Government Loosens Data Disclosure Gag - InformationWeek


Facebook, Google, LinkedIn, Microsoft, and Yahoo can now publish more of the details on user data that the government demands, but startups might suffer.

Facebook, Google, LinkedIn, Microsoft, and Yahoo have settled their information disclosure case against the government with an agreement that allows them to publish more details about government demands for user data. But the compromise comes with conditions that put startups at a disadvantage.

Attorney General Eric Holder on Monday issued a letter to the companies containing new guidelines for reporting aggregate statistical data about demands for customer information sought through National Security Letters (NSLs) and Foreign Intelligence Surveillance Act (FISA) orders.

"Consistent with the President's direction in his speech on January 17, 2014, these new reporting methods enable communications providers to make public more information than ever before about orders that they receive to provide information to the government," Holder's letter says.

Because Google previously was forbidden from publishing any information about FISA orders, it published a blacked-out graph last November. Henceforth, it will be able to publish approximate numbers, six months after the fact.

Providers may publish requests made as part of a criminal legal process without restriction. Every six months, they may publish the following: the number of NSLs received, the number of customer accounts affected by NSLs, the number of FISA orders for content, the number of customer selectors (data field identifiers such as "email address" or "name") targeted under FISA content orders, the number of FISA orders for non-content (metadata), and the number of customer selectors targeted under FISA non-content orders.

These aggregate numbers, however, are limited in their accuracy, as they must be reported in increments of 1,000, starting with zero to 999. For example, a provider that received one NSL and a provider that received 900 NSLs each would be allowed to report receiving between zero and 1,000 NSLs.

The government is also allowing a second option. As with the first option, data demands made through criminal legal process remain unrestricted. Providers may also report the aggregate number of national security process demands received, including both NSLs and FISA orders, in increments of 250, starting with zero to 249. And separately they may report the number of customer selectors covered by these orders, also using increments of 250.

NSA headquarters, Fort Meade, Md. 
(Source: Wikipedia)

"This is a victory for transparency and a critical step toward reining in excessive government surveillance," said Alex Abdo, staff attorney with the American Civil Liberties Union's National Security Project, in a statement. "Companies must be allowed to report basic information about what they're giving the government so that Americans can decide for themselves whether the NSA's spying has gone too far."

Abdo, however, called for Congress to require the government to publish basic information about intelligence gathering done without the compelled cooperation of technology companies. The recently disclosed collection of data from mobile apps represents an example of such covert data gathering.

Nate Cardozo, staff attorney for the Electronic Frontier Foundation, in a phone interview expressed disappointment that the technology companies accepted less freedom in the settlement than they had been seeking and said he hoped some other company would pursue the affirmation of broader free speech protection through the courts.

The Justice Department's new guidelines put startups at a disadvantage, particularly if security is relevant to the company's business model. When a company receives its first demand for information, the government may designate the demand a "New Capability Order." In that case, the company must wait two years (in addition to the mandated six-month delay) to make its first report of aggregate numbers. So, were some entrepreneur to launch an encrypted email service, he or she could not disclose information about government demands for data for two and a half years.

Some companies, such as Apple, have used "warrant canaries" -- an online statement, such as "no government demands for information have been received," that gets deleted upon receipt of a government order -- to communicate the contrary case by the statement's absence. Were authorities to insist that the statement remain unaltered, they would be issuing an order to lie.

Although this tactic remains open to a legal challenge, Cardozo said he believes it's lawful. "If a company does receive an order, all of the same problems about compelled speech appear," he said. "You can't force someone to repeat a lie. There's very good Supreme Court precedent about that."

Marilyn Cohodas,
User Rank: Author
1/29/2014 | 8:54:05 AM
Re: Fingers crossed
There is no doubt in my mind that this is only the latest -- not the final -- word in the disclosure debate about the NSA surveillance programs. It's a step in the right direction. But only a step. Two court challenges are still winding their way through the federal judiciary and many legal experts predict that the US Supreme Court is where they will end up. IMO that's where a resolution of the privacy/constitutionality issues belongs. But the wheels of justice grind slowly....
User Rank: Ninja
1/29/2014 | 7:12:26 AM
Fingers crossed
I'm really hoping that being in the UK and therefore part of Europe means that the European Court of Human Rights takes our intelligence agencies and government to task over this blanket data gathering. I feel bad for my pals in the US that there isn't the same overwatch going on there - here's hoping local politicians can help push through changes.