Tag Archives: transparency

Facebook makes its first revised report on U.S. government’s secret requests for user data


By SB Anderson

Facebook on Monday became one of the latest companies since Justice Department reporting rules were relaxed late last month to release more details about the number and type of secret requests that U.S. authorities have made for user account information and content.

Facebook in a release said it had received up to 999 requests for content under the the Foreign Intelligence Surveillance Act in the first half of 2013, and those requests covered from 5,000 to 5,999 accounts. Another 0-999 FISA requests that didn’t involve content — but sought information such as a subscriber name — were received, involving an equal number of accounts. It also received up to 999 “National Security Letters” from the FBI director for user information.

Those numbers were little changed from the second half of 2012. The number of National Security Letters was in the same range in the second half of 2013. Data for the FISA requests cannot be released until after a six-month waiting period, so there is no data for the second half of 2013 for those yet.

The new relaxed reporting standards allowed the FISA data to be made public for the first time. Companies that choose to report the FISA requests and NSL requests combined can use ranges of 0–249; if data is separate, it must be reported in larger ranges — 0-999. Facebook chose the latter.

Apple, which reported its data last week, chose the former. Apple said it had received between 0 and 249 FISA and NSL requests in the first half of 2013, involving the same range of accounts.

In its original “transparency report” on 2013 first-half requests, Facebook said it received between 11,000 and 12,000 requests from all law enforcement agencies, affecting 20,000-21,000 accounts.

The Justice Department agreed to relax the reporting rules as part of settling a lawsuit by a number of companies — including Facebook, seeking latitude to be more transparent in their reporting.

“The new information we are releasing today marks a significant step forward,” Facebook said in its release. “As we have said before, we believe that while governments have an important responsibility to keep people safe, it is possible to do so while also being transparent.”

Facebook FISA and NSL

SOURCE: Facebook.

Apple first to report number of secret customer data requests under new reporting rules


By SB Anderson

Apple this week was the first tech company to take advantage of new slightly more lenient Justice Department rules about how many secret requests for customer information the federal government makes.

The new rules governing controversial “National Security Letters” from the FBI director and national security orders issued under the Foreign Intelligence Surveillance Act were part of a settlement of a lawsuit by technology companies seeking to be more transparent about the top secret demands for information. (Read the settlement order as well as a letter from the Justice Department)

Apple said it had received between 0 and 249 FISA and NSL requests in the first half of 2013, involving the same range of accounts.

Only basic customer information can be requested in an NSL; content, such as e-mails, cannot be sought. Content information can be sought under national security orders and the new regulations provide some latitude to report how many times that happens.

Previously, companies were prohibited from even acknowledging that they had received national security orders from the Foreign Intelligence Surveillance Court. They could report NSLs, but only in bands of 1,000 such as 0-999.

Apple in its release on Monday said it was “pleased” with the new rules, but made it clear that the number of secret orders at the end of the day was de minimis.

“The number of accounts involved in national security orders is infinitesimal relative to the hundreds of millions of customer accounts registered with Apple,” Apple said.

Companies now have two options for reporting data that is at least six months old, and only once every six months:

  1. Can report national security orders under FISA, and National Security Letters from the FBI, as a combined number in increments of 250, as well as the number of accounts affected, also in increments. This is what Apple chose to do. Companies can also release the type of order as well as whether it was for customer content.
  2. If they want to report security orders and NSLs separately, the must use the original bands of 1,000 (e.g., 0-999).

Below is our running tally of key transparency report data, updated with Apple’s new report. | Earlier stories on transparency reports.

Transparency Report Update

For Verizon, a solid grade on transparency reporting


By SB Anderson

Telecom behemoth Verizon released its first ever “Transparency Report” today on the number of requests for customer data it gets from government agencies — a whopping 900 A DAY almost. That was 320,000 total in 2013 in the U.S. alone.

Numbers aside for a moment, this report is one the clearest, most pithy documents on the topic that OTB has come across in the past two years of working with this data from Google, Apple, Microsoft et al. It’s like the lawyers were temporarily possessed by an angel of clarity and precision as they sat down at the keyboard.

verizon transparency data

      SOURCE: Verizon

Not only do you get a clear, simple explanation of the number of requests and types, and Verizon’s policies, but also a clear, simple explanation of the various laws and process that are involved.

