Google, Facebook, Yahoo, Microsoft and LinkedIn have for the first time released new data about U.S. information requests made under the Foreign Surveillance Intelligence Act (FISA), the controversial law that facilitates some of the National Security Agency's most secret surveillance programs. The new disclosures, which reveal that tens of thousands of user accounts were affected in 2013 alone, come one week after the tech titans struck an agreement with the government to be more transparent about such requests -- a deal that privacy advocates and civil liberties watchdogs say doesn't go far enough.
Echoing those concerns, Google and LinkedIn on Monday called for even greater transparency, because the agreement with the government only allows the companies to disclose data in broad numerical ranges of 1000, or in some cases 250. As one might expect, the new FISA data reports, which require a six-month lag, are filled with items published as 0-999, which means the actual figure could be one, or 999. Microsoft went even further still, calling for the government to renounce secret attempts to hack into the data networks that connect tech company facilities, reports of which have infuriated industry executives.
The new data disclosures are the result of a legal battle over transparency waged by the tech titans against the Justice Dept. following revelations by former NSA contractor Edward Snowden, who leaked documents to the press describing the role of the tech titans in secret U.S. surveillance programs. The companies were particularly stung by disclosures about a classified U.S. intelligence system called PRISM, which the NSA has used to examine user content -- including e-mails, videos and online chats -- via requests made under FISA. As part of the agreement, the tech titans have dropped their lawsuit before the Foreign Intelligence Surveillance Court (FISC) demanding greater transparency.
The new disclosures show that U.S. data requests only involve a tiny fraction of the user accounts at the tech companies. For the six month period between January and June of 2013, Google said it received 0-999 requests under FISA for content involving 9000-9999 users or accounts, and 0-999 "non content" requests involving 0-999 users or accounts. Google's report shows a dramatic increase in the number of user accounts involved in content requests over the last several years. For example, over the first six months of 2009, such FISA requests affected 2000-2999 users or accounts. By 2012, that number had jumped to 12000-12999 users or accounts.
In a blog post, Richard Salgado, Google's Legal Director for Law Enforcement and Information Security, said the company believes "more transparency is needed so everyone can better understand how surveillance laws work and decide whether or not they serve the public interest. Specifically, we want to disclose the precise numbers and types of requests we receive, as well as the number of users they affect in a timely way. That’s why we need Congress to go another step further and pass legislation that will enable us to say more." Salgado was referring to a pair of bills pending in Congress which would further increase transparency.
Yahoo's report was noteworthy because the number of user accounts affected by FISA content requests was substantially higher than for Google. For the first six months of 2013, Yahoo said it received 0-999 FISA requests affecting some 30,000-30,999 user accounts. In a blog post, Yahoo executives said the company will "advocate strenuously for meaningful reform around government surveillance, demanding that government requests be made through lawful means and for lawful purposes, and fighting government requests that we deem unclear, improper, over-broad, or unlawful."
In its new report, Facebook said that it received 0-999 requests under FISA for content involving 5000-5999 users or accounts, and 0-999 "non content" requests involving 0-999 users or accounts. "We will continue to advocate for reform of government surveillance practices around the world, and for greater transparency about the degree to which governments seek access to data in connection with their efforts to keep people safe," Facebook's General Counsel Colin Stretch said in a blog post.
Microsoft disclosed that during the first six months of 2013, it received 0-999 requests under FISA for content involving 15,000-15,999 users or accounts. Unlike the other tech companies, Microsoft explicitly referenced reports describing how the government taps into networks connecting company servers. "There has not yet been any public commitment by either the U.S. or other governments to renounce the attempted hacking of Internet companies," Microsoft General Counsel Brad Smith said in a blog post. "We believe the Constitution requires that our government seek information from American companies within the rule of law."
The government gave the tech companies two options for reporting national security requests. The companies may disclose FISA orders and national security letters (NSLs) separately in increments of 1,000, or grouped together in increments of 250. NSLs are national security requests approved by the FBI that require companies to disclose information such as user names or addresses. Unlike FISA requests, NSA requests cannot be used to request content like emails or chat logs.
Google, Yahoo, Facebook, and Microsoft chose the first option (0-999), while LinkedIn chose the second option (0-249), and disclosed receiving 0-249 national security-related requests affecting 0-249 user accounts for the first six months of 2013. In a blog post, Erika Rottenberg, LinkedIn's general counsel, said the company will "continue to advocate for still narrower disclosure ranges, which will provide a more accurate picture of the number of national security-related requests that companies like LinkedIn receive.
Kevin Bankston, the Policy Director of New America’s Open Technology Institute, urged even greater transparency, with more granular disclosures. "What these reports reveal is far less than what we need for adequate accountability from the government," Bankston said in an email to TIME. "Lumping all of the different types of surveillance orders together into one number, then adding obscurity on top of obscurity by requiring that number to be reported in ranges of one thousand, is not enough to educate the American public or reassure the international community that the NSA is using its surveillance authorities responsibly."