The Little-Known Loophole Obscuring Facebook and Google's Transparency Reports

The number of user data requests to Internet giants from foreign governments is being lost in a legal loophole.

Image: Carlos Luna/Flickr

When it comes to Internet companies publishing transparency reports on law enforcement requests for user data, the figures they provide don't always tell the full story.

For example, law enforcement and government agencies in Canada made 366 requests for Facebook user data in 2013, according to the social network's transparency reports. But that's not the total number. An additional 16 requests are missing, counted instead with US requests.

It's not just Facebook, of course. Apple, Google, Microsoft, Yahoo, and Twitter have all received requests that are missing from the Canadian total. The exact numbers, which are otherwise secret, have been disclosed to Motherboard for the first time through an access to information request.

These requests were made via a Mutual Legal Assistance Treaty, or MLAT, a little-known legal mechanism that law enforcement and government agencies outside of the US can use to request information from American companies. If a country has an MLAT with the US, that country's law enforcement and government agencies can request that the US Department of Justice obtain information on their behalf. And that's where things get messy.

"There's currently no way for a US company to reliably and consistently distinguish between a court order coming from the US government and one that the US government is making on behalf of a foreign government through MLAT," said Jochai Ben-Avie, policy director at the international digital rights organization Access.

As a result, certain requests from Canadian government and law enforcement agencies—and, presumably, over 60 other countries that have signed an MLAT with the US—get counted as US requests.

In theory, MLAT is a useful legal process. If implemented correctly, it can prevent international law enforcement and government agencies from seeking certain types of user data stored outside their jurisdiction through informal means. In its current state, however, it has been criticized by both privacy advocates and Internet companies as slow, lacking transparency, and in dire need of reform.

And the fact that international requests made via MLAT are counted among US requests isn't a secret. Most companies mention this in their transparency reports and legal policies, often in a small, footnoted disclaimer. But no one really knows how many MLAT requests are made, not even the companies themselves.

Because the US DoJ is not transparent about how many MLAT requests it receives, it's hard to say just how many international requests are miscounted in transparency reports as US requests. Freedom of information requests submitted to the American DoJ on behalf of both Access and Motherboard have not yet been returned.

But an access to information request submitted to the Canadian Department of Justice offers a glimpse: In 2013, 30 requests by Canadian law enforcement agencies were sent via MLAT to six US technology companies. Microsoft received four, Google received six, Yahoo received two, and Apple and Twitter each received one request. Facebook, according to the access request, received the most of all: 16. The nature of these requests, however, was withheld.

Prior to submitting the request, Carole Saindon, a spokesperson for the Canadian DoJ, said that the government did not keep statistical information on MLAT requests made by Canadian law enforcement and government agencies. When asked to clarify that point once Motherboard's request had been returned, Saindon said that "there has not been a need for systematic tracking or statistical analysis of the frequency of requests to ISPs in either the US or Canada."

If the number of requests seems low, it's because MLAT requests are essentially a last resort for law enforcement and government agencies.

"Canadian law enforcement, generally speaking, cannot require a company outside of Canada to do anything," said David Fraser, a lawyer specializing in privacy and technology law for the Halifax firm McInnes Cooper. That's because many US companies don't recognize other countries' jurisdictions, Canada included. It's the company's choice whether or not to respond. But if a request is valid under Canadian law, "and cooperating would not put them outside of U.S. law, then they can comply. And they often will," said Fraser.

Situations where a company might choose not to comply include requests for the contents of an account (in the US the content of emails, for example, can only be turned over through proper US legal process, typically requiring probable cause), requests that have been deemed overly broad, or requests that may comply with Canadian, but not American, law.

"When an international request does not meet the strict standards that we set out in our terms of service, we would reject it and refer authorities to other lawful government-to-government channels of cooperation, such as the MLAT," wrote a Facebook spokesperson in an emailed statement.

But in doing so, any requests re-submitted via MLAT are essentially rendered invisible on Facebook's transparency reports. At present, they don't really have any other choice.

As a result, a group of nine US tech companies, including Facebook, Twitter, Google, and Apple, wrote an open letter to members of the US Senate in December of last year asking for MLAT reform, as part of a wider letter denouncing government surveillance practices. The group called for "a robust, principled, and transparent framework to govern lawful requests for data across jurisdictions."

Around the same time, the US President's Review Group report on National Security Agency surveillance recommended MLAT review, calling the process today "too slow and cumbersome," and finding that "requests appear to average approximately 10 months to fulfill, with some requests taking considerably longer."

According to the US DoJ, MLAT requests have increased by nearly 60 percent over the past decade, with requests specifically for computer records increasing ten-fold. In response, the department in March requested an additional $24.1 million for its 2015 fiscal year budget to "significantly increase personnel dedicated to reviewing and executing MLAT requests as well as technological enhancements to vastly improve the way requests are analyzed, categorized, and prioritized."

But whether those reforms would also include increased transparency remains to be seen. When asked for comment, US DoJ spokesperson Peter Carr said the department is "currently examining the MLAT process," and declined to comment further.

The Internet Association, a Washington, DC-based lobby group which counts Google, Twitter, Yahoo and others among its members, supported the DoJ's funding request, but in a letter remarked that "an effective, well-documented and transparent treaty process is more critical now than ever before."

Access has suggested the US DoJ "publish regular government transparency reports, including breakdowns of number of requests received from different countries, the response provided, and the crimes to which the requests relate." None of which, as you might've guessed, is publicly accessible right now.