One negative in the report is that it does not detail how often Verizon actually released data. While the numbers are typically small, other companies detail the times they’ve said no to requests for various reasons or didn’t have the data requested. Google, for example, did not release data in 17% of requests in the first half of 2013.

Verizon’s numbers are so large compared to even the largest companies such as Google and Microsoft that have released reports in the past that it said it only “relatively infrequently” was compelled to provide content such as text messages, email and photos. Infrequently in this case: 14,500 times via warrant. It received about twice that many warrants and orders for location information — 35,000 demands — and 3,200 requests for “cell tower dumps,” in which it provides an agency all phone numbers that communicated with a certain cell tower for a period of time.

“The number of warrants and orders for location information are increasing each year,” Verizon noted.

Verizon also received between 1,000 and 1,999 “National Security Letters” from the FBI Director. These controversial orders certify that “the information sought is relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities. . . .” Content data cannot be sought; requests must be for “name, address, length of service and toll billing records.”

It is illegal to disclose the exact number of letters received (individuals who receive them cannot even say they got one) or give details about what was sought. Only figures in ranges from 1-999 can be used to say how many were received.

Government requests for data about Google users doubled since 2010


By SB Anderson

(Updated 11/17/13) Google’s somewhat-delayed update to its semi-annual transparency report was released this morning and we’ve just started crunching the numbers, but thought we’d share a handy visual overview that Google Blog posted in the interim, along with a few of our own graphics.

Quick summary: The government requests for user accounts info and user data just keep on coming, particularly in the U.S. They have doubled since 2010 — 25,900 requests in the first half of 2013 compared to 13,400 in the same period of 2010. And the US now makes up 42% of all requests, compared to 32% in 2010.

On the bright side, the percentage of U.S. requests that eventually led to some data being released has been steadily declining. It was 83% in the first half of this year and 94% at the end of 2010. The type of request that had the highest chance of leading to data being released: A wiretap order (100% in 7 cases). The least likely: A court order that wasn’t a subpoena or search warrant, with 69% of cases ending with data release.

Google Transparency Report Graphic

And here’s a chart we at OTB put together to show how the authorities come knocking.

And now that Google has weighed in, here is a summary of all the major companies that are now issuing transparency reports.

First half of 2013 transparency rollup

Apple joins peers in sharing data about government requests for data


By SB Anderson

Aggregate transparency data

Another major technology company is now releasing regular “transparency reports” describing the number of times government agents have sought customer information from it.

Apple’s “Report on Government Information Requests (PDF),” released on Tuesday, shows it is a minnow compared to other big players when it comes to such requests. (See chart above).

We imported Apple’s data into a spreadsheet. You can sort and download it here.

In the first half of this year, U.S. law enforcement agencies filed between 1,000 and 2,000 requests for information affecting 2,000 to 3,000 accounts. That is between 5 and 11 requests a day, compared to almost 70 for Yahoo and Facebook. Because the data includes those related to national security, companies are required by law to only release ranges of numbers and not specifics if the data as mingled with non-national security-related numbers.

Apple said it disclosed customer data or content data in up to half the requests and rejected it up to half the time (0 to 1,000 in both cases).

“The most common account requests involve robberies and other crimes or requests from law enforcement officers searching for missing persons or children, finding a kidnapping victim, or hoping to prevent a suicide,” Apple said. “Responding to an account request usually involves providing information about an account holder’s iTunes or iCloud account, such as a name and an address. In very rare cases, we are asked to provide stored photos or email. We consider these requests very carefully and only provide account content in extremely limited circumstances.”

The US by far made most of the requests, with No. 2 the UK at 127 affecting 141 accounts.

The US also led in the number of times it asked Apple for information about one of its devices, logging 3,542 requests involving 8,605 devices. In 88% of those cases, some information was released. Germany with 2,156 requests was second.

“Device requests and account requests involve very different types of
data. Many of the device requests we receive are initiated by our own customers working together with law enforcement,” Apple noted in its report. “Device requests never include national
security–related requests.”

