updated 11:56 pm EDT, Thu May 1, 2014
Goal is to force greater openness, courts to weigh in on secret collection
Apple and other tech companies are planning to adjust privacy policies to begin notifying customers when their information is requested by most law enforcement agencies, according to reports. Microsoft, Facebook and Google are also said to be planning to implement the same idea, as all four companies strongly support the right of users to know when their data is being requested by government officials in most cases. The move is widely seen as an attempt to force the process to become more lawful and transparent.
There is a limit to the notifications the companies plan to sending out. National security investigations are still handled by America's "secret" Foreign Intelligence Surveillance Court, which can authorize both investigations and issue gag orders on the companies expected to supply the data. In other cases, however, the user would be notified of the nature of the request and what agency was making it.
Yahoo was among the first such companies to implement such a policy, doing so last July, and following the lead of Twitter. The government, according to the Washington Post, argues that such notifications could tip off criminals and give them time to destroy evidence "before it can be gathered." Albert Gidari Jr., a partner at a legal firm representing some of the tech companies, said that the defiance of the companies would likely "chill the unbridled, [penalty]-free collection of data" on US citizens, which he described as "a good thing."
The tech companies are likely to be implementing the change in policy as a way of both forcing the issue out into public awareness, as well as demonstrate that it is committed to the security of its customers. Concern has been growing among both CEOs of data-centric companies as well as their clients about the secretive and often unsupervised abuse of warrantless "fishing expeditions" and the general collapse of privacy enforcement and due process in the US, as revealed in documents obtained by former NSA contractor Edward Snowden and recent public court cases. Some companies are keen to see more public review of the validity of requests before being forced to reveal customer data.
As reported yesterday, the Supreme Court is hearing arguments in two cases where law enforcement agencies claim the right to do warrantless searches of a detainee's cell phone or other mobile device, even if there is no grounds to do so, in order to find possible cause to further detain or arrest a citizen. Facebook CEO Mark Zuckerberg and Apple CEO Tim Cook have both publicly spoken out against what they see as "overly intrusive" government spying on its own citizens.
"As this position becomes uniform across the industry, U.S. tech companies will ignore the instructions stamped on the fronts of subpoenas urging them not to alert subjects about data requests," the paper quotes industry sources as saying. "Companies that already routinely notify users have found that investigators often drop data demands to avoid having suspects learn of inquiries."
Prior to the events of 9/11, the US government would notify people "directly affected" by searches and seizures -- "though often not immediately," the newspaper notes -- when a home-phone wiretap or a search warrant was executed. As the public moved its personal data onto digital devices, however, those rights have been largely trampled -- in part by technologically-impaired judges and authoritarian agencies that compare Internet data to the public domain, and even equate encrypted cloud service users as having "no reasonable expectation of privacy." Google itself has argued that it has the right to search users' mail without prior notification or consent, calling it a condition of using the service (and making the company's opposition to government searches look hypocritical).
Carriers and data companies now normally do not inform customers of government inquiries for data, in part a reaction to the draconian measures enacted after 9/11. However, reports of abuses uncovered by Snowden and others, combined with time and further consideration from America's initial reactions to the terrorist event, have emboldened the public and some companies to demand more accountability, transparency and greater respect for privacy from the government.
Apple has confirmed its participation in the scheme, with a spokesperson saying that "later this month, Apple will update its policies so that in most cases when law enforcement requests personal information about a customer, the customer will receive a notification from Apple." Google has already implemented a more basic version of Apple's revised policy, but adopted a stronger stance this week and detailed under what circumstances the company wouldn't notify users of a government request.
Most tech companies, the paper reports "now refuse to disclose the contents of emails or social media posts when presented with subpoenas, insisting that the government instead seek search warrants -- which are issued only by judges, and require the stricter legal standard of probable cause." The companies can and often do still accept subpoenas for vaguer data other than content -- things like senders and recipients of emails rather the actual messages, for example, or the IP address of an originating computer -- but have increasingly begun to refuse requests for the content of emails or social media posts without search warrants, a move backed by a 2010 6th Circuit US Court of Appeals ruling.
The change in policies pits tech companies -- many of which collect very detailed information about their own users for the purposes of selling advertising, and thus cannot exactly be considered vanguards of privacy -- against law enforcement, which following 9/11 saw itself as having a clear license to gather information on anyone, at any time, for no identified cause. That line of thinking eventually persuaded both the Bush and Obama administrations to develop programs that effectively attempt to collect and analyze every bit of Internet and telephone communication made in or to the United States.
The invasive tools granted to authorities in 2001, they say, help them find and stop both terrorist actions and routine crimes -- or people likely to commit crimes. Privacy advocates accuse the government of overreaching, but authorities point to (and often play on) the public's desire to avoid the possibility of terrorist attacks to justify its Fourth Amendment-busting bulk data collection tactics.
"My fear is that we will be less secure in our country, in our houses," said former FBI Special Agent Ronald T. Hosko, echoing various law enforcement managers quoted in the Post article, "because of political decisions, because of the politics of the day, rather than what will keep us safe. I'm concerned that that gets people killed, that that gets people hurt."
Critics argue that authorities are "drunk with power" and tend to abuse the traditional limitations that separate a democracy from a police state. "[Notifications to suspects that they were under investigation] was one of the purposeful burdens that was supposed to limit government surveillance," said Marc Rotenberg, an executive director of the Electronic Privacy Information Center. "As a historic matter, the intent always was that a person would be notified."
The tech companies say they already make exceptions for cases in which notification would cause imminent danger to potential victims, but that in the "vast majority" of situations, "users deserve to know who is collecting their data and why," the paper says. Dane Jasper, the CEO of Internet provider Sonic.net, summed up the resistance by saying that the companies aren't putting customer relations over cooperation with authorities or patriotic interest, but that the intent is to serve as a check and balance on excessive law enforcement overzealousness, to "make sure [the requests for customer data] are not a rubber stamp. That way, we're not releasing customer information without due process."