Today the Department of Justice (DOJ) announced that it would allow companies to publicly report more details about the government’s demands for user data under national security authorities. Though this is a positive development, the DOJ’s new rules still do not permit the granular reporting needed for meaningful public debate, and fall short of proposals circulating in Congress and government oversight entities – such as PCLOB and the President’s Review Group – to authorize more detailed reporting.
Before today, companies were able to publish the numbers of law enforcement demands for data, as well as the number of users affected. Companies could also publish what types of law enforcement demands they received, such as a warrant, subpoena, or court order. However, companies were not able to publish separate figures on data requests related to intelligence and national security – with the exception of national security letters (NSLs), which companies could report in ranges of 1,000. Instead, if companies wanted to report national security-related data requests, they were only authorized to lump them together with the number of law enforcement data requests, in a range of 1,000, without more detail as to what type of national security request they received.
Internet companies chafed at the U.S. government’s restrictions on public reporting after news reports suggested surveillance conducted under Foreign Intelligence Surveillance Act (FISA) authorities encompassed the data of all Internet companies’ users. The ensuing controversy spurred repeated denials from companies, lobbying efforts, and multiple lawsuits at the FISA Court aimed at relaxing government-imposed limitations on transparency. Companies argued that the restrictions on public reporting prevented them from proving that government national security orders compelled them to disclose data on far fewer users than news reports suggested, damaging their global reputations and leading to missed business opportunities.
Today’s announcement from the DOJ eases the restrictions a bit – giving companies two new options. Under both options, companies can continue to report law enforcement data requests with no restrictions.
Under the first option, the DOJ will allow companies to publish an aggregate number of all data demands originating under FISA authorities, as well as the number of user accounts affected, separately from law enforcement data requests and NSLs. The DOJ will also allow companies to distinguish between demands for content (such as the message in a communication) and non-content metadata (such as a communication’s to/from information). However, the government would still limit companies to reporting the numbers in a range of 1,000, and the government would continue to prohibit companies from specifying what provision of law authorized the order (for example, Section 702 or 703 of FISA).
Under the second option, the DOJ will allow companies to publish all national security requests, combining FISA orders and NSLs, as a single number in a range of 250. Companies choosing this option can also report the number of users targeted by both FISA orders and NSLs in a range of 250. However, companies cannot distinguish between content and non-content orders.
Under the DOJ’s new authorization, companies may publish these figures every six months, but with a six-month delay (so the most current reports would contain data at least six months old). The government’s new authorization would also require a two-year delay on national security-related reporting for “new” products and services that had not yet received such data requests, though it remains to be seen how this stipulation will play out in practice.
The DOJ’s new authorization is a positive development, but we believe it should be a temporary step on the road to more meaningful reform. The DOJ’s authorization is considerably more limited than legislative proposals such as Rep. Sensenbrenner’s and Sen. Leahy’s USA FREEDOM Act and Rep. Lofgren’s Surveillance Order Reporting Act. Those bills would allow companies to report in ranges of 100, break out the orders under specific provisions of law, and impose no delays in reporting for new services. The DOJ’s authorization is also more limited than proposals in the recent reports from the Privacy and Civil Liberties Oversight Board (PCLOB) and the President’s Review Group, both of which recommended that companies be authorized to report separate numbers on national security orders by specific provision of law.
After DOJ’s authorization today, the major Internet companies collectively dismissed their suits without prejudice. This does not mean the push for greater transparency should halt, however. Legislation such as the USA FREEDOM Act is still needed to authorize reporting of more specific numbers and categories of surveillance demands. The DOJ may have made a small step, but it is up to Congress to make the leap to real transparency reform.