The United States Department of Justice on Monday announced two new options for tech companies to report on government requests for information about their customers.
In response, Google, Microsoft, Facebook, LinkedIn and Yahoo withdrew their lawsuits against the Foreign Intelligence Surveillance Court over the issue.
“We filed our lawsuits because we believe that the public has a right to know about the volume and type of national security requests we receive,” they said in a joint statement sent to the E-Commerce Times by Katherine Kerrigan of Microsoft’s PR agency Waggener Edstrom. “We’re pleased the Department of Justice has agreed that we and other providers can disclose this information.”
The five will “continue to encourage Congress to take additional steps to address all of the reforms we believe are needed.”
The New Rules
The first new reporting option lets companies provide aggregate data in blocks of 1,000 requests for national security letters and FISC orders for content, as well as FISC orders for non-content — which apparently refers to bulk Internet metadata.
The number of customer accounts affected by NSLs, the number of customer selectors targeted under FISC content orders, and the number of customer selectors targeted under FISC non-content orders, also must be published in blocks of 1,000.
“Bands of 1,000 are better than not being able to report anything at all, which was the previous situation, but it’s still not granular enough,” Harley Geiger, deputy director on security and surveillance for CDT, told the E-Commerce Times.
Companies may publish the FISC and NSL data every six months, but FISC data will have to be published after a six-month delay.
The first order that is served on a company for a platform, product or service — whether developed or acquired — will be designated a “New Capability Order.” Disclosure of such first capability order data must be delayed for two years. After that, the six-month cycle will apply.
The second option lets providers report all NSL and FISC orders lumped together as a single number, in blocks of 250. The total number of customer selectors targeted under all national security processes also must be lumped together as a single number, in blocks of 250.
Reporting of telephone bulk metadata collected under the controversial Section 215 of the U.S. Patriot Act is yet to be determined.
Reaction to the Announcement
The new rules are “a positive development but still fall short of proposals that we think are appropriate that are circulating in Congress — that the presidential oversight group and the Privacy and Civil Liberties Board recommended,” Geiger said.
Exactly how the two-year delay stipulated for data requested under a New Capability Order will apply is unclear.
“If, say, Google buys Nest and repackages the existing product into their own service the way they did with YouTube, does that mean it becomes a new service for the purpose of the two-year delay?” asked the CDT’s Geiger. “What if there are a couple of new features that come in as the result of an acquisition?”
However, the rationale for the two-year delay seems to be more acceptable.
“I think they’re concerned that if there’s a new service and a bunch of suspects are flocking to it,” Geiger suggested, “the government wants to have extra lead time to spy on them before the bad guys figure out that it’s picking up information on them from that service.”