A Deeper Dive Into Yahoo and Facebook's Transparency Reports
Ever since Google issued its first transparency report in early 2010, EFF has called on other companies to follow suit and disclose statistics about the number of government requests for user data, whether the request they receive is an official demand (such as a warrant) or an unofficial request. After all, users make decisions every day about which companies they trust with their data; companies therefore owe it to their customers to be transparent about when they hand data over to governments and law enforcement.
Since 2010, other companies have risen to the challenge, including Microsoft, Internet service provider Sonic.Net, cloud storage providers SpiderOak and DropBox, as well as social media companies such as LinkedIn and Twitter.
While we wish they had not taken this long, the two companies deserve kudos for taking this important step. Companies are under no legal obligation to inform their customers about government requests for their data—this is a voluntary step. Both companies are members of the Global Network Initiative, however, which counts transparency among its core principles.
But in light of this summer’s revelations about the NSA’s PRISM—the program under which the NSA gains the ability to access the private communications of users of many of the most popular Internet services, including those owned by Google, Microsoft, Facebook, and Yahoo—Internet giants are rushing to do what they can to restore user trust.
In September, Google, Facebook, and Yahoo all filed requests to the U.S. Foreign Intelligence Surveillance Court (FISC), asking for permission to publish the specific number of National Security Letters (NSL) that the companies received in the past year as well as the total number of user accounts affected by those requests. Of all the dangerous government surveillance powers that were expanded by the USA PATRIOT Act, the NSL power provided by five statutory provisions is one of the most frightening and invasive. These letters—the type served on communications service providers such as phone companies and ISPs and authorized by 18 U.S.C. 2709—allow the FBI to secretly demand data about ordinary American citizens' private communications and Internet activity without any prior judicial review. To make matters worse, recipients of NSLs are subject to gag orders that forbid them from ever revealing the letters' existence to anyone. A federal judge found NSLs unconstitutional in March, but the order is on hold pending the government's appeal.
Some companies have published aggregate numbers, in ranges such as 0-999 or 1000-1999, that give us a broad and blurry view of just how widespread the use of NSLs has been, but more detailed numbers would be much more helpful to the public's understanding of the surveillance, without compromising security.
So now that Facebook and Yahoo have issued transparency reports, what do they tell us?
Facebook’s Global Government Requests Report covers January-June 2013 and reveals that 71 countries requested data on a total of 37,954 to 38,954 users. Unsurprisingly, the US demanded the largest amount of user data, making somewhere between 11,000 and 12,000 requests for 20,000 to 21,000 users.
India came in a close second, with 3,245 requests for 4,144 accounts, and the United Kingdom ranked third with 1,975 requests for 2,337 users. Facebook also revealed the number of times the requests produced "some data." Facebook handed over data to the U.S. 79% of the time, but only 50% and 68% of the time for India and the United Kingdom, respectively.
The vast majority of requests made to Facebook by less democratic countries (including Cote d’Ivoire, Nepal, and Qatar) were refused; however, two nations stood out in the report: Pakistan and Turkey. In the case of Pakistan, 35 requests were made for 47 users, 77% of which Facebook complied with. In the case of Turkey, 96 requests for 170 users were made, and complied with 47% of the time.
What makes this unique is that no other major company has reported compliance with requests from Pakistan. The South Asian country is nominally a democracy, but censors the Internet heavily and has made a relatively transparent effort of seeking Western companies to enable greater censorship and surveillance, a role that Canadian company Netsweeper has been all too eager to fill. It is notable that Facebook has no offices in Pakistan (an office in-country could allow Pakistan to directly seek information from a local employee), nor has Pakistan signed a mutual legal assistance treaty (MLAT) with the US, putting Facebook under no legal obligation to comply with requests from the government.
With no offices in Turkey, either, it’s surprising to see such a high rate of compliance. Complaints of Facebook censoring certain content in Turkey abound, and as a recent blog post by a Kurdish activist demonstrates, some of that censorship seems quite arbitrary.
At the same time, if Facebook doesn’t comply, it undoubtedly risks being blocked in these countries, just as YouTube was for several years, and a tool used by opposition figures and activists might become unavailable. On balance, we think most countries would rightly be hesitant to remove a popular Internet tool, as it may create more unrest than the information sought to be quashed.
While Facebook has been transparent about its law enforcement guidelines, information regarding its processes when it comes to international requests is vague: the data use policy allows disclosure when "consistent with internationally recognized standards," which are not defined. Facebook could enhance its transparency by clarifying its standards for complying with requests; even if its standards are perfect in every way, users are legitimately concerned when they do not know what standards might apply.
Like Facebook, Yahoo also reported that the United States led the number of requests, with 12,444 data requests that included 40,322 Yahoo accounts. Yahoo handed content-related data, including communications in Yahoo Mail or Messenger, photos on Flickr or Yahoo Address Book entries, over to American agencies in 4,604 cases. The company gave the government non-content related information, which includes a person’s name, location or Internet Protocol address, in 6,798 cases.
Yahoo received fewer requests from the United Kingdom (1,709) and India (1,490) than did Facebook, with similar compliance rates. One nice feature of Yahoo’s report is that it breaks down the type of data disclosure (non-content vs. content) in a pie chart for each country. In the UK, for example, 44% of requests were responded to with disclosures of non-content data, while in 20% of cases, content was disclosed to law enforcement.
Surprisingly, Yahoo received far more requests from Hong Kong than any other company, and complied with 100% of them (content was only disclosed in 1% of those cases). The South China Morning Post quoted lawmaker Charles Mok as saying that the number was high, and called on Yahoo to disclose which government agencies requested the data.