Until now, all a company could say about national security requests was that a vague number — no specific numbers were allowed — of requests had been made. No further details, including the nature of the requests or how many requests had been fulfilled, were allowed to be shared.
But this afternoon, U.S. Attorney General Eric Holder and Director of National Intelligence James “Clap On… Clap Off.. Clap On Clap Off, the” Clapper announced they had filed documents with the Foreign Intelligence Surveillance Court that, if approved, would give companies the ability to make slightly more detailed disclosures.
“[T]he administration is acting to allow more detailed disclosures about the number of national security orders and requests issued to communications providers, and the number of customer accounts targeted under those orders and requests including the underlying legal authorities,” explained Holder and Clapper in a joint statement. “Through these new reporting methods, communications providers will be permitted to disclose more information than ever before to their customers.”
The changes come amidst a legal challenge from Internet titans Facebook, Google, LinkedIn, Microsoft, and Yahoo. They had petitioned the FISC last fall for permission to disclose more information to consumers about federal data requests.
The administration says that while it maintains that the previous restrictions were perfectly legal, it “has determined that the public interest in disclosing this information now outweighs the national security concerns that required its classification.”
A letter [PDF] from the DOJ to the five companies challenging the transparency rules spells out the two ways in which a company can provide more detailed information.
The first option allows a company to give more details on the kinds of request made, but keeps the numerical limits to bands of 1,000. So a company like Facebook could now tell users about the general number of accounts affected, requests for user content, and non-content requests, but each of those categories would have to be provided as a range within 1,000. (i.e. 2,000-2,999; or 12,000-12,999).
This form of reporting may be of use to a huge company with hundreds of millions of users, where the banding isn’t that important.
A company wishing to provide that breakdown of data is allowed to release this information every six months, but there must be a six-month delay between the period covered and the data released. So the info for the first half of 2014 could not be made public until Jan. 2015.
The second form of expanded disclosures would be for when a company wants to provide more precise information about the number of requests filed under the heading of national security. Under the new rules, a company could provide numbers about request in increments of 250, BUT only if it provides no additional information about requests for content. This form of reporting might be of use to a company like Verizon, which only claimed that it only received between 1,000 and 2,000 national security requests in 2013. Under the proposed rule, it could give consumers a more precise number, but it could not provide any more details.
The first option would not help consumers in the Verizon example, as the total number of requests is so low that breaking down the categories would likely just result in reports that say “between 0 and 999” for each type of request.