fb-pixelUS to let firms release data on NSA requests - The Boston Globe Skip to main content

US to let firms release data on NSA requests

WASHINGTON — The Obama administration will let Internet companies give customers a better idea of how often the government demands their information, but will not allow companies to disclose what is being collected or how much.

The new rules — they prompted Google, Microsoft, Yahoo, and Facebook to drop their lawsuits before the nation’s secret surveillance court — also contain a provision that bars companies less than two years old from revealing information about government requests for two years.

Attorney General Eric H. Holder Jr. and James R. Clapper, director of national intelligence, said the new declassification rules were prompted by President Obama’s speech on intelligence reform this month.

Advertisement



“Permitting disclosure of this aggregate data addresses an important area of concern to communications providers and the public,” Holder and Clapper said in a joint statement.

The companies’ dispute began last year after former government contractor Edward Snowden revealed that FBI and National Security Agency surveillance programs rely on data from e-mail providers, video-chat services, and social-networking companies.

“We filed our lawsuits because we believe that the public has a right to know about the volume and types of national security requests we receive,” Google, Microsoft, Yahoo, and Facebook said in a joint statement. “While this is a very positive step, we’ll continue to encourage Congress to take additional steps to address all of the reforms we believe are needed.”

Privacy advocates say the new rules will prevent the public from knowing if the government is snooping on an e-mail platform or chat service provided by a young tech outfit.

Sometimes, FBI agents demand data with administrative subpoenas known as national security letters. Other times, the Justice Department makes the demand under the authority of the surveillance court but without a specific warrant. Either way, the justification is typically secret and companies are prohibited from saying much.

Advertisement



The companies wanted to be able to say how many times they received court orders, known as FISA orders, for the Foreign Intelligence Surveillance Act. The government opposed that.

Currently, they are allowed to disclose only the number of administrative subpoenas, but only in increments of 1,000. That made it impossible for users to know whether government agents grabbed data from their e-mail provider once or 999 times.

Under the new agreement, companies will be able to disclose the existence of FISA court orders. But they must choose between being more specific about the number of demands or about the type of demands. Companies that want to disclose the number of FISA orders and national security letters separately can do so as long as they only publish increments of 1,000. Or, they can narrow the figure to increments of 250 if they lump FISA court orders and national security letters together.

Technology firms will be allowed to publish the information every six months, with a six-month delay. They will also be allowed to release the number of “selectors” — user names or e-mail addresses, for instance — that the government sought information about.

The Justice Department had endorsed the new rules months ago but intelligence officials argued they still revealed too much. But the new rule for startups persuaded intelligence officials, a US official said.

“The bottom line is that this is a positive step forward but still falls short of proposals before Congress right now,” said Harley Geiger, at the Center for Democracy and Technology. “It’s a good step, but a temporary step towards greater transparency.”

Advertisement



Ladar Levison, founder of Lavabit, a secure e-mail service used by Snowden, said the rules do not provide information consumers really need.

“They could be ordered to turn over their source code to the government. A single request could cover 1,000 different user accounts,” Levison said. “Just simply disclosing the number of FISA court orders, doesn’t tell you how pervasive the request is or how much information is being turned over.”