The Problem With Transparency Reports? They're Not Very Transparent
So-called "transparency" reports remain annoyingly opaque.
In the continued push for transparency post-Snowden, many communications companies and service providers are publishing reports with more details on what sort of data, and how much, they're being asked to hand over to law enforcement.
But even with this shift, chunks of the reports rather obscure, rather than clear up, exactly what data is requested.
According to their latest transparency filing, cloud storage service Dropbox received 120 search warrants and 109 subpoenas for user information. Responding to the former, they handed over 103 pieces of "content and non-content"—files within the customer's account, and other pieces of their data such as IP address, respectively. When it came to subpoenas, Dropbox provided law enforcement with 80 pieces of "non-content."
"While that number is small compared to our 300 million users," Bart Volkmer, Dropbox's legal counsel, told the Guardian, "we treat all the requests we receive seriously and scrutinize them to make sure they satisfy legal requirements before complying. We also push back in cases where agencies are seeking too much information or haven't followed the proper procedures."
The report reads, "Protecting our users' privacy is a top priority at Dropbox, so we continue to apply our Government Data Request Principles to every request we receive." This means that they will fight blanket requests, or ones they deem too broad.
Dropbox may have also received over 200 requests for customers' data from the US government for reasons of national security. However, this is where the transparency becomes less clear.
Companies are often given a gag order, prohibiting them from talking publicly about the details of the case, or even the existence of the request itself.
The report states that "0-249" requests were received, as well as "0-249" accounts being affected by those. Obviously, that doesn't give much information about how many requests were actually made.
This is a problem not just for Dropbox but a plethora of other companies. Every six months, from the start of 2009 to June 2014, Google has claimed that it received between "0-999" National Security Letters (NSLs), and the same range for Foreign Intelligence Surveillance Act (FISA) requests.
Microsoft's report in February was similarly imprecise, stating that it had received 0-999 NSLs in July-December 2013, and that between 15,000-15,999 accounts were impacted by FISA orders in January-June 2013.
An NSL is a request made by the FBI when working on investigations that involve national security. The information companies such as Google or Dropbox are supposed to provide is ruled under the Electronic Communications Privacy Act (ECPA). Under the Act, the FBI can request "the name, address, length of service, and local and long distance toll billing records" of a customer, all without a warrant approved by a judge.
On top of this, companies are often given a nondisclosure provision—a gag order, prohibiting them from talking publicly about the details of the case, or even the existence of the request itself.
A FISA request, meanwhile, can be applied to the actual content of communications. Government agencies including the FBI and NSA can apply for these surveillance warrants.
It's only because of pressure from the service providers that reporting on FISA requests at all is allowed.
In their most recent Law Enforcement Disclosure Report, Vodafone described listing figures in this vague way as a problem for transparency. They said that in some countries they faced "restrictions on disclosing details of the aggregate number of demands received."
There are occasions where companies have fought back against these kind of data requests. Back in 2013, Microsoft successfully challenged an FBI National Security Letter seeking data on one of the company's enterprise customers. Under legal obligation to not inform the customer, or talk publicly about the case at all, Microsoft took the issue to court. "We concluded that the nondisclosure provision was unlawful and violated our Constitutional right to free expression," the company wrote on its blog.
They won, the FBI withdrew their request, and Microsoft were allowed to publish details of the dispute. Google, Yahoo and Facebook have also done this, arguing against the gag orders for the same reason.
Progress is being made on what can be published around government demands for data. The USA Freedom Act 2014, as well as attempting to reign in the NSA's metadata programme, will create new obligations for the government to provide information about their national security requests. It's only because of pressure from the service providers that reporting on FISA requests at all is allowed, though still in those wide "0-999" brackets.
However, so-called "transparency" reports remain annoyingly opaque. If we are to get a proper idea of how often law enforcement agencies use powerful legislation to access private data and communications, companies need to be allowed to publish more details.