Today, February 11, is a digital day of protest against surveillance by the National Security Agency. Billed as ‘The Day We Fight Back’, the protest draws participants ranging from activist groups to the Reform Government Surveillance Coalition, a business entity which includes Google, Microsoft, LinkedIn, Twitter, Facebook, Yahoo!, and AOL. Protesters’ demands include Congressional support for the Freedom Act, proposed legislation which would limit the collection of Americans’ data under existing surveillance statutes.
Corporate participation in this protest highlights a key challenge facing Internet companies today. Companies must comply with lawful requests from governments for access to user data. At the same time, companies must also build and maintain the trust of their users by operating as responsible stewards of that data. When companies are restricted with regard to what they can say about national security requests received from the U.S. Government, they face the challenge of earning trust without being transparent. In this context, establishing credibility requires active and continued efforts to engage proactively with users and other stakeholders, including policymakers, regarding what can — and cannot — be said.
Several companies, including Google, Microsoft, Yahoo!, Facebook, and LinkedIn, have sought to reduce the extent of the U.S. Government’s non-disclosure requirements through motions for declaratory relief filed with the Foreign Intelligence Surveillance Court. In January, in response to these petitions, the U.S. Department of Justice released new rules with regard to disclosures of national security requests, and the companies agreed to dismiss their claims, without prejudice.
Historically, companies have been prohibited from providing any information regarding requests received pursuant to U.S. national security laws. Pursuant to the new rules, companies may disclose at six-month intervals, and in bands of 1000, the following information:
the number of national security letter requests that they have received;
the number of customer accounts affected by national security letters;
the number of Foreign Intelligence Surveillance Act (“FISA”) orders for content that they have received;
the number of customer selectors targeted under FISA content orders;
the number of FISA orders for non-content that they have received; and
the number of customer selectors targeted under FISA non-content orders.
Alternatively, companies can disclose, in bands of 250:
the total number of all national security letter and FISA requests received; and
the total number of customer selectors targeted by national security letter and FISA requests.
Since the new rules were released, several companies have updated their transparency reports with regard to government requests for user data. For example, for the period January to June 2012, Google stated that it received 0-999 requests under FISA for content data that involved 9000-9999 user accounts. For the same period, LinkedIn stated that it received 0-249 national security requests involving 0-249 user accounts.
Notably, the new rules maintain restrictions on what can be said with regard to new platforms, products, or services. Requests specific to a new platform, product, or service cannot be disclosed for two years.
Ultimately, these disclosures represent greater, but still significantly limited, transparency, and at least one company, Twitter, has stated that it may pursue further legal action seeking reduced restrictions. These new rules alter, ever so slightly, the platform for debate regarding the balance that must be struck between civil liberties and national security. Companies are essential participants in that dialogue as they navigate both compliance challenges and the need to respect the privacy rights of their users.