Data now being published regularly by many U.S. tech companies reveal the scale and scope of government requests for user information.
Last Monday, Verizon revealed for the first time approximately how many national security requests for customer data it receives. During the first six months of 2013, the company said, the U.S. government made national security-related requests for information about 5,000 to 6,000 individual customers under the Foreign Intelligence Surveillance Act (FISA).
The data were disclosed in an update to Verizon’s first-ever transparency report, published in January. The report revealed over 320,000 requests by conventional United States law enforcement entities for Verizon customer data over the same period.
Google started the transparency report trend four years ago, and it has reported a steady rise in requests with each report. In its latest report, Google lists 25,879 total requests from governments around the world, including 10,918 from U.S. law enforcement. That’s up from 12,549 and 3,580, respectively, since its first report was issued in late 2009.
In recent years, several major software and Internet companies have followed Google’s lead by releasing their own reports, and Verizon and AT&T both recently issued their first reports. Verizon’s is the latest in a fresh round of public disclosures covering the first six months of 2013.
It has always been legal for companies to report the number of conventional law enforcement requests they receive. Early in 2013, however, the U.S. government began allowing companies to report the number of National Security Letters (or NSLs: requests from the FBI for customer data limited to the name, address, length of service, and toll billing records of a subscriber) they received as well, as long as this was reported in bands of 1,000. (In other words, a company can’t give a specific number, but can say, for example, that between 1,000 and 1,999 requests were made.)
Then, last summer, in the wake of Edward Snowden’s revelations about the National Security Agency’s surveillance efforts, the FBI and the Department of Justice agreed to allow companies to also report FISA requests made by the government—though not separately from conventional law enforcement requests. Finally, in January 2014, the Department of Justice gave in to pressure from several companies and provided two new reporting options that allowed for the separate disclosure of FISA requests.
In the first option, FISA requests for “content” (posts, e-mails, texts, photos, etc.) and “non-content” (subscriber information and call records), together with the number of individual customers specified in each of those requests, can be reported in bands of 1,000.
In the second reporting option, companies can add up all national security requests, including FISA requests and National Security Letters, and report them as one number, in bands of 250.
AT&T and Verizon each received over 300,000 total conventional law enforcement requests.
Tech companies that chose to report FISA requests using the first option did so one of two different ways.
Facebook, Yahoo, and Tumblr reported total U.S. government requests, a figure that includes national security-related requests. But these companies also broke out the national security-related requests separately, in bands of 1,000.
Microsoft and Google both report conventional law enforcement requests and national security-related requests separately.
Absent from the group of companies that chose to report national security requests is Twitter, which reported 833 conventional U.S. law enforcement requests that specified 1,323 individual accounts.
Several companies have expressed a desire to disclose national security requests with more precision, and in greater detail, in future reports. In Twitter’s latest report, Jeremy Kessel, manager of global legal policy, criticized the requirement to report in large ranges, which he said “do not provide meaningful or sufficient transparency for the public, especially for entities that do not receive a significant number of—or any—national security requests.”
The next round of transparency reports is due in about six months.