I usually don't blog about data privacy issues, though I'm a native and resident of a country in which there's historically been a lot of interest in the topic. But I've just been able to obtain a copy of an interesting court filing by Apple that I wanted to share (before returning to my usual focus, patent litigation).
The problem is that the U.S. government does not allow companies like Apple to publish the aggregate number of national security demands they receive. This runs counter to the efforts by such companies to be transparent with their customers about how many instances there are in which customer data of certain kinds must be disclosed. This is not about whether national security agencies should be able to obtain such data under certain circumstances -- it's about whether companies can at least say how frequently this occurs in a given country.
To be clear, I'm very much for security, to a far greater extent than the majority of people who comment on data privacy issues. But transparency is also key. I agree with Apple, Google, Microsoft, Yahoo, Facebook and LinkedIn (I hold active online accounts with all of them) that the right balance between security and transparency is not struck if companies are not even allowed to publish aggregate numbers. Letting the public know those numbers would be reassuring. If you know that a company has hundreds of millions of accounts and you see a precise number of aggregate information requests that is rather limited, then you can figure how unlikely it is that any such request related to you (unless you've done something recently that makes you a very likely target of such requests).
Clearly, in the age of cloud computing, overreaching restrictions on transparency hurt the competitiveness of U.S. companies in global markets. I see calls over here in Europe to require U.S. Internet companies to keep European customer data only on local servers in Europe, and that's just one example of how the whole NSA/Snowden issue can adversely affect U.S. business interests in the rest of the world.
Apple today published a report on government information requests. There's a clear commitment to privacy and transparency right at the beginning:
"We believe that our customers have a right to understand how their personal information is handled, and we consider it our responsibility to provide them with the best privacy protections available."
This is what the section entitled "Advocating for Greater Transparency" says:
"At the time of this report, the U.S. government does not allow Apple to disclose, except in broad ranges, the number of national security orders, the number of accounts affected by the orders, or whether content, such as emails, was disclosed. We strongly oppose this gag order, and Apple has made the case for relief from these restrictions in meetings and discussions with the White House, the U.S. Attorney General, congressional leaders, and the courts. Despite our extensive efforts in this area, we do not yet have an agreement that we feel adequately addresses our customers' right to know how often and under what circumstances we provide data to law enforcement agencies.
We believe that dialogue and advocacy are the most productive way to bring about a change in these policies, rather than filing a lawsuit against the U.S. government. Concurrent with the release of this report, we have filed an Amicus brief at the Foreign Intelligence Surveillance Court (FISA Court) in support of a group of cases requesting greater transparency. Later this year, we will file a second Amicus brief at the Ninth Circuit in support of a case seeking greater transparency with respect to National Security Letters. We feel strongly that the government should lift the gag order and permit companies to disclose complete and accurate numbers regarding FISA requests and National Security Letters. We will continue to aggressively pursue our ability to be more transparent."
The above paragraph mentions an amicus brief filed with the Foreign Intelligence Surveillance Court (FISC, but often also referred to, like above, as the "FISA Court"). I've obtained a copy of that brief. Apple submitted it "in support of motions for declaratory judgment filed by Google Inc., Microsoft Corporation, Yahoo! Inc., Facebook, Inc., and LinkedIn Corporation seeking permission to publish the aggregate numbers of national security demands made on them and the number of users or accounts affected by those requests". Here's the amicus brief (this post continues below the document):
13-11-05 Apple Amicus Brief With FISA Court by Florian Mueller
The brief refers to a letter Apple received from the FBI, which is an example of the restrictions imposed on U.S. companies (this post continues below the document):
13-06-17 FBI Letter to Apple by Florian Mueller
In its amicus brief, to which the FBI letter is an exhibit, Apple mentions that it "sought permission from the FBI to disclose the aggregate number of national security requests that it received and the number of accounts affected by each applicable national security authority (e.g., NSL, FISA, and Section 702 of FISA)". But in mid-June 2013, "the General Counsel of the FBI refused the request" (by phone and by letter). Appple complains that "the FBI required [it] to group the receipt of national security requests with requests from police investigating robberies and other crimes, searching for missing children, or hoping to prevent a suicide". It also criticizes that it "must use ranges of 1,000 rather than disclose a precise number".
According to Apple's amicus brief, "the FBI did not identify anything in the law that authorizes the Government to prohibit disclosure of the aggregate number of national security requests received by Apple", but "portrayed its decision as an exercise of its discretion not to enforce the statute against Apple specifically". Apple complains that this is a "deliberate attempt to reduce public knowledge as to the activities of the Government".
Without a doubt, Apple's report and its amicus brief are important contributions to the privacy debate. Let's hope that a reasonable balance will be struck between security and transparency needs. As far as I can see, there is room for more transparency without compromising security, and there appears to be consensus on this among major industry players.
If you'd like to be updated on the smartphone patent disputes and other intellectual property matters I cover, please subscribe to my RSS feed (in the right-hand column) and/or follow me on Twitter @FOSSpatents and Google+.
Share with other professionals via LinkedIn: