The big ask: Government requests

What issues should companies be considering when it comes to handing over privileged information? Karen Epper Hoffman investigates.

The question of how much access a government has, and should be allowed, to its people's private electronic information is perhaps the biggest privacy issue of current times, and one that Nate Cardozo is keeping a close watch on.

As senior staff attorney for the Electronic Frontier Foundation's (EFF) digital civil liberties team, Cardozo focuses on the group's free speech and privacy litigation, which includes the on-going and increasingly complicated concerns surrounding government requests to companies for access to their customers' data. 

“We're seeing a big increase in the government making these requests, it's increasing at a pretty algebraic slope,” Cardozo says, adding that the federal investigators are starting to “catch up with technology,” realizing they could use it to their advantage. State and local law enforcement agencies are starting to see data requests as a potential resource. 

But Cardozo, like many legal experts and technology industry insiders, has a fair share of concerns about the growing number of data requests being fielded by the likes of Apple, Microsoft, Facebook, Google, Snapchat and virtually every other technology, telecommunications and social media company. The main underlying question is: Where do we draw the line? 

“Our financial data is very sensitive and a lot of us may view our bank transactions and balances as our most private data,” Cardozo explains. “But most of that information is not as sensitive or [encompassing] as what we all have put online and on our phones over the past decade.”

Mike Janke, co-founder and chairman of Silent Circle, an encrypted communications firm based in Geneva, Switzerland, says that while these data requests are on the rise among many sectors, technology and telecommunications companies receive the lion's share. “Our digital life has so many footprints, we now see government asking companies like Netflix, Hulu, HBO and cable providers for information,” Janke says, adding that services-oriented outfits like Uber, Lyft and Airbnb are seeing them too.

Indeed, government agencies and federal law enforcement have for many years been requesting access to relevant data – be it proprietary corporate data or customer information – to help in solving or stopping a crime, finding a potential terrorist, or establishing a paper trail of proof. But in the last few years these requests have been aimed more and more frequently at leading tech companies like Apple, Microsoft, Google, Reddit, LinkedIn, Snapchat, and a host of other companies that are privy to millions of customers' texts, emails, photos, calendars, contacts, search and dating histories, GPS information, and other details and preferences.

“There's just a lot more information available than before and much more of personal and business activity, a much richer trail of information,” says Bill Anderson, CEO of OptioLabs, and a long-time cryptography and mobile security expert. “Law enforcement is just being really practical collecting clues. It stands to reason that is happening, the information is there.”

Requests on the rise

There simply was not the same amount of stored electronic data on phones, laptops and in the corporate cloud 10 or even five years ago as exists today, points out Daniel Castro, vice president of the Information Technology and Innovation Foundation (ITIF), a leading science and tech policy think tank. And, with the addition of smart home devices like Alexa, and the ongoing march toward the Internet of Things, there will be a rising tide of information that governments and law enforcement may want to access for the purposes of an investigation.

Indeed, government data requests worldwide to Google had already increased 29 percent from 2014 to 2015 alone, according to the search engine's publicly posted “transparency report.” And Facebook's recent transparency report cited a 27 percent increase in government requests for user data in the first half of 2016, compared to the last half of 2015. 

Further, in recent years, more Silicon Valley companies are publishing these transparency reports as a means of laying out their position on information privacy and where the company stands on what it will and will not share with a government. Google has been publishing a semi-annual transparency report since 2011, and Apple, Microsoft, Dropbox and many other technology companies do something similar. (While LinkedIn, Twitter and Reddit spokespersons all declined to comment for this story, they all sent links to their own companies' transparency reports.) For his part, Cardozo authors the EFF's “Who Has Your Back?” report, which describes companies' various practices and policies related to government data requests and data retention – and even ranks their efforts on a one-to-five score. 

Cardozo says he expected to see decreases in these government requests after the leaks from Edward Snowden, and not so many over-reaches for greater amounts of information that may or may not be relevant. But instead, he says such requests are growing – and tech companies are pushing back. Most notably, early last year Apple locked horns with the Federal Bureau of Investigation when it denied the FBI's request that the computing giant change its password mechanism so federal investigators could unlock the iPhone used by a man involved in a shooting in San Bernardino, Calif., in December 2015 that left 14 people dead. Eventually, the FBI found another way to access the information it needed from the mobile device. But the case raised huge concerns about whether governments should be allowed to have broad-based access to personal data on individual customers – and whether government agencies could further be allowed to compel companies not to tell their customers when their personal information is accessed by the government. 