Part of the reason that one of the very largest tech companies gets among the fewest government inquiries: Apple says it’s not in the customer information gathering business.

“We have no interest in amassing personal information about our customers. We protect personal conversations by providing end-to-end encryption over iMessage and FaceTime. We do not store location data, Maps searches, or Siri requests in any identifiable form.”

Microsoft got 44 requests for data a day from US agencies in first half of 2013


By SB Anderson

U.S. government agencies asked Microsoft to share customer information or content nearly 8,000 times in the first half of 2013. Those requests involved 22,300 accounts, new data released by the Seattle-based firm on Friday said.

Based on so-called “transparency” reports released so far this year from Microsoft, Yahoo, Twitter and Facebook, US agencies between January and the end of June made, on average, up to 183 requests per day across the four companies, for a total of 33,338 requests affecting 84,597 accounts.

Google, which has been releasing law enforcement request data longer than any major competitor, has yet to release its data for the first half of the year. Microsoft first released some data early last summer after former NSA employee Edward Snowden began leaking top-secret documents about government surveillance programs involving the major internet companies.

Turkey, Germany, the United Kingdom and France followed the U.S. in the No. 1 spot for requests from Microsoft. Together, the five made up 3 in 4 of the global 37,196 requests affecting 66,539 accounts.

Just over 1 in 10 U.S. requests led to user content being released. In 2 out of 3 cases, at least some user account information such as name, gender and Zip Code was turned over. Only about 1 in 100 was rejected for not meeting legal requirements. And in just under 1 in 20 cases — 17% — no customer data was found.

Continue reading

U.S. government asked to snoop on 40,000 Yahoo accounts in first half of year


By SB Anderson

Yahoo on Friday reported that U.S. authorities asked for user data 12,444 times in the first six months of this year — covering 40,322 accounts. That is 69 requests a day, on average.

Most of those cases resulted in the government getting at least some data, including e-mails, photos and uploaded files.

Friday’s was Yahoo’s first-ever transparency report and it says it will continue every six months. Twitter and Microsoft released their reports earlier this summer; Google, which has been releasing reports longer than the other major players, has yet to for the first half of 2013. (Related: The Washington Post reported this morning that Google has stepped-up its efforts to encrypt that data that moves between its servers in an attempt to thwart spying).

“Democracy demands accountability, and accountability requires transparency,” Yahoo General Counsel Ron Bell wrote in a blog post on Friday. “We hope our report encourages governments around the world to more openly share information about the requests they make for users’ information.”

Yahoo Data ReleaseYahoo reported that in about 8% of cases, either no data was found or Yahoo rejected the request. So in just over 9 in 10 cases, at least some data was turned over.

About half the time — 55% — that was “non-content data,” which Yahoo describes as “basic subscriber information including the information captured at the time of registration such as an alternate e-mail address, name, location, and IP address, login details, billing information, and other transactional information (e.g., “to,” “from,” and “date” fields from email headers).”

In nearly 2 in 5 cases, other content was turned over. Yahoo’s description: “Data that our users create, communicate, and store on or through our services. This could include words in a communication (e.g., Mail or Messenger), photos on Flickr, files uploaded, Yahoo Address Book entries, Yahoo Calendar event details, thoughts recorded in Yahoo Notepad or comments or posts on Yahoo Answers or any other Yahoo property.”

Yahoo reported about the same number of government requests as Facebook, but affecting substantially more user accounts — 40,300 vs. up to 21,000. Twitter reported 902 requests affecting 1,319 accounts for the first half of the year.

Germany, Italy, Taiwan and France filled out the Top 5 in number of requests after the U.S. Outside the U.S., requests totaled 17,026, involving 22,453 accounts.

The government requests usually involve criminal investigations and came come by way of warrant or subpoena. Yahoo says it only complies “in response to valid, compulsory legal process from a government agency with proper jurisdiction and authority.”

National security authorities also make the requests. All companies are restricted about how much they can say — even specific numbers — about requests under the Foreign Intelligence Surveillance Act. Yahoo and others have been pressing the government to allow them more freedom to divulge those details.

Sorted Yahoo Transparency Report First Half 2013

Earlier stories on transparency report data.