1/28/2014
04:56 PM
Government Loosens Data Disclosure Gag

Facebook, Google, LinkedIn, Microsoft, and Yahoo can now publish more of the details on user data that the government demands, but startups might suffer.

[Slideshow: 9 Notorious Hackers Of 2013]

Facebook, Google, LinkedIn, Microsoft, and Yahoo have settled their information disclosure case against the government with an agreement that allows them to publish more details about government demands for user data. But the compromise comes with conditions that put startups at a disadvantage.

Attorney General Eric Holder on Monday issued a letter to the companies containing new guidelines for reporting aggregate statistical data about demands for customer information sought through National Security Letters (NSLs) and Foreign Intelligence Surveillance Act (FISA) orders.

"Consistent with the President's direction in his speech on January 17, 2014, these new reporting methods enable communications providers to make public more information than ever before about orders that they receive to provide information to the government," Holder's letter says.

Because Google previously was forbidden from publishing any information about FISA orders, it published a blacked-out graph last November. Henceforth, it will be able to publish approximate numbers, six months after the fact.

Providers may publish requests made as part of a criminal legal process without restriction. Every six months, they may publish the following: the number of NSLs received, the number of customer accounts affected by NSLs, the number of FISA orders for content, the number of customer selectors (data field identifiers such as "email address" or "name") targeted under FISA content orders, the number of FISA orders for non-content (metadata), and the number of customer selectors targeted under FISA non-content orders.

These aggregate numbers, however, are limited in their accuracy because they must be reported in bands of 1,000, the first band being zero to 999. For example, a provider that received one NSL and a provider that received 900 NSLs would each be allowed to report only that it received between zero and 1,000 NSLs.

The government is also allowing a second option. As with the first option, data demands made through criminal legal process remain unrestricted. Providers may also report the aggregate number of national security process demands received, including both NSLs and FISA orders, in increments of 250, starting with zero to 249. And separately they may report the number of customer selectors covered by these orders, also using increments of 250.

NSA headquarters, Fort Meade, Md.
(Source: Wikipedia)

"This is a victory for transparency and a critical step toward reining in excessive government surveillance," said Alex Abdo, staff attorney with the American Civil Liberties Union's National Security Project, in a statement. "Companies must be allowed to report basic information about what they're giving the government so that Americans can decide for themselves whether the NSA's spying has gone too far."

Abdo, however, called for Congress to require the government to publish basic information about intelligence gathering done without the compelled cooperation of technology companies. The recently disclosed collection of data from mobile apps represents an example of such covert data gathering.

Nate Cardozo, staff attorney for the Electronic Frontier Foundation, in a phone interview expressed disappointment that the technology companies accepted less freedom in the settlement than they had been seeking and said he hoped some other company would pursue the affirmation of broader free speech protection through the courts.

The Justice Department's new guidelines put startups at a disadvantage, particularly if security is central to the company's business model. When a company receives its first demand for information, the government may designate the demand a "New Capability Order." In that case, the company must wait two years (in addition to the mandated six-month delay) before it may make its first report of aggregate numbers. So, were an entrepreneur to launch an encrypted email service, he or she could not disclose any information about government demands for data for two and a half years.

Some companies, such as Apple, have used "warrant canaries" -- an online statement, such as "no government demands for information have been received," that gets deleted upon receipt of a government order -- to communicate the contrary case by the statement's absence. Were authorities to insist that the statement remain unaltered, they would be issuing an order to lie.

Although this tactic remains open to a legal challenge, Cardozo said he believes it's lawful. "If a company does receive an order, all of the same problems about compelled speech appear," he said. "You can't force someone to repeat a lie. There's very good Supreme Court precedent about that."

Comments
Marilyn Cohodas,
User Rank: Author
1/29/2014 | 8:54:05 AM
Re: Fingers crossed
There is no doubt in my mind that this is only the latest -- not the final -- word in the disclosure debate about the NSA surveillance programs. It's a step in the right direction. But only a step. Two court challenges are still winding their way through the federal judiciary, and many legal experts predict that the US Supreme Court is where they will end up. IMO that's where a resolution of the privacy/constitutionality issues belongs. But the wheels of justice grind slowly...
Whoopty,
User Rank: Ninja
1/29/2014 | 7:12:26 AM
Fingers crossed
I'm really hoping that being in the UK, and therefore part of Europe, means that the European Court of Human Rights takes our intelligence agencies and government to task over this blanket data gathering. I feel bad for my pals in the US that there isn't the same overwatch going on there -- here's hoping local politicians can help push through changes.