Tag Archives: privacy

AT&T latest to release data on secret government requests for data


By SB Anderson

AT&T said on Tuesday that it received secret orders under the Federal Intelligence Surveillance Act in the first half of last year involving up to 37,000 customer accounts. Those accounts were included in up to 2,000 orders from the Justice Department; half of those requests were for actual content from customers in as many as 36,000 accounts. The other half demanded just account data.

As many as 2,999 other requests came from the FBI as “National Security Letters,” and involved up to 4,999 accounts. Those letters can only demand information about a customer account, not personal data such as documents or emails.

ATT FISA and NSL Report 2/14

SOURCE: AT&T

The Justice Department in late January, to settle a lawsuit the companies had brought seeking more transparent reporting, relaxed reporting standards and allowed the FISA data to be made public for the first time. Companies that choose to report the FISA requests and NSL requests combined can use ranges of 0–249; if data is separate, it must be reported in larger ranges — 0-999.

FISA data can cover both the total number of orders made and how many accounts were involved. It can also be broken out by requests for customer information, such as subscriber name, or actual content, such as an e-mail. National Security Letters are limited to only customer information, not content.

AT&T on Tuesday also released its first ever data on non-national security related civil and criminal court requests for user data and information. Other communications and internet companies, such as Google, have been releasing “transparency reports” with this data for several years.

During 2013, AT&T received an average of 827 requests a day from law enforcement — 301,816 for the years, most involging criminal cases and issued by subpoenas, which are believed to typically only cover data about a user and account, not content created. Just under 1 in 5 requests came via more powerful court order or warrant. Only about 1% of requests were rejected by AT&T and for about 5% of the requests, AT&T had no or only partial information to release.

About 100,000 “emergency” requests were received, such as those related to a 911 call. About 38,000 request were for a customer’s location, as well as all numbers for a particular cell tower.

ATT Transparency Report

SOURCE: AT&T

Continue reading

More companies report under loosened rules on national security orders for customer info


By SB Anderson

(Updated 2/18/2014 to add AT&T data).

More major tech companies have weighed in with data they are now allowed to release about how many secret orders for user information and content were made under the Foreign Intelligence Surveillance Act or from the FBI in a National Security Letter.

Yahoo, Microsoft, Google, LinkedIn and Facebook this week joined Apple, which was the first to report last week. All said they’d received the same number of secret government requests in the first half of 2013, but the number of accounts affected by those requests varied widely. (See table below). UPDATE: AT&T released its FISA data and update on National Security Letters on Feb. 18. Link to its report is also below; it includes data on its other criminal and civil requests for data as well.

The Justice Department last week, to settle a lawsuit the companies had brought seeking more transparent reporting, relaxed reporting standards and allowed the FISA data to be made public for the first time. Companies that choose to report the FISA requests and NSL requests combined can use ranges of 0–249; if data is separate, it must be reported in larger ranges — 0-999.

FISA data can cover both the total number of orders made and how many accounts were involved. It can also be broken out by requests for customer information, such as subscriber name, or actual content, such as an e-mail. National Security Letters are limited to only customer information, not content.

FISA and NSA Data (updated 2/18/2014)(Click on image for larger version in new browser window).

The fresh batch of reports largely covered the first half of 2013, although some companies added earlier years as well. Data for the second half of 2013 won’t be available until mid-2014 because of a waiting period required by the new rules for FISA orders.

NSL requests aren’t covered by that waiting period and two of the four companies that reported July-December 2013 numbers for those showed an increase in number of accounts affected over the first half of the year. Yahoo and Google bot said 1,000-1,999 accounts were affected, up from 0-999; Microsoft and Facebook reported no increase.

Google and Yahoo provided the most historical data. While total FISA requests has remained flat, the number of accounts affected by content requests has increased significancy. Google’s rose from 2,000-2,000 in the first half of 2009 and peaked at 12,000-12,999 in the second half of 2012. Microsoft’s peaked at the same time, at 16,000-16,999 in the second half of 2012 vs. 11,000-11,999 a year earlier.

Full details can be found in the individual reports below.

Facebook makes its first revised report on U.S. government’s secret requests for user data


By SB Anderson

Facebook on Monday became one of the latest companies since Justice Department reporting rules were relaxed late last month to release more details about the number and type of secret requests that U.S. authorities have made for user account information and content.

Facebook in a release said it had received up to 999 requests for content under the the Foreign Intelligence Surveillance Act in the first half of 2013, and those requests covered from 5,000 to 5,999 accounts. Another 0-999 FISA requests that didn’t involve content — but sought information such as a subscriber name — were received, involving an equal number of accounts. It also received up to 999 “National Security Letters” from the FBI director for user information.

