Last week we reported that several large tech companies, including Apple, Microsoft, Google, and Facebook, were working on changing their policies about notifying users when there was a government request for a user’s data. Those companies would join Yahoo and Twitter, which already had such policies in place. This public move is in response to major tech companies being implicated as either complicit in or ignorant of the U.S. government surveillance and data mining capability revealed in the Edward Snowden leaks of 2013 that exposed the NSA methods of spying.
Apple has published its policy document on its website for all to see. Essentially the policy outlines what most expected. Apple is still subject to government requests that, as part of the legal request, require that the user not be notified. Requests that come with an accompanying gag order from the FBI, or from the Foreign Intelligence Surveillance Court (FISA), won’t fall under these new guidelines. Apple will also make an exception in cases where a request seeks to prevent physical harm to a potential crime victim. There is a specific provision in the document that covers that circumstance.
The document is called Legal Process Guidelines U.S. Law Enforcement and it was posted by Apple yesterday. Apple’s notification policy is spelled out as follows:
Apple will notify its customers when their personal information is being sought in response to legal process except where providing notice is prohibited by the legal process itself, by a court order Apple receives (e.g., an order under 18 U.S.C. §2705(b)), or by applicable law or where Apple, in its sole discretion, believes that providing notice could create a risk of injury or death to an identifiable individual or group of individuals or in situations where the case relates to child endangerment.
Further, Apple spells out what data is available and under what circumstances that data can be turned over in response to a government request, in a section that includes specific information for device registration information, customer service records, iTunes information, retail store transactions, Apple online store purchases, iTunes gift cards, iCloud subscriber information, mail logs, email content, photos, documents, contacts, calendars, bookmarks, iOS device backups and Find My iPhone.
Apple also states clearly what information it does not have available including:
iCloud stores the content for these services that the customer has elected to maintain in the account while the customer’s account remains active. Apple does not retain deleted content once it is cleared from Apple’s servers. Apple will produce customer content in these categories only in response to a valid search warrant.
That also applies to email. In essence Apple is saying that, once deleted, the above-referenced data is not available for Apple to turn over in response to a request. Apple also clearly states that it does not track GPS data. Apple also cannot give law enforcement officials the passcode to a locked device.
In a FAQ section Apple explains its policy and procedures for a number of issues. Apple also states in that section that existing wiretap laws can be used to intercept certain communications as follows:
Apple can intercept users’ email communications, upon receipt of a valid Wiretap Order. Apple cannot intercept users’ iMessage or FaceTime communications as these communications are end-to-end encrypted.
In essence there are no real surprises here, but the value of Apple and others reviewing and posting their policies should to some degree help improve tech companies’ reputations after the damaging assertions that they either allowed the government to intercept data directly from their servers or were ignorant that the government could do so via unauthorized back doors. If nothing else this is a shrewd public relations move by Apple, and similar steps by other companies will be as well.
These allegations were damaging on a number of fronts and left individual and business users deeply concerned about the data that streamed through the various cloud services that are now prevalent. But the legal climate has slowly been changing regarding some government requests for information and how these companies respond. Some tech companies now refuse to disclose the content of emails or social media posts unless government sources provide a search warrant, which is a due process step beyond a subpoena. Those search warrants require a higher standard to prove probable cause. The U.S. 6th Circuit Court of Appeals has supported industry thinking on this issue when it comes to requests for digital content, and the issuance of a warrant is now accepted as a standard in most cases.
Do these publicly displayed policy notices erase the concerns of privacy advocates? No. To say that the Snowden leaks have created an ongoing atmosphere of mistrust is an understatement. Perhaps that is healthy, as it keeps everyone on their toes regarding privacy issues, including users. The new policy also raises legitimate law enforcement issues, with some predicting that any notification could give a bad actor time to erase data. As in most things in life, these issues come down to striking a balance, and when both sides of a debate are still dissatisfied perhaps that means there is some progress.