Today, the Department of Justice announced that it has reached an agreement with Google and Microsoft to allow them and other tech companies to report, within broad ranges, the number of Foreign Intelligence Surveillance Court orders they receive, and the number of user accounts surveilled. Google and Microsoft have agreed to drop their lawsuit, which argued that they have a First Amendment right to report such information, but reserve the right to refile the lawsuit.
The following statement may be attributed to TechFreedom President Berin Szoka:
This agreement allows greater transparency about how much user data companies are required to turn over to national security agencies. But these concessions seem to go just far enough to provide the President to back up his lofty talk of reform with a concrete example in tomorrow’s State of the Union address — without providing Americans the full transparency we need to have a rational debate about balancing national security with privacy.
There may well be good reasons for limiting the scope of transparency: if a single company’s total number of requests or affected users is small enough, publishing precise numbers immediately might tip off terrorists that they’re under surveillance. But the right way to address that problem is to allow disclosures within an initial range, and precise numbers above that. Instead, the agreement allows only reporting of requests and affected users broken down as between criminal process, the FBI’s National Security Letters and FISC orders only in increments of 1000. The agreement does allow reporting in increments of 250 — but only if all three categories are lumped together. Either way, the transparency allowed by the agreement will paint only a picture of surveillance in the broadest of brush strokes.
The agreement requires a six month delay for reporting data. This may be sensible, but the the agreement imposes an additional delay of two years before a company can report any FISC data after receiving its first FISC order for a particular service. This delay means we won’t know about the full scope of FISA surveillance for the newest products and companies.
In short, the agreement is a major improvement, but doesn’t remove the pressing need for Congress to strike a better balance between privacy and national security. Transparency should be as granular and fresh as possible without compromising ongoing investigations. Also, the government should publish clearer transparency reports on its own. If Congress doesn’t act quickly, some company will eventually force the other question still unsettled: Just how far does the First Amendment go in allowing companies to speak about government surveillance?
Szoka is available for comment at firstname.lastname@example.org. Last summer, TechFreedom joined 59 civil society groups and 39 Internet companies in a coalition letter urging more granular transparency. TechFreedom also joined four other leading privacy advocacy groups in an amicus brief supporting the lawsuit brought by Google and Microsoft.