Similarly, Microsoft filed a lawsuit against the Justice Department in April 2016, claiming that a government data request from this department would have violated the Redmond, Wash.-based giant's First and Fourth Amendment rights to communicate with customers. In that suit, Microsoft noted that at the time it had received 5,624 legal orders within the previous 18 months, 2,576 of which asked the company not to notify customers about warrants or subpoenas for information. 

“People do not give up their rights when they move their private information from physical storage to the cloud,” Microsoft said in its lawsuit, adding that the government “has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.” In fact, Bill Ho, CEO of Biscom, a secure file-sharing company based in Chelmsford, Mass., believes a potential side effect may be seeing “companies going back to on-premises solutions – which provide companies with more control over their information, and requests for information must go straight to the organization rather than the cloud service provider…This is especially true for companies outside the United States that are concerned with data privacy and government access to their data vis-à-vis the Patriot Act.”

Biscom recently conducted a survey about information privacy and how people's perspective changed based on external factors and found that people overwhelmingly (85 percent) did not want companies like Google and Facebook to share their personal information with the government, Ho says. However, he added that the percentage dropped to 75 percent if the information request was linked to a possible commission of a crime; and if the request was terror-related, it plummeted to 34 percent. 

“This phenomenon is not unexpected,” Ho says. “After September 11th, we all accept the heightened TSA screening – so large events affect not only the increase in government requests, but also our willingness to allow access to our private information.”

Cardozo points out that many data requests are “very cookie cutter, open and shut,” and easy for a company to comply with without breaking its ethical boundaries. But it is the unusual data requests, the ones in which the government is asking for much broader access to individual customers' data (not just overarching metadata) that could set bad precedents for the future of privacy. 

“It's important for the company to know what the government is actually trying to do,” says Cardozo, adding that in the case of Apple, it was not the request for data but the legal authority to compel the computing company to change its product that went too far. 

Considering requests

But how can a company discern whether that request, especially a request made in the face of an ongoing crime or attack, is a bridge too far? According to Sean O'Brien, spokesman for Microsoft, the computing giant “adheres to the same principles for all requests from government agencies for user data, requiring governmental entities to follow the applicable laws, rules and procedures for requesting customer data. Microsoft does not provide any government with direct and unfettered access to our customers' data, and we do not provide any government with our encryption keys or the ability to break our encryption.” 

If a government wants customer data, it needs to follow applicable legal process, O'Brien says, meaning, it must serve the company with a warrant or court order for content or a subpoena for subscriber information or other non-content data. “We require that any requests be targeted at specific accounts and identifiers,” he explains. “Microsoft's compliance team reviews government demands for user data to ensure the requests are valid, rejects those that are not valid, and only provides the data specified in the legal order.”

Similarly, Biscom has “had a few instances where the government has asked us to provide customer data,” Ho says. “Our default stance is that we respect the privacy of our customers, but under a lawful order, such as a subpoena, we will do what we can to provide information once we verify the veracity of the request.” 

In two recent cases, Ho says that government agencies – one federal and one state – approached the company requesting information stemming from fraud. In one instance, an individual used Biscom's fax service to unlawfully participate in a class action suit; and in another, a state agency was investigating a case of identity theft and welfare fraud.

When considering a data request, companies must look at whether they are truly obligated, according to Castro of ITIF. “The consumer concern is not access to information, but access in inappropriate situations. That's where companies have to use their judgment.” 

The infrastructure, culture, reputation and size or scope of the company itself can all play a role in how corporations make a decision to share information, according to Anderson at Optio Labs. Therefore, two companies in the same industry of the same approximate size might come to completely different responses if presented independently with the same request for data. “A company that is truly a leader will show some insight and consideration and communication and thinking beyond the current incident to what happens next,” Anderson points out.

Perhaps most importantly, in a long-term sense, companies must consider what kind of precedents they are setting for policies – not just in the United States, but all over the world. For example, in the case of access to the iPhone, Apple may have considered that if it had offered the mechanism requested by the U.S. government to make iPhones more accessible, it might also be compelled to offer the same access to other governments, like China and Turkey, Anderson says. “Companies have to think responsibly about the ecosystem as a whole. And it's more global than just our government,” he adds. 

Cardozo says that the EFF endorses companies complying with every data request that “follows the law.” (For example, EFF filed an amicus brief in support of Apple's decision to refuse to change its system to give access to the FBI.) But, as with other experts, Cardozo believes companies should be mindful of the potential for these requests to be precedent-setting, and to create new obligations that might chip away at individual rights and privacy – even in the case of perceived exceptional situations.

“Laws exist for a reason,” Cardozo says. “Once the exception is made, the system falls apart.” 
