The PRISM slide that first implicated major companies in dragnet surveillance, even if they were forced by law to comply. Image: Wikipedia
How many people have had their data lawfully collected by the US intelligence community? For the first time, we've got an answer from the big tech giants: Tens of thousands a year.
Today, Google, Facebook, LinkedIn, Microsoft, and Yahoo all released updated transparency data concerning FISA requests, and while Facebook notes that data is collected "a small fraction of one percent of Facebook user accounts"—a point that rings true for all of the above—that's about all we know.
Such opacity in reporting is exactly what Attorney General Eric Holder and Director of National Intelligence James Clapper were going for when they announced that tech companies could finally disclose Foreign Intelligence Surveillance Act records. FISA is the law that largely governs how agencies like the NSA collect bulk metadata.
According to the new rules, companies are only allowed to report on how many specific requests they received in bands of 1000, or total requests in bands of 250. They're also allowed to split FISA requests across content and non-content types, which Yahoo describes thusly:
FISA Requests for Disclosure of Content may be used to get content that users create, communicate, and store on or through our services. This could include, for example, words in an email or instant message, photos on Flickr, Yahoo Address Book or Calendar entries and similar kinds of information.
FISA Requests for Disclosure of Non-Content Data (NCD) are limited to NCD such as alternate e-mail address, name, location, and IP address, login details, billing information, and other transactional information (e.g., “to,” “from,” and “date” fields from email headers).
So while the newly-allowed reports help shed some light on how pervasive the government's lawful data collection is—and that the government largely makes requests that include user content—it doesn't get much more specific than that. Let's run through the companies numbers real quick:
In its post, Google broke its numbers down into non-content and content requests per the Justice Department's guidelines. It's notable that Google received far more requests for reports including content of users' communications than without.
Google also noted its previous legal action with regards to disclosure, writing that "last year we filed a lawsuit asking the FISA Court to let us disclose the number of FISA requests we may receive and how many users/accounts they include. We’d previously secured permission to publish information about National Security Letters, and FISA requests were the only remaining type of demands excluded from our report."
Facebook's data doesn't go as far back as Google's, and the company also receives fewer requests. In its post, Facebook highlighted the fact that in previous transparency reports, the company wasn't allowed to differentiate between data requests by law enforcement and government intelligence agencies. Again, the numbers here aren't very specific, but they don't include a massive number of users.
LinkedIn chose to report its national security requests in bulk as part of an updated transparency report. The firm's data only cover the first half of 2013, in which the company received between 0-249 data requests concerning between 0-249 accounts. According to older LinkedIn transparency reports, the company receives vary few government data requests in total.
Microsoft
Microsoft still has a ton of Hotmail and Outlook users, which means it also had a ton of records requests, which are collated in the fairly ungainly chart above. (I squished it a bit, sorry if it looks weird.) In his post detailing the release, Microsoft general counsel Brad Smith makes an important distinction about the disclosure that Microsoft was compelled to give content data on, say, 15,000-15,999 accounts in the first half of last year.
"It’s important to note that this does not necessarily mean that more than 15,000 people were covered by these data requests," he wrote. "This is because one individual may have multiple accounts, each of which would be counted separately for the purposes of reporting this data." Aside from potentially inflating numbers, this also shows just how little the DoJ's allowed disclosures actually say.
Yahoo!
Thanks to its massive mail service, Yahoo had the most requests for user content last year. As the others have said, Yahoo explained that "the number of Yahoo accounts specified in global government data requests comprised less than one one-hundredth of one percent (<.01%) of our worldwide user base for the reporting period."
Bonus: Apple
Apple has been working on its own disclosure relationship with the Justice Department, which it detailed in a January 27 letter. While it doesn't get specific on FISA requests, Apple noted that it received between 0-249 National Security Order requests pertaining to 0-249 accounts.
So what do all these numbers mean? First, it's a good sign that more light is being shed on FISA. While the law itself isn't secret, how it's interpreted and used has been until recently. The change announced by Holder and Clapper is thus laudable.
But by its very nature doesn't allow for much disclosure. The fact that FISA requests for six of the biggest tech companies encompass less than 80,000 accounts a year at most supports those firms' longstanding assertions that the NSA and DoJ's surveillance activities are fairly limited.
At the same time, the companies are still legally barred from notifying the owners of all those accounts that they've been surveilled. And don't let the limited number of accounts involved in FISA requests fool you: the NSA still has been shown to collect billions of social interactions a day on the public web, and its metadata collection affected millions of people.