Those numbers were little changed from the second half of 2012. The number of National Security Letters was in the same range in the second half of 2013. Data for the FISA requests cannot be released until after a six-month waiting period, so there is no data for the second half of 2013 for those yet.

The new relaxed reporting standards allowed the FISA data to be made public for the first time. Companies that choose to report the FISA requests and NSL requests combined can use ranges of 0–249; if data is separate, it must be reported in larger ranges — 0-999. Facebook chose the latter.

Apple, which reported its data last week, chose the former. Apple said it had received between 0 and 249 FISA and NSL requests in the first half of 2013, involving the same range of accounts.

In its original “transparency report” on 2013 first-half requests, Facebook said it received between 11,000 and 12,000 requests from all law enforcement agencies, affecting 20,000-21,000 accounts.

The Justice Department agreed to relax the reporting rules as part of settling a lawsuit by a number of companies — including Facebook, seeking latitude to be more transparent in their reporting.

“The new information we are releasing today marks a significant step forward,” Facebook said in its release. “As we have said before, we believe that while governments have an important responsibility to keep people safe, it is possible to do so while also being transparent.”

Facebook FISA and NSL

SOURCE: Facebook.

Apple first to report number of secret customer data requests under new reporting rules


By SB Anderson

Apple this week was the first tech company to take advantage of new slightly more lenient Justice Department rules about how many secret requests for customer information the federal government makes.

The new rules governing controversial “National Security Letters” from the FBI director and national security orders issued under the Foreign Intelligence Surveillance Act were part of a settlement of a lawsuit by technology companies seeking to be more transparent about the top secret demands for information. (Read the settlement order as well as a letter from the Justice Department)

Apple said it had received between 0 and 249 FISA and NSL requests in the first half of 2013, involving the same range of accounts.

Only basic customer information can be requested in an NSL; content, such as e-mails, cannot be sought. Content information can be sought under national security orders and the new regulations provide some latitude to report how many times that happens.

Previously, companies were prohibited from even acknowledging that they had received national security orders from the Foreign Intelligence Surveillance Court. They could report NSLs, but only in bands of 1,000 such as 0-999.

Apple in its release on Monday said it was “pleased” with the new rules, but made it clear that the number of secret orders at the end of the day was de minimis.

“The number of accounts involved in national security orders is infinitesimal relative to the hundreds of millions of customer accounts registered with Apple,” Apple said.

Companies now have two options for reporting data that is at least six months old, and only once every six months:

  1. Can report national security orders under FISA, and National Security Letters from the FBI, as a combined number in increments of 250, as well as the number of accounts affected, also in increments. This is what Apple chose to do. Companies can also release the type of order as well as whether it was for customer content.
  2. If they want to report security orders and NSLs separately, the must use the original bands of 1,000 (e.g., 0-999).

Below is our running tally of key transparency report data, updated with Apple’s new report. | Earlier stories on transparency reports.

Transparency Report Update

For Verizon, a solid grade on transparency reporting


By SB Anderson

Telecom behemoth Verizon released its first ever “Transparency Report” today on the number of requests for customer data it gets from government agencies — a whopping 900 A DAY almost. That was 320,000 total in 2013 in the U.S. alone.

Numbers aside for a moment, this report is one the clearest, most pithy documents on the topic that OTB has come across in the past two years of working with this data from Google, Apple, Microsoft et al. It’s like the lawyers were temporarily possessed by an angel of clarity and precision as they sat down at the keyboard.

verizon transparency data

      SOURCE: Verizon

Not only do you get a clear, simple explanation of the number of requests and types, and Verizon’s policies, but also a clear, simple explanation of the various laws and process that are involved.

One negative in the report is that it does not detail how often Verizon actually released data. While the numbers are typically small, other companies detail the times they’ve said no to requests for various reasons or didn’t have the data requested. Google, for example, did not release data in 17% of requests in the first half of 2013.

Verizon’s numbers are so large compared to even the largest companies such as Google and Microsoft that have released reports in the past that it said it only “relatively infrequently” was compelled to provide content such as text messages, email and photos. Infrequently in this case: 14,500 times via warrant. It received about twice that many warrants and orders for location information — 35,000 demands — and 3,200 requests for “cell tower dumps,” in which it provides an agency all phone numbers that communicated with a certain cell tower for a period of time.

“The number of warrants and orders for location information are increasing each year,” Verizon noted.

Verizon also received between 1,000 and 1,999 “National Security Letters” from the FBI Director. These controversial orders certify that “the information sought is relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities. . . .” Content data cannot be sought; requests must be for “name, address, length of service and toll billing records.”

It is illegal to disclose the exact number of letters received (individuals who receive them cannot even say they got one) or give details about what was sought. Only figures in ranges from 1-999 can be used to say how many were received.