Facebook, Google, LinkedIn, Microsoft, and Yahoo have settled their information disclosure case against the government with an agreement that allows them to publish more details about government demands for user data. But the compromise comes with conditions that put startups at a disadvantage.
Attorney General Eric Holder on Monday issued a letter to the companies containing new guidelines for reporting aggregate statistical data about demands for customer information sought through National Security Letters (NSLs) and Foreign Intelligence Surveillance Act (FISA) orders.
"Consistent with the President's direction in his speech on January 17, 2014, these new reporting methods enable communications providers to make public more information than ever before about orders that they receive to provide information to the government," Holder's letter says.
Because Google previously was forbidden from publishing any information about FISA orders, it published a blacked-out graph last November. Henceforth, it will be able to publish approximate numbers, six months after the fact.
[Is nothing sacred? Read NSA, British Spy Agency Collect Angry Birds Data.]
Providers may publish requests made as part of a criminal legal process without restriction. Every six months, they may publish the following: the number of NSLs received, the number of customer accounts affected by NSLs, the number of FISA orders for content, the number of customer selectors (data field identifiers such as "email address" or "name") targeted under FISA content orders, the number of FISA orders for non-content (metadata), and the number of customer selectors targeted under FISA non-content orders.
These aggregate numbers, however, are limited in their accuracy as they must be reported in increments of 1,000, starting with zero to 999. For example, a provider that received one NSL and a provider that received 900 NSLs each would be allowed to report receiving between zero and 1000 NSLs.
The government is also allowing a second option. As with the first option, data demands made through criminal legal process remain unrestricted. Providers may also report the aggregate number of national security process demands received, including both NSLs and FISA orders, in increments of 250, starting with zero to 249. And separately they may report the number of customer selectors covered by these orders, also using increments of 250.
"This is a victory for transparency and a critical step toward reining in excessive government surveillance," said Alex Abdo, staff attorney with the American Civil Liberties Union's National Security Project, in a statement. "Companies must be allowed to report basic information about what they're giving the government so that Americans can decide for themselves whether the NSA's spying has gone too far."
Abdo, however, called for Congress to require the government to publish basic information about intelligence gathering done without the compelled cooperation of technology companies. The recently disclosed collection of data from mobile apps represents an example of such covert data gathering.
Nate Cardozo, staff attorney for the Electronic Frontier Foundation, in a phone interview expressed disappointment that the technology companies accepted less freedom in the settlement than they had been seeking and said he hoped some other company would pursue the affirmation of broader free speech protection through the courts.
The Justice Department's new guidelines puts startups at a disadvantage, particularly if security is relevant to the company's business model. When a company receives its first demand for information, the government may designate the demand a "New Capability Order." In that case, the company must wait two years (in addition to the mandated six-month delay) to make its first report of aggregate numbers. So, were some entrepreneur to launch an encrypted email service, he or she could not disclose information about government demands for data for two and a half years.
Some companies, such as Apple, have used "warrant canaries" -- an online statement, such as "no government demands for information have been received," that gets deleted upon receipt of a government order -- to communicate the contrary case by the statement's absence. Were authorities to insist that the statement remain unaltered, they would be issuing an order to lie.
Although this tactic remains open to a legal challenge, Cardozo said he believes it's lawful. "If a company does receive an order, all of the same problems about compelled speech appear," he said. "You can't force someone to repeat a lie. There's very good Supreme Court precedent about that."
(By Thomas Claburn)