Apple, Google, Microsoft, and Facebook are changing policies to appear as if they are standing up to the authorities in the wake of revelations of NSA snooping set loose on the world by the Edward Snowden leaks. Each of those large companies, and other smaller players, have, or are about to, change their policies so that they can provide notice to users in some instances when authorities request user data for an investigation.
Will this be enough to mollify security and privacy conscious consumers? Will it be enough to restore the reputations of these tech companies that were harmed by some of the Snowden leaks? Will these steps be enough to achieve a balance between user privacy and government security concerns? Is it setting the stage for larger battles with the NSA and other authorities? Those questions won’t get answered in any short or long term view given the circumstances, but it is, if nothing else, a shrewd public relations move.
The Washington Post is reporting that Apple, Google, Microsoft and Facebook are revamping their policies in order to routinely notify users of a government request for information. They join Yahoo which did so last July, and Twitter which has also had a policy of notifying users. Before you get too excited, it is important to note that any requests that come with an accompanying gag order from the FBI, or from the Foreign Intelligence Surveillance Court (FISA) won’t fall under these new guidelines. Companies with notification policies also make exceptions in cases where a request seeks to prohibit physical harm to a potential crime victim.
Users can check out the Electronic Frontier Foundation’s (EFF) annual Who Has Your Back report that scores major U.S. tech companies on which companies protect your data and how. The link above is to the 2013 report. The 2014 EFF report is due mid-May of this year and has prompted these policy revaluations. Skeptics might think that revamped policies are merely an attempt to look good in the EFF annual report and have no real value.
Apple is expected to announce its new policies later this month according to a spokesman:
“Later this month, Apple will update its policies so that in most cases when law enforcement requests personal information about a customer, the customer will receive a notification from Apple.”
Critics, mostly within law enforcement, are already complaining that any kind of user notification would allow bad actors to delete data ahead of any information being turned over to the authorities and harm investigations.
When Edward Snowden famously, or infamously, revealed information in 2013 that the National Security Agency (NSA) was capable of routinely monitoring any and all user data it set off a political and business firestorm. In the initial leaks major tech companies were implicated for allowing back door access to user data through their servers. All of those tech companies denied any willfully complicit action on their parts, while stating plainly that they did comply with legal requirements that requested user data.
In the ongoing debate since the Snowden leaks, U.S. tech companies have been vocal about how any possible complicit connection with the NSA or other government agencies could, and possibly have, damaged business relationships with foreign companies and governments. Apple’s CEO Tim Cook famously stated,
“I’ve been pushing very, very hard to open the books and be totally transparent. Much of what has been said isn’t true; there is no back door. The government doesn’t have access to our servers. They would have to cart us out in a box for that. And that just will not happen.”
Already the legal climate is changing regarding some government requests for information. Some tech companies now refuse to disclose the content of emails or social media posts unless government sources provide a search warrant, which is a due process step beyond a subpoena. Search warrants require a higher standard to prove probable cause. The U.S. 6th Circuit Court of Appeals has supported industry thinking on this issue when it comes to requests for digital content and the issuance of a warrant is now accepted as a standard in most cases.
But as the Washington Post points out:
For data other than content — such as records showing the senders and recipients of e-mails, the phone numbers registered with accounts or identifying information about the computers used to access services — companies have continued accepting subpoenas but warn investigators that users will be notified before disclosure occurs.
This is where the rubber will meet the road in this part of the debate going forward. The so called “metadata” collection instead of content collection became a fine line distinction when political leaders defended the various security measures that were in place. Polls continue to show that many just don’t trust government pronouncements on the issue any longer, as politicians and businesses continue to find a way forward balancing security concerns with user privacy.
New notification policies by major tech companies may be an important step from both public relations and business relations perspectives. Indeed they may also be an important line in the sand in terms of corporate versus government priorities. That said, in a climate of mistrust that has only become more toxic since the initial and subsequent Snowden revelations, privacy advocates will point out that U.S. tech companies will still be subject to FISA and other court restrictions, that if expanded, might keep Apple, Google, Facebook, Microsoft, Yahoo, and others in a never ending contest to balance user concerns with their legal responsibilities.