Google, Apple, Facebook, others defy authorities, notify users of secret data demands
Apple, Facebook, others defy authorities, notify users of
secret data demands
By Craig Timberg, Thursday, May 1, 2:11 PM
Major U.S. technology companies have largely ended the
practice of quietly complying with investigators’ demands for e-mail records
and other online data, saying that users have a right to know in advance when
their information is targeted for government seizure.
This increasingly defiant industry stand is giving some
of the tens of thousands of Americans whose Internet data gets swept into
criminal investigations each year the opportunity to fight in court to prevent
disclosures. Prosecutors, however, warn that tech companies may undermine cases
by tipping off criminals, giving them time to destroy vital electronic evidence
before it can be gathered.
Fueling the shift is the industry’s eagerness to distance
itself from the government after last year’s disclosures about National
Security Agency surveillance of online services. Apple, Microsoft, Facebook and
Google all are updating their policies to expand routine notification of users
about government data seizures, unless specifically gagged by a judge or other
legal authority, officials at all four companies said. Yahoo announced similar
changes in July.
As this position becomes uniform across the industry,
U.S. tech companies will ignore the instructions stamped on the fronts of
subpoenas urging them not to alert subjects about data requests, industry
lawyers say. Companies that already routinely notify users have found that investigators
often drop data demands to avoid having suspects learn of inquiries.
“It serves to chill the unbridled, cost-free collection
of data,” said Albert Gidari Jr., a partner at Perkins Coie who represents
several technology companies. “And I think that’s a good thing.”
The Justice Department disagrees, saying in a statement
that new industry policies threaten investigations and put potential crime
victims in greater peril.
“These risks of endangering life, risking destruction of
evidence, or allowing suspects to flee or intimidate witnesses are not merely
hypothetical, but unfortunately routine,” department spokesman Peter Carr said,
citing a case in which early disclosure put at risk a cooperative witness in a
case. He declined to offer details because the case was under seal.
The changing tech company policies do not affect data
requests approved by the Foreign Intelligence Surveillance Court, which are
automatically kept secret by law. National security letters, which are
administrative subpoenas issued by the FBI for national security
investigations, also carry binding gag orders.
The government traditionally has notified people directly
affected by searches and seizures — though often not immediately — when
investigators entered a home or tapped a phone line. But that practice has not
survived the transition into the digital world. Cellular carriers such as
AT&T and Verizon typically do not tell customers when investigators collect
their call data.
Many tech companies once followed a similar model of
quietly cooperating with law enforcement. Courts, meanwhile, ruled that it was
sufficient for the government to notify the providers of Internet services of
data requests, rather than the affected customers.
Twitter, founded in 2006, became perhaps the first major
tech company to routinely notify users when investigators collected data, yet
few others followed at first. When the Electronic Frontier Foundation began
issuing its influential “Who Has Your Back?” report in 2011 — rating companies
on their privacy and transparency policies — Twitter was the only company to
get a star under the category “Tell users about data demands.” Google, the next
mostly highly rated, got half a star from the civil liberties group.
The following year, four other companies got full stars.
The preparation of this year’s report, due in mid-May, has prompted a new
flurry of activity in the legal offices of tech companies eager to gain a
coveted star.
Google already routinely notified users of government
data requests but adopted an updated policy this week detailing the few
situations in which notification is withheld, such as when there is imminent
risk of physical harm to a potential crime victim. “We notify users about legal
demands when appropriate, unless prohibited by law or court order,” the company
said in a statement.
Lawyers at Apple, Facebook and Microsoft are working on
their own revisions, company officials said, although the details have not been
released. All are moving toward more routinely notifying users, said the
companies, which had not previously disclosed these changes.
“Later this month, Apple will update its policies so that
in most cases when law enforcement requests personal information about a
customer, the customer will receive a notification from Apple,” company
spokeswoman Kristin Huguet said.
The trend toward greater user notification gained new
urgency amid the government surveillance revelations made by former NSA
contractor Edward Snowden. Although the bulk data collection he disclosed was
for national security purposes, not routine criminal investigations, companies
grew determined to show that they prized their relationships with customers
more than those with authorities — a particularly sensitive issue overseas,
where the American tech industry has been lambasted as too cozy with the U.S.
government.
“Post-Snowden, there is a greater desire to compete on
privacy,” said Marc Zwillinger, founder of ZwillGen, a Washington-based law
firm that has major tech companies as clients. “Companies have had notice
policies and cared about these issues for years. It’s only now that it’s being
discussed at the CEO level.”
The changing legal standards of technology companies most
directly affect federal, state and local criminal investigators, who have found
that companies increasingly balk at data requests once considered routine. Most
now refuse to disclose the contents of e-mails or social media posts when
presented with subpoenas, insisting that the government instead seek search
warrants, which are issued only by judges and require the stricter legal
standard of probable cause.
Subpoenas, by contrast, can be issued by a broader range
of authorities and require only that the information sought be deemed
“relevant” to an investigation. A 2010 ruling by the U.S. Court of Appeals for
the 6th Circuit backed the industry’s contention that search warrants should be
required for digital content, a standard now widely accepted.
For data other than content — such as records showing the
senders and recipients of e-mails, the phone numbers registered with accounts
or identifying information about the computers used to access services —
companies have continued accepting subpoenas but warn investigators that users
will be notified before disclosure occurs.
“That was one of the purposeful burdens that was supposed
to limit government surveillance,” said Marc Rotenberg, a Georgetown University
law professor and executive director of the Electronic Privacy Information
Center. “As a historic matter, the intent always was that a person would be
notified.”
The shifting industry practices force investigators to
make difficult choices: withdraw data requests, allow notification to happen or
go to magistrate judges to seek either gag orders or search warrants, which
typically are issued under seal for a fixed period of time, delaying
notification. Such choices were made even more difficult by the rising
skepticism of magistrate judges, many of whom in recent years have scrutinized
such requests more carefully or rejected them altogether, legal experts say.
“It’s sort of a double whammy that makes law
enforcement’s job harder,” said Jason M. Weinstein, former deputy assistant
attorney general of the Justice Department’s criminal division, now a partner
at Steptoe & Johnson. “It has the potential to significantly impair
investigations.”
Ronald T. Hosko, a former FBI special agent who until his
recent retirement oversaw the criminal division at the Washington field office,
said the development of cases has been hurt by the threat of user notification,
especially during early phases when investigators try to work discreetly,
before a suspect potentially can destroy evidence. He said the shift among tech
companies has been driven mainly by concern about their public images, at the
expense of public safety — an issue he said was particularly acute when it came
to cases involving child predators or terrorists.
“My fear is that we will be less secure in our country,
in our houses, because of political decisions, because of the politics of the
day, rather than what will keep us safe,” Hosko said. “I’m concerned that that
gets people killed, that that gets people hurt.”
Companies that have policies to notify users of
government data collection say they make exceptions for cases of imminent
danger to potential victims, especially if the safety of a child is at risk. In
the vast majority of situations, however, users deserve to know who is
collecting their data and why, the companies say. The exceptions, they say,
should be decided by a judge — not by a company lawyer, and not by an
investigator.
“The intent is to make sure it’s not a rubber stamp,”
said Dane Jasper, chief executive of Sonic.net, an Internet and phone provider
in California whose notification policy has won a star from EFF. “That way
we’re not releasing customer information without due process.”
Ann E. Marimow contributed to this report.
Related stories: Google encrypts data amid backlash
against NSA spying Microsoft to ramp up encryption to guard against NSA NSA
infiltrates links to Yahoo, Google data centers
© The Washington Post Company
Comments
Post a Comment