customer info http://nationalsecurityzone.medill.northwestern.edu/onthebeat/more-companies-report-under-loosed-rules-on-national-security-orders-for-customer-info/ Tue, 04 Feb 2014 14:53:53 +0000 http://onthebeat.nationalsecurityzone.org/?p=1727 (Updated 2/18/2014 to add AT&T data).

More major tech companies have weighed in with data they are now allowed to release about how many secret orders for user information and content were made under the Foreign Intelligence Surveillance Act or from the FBI in a National Security Letter.

Yahoo, Microsoft, Google, LinkedIn and Facebook this week joined Apple, which was the first to report last week. All said they’d received the same number of secret government requests in the first half of 2013, but the number of accounts affected by those requests varied widely. (See table below). UPDATE: AT&T released its FISA data and update on National Security Letters on Feb. 18. Link to its report is also below; it includes data on its other criminal and civil requests for data as well.

The Justice Department last week, to settle a lawsuit the companies had brought seeking more transparent reporting, relaxed reporting standards and allowed the FISA data to be made public for the first time. Companies that choose to report the FISA requests and NSL requests combined can use ranges of 0–249; if data is separate, it must be reported in larger ranges — 0-999.

FISA data can cover both the total number of orders made and how many accounts were involved. It can also be broken out by requests for customer information, such as subscriber name, or actual content, such as an e-mail. National Security Letters are limited to only customer information, not content.

FISA and NSA Data (updated 2/18/2014)(Click on image for larger version in new browser window).

The fresh batch of reports largely covered the first half of 2013, although some companies added earlier years as well. Data for the second half of 2013 won’t be available until mid-2014 because of a waiting period required by the new rules for FISA orders.

NSL requests aren’t covered by that waiting period and two of the four companies that reported July-December 2013 numbers for those showed an increase in number of accounts affected over the first half of the year. Yahoo and Google bot said 1,000-1,999 accounts were affected, up from 0-999; Microsoft and Facebook reported no increase.

Google and Yahoo provided the most historical data. While total FISA requests has remained flat, the number of accounts affected by content requests has increased significancy. Google’s rose from 2,000-2,000 in the first half of 2009 and peaked at 12,000-12,999 in the second half of 2012. Microsoft’s peaked at the same time, at 16,000-16,999 in the second half of 2012 vs. 11,000-11,999 a year earlier.

Full details can be found in the individual reports below.

]]>
Facebook makes its first revised report on U.S. government’s secret requests for user data http://nationalsecurityzone.medill.northwestern.edu/onthebeat/facebook-makes-first-report-on-u-s-governments-secret-requests-for-user-data/ Mon, 03 Feb 2014 21:43:35 +0000 http://onthebeat.nationalsecurityzone.org/?p=1716 Facebook on Monday became one of the latest companies since Justice Department reporting rules were relaxed late last month to release more details about the number and type of secret requests that U.S. authorities have made for user account information and content.

Facebook in a release said it had received up to 999 requests for content under the the Foreign Intelligence Surveillance Act in the first half of 2013, and those requests covered from 5,000 to 5,999 accounts. Another 0-999 FISA requests that didn’t involve content — but sought information such as a subscriber name — were received, involving an equal number of accounts. It also received up to 999 “National Security Letters” from the FBI director for user information.

Those numbers were little changed from the second half of 2012. The number of National Security Letters was in the same range in the second half of 2013. Data for the FISA requests cannot be released until after a six-month waiting period, so there is no data for the second half of 2013 for those yet.

The new relaxed reporting standards allowed the FISA data to be made public for the first time. Companies that choose to report the FISA requests and NSL requests combined can use ranges of 0–249; if data is separate, it must be reported in larger ranges — 0-999. Facebook chose the latter.

Apple, which reported its data last week, chose the former. Apple said it had received between 0 and 249 FISA and NSL requests in the first half of 2013, involving the same range of accounts.

In its original “transparency report” on 2013 first-half requests, Facebook said it received between 11,000 and 12,000 requests from all law enforcement agencies, affecting 20,000-21,000 accounts.

The Justice Department agreed to relax the reporting rules as part of settling a lawsuit by a number of companies — including Facebook, seeking latitude to be more transparent in their reporting.

