Date: 2013-06-15
By Joseph Menn and Gerry Shih
SAN FRANCISCO, June 14 - Facebook and Microsoft
have struck agreements with the U.S. government to release
limited information about the number of surveillance requests
they receive, a modest victory for the companies as they
struggle with the fallout from disclosures about a secret
government data-collection program.
Facebook on Friday became the first to release
aggregate numbers of requests, saying in a blog post that it
received between 9,000 and 10,000 U.S. requests for user data in
the second half of 2012, covering 18,000 to 19,000 of its users'
accounts. Facebook has more than 1.1 billion users worldwide.
The majority of those requests are routine police inquiries,
a person familiar with the company said, but under the terms of
the deal with the Justice Department, Facebook is precluded from
saying how many were secret orders issued under the Foreign
Intelligence Surveillance Act. Until now, all information about
requests under FISA, including their existence, was deemed
secret.
Microsoft said it had received requests of all types for
information on about 31,000 consumer accounts in the second half
of 2012. In a "transparency report" Microsoft published earlier
this year without including national security matters, it said
it had received criminal requests involving 24,565 accounts for
all of 2012.
If half of those requests came in the second part of the
year, the intelligence requests constitute the bulk of
government inquiries. Microsoft did not dispute that conclusion.
Google said late Friday that it was negotiating with the
government and that the sticking point was whether it could only
publish a combined figure for all requests. It said that would
be "a step back for users," because it already breaks out
criminal requests and National Security Letters, another type of
intelligence inquiry.
Facebook, Google and Microsoft had all
publicly urged the U.S. authorities to allow them to reveal the
number and scope of the surveillance requests after documents
leaked to the Washington Post and the Guardian suggested they
had given the government "direct access" to their computers as
part of a National Security Agency program called Prism.
The disclosures about Prism, and related revelations about
broad-based collection of telephone records, have triggered
widespread concern and congressional hearings about the scope
and extent of the information-gathering.
The big Internet companies in particular have been torn by
the need to obey U.S. laws that forbid virtually any discussion
of foreign intelligence requests and the need to assuage
customers.
"We hope this helps put into perspective the numbers
involved and lays to rest some of the hyperbolic and false
assertions in some recent press accounts about the frequency and
scope of the data requests that we receive," Facebook wrote on
its site.
Facebook said it would continue to press to divulge more
information. The person familiar with the company said that it
at least partially complied with U.S. legal requests 79 percent
of the time, and that it usually turned over just the user's
email address and Internet Protocol address and name, rather
than the content of the person's postings or messages.
It is believed that FISA requests typically seek much more
information. But it remains unclear how broad the FISA orders
might be.
Several companies have said they had never been asked to
turn over everything from an entire country, for example.
However, the intelligence agencies could ask for all
correspondence by an account holder, or even all correspondence
from the users' contacts.
Among the other remaining questions are the nature of
court-approved "minimization" procedures designed to limit use
of information about U.S. residents. The NSA is prohibited from
specifically targeting them.
"If they are receiving large amounts of data that they are
not actually authorized to look at, the question then becomes
what are the procedures by which they determine what they can
look at?" said Kevin Bankston, an attorney at the Center for
Democracy & Technology. "Do they simply store that forever in
case later they are authorized to look at it?"
In addition, some legal experts say that recent U.S. laws
allow for intelligence-gathering simply for the pursuit of
foreign policy objectives, not just in hunting terrorists and
spies.
Google, Facebook and Microsoft have already directly
contradicted the Guardian and Washington Post reports about
"direct access" to their servers.
Both newspapers have since backtracked, and it now appears
that at least some of the companies allowed neither
government-controlled equipment on their property nor direct
searches without company employees vetting each inquiry.
Google has been the most forthright on the technology issue,
saying that it provides information only on request via an
old-school data-transfer protocol called FTP and that Google
legal staff must approve each request.
Beyond that, it is now clear that many of the companies have
objected, at times strenuously, to both individual requests and
the broad sweep of the program. It remains unclear how
successful they have been.
WRESTLING OVER SECRET ORDERS
The initial reports about Prism included an internal NSA
slide listing the dates that each of nine companies began
allowing Prism data collection, starting with Microsoft in 2007
and Yahoo in 2008. The other companies include Apple,
AOL and PalTalk as well as YouTube and Skype, which are
owned by Google and Microsoft respectively.
Sources familiar with the conversations between the
government and the Internet companies say there are frequent
disagreements over how to handle specific requests.
Only one company, Yahoo, is known to have taken the highly
unusual step of appealing an order from the Foreign Intelligence
Surveillance Court. The company argued in 2008 that the order
violated the Fourth Amendment protection against unreasonable
searches and seizures.
But U.S. District Judge Bruce Selya, who headed the FISA
court's Court of Review, ruled the data collection program did
not run afoul of the Bill of Rights.
Selya's ruling was published in redacted form, only the
second time such a decision had ever been made public. A Justice
Department spokesman said it was published at the court's
behest, but the executive branch would have had to approve the
waiving of secrecy rules.
Two days after that, according to the leaked NSA slides,
Google joined the Prism data-collection effort.
"When Yahoo lost that case, it dissuaded everyone else from
going to court," a person at another company told Reuters.
"A provider seeing that decision erases the doubt about
whether a judge would approve this process," said a former
lawyer for Yahoo.
Twitter, which has positioned itself as a hard-line defender
of free speech and customer privacy, is still not participating
in Prism. But people familiar with talks between the tech
companies and the government said it will likely be forced to
comply.
In Twitter's case, as in that of some other companies, the
objections have ostensibly been about the technological
difficulty in complying with orders and the format in which the
information will be shared, people familiar with the situation
say.