On Friday, tech giants Facebook and Microsoft both revealed for the first time the number of requests for customer data that they have received from government agencies. Well, sort of. The release was prompted by the heightened scrutiny of government collection of data from millions of people following Edward Snowden's revelations about the National Security Agency's (NSA) surveillance programs. Under a deal with the U.S. government, the two companies were allowed to release the numbers that give a broad overview but no specific, detailed breakdown of the requests.
The deal was made because such disclosures are currently illegal under U.S. law. Both companies, and others, had been pressing the government to let them release the data in a bid to restore public confidence in them after Snowden's leaks highlighted the widespread extent of the government's surveillance. Given the lack of detail, however, the releases are unlikely to reassure customers.
Snowden's leaks revealed that nine tech companies, including Google, Yahoo, Apple, Facebook, and Microsoft, were sharing their customers' private data with the government under the NSA's PRISM program. All companies implicated denied knowledge of the program. Despite Friday's disclosure that Facebook and Microsoft have received requests under the Foreign Intelligence Surveillance Act, as well as National Security Letters, because the figures given are only aggregates it is impossible to tell how many requests came from the NSA.
In a statement on Friday, Facebook said that for the six months ending on December 31 of last year, it had received between 9,000 and 10,000 user-data requests," involving between 18,000 and 19,000 Facebook accounts, from "government entities in the U.S. (including local, state, and federal, and including criminal and national security-related requests)."
The nature of these requests, according to the company, "run the gamut — from things like a local sheriff trying to find a missing child, to a federal marshal tracking a fugitive, to a police department investigating an assault, to a national security official investigating a terrorist threat." The company also added that it frequently rejects government requests for data outright, although it did not elaborate on this. PolicyMic pundit Maxime Fischer-Zernin recently wrote that refusing to carry out a secret order under FISA "would put company executives in a legally ill-defined area of secret contempt, secret fines, and even secret jail time."
For the same period, Microsoft said that it received "between 6,000 and 7,000 criminal and national security warrants, subpoenas and orders affecting between 31,000 and 32,000 consumer accounts from U.S. governmental entities (including local, state and federal." The company also noted that it has not "received any national security orders of the type that Verizon was reported to have received that required Verizon to provide business records about U.S. customers."
Both Google and Twitter are also seeking to disclose the number of requests they have received from government agencies, but both companies have emphasized the importance of being able to "publish numbers of national security requests — including FISA disclosures — separately," rather than just an overall number of all requests like Facebook and Microsoft published. Google even went as far as to say that publishing criminal and national security requests together "would be a step back for users."
In their statements, both Facebook and Microsoft emphasized that they are continuing to push for more transparency, with Microsoft saying that "what we are permitted to publish continues to fall short of what is needed to help the community understand and debate these issues."
All companies implicated in the surveillance scandal should push hard for the ability to publish a detailed breakdown of the number and nature of the requests they have received, if not for the sake of transparency then at least because they have a vested interest in reassuring their customers that they are not providing the government with unfettered access to their data.
While Friday's disclosures confirm that the companies are receiving national security requests from the government, they simply raise more questions regarding the nature of the requests, how the companies have responded to them, trends over time in terms of the number of requests, and more.