Internet firms release data on NSA requests

Friday, January 31, 2014, Vol. 38, No. 5

WASHINGTON (AP) — A flurry of new reports from major technology companies show that the government collects customer information on tens of thousands of Americans every six months as part of secret national security investigations. And the companies' top lawyers struck a combative stance, saying the Obama administrative needs to provide more transparency about its data collection.

Freed by a recent legal deal with the Obama administration, Google, Microsoft, Yahoo, Facebook, LinkedIn and Tumblr provided expanded details and some vented criticism about the government's handling of customers' Internet data in counterterrorism and other intelligence-related probes.

The figures from 2012 and 2013 showed that companies such as Google and Microsoft were compelled by the government to provide information on as many as 10,000 customer accounts in a six-month period. Yahoo complied with government requests for information on more than 40,000 accounts in the same period.

The companies earlier had provided limited information about government requests for data, but an agreement reached last week with the Obama administration allowed the firms to provide a broadened, though still circumscribed, set of figures to the public.

Seeking to reassure customers and business partners alarmed by revelations about the government's massive collection of Internet and computer data, the firms stressed details indicating that only small numbers of their customers were targeted by authorities. Still, even those small numbers showed that thousands of Americans were affected by the government requests approved by judges of the secret Foreign Intelligence Surveillance Court.

The data releases by the major tech companies offered a mix of dispassionate graphics, reassurances and protests, seeking to alleviate customer concerns about government spying while pressuring national security officials about the companies' constitutional concerns. The shifting tone in the releases showed the precarious course that major tech firms have had to navigate in recent months, caught between their public commitments to Internet freedom and their enforced roles as data providers to U.S. spy agencies.

In a company blog post, Microsoft General Counsel Brad Smith scolded the U.S. and allied governments for failing to renounce the reported mass interception of Internet data carried by communications cables. Top lawyers and executives for major tech companies had raised alarms previously about media reports describing that hacking by U.S. and United Kingdom spy agencies and cited them during conversations with U.S. officials during President Barack Obama's internal review of planned changes to the government's spying operations.

"Despite the president's reform efforts and our ability to publish more information, there has not yet been any public commitment by either the U.S. or other governments to renounce the attempted hacking of Internet companies," Smith said in a Microsoft blog release. He added that Microsoft planned to press the government "for more on this point, in collaboration with others across our industry."

The new figures were released just a week after major tech firms announced a legal agreement with the Justice Department. But lawyers and executives for the companies openly vented their discomfort with the government's continuing insistence that they could only provide broad ranges instead of the actual numbers of government requests.

The companies said they would press for narrower data ranges that would offer more details. "We will also continue to advocate for still narrower disclosure ranges, which will provide a more accurate picture of the number of national security-related requests," said Erika Rottenberg, LinkedIn's general counsel.

On Tuesday, Director of National Intelligence James Clapper said that the tech firm reports show "how infrequently these capabilities are called upon." He also said that officials were still discussing whether they could loosen restrictions on other information, such as figures involving non-U.S. citizens.

Google and all the other companies denied that they gave any government unfettered access to their users' info. The companies are worried more people will reduce their online activities if they believe almost everything they do is being monitored by the government. A decline in Web surfing could hurt the companies financially by giving them fewer opportunities to show online ads and sell other services.

The companies can only reveal how many total requests they receive every six months, with the numbers in groupings of 1,000. And even those general numbers must be concealed for at least six months after any reporting period ends. That restriction means the FISA requests for the final half of last year can't be shared until July, at the earliest.

The data released Monday indicated the U.S. government is digging deeper into the Internet as people spend more time online.

Most of the companies showed the number of government requests fell between 0 and 999 for each six-month period. But the numbers of customers affected by those searches ranged more widely.

Google, for instance, has seen the number of people affected by FISA court orders rise from 2,000 to 2,999 users during the first half of 2009 to between 9,000 and 9,999 users during the first half of last year. The company showed an unusual spike in the number of Americans whose data was collected between July and December 2012. During that period, metadata was collected from between 12,000 and 12,999 users. Under the restrictions imposed by the government, no explanation was provided for that anomaly.

Yahoo listed the highest number of people swept up in FISA requests for online content during the first half of last year. The orders seeking user content spanned 30,000 to 30,999 accounts, according to the company. The requested content could have included emails, instant messages, address books, calendar items and pictures.

All the companies also received FISA requests that weren't aimed at scooping up online communications or photos. Those demands sought things such as billing information and locations of where people made an Internet connection.

Google described Monday's disclosure as a positive step while promising to keep fighting for the right to provide more precise numbers about the FISA requests and more specifics about the data being sought. "We still believe more transparency is needed so everyone can better understand how surveillance laws work and decide whether or not they serve the public interest," Richard Salgado, Google's legal director of law enforcement and information security, wrote in a blog post.

Even if the companies can share more information about the FISA requests, they still might face doubts raised by other National Security Agency documents leaked by former NSA contractor Edward Snowden asserting that the U.S. government has found ways to tap into the lines transmitting personal information between data centers. The companies are trying to thwart the hacking by encrypting most, if not all, the data stored on their computers.