Feds Reach Settlement With Internet Companies Allowing Them To Report Not Nearly Enough Details On Surveillance Efforts
from the too-bad dept
Not too long ago, the government began allowing companies to reveal, for the first time, how many national security letter (NSL) requests they receive, but only in bands of 1,000, starting with 0 to 999. It did not allow any such reporting on FISA Court (FISC) orders, which cover things like the now infamous PRISM program under Section 702 of the FISA Amendments Act. The new settlement more or less follows the outline of what the government allowed with NSLs. Companies are given two options. The first is to report FISC orders the way NSL requests are reported, in bands of 1,000, and to similarly report the "number of customer accounts affected" for NSLs, "FISA orders for content," "number of customer selectors targeted under FISA content orders," "FISA orders for non-content," and "number of customer selectors targeted under FISA non-content orders." All of those can be revealed separately, but always in bands of 1,000, starting with 0 to 999.
Alternatively, if companies are willing to lump these various programs together, they are allowed somewhat more granularity. So, if they combine NSLs and FISA orders into a single number, they can report it in bands of 250, starting with 0 to 249. Similarly, they can report the combined number of "customer selectors targeted" under NSLs and FISA orders in bands of 250.
This is a step forward, but it's not nearly far enough. As Kevin Bankston notes:
"Asking the public and policymakers to try to judge the appropriateness of the government's surveillance practices based on a single, combined, rounded number is like asking a doctor to diagnose a patient's shadow: only the grossest and most obvious problem, if even that, will ever be evident."

Among the problems here is that while companies can reveal the number of customer accounts affected by NSLs, they cannot do the same for FISC orders. Instead, they can only reveal the number of "customer selectors targeted." That can be a very different figure: a single "customer selector" could sweep in many, many user accounts. That is exactly what many people are worried about, and under this agreement we still won't actually know.
Furthermore, the agreement has a ridiculous clause that says if a FISA court order covers a "new capability" (i.e., access to a service that was not previously being tapped by the NSA/FBI), the companies cannot report that order for two years. The thinking here is rather obvious. Say, for example, a company launches a new voice communications service, like Skype, and then gets hit with a FISA court order demanding that the NSA be able to listen in. The company would be blocked from revealing that for two years. Clearly, the idea is to keep people from knowing how quickly the NSA is able to tap into any new form of communication, but that also opens up plenty of opportunities for the NSA to abuse its powers.
There is still some indication that Congress may require greater transparency here. I can understand why the tech companies agreed to settle, but it's a bit disappointing that they threw in the towel so quickly.
Apple has already updated its transparency report to note 0 - 249 "national security orders" and 0 - 249 "total accounts affected."