Revelations about the National Security Administration's Orwellian PRISM surveillance system have prompted a lot of questions about how much—and where—the government is watching people on the Internet.
In an effort to answer these questions, and quell public outrage over their supposed compliance with PRISM, tech companies have been pushing the federal government to allow them to disclose how often they get national security-related requests for user information.
Since reaching a deal with the Obama administration Friday, so far, four of the companies implicated in the PRISM program—Facebook, Microsoft, Apple, Yahoo—have revealed the number of data requests they get from the US government and law enforcement authorities, including requests submitted under the Foreign Intelligence Surveillance Act.
But those numbers don't tell the whole story. As part of their deal with the the DOJ, the companies have to lump together all of the requests—including everything from local sheriffs' warrants to FISA requests—so it's impossible to know how many of the requests come from the National Security Administration or from the secret court that handles FISA orders. This is a pretty big caveat that makes it impossible to grasp the full extent of the PRISM program, or to discern how the government is using its surveillance powers.
Because of that catch, Google is refusing to participate in the disclosures, and is instead demanding that the government allow it to break out FISA request numbers from the rest of its government requests. On Tuesday, the search giant filed a motion with the FISA court requesting permission to publish aggregate information about FISA orders, citing its First Amendment rights.
Although we don't yet have a full picture of the government's online surveillance, the new information does provide an interesting look at where authorities are looking for intel online.
Here's what we know:
Facebook: The social media giant led the pack Friday night, releasing its FISA-inclusive data just minutes after tech companies reached a deal with the FBI and the DOJ. According to the disclosure, Facebook received between 9,000 and 10,000 requests for user data from local, state, and federal authorities in the last six months of 2012. Those requests affected between 18,000 and 19,000 user accounts. So, on average, each request affected about two user accounts.
This is the first time that Facebook has ever published any information about the requests it gets from the government.
Microsoft: Microsoft disclosed Friday that, for the last six months of 2012, the company received between 6,000 and 7,000 criminal and national security warrants, subpoenas and orders affecting between 31,000 and 32,000 consumer accounts. That means that, on average, each request affected around 5 user accounts. (It is not clear if these numbers include Skype requests.)
What's interesting here is that Microsoft previously disclosed that, for all of 2012, it received 11,073 requests from U.S. authorities affecting 24,565 user accounts, although these numbers did not include the FISA orders. As Arik Hesseldahl at AllThingsD points out, this suggests that the FISA requests affect a much larger number of user accounts than the non-FISA requests.
Yahoo: In a Tumblr post Tuesday, Yahoo disclosed that the company received between 12,000 and 13,000 requests for user data between Dec. 1, 2012 and May 31, 2013. These numbers make Yahoo the overall leader in requests from the government, although the company did not disclose how many user accounts were affected.
Apple: Apple disclosed this week that from Dec. 1, 2012 to May 31, 2013, Apple received between 4,000 and 5,000 requests from U.S. law enforcement, affecting between 9,000 and 10,000 accounts or devices. (On average, each request affects about two users.)
Apple's release also explained that the company cannot decrypt data on encrypted iMessage and FaceTime chats, and does not store data on personal location, map searches, or Siri requests, and therefore doesn't turn over that information to the government.
Google: In its 2012 Transparency Report, Google disclosed that it received 8,438 requests from U.S. authorities, affecting 14,791 user accounts, or 1.7 user accounts per request. Google complied with 88 percent of those requests. Google also disclosed that it received between 0 and 999 National Security Letters, affecting between 1,000 and 1,999 user accounts, the first time a tech company has disclosed these types of requests. (National Security Letters are requests for non-content information, like transactional records, and are different from regular subpoenas and FISA court requests.)
As we mentioned earlier, Google has said it won't disclose its FISA-inclusive numbers until the feds allow the company to report those numbers separately. Basically, Google's beef is that because the FBI allowed Google to publish the annual number of National Security Letters it had received, separately from other criminal data requests in the company's 2012 Transparency Report, lumping the FISA numbers in with the regular criminal data requests would actually be a step backwards in terms of transparency.
"Google's reputation and business has been harmed by the false or misleading reports in the media, and Google's users are concerned by the allegations," the company wrote in its motion to the FISA court. "Google must respond to such claims with more than generalities. Moreover, these are matters of significant weight and importance, and transparency is critical to advancing public debate in a thoughtful and democratic manner."
Google's point is apt. Without knowing how many of requests are coming from the NSA or the FISA court, the numbers don't give us much insight into how the government is running the PRISM program. It also remains unclear how often the companies are complying with these requests, and what kind of content the government is looking for to begin with.
Source: By Grace Wyler, Motherboard