Edward Snowden's leaks have prompted many questions about government surveillance activity in the United States, including this one: How often do tech firms turn over user data to the feds? In recent years, companies including Google, Microsoft, and Twitter have released data on this front—but it's been incomplete, because the government has prohibited them from revealing the full extent of the requests they've received.
Last week, following Snowden's disclosures about the National Security Agency's PRISM program, Google, Facebook, Microsoft, and Twitter pressed the federal government to allow them to give the public a fuller picture of how often the authorities request user information, including the number of requests they receive under the Foreign Intelligence Surveillance Act (FISA). In response, the FBI and the Department of Justice granted permission on Friday to disclose the number of FISA requests they get—but with a pretty big catch. The companies must lump these top-secret surveillance orders in with ordinary criminal investigations by local, state, and federal authorities, a caveat that provides little insight into how often the government is invoking its surveillance powers, let alone the type of content that is being released to federal authorities. The government is "failing to offer the public anything but the bare minimum amount of transparency," argues Sina Khanifar, a privacy activist who helped launch Stopwatching.us, a coalition demanding more information about NSA surveillance efforts.
After the government relaxed the rules about the type of information they could make public, Microsoft and Facebook released data combining national security requests and criminal investigations. But Google and Twitter have so far declined to do so until the government allows them to break out FISA requests. "Our request to the government is clear: to be able to publish aggregate numbers of national security requests, including FISA disclosures, separately," says Google spokesman Chris Gaither.
In an effort at transparency, Google, Microsoft, and Twitter (but not Facebook) have issued reports for the past several years disclosing bare bones information about the requests they receive from a variety of law enforcement authorities. Google and Microsoft (which owns Outlook and Skype) have also reported limited data about national security letters, controversial documents used by the FBI to secretly compel the disclosure of certain online records. The companies have permission to report only a vague range of the number of national security letters they receive. For instance, Google could only report that it had received as many as 999 national security letters in 2012, targeting between 1,000 and 1,999 user accounts.
Collectively, Google, Facebook, Microsoft, and Twitter report receiving tens of thousands of requests for user data from the US government annually. In 2012, Google received more than 16,400 requests covering 31,000-plus user accounts from federal, state, and local authorities. The number of data demands directed to Google has been increasing since 2010, when the company reported receiving less than 9,000 requests. (Gaither says he doesn't "want to speculate" on why the company is getting more requests—although he points out that each year more people are using the internet.)
Microsoft revealed on Friday that in the second half of 2012 it received between 6,000 and 7,000 criminal and national security warrants, subpoenas, and orders affecting up to 32,000 accounts. (Before it could factor in FISA orders, the company had reported 11,000 data requests affecting less than 25,000 accounts for all of 2012.) During the same time period, Facebook says government entities made between 9,000 and 10,000 requests, covering up to 19,000 accounts.
The tech companies don't comply with all law enforcement requests, but they go along with most of them. A Facebook spokesperson told Mother Jones that the company provided information in response to 79 percent of the data requests it received between July and December 2012. The other companies haven't released new data that incorporates FISA requests, but here are the compliance rates reported in 2012 by Google, Microsoft, and Twitter:
The companies still can't reveal much about the type of content released under national security requests. Google says that it will only hand over the content of an email if a search warrant is issued. According to Gaither, under a subpoena, Google can disclose the name listed when on the account, the IP address from which it was created, and the date and time a user signed in and out. Using a national security letter, Google says that the FBI can also only obtain limited information, excluding email content and Google search queries.
Twitter, which follows a similar policy, received 1,494 requests affecting 2,093 accounts from federal, state and local authorities in 2012. Between July and December 2012, most of the requests were subpoenas, which require Twitter to provide basic user information. In order to get direct messages, Twitter notes that the requester would have to present a court order.
Microsoft put together a chart detailing what is generally released when the company provides "non-content information" to the authorities:
Nate Cardozo, a staff attorney for the Electronic Frontier Foundation, notes that normal restrictions on the type of information released may go out the window when FISA orders are involved. "What we know about FISA orders is that they seem to be targeting non-US persons, so they may actually request content, since Fourth Amendment protections don't apply." Snowden claimed Monday in a live chat with the Guardian that when a NSA analyst targets an email address, he or she gets "all of it…IPs, raw data, content, headers, attachments, everything." And even when the NSA isn't targeting domestic communications, Snowden claimed that the content of a US citizen's email is only protected by a "very weak" filter that can be "stripped out at any time."