Transparency Reporting

Ryan Budish

A pervasive surveillance apparatus for collecting information about the users of services like Gmail and Facebook. I’m not talking about the NSA and the secret programs that Eric Snowden revealed: in the US, personal data is also collected under the legal and non-secretive Stored Communications Act (SCA), and other countries have their own, similar mechanisms. We don’t think of this form of collection as extensive or pervasive because accurate aggregate figures are hard to come by. That needs to change.

The US’s SCA is an outdated piece of legislation, passed well before we had high-speed Internet or gigabytes of free cloud storage. It gives law enforcement the ability to collect substantial personal data, often with minimal court supervision. For instance, a law enforcement agency can obtain a person’s name, physical address, IP addresses, data about when she signs on and off of an online service, and her payment processing information, simply by issuing a subpoena—a demand for information without court approval. If law enforcement notifies the target of the investigation, it can use a subpoena to collect opened emails of any age and unopened emails stored for longer than 180 days. In some circumstances, notice can be postponed. In other words: a tremendous amount of data is available without any court oversight. And law enforcement can use court orders and warrants to collect even more, if necessary.

What we know about this scale of this data collection comes from transparency reports – disclosures that some companies publish about the requests for user data that they’ve received from governments. In 2009, Google published the first transparency report; Twitter followed suit in 2012. Over a dozen companies are now releasing transparency reports, with more on the way.

These reports give us some information about the scale of governments’ criminal surveillance. For instance, we know that in 2012, US law enforcement agencies made 16,407 requests from Google on 31,072 accounts (not including secret foreign surveillance). When combined with similar data from Twitter and Microsoft, the totals are 28,974 requests on 57,730 accounts.

This is helpful information, but it provides only the faintest glimpse into the full scope of lawful domestic surveillance. The utility of transparency reports as an industry-wide measure is limited by three factors:

Obscured Data: Several transparency reports obscure the amount of domestic surveillance. Facebook and Yahoo!, for example, recently released reports that combine national security requests with domestic criminal requests instead of providing criminal requests as a standalone category. This decision, a concession to the Obama administration in exchange for the right to disclose some data relating to national security requests, diminishes the value of the reports in illuminating either of the surveillance categories.

Inconsistent Data: Even the reports that explicitly provide domestic criminal data differ in some significant ways. For instance, how the companies define critical terms such as “user” or “court order” make the reports difficult to compare and aggregate, leaving us with approximations at best.

Weak Internationalization: Some of the companies releasing reports have provided detailed information about US requests, but none provide the same level about other countries’ requests. How many countries use warrants? We can’t say because we have only US data.

With more consistency in transparency reporting, we’d be able to develop a more complete picture of the scale of data collection in criminal investigations.