In June of last year, Google, Microsoft, Facebook, and several other major US technology companies made headlines due to their requests to the US Government for increased transparency. Specifically, these tech companies wanted to be allowed to publish the general aggregate numbers about the type and quantity of national security related data requests they had complied with about their customers’ information.
Early this month, Apple similarly joined in this decision to no longer quietly go along with government investigation requests. Kristin Huguet, the main spokeswoman for Apple, made a statement detailing how Apple intends to change its security policy, such that when law enforcement requests data on a customer, Apple will notify that individual in most cases.
Apple has already shown signs of following through with this decision, as on May 7th the company gave brand new guidelines to government investigators and law enforcement agents detailing how to request customers’ electronic communications, devices, and other personal information. Those guidelines confirm that Apple intends to notify individuals when their data is requested, unless prohibited by a court gag order or if that notification results in endangering the lives of children or other individuals.
Many major US tech companies have been getting more and more involved with making user notification a greater priority, with Apple being one of the latest to join their ranks. According to the “Who Has Your Back?” 2013 report issued by the Electronic Frontier Foundation, big name tech companies that require a warrant for content and/or inform users about government data requests include: Dropbox, Facebook, Foursquare, Google, LinkedIn, Microsoft, MySpace, Sonic.net, SpiderOak, Twitter, Tumblr, and WordPress.
These updated security policies are not implemented in the same manner, however. Not all of these tech companies release their information the exact same way. Some, like Apple, opt for emphasizing user notification, while others tend towards what are called “transparency reports”. While it has always been legal for a company to report the number of law enforcement requests they get, it wasn’t until after Edward Snowden’s PRISM revelations in summer 2013 that the Department of Justice and the FBI allowed companies to report in general about National Security Letters and FISA requests.
National Security Letters are subpoenas issued by the FBI for national security investigations, while FISA, also known as the Foreign Intelligence Surveillance Act, allows extensive electronic evidence to be gathered about any individual suspected of being involved in espionage or terrorism. As mandated by the act, companies must wait 6 months before reporting NSLs or FISA information.
Several companies, including Google, Facebook, and Yahoo, have already disclosed their transparency reports online, with NSLs and FISA request numbers for the first half of 2013. Their reports are divided into categories such as “content” requests, which include emails, texts, and photographs, and “non-content” requests, which cover call records and individual subscriber information. In compliance with current government requirements, these transparency reports display a general range (such as 0 to 999 or 30,000 to 30,999) wherein the actual number of FISA orders, specified accounts, NSLs, or other requests fall into.