“The new information we are releasing today marks a significant step forward,” Facebook said in its release. “As we have said before, we believe that while governments have an important responsibility to keep people safe, it is possible to do so while also being transparent.”

Facebook FISA and NSL

SOURCE: Facebook.

]]>
Apple first to report number of secret customer data requests under new reporting rules http://nationalsecurityzone.medill.northwestern.edu/onthebeat/apple-first-to-report-number-of-secret-customer-data-requests-under-new-reporting-rules/ Tue, 28 Jan 2014 14:12:44 +0000 http://onthebeat.nationalsecurityzone.org/?p=1701 Apple this week was the first tech company to take advantage of new slightly more lenient Justice Department rules about how many secret requests for customer information the federal government makes.

The new rules governing controversial “National Security Letters” from the FBI director and national security orders issued under the Foreign Intelligence Surveillance Act were part of a settlement of a lawsuit by technology companies seeking to be more transparent about the top secret demands for information. (Read the settlement order as well as a letter from the Justice Department)

Apple said it had received between 0 and 249 FISA and NSL requests in the first half of 2013, involving the same range of accounts.

Only basic customer information can be requested in an NSL; content, such as e-mails, cannot be sought. Content information can be sought under national security orders and the new regulations provide some latitude to report how many times that happens.

Previously, companies were prohibited from even acknowledging that they had received national security orders from the Foreign Intelligence Surveillance Court. They could report NSLs, but only in bands of 1,000 such as 0-999.

Apple in its release on Monday said it was “pleased” with the new rules, but made it clear that the number of secret orders at the end of the day was de minimis.

“The number of accounts involved in national security orders is infinitesimal relative to the hundreds of millions of customer accounts registered with Apple,” Apple said.

Companies now have two options for reporting data that is at least six months old, and only once every six months:

  1. Can report national security orders under FISA, and National Security Letters from the FBI, as a combined number in increments of 250, as well as the number of accounts affected, also in increments. This is what Apple chose to do. Companies can also release the type of order as well as whether it was for customer content.
  2. If they want to report security orders and NSLs separately, the must use the original bands of 1,000 (e.g., 0-999).

Below is our running tally of key transparency report data, updated with Apple’s new report. | Earlier stories on transparency reports.

Transparency Report Update

]]>
For Verizon, a solid grade on transparency reporting http://nationalsecurityzone.medill.northwestern.edu/onthebeat/for-verizon-an-a-on-transparency-reporting/ Wed, 22 Jan 2014 23:11:13 +0000 http://onthebeat.nationalsecurityzone.org/?p=1673 Telecom behemoth Verizon released its first ever “Transparency Report” today on the number of requests for customer data it gets from government agencies — a whopping 900 A DAY almost. That was 320,000 total in 2013 in the U.S. alone.

Numbers aside for a moment, this report is one the clearest, most pithy documents on the topic that OTB has come across in the past two years of working with this data from Google, Apple, Microsoft et al. It’s like the lawyers were temporarily possessed by an angel of clarity and precision as they sat down at the keyboard.

verizon transparency data

      SOURCE: Verizon

Not only do you get a clear, simple explanation of the number of requests and types, and Verizon’s policies, but also a clear, simple explanation of the various laws and process that are involved.

One negative in the report is that it does not detail how often Verizon actually released data. While the numbers are typically small, other companies detail the times they’ve said no to requests for various reasons or didn’t have the data requested. Google, for example, did not release data in 17% of requests in the first half of 2013.

Verizon’s numbers are so large compared to even the largest companies such as Google and Microsoft that have released reports in the past that it said it only “relatively infrequently” was compelled to provide content such as text messages, email and photos. Infrequently in this case: 14,500 times via warrant. It received about twice that many warrants and orders for location information — 35,000 demands — and 3,200 requests for “cell tower dumps,” in which it provides an agency all phone numbers that communicated with a certain cell tower for a period of time.

“The number of warrants and orders for location information are increasing each year,” Verizon noted.

Verizon also received between 1,000 and 1,999 “National Security Letters” from the FBI Director. These controversial orders certify that “the information sought is relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities. . . .” Content data cannot be sought; requests must be for “name, address, length of service and toll billing records.”

It is illegal to disclose the exact number of letters received (individuals who receive them cannot even say they got one) or give details about what was sought. Only figures in ranges from 1-999 can be used to say how many were received.

]]>