Feds Loosen Gag Order on Demands for User Data

Settlement allows Web firms to report approximations of secret data requests.

Google, Yahoo, Microsoft and other Internet companies will be able to disclose a lot more about the kind of private information demanded by government agencies, following a deal announced by the Department of Justice late Jan. 27.

Internet service- and content providers have become increasingly vocal in their opposition to portions of the USA Patriot Act and other rules designed to counter the threat of foreign terrorist attacks by allowing the FBI and other federal agencies to demand information on customers using only National Security Letters rather than warrants approved by federal courts. National Security Letters (NSL) can be used to demand some information about people without a warrant, but can also be used to order the Internet provider not to disclose that the request has been made.

In complaints and lawsuits filed against the Department of Justice, Internet companies including Google, Yahoo, Facebook, LinkedIn, Microsoft and Yahoo have accused the agency of overusing National Security Letters to gather far more information than could be justified by legitimate investigations.

The frequency and intensity of those complaints increased following revelations by Edward Snowden that the National Security Agency’s (NSA) bulk collection of data includes demands for telephone metadata, covert taps on the datacenter networks of major Internet providers, and a list of other methods that continues to grow.

Barred from disclosing details of the requests, Internet companies (beginning with Google) began issuing Transparency Reports disclosing as much information as possible about federal demands for information, often pointing out gaps in the data and complaining about the gag orders that kept them from saying more.

“We believe it’s your right to know what kinds of requests and how many each government is making of us and other companies,” Google Legal Director Richard Salgado wrote in a blog accompanying a Nov. 14, 2013 Google Transparency Report. “The U.S. government argues that we cannot share information about the requests we receive (if any) under the Foreign Intelligence Surveillance Act. But you deserve to know.”

Google turned the report into a call for U.S. technology companies to oppose, or at least demand more open-disclosure about federal data-gathering efforts. “Our promise to you is to continue to make this report robust, to defend your information from overly broad government requests, and to push for greater transparency around the world,” Salgado wrote.

Figures from Google, Yahoo, Twitter and others show demands for customer data rising rapidly – 68 percent during 2013 alone, according to Google’s most recent report.

Google teamed up with members of Congress to demand more transparency. Microsoft filed a similar demand with the FISC itself, as did Facebook and Yahoo.

The government’s response (a detailed counterargument it filed for the consideration of FISC judges but wouldn’t release to the companies that raised the complaint without heavily redacting the documents first) made the conflict worse. (A public version of the DoJ’s full legal analysis of the NSL conflict is available here.)

Following similar criticisms panels appointed by the White House, the Obama administration ordered the DoJ to back down… a little. “The administration is acting to allow more detailed disclosures about the number of national security orders and requests issued to communications providers, and the number of customer accounts targeted under those orders and requests including the underlying legal authorities,” reads a statement released the afternoon of Jan. 27 in the names of U.S. Attorney General Eric Holder and Director of National Intelligence James Clapper.

Under terms of the settlement, Internet providers will be able divide information requests into categories, but only approximate the numbers in each. Companies can announce the number of national security letters they get in a given year, for example, and the number of users who would be affected by them, but could only round those numbers to the nearest 1000.

Providers will also be able to report the number of demands for metadata or the actual content of messages made using the more-comprehensive Foreign Intelligence Surveillance Act – but only with a lag time of six months. A report dated Dec. 31, 2014, for example, could report only FISA requests from Jan. 1 2013 to June 30, 2013.

The new rules require Internet companies wait two full years before reporting the first FISA request for information on a new platform – a new form of text- or video-service, for example.

Like the count of NSL requests, FISA orders can only be counted to the nearest thousand. Reports can get more precise about the numbers – rounding to the nearest 250 rather than the nearest thousand – but only if they combine all NSL and FISA orders into one category rather than detailing them.

Transparency reports can still only come out every six months.

“I have appreciated the opportunity to discuss these issues with you, and I am grateful for the time, effort and input of your companies in reaching a result we believe strikes an appropriate balance between the competing interests of protecting national security and furthering transparency,” wrote Deputy Attorney General James M. Cole in a letter to the plaintiffs that “memorializes the new and additional ways in which the government will permit your company to report data concerning requests for customer information.”

The letter was part of a package that included a notice to the Foreign Intelligence Surveillance Court, noting that the Internet companies agreed to withdraw their complaints following the agreement. The language of the notice to the court itself, however, makes clear “the Government” is the entity making a final ruling on the dispute, rather than presenting a settlement for approval by the court.

In most lawsuits concerning the behavior of a government agency, a settlement would be presented as binding on the government, but would have to be approved by a judge, who could throw it out as either being an impractical solution to the problem, or for failing to resolve an ongoing violation of laws or regulations.

“We look forward to continuing to discuss with you ways in which the government and industry can find common ground on other issues raised by the surveillance debates of recent months,” Cole’s letter concludes.

Image: Shutterstock.com/Alexeev Boris