The deal struck by the federal government and the nation’s largest Internet companies to be more transparent about national security data requests is a good first step, but doesn’t go far enough, according to privacy watchdogs and industry experts. Google, Microsoft, Yahoo, Linkedin and Facebook have been waging a closely watched legal battle with the Justice Dept. over transparency ever since former National Security Agency contractor Edward Snowden leaked documents describing the role of the tech titans in secret U.S. surveillance programs.
The agreement, announced Monday by Attorney General Eric Holder and Director of National Intelligence James Clapper, will allow the Internet giants to reveal more information about national security data requests, including demands for user content under the Foreign Intelligence Surveillance Act (FISA), the controversial law that facilitates many of the government’s most secret snooping programs. In exchange, Google, Microsoft, Yahoo, Linkedin and Facebook have agreed to drop their lawsuit before the Foreign Intelligence Surveillance Court (FISC) demanding more transparency.
The Internet giants have faced mounting scrutiny following disclosures by Snowden about a classified U.S. intelligence system called PRISM, which the NSA has used to examine data—including e-mails, videos and online chats—via requests made under FISA. The companies have strenuously denied that they give the NSA “direct” access to their computer servers, but recent reports have described how the NSA taps directly into their networks, a disclosure that’s prompted professions of outrage from leading industry officials, most notably Eric Schmidt, Google’s executive chairman.
The deal appears to involve concessions by both the government and the Internet companies. The Justice Dept. has backtracked from its earlier contention that increased data disclosures would pose a risk to national security. For the first time, FISA orders may be disclosed, but importantly, such orders require a six-month delay before publication. The tech companies are still prohibited from revealing U.S. information demands at a level of specificity advocated by civil liberties groups and even some of the tech titans themselves. The companies may only disclose the number of FISA orders and national security letters if they do so in increments of 250. And that’s only lumped together. In order to disclose those requests separately, the companies may only publish in increments of 1,000.
That means that the companies are only allowed to disclose numerical ranges, such as 0-999 or 0-249. That’s a good start, but it’s not specific enough, according to Kevin Bankston, the Policy Director of New America’s Open Technology Institute, who says the agreement “falls far short of the level of transparency” that Internet companies, privacy advocates and civil liberties organizations called for last summer. Bankston is one of several free speech lawyers who signed a legal brief to the FISC supporting the tech companies.
“Fuzzing the numbers into ranges of a thousand—and even worse, lumping all of the different types of surveillance orders into a single number — serves no national security purpose while making it impossible to effectively evaluate how those powers are being used,” Bankston said in an emailed statement. “Asking the public and policymakers to try and judge the appropriateness of the government’s surveillance practices based on a single, combined, rounded number is like asking a doctor to diagnose a patient’s shadow. Only the grossest and most obvious problem, if even that, will be ever be evident.”
Alex Abdo, staff attorney with the American Civil Liberties Union’s National Security Project, called the agreement “commendable,” but said that further reforms are needed: “Congress should require the government to publish basic information about the full extent of its surveillance, including the significant amount of spying that happens without the tech companies’ involvement.” Google, Microsoft, Yahoo, Linkedin and Facebook echoed that view, saying in a joint statement that they will “continue to encourage Congress to take additional steps to address all of the reforms we believe are needed.”
The NSA spying scandal could cost the top U.S. tech companies billions of dollars over the next several years, according to industry experts. In addition to consumer Internet companies, hardware and cloud-storage giants like IBM, Hewlett-Packard, and Oracle could suffer billions of dollars in losses if international clients take their business elsewhere. Analysts at Forrester, the respected tech industry research firm, have projected a net loss for the Internet service provider industry of as much as $180 billion by 2016 due to the scandal, which would amount to a 25% decline in the overall information technology services market.
Small to medium size tech companies may also feel the brunt of the NSA scandal, according to David Snead, co-founder of the i2Coalition, a group that represents Internet infrastructure companies. “These companies gain little in the way of trust by disclosing their requests for data in large, vague quantities, or by grouping them in ways that fail to differentiate the type and extent of the request,” Snead said in a statement. “For example, this lack of specificity may make it appear that a small company has received as many as 999 requests for data when in fact they received few or even none. Ironically, these new rules may be an incentive for small and medium companies not to report at all, thus giving the appearance that the company is hiding something.”
Now that the Internet giants have come to an agreement with the Justice Dept., attention will shift to Congress, where several bills designed to reform the NSA and increase government transparency are under development. “The DOJ may have made a small step, but it is up to Congress to make the leap to real transparency reform,” Harley Geiger, an attorney and civil liberties expert at the Center for Democracy & Technology, a D.C.-based tech policy think tank, said in a statement. The USA FREEDOM Act, introduced by Rep. Jim Sensenbrenner, the Wisconsin Republican, and Sen. Pat Leahy, the Vermont Democrat, would allow Internet companies to report user data requests in ranges of 100 and break out specific legal authorities, as would another bill, the Surveillance Order Reporting Act, introduced by Rep. Zoe Lofgren, the California Democrat.