internet service providers

Which countries' law enforcement are data hungry?

One of the trends from the industry-wide transparency report that’s worth looking at more closely is which countries are making requests for user data, to which companies, and on what scale.  This post will break down these statistics and suggest some of the trends behind the numbers. As I mentioned in the last post, the figures in transparency reports only refer to requests that foreign law enforcement make directly to companies, not requests through the mutual legal assistance treaty process.  Requests that come through the MLAT process are treated like requests from US law enforcement, and are bundled into the statistics for the US.  This means that the US figures are artificially inflated and I have therefore removed the figures for US requests from this analysis.

When it rains, it pours

number of requests by company

The first thing to note is that the number of direct foreign requests is still low for most internet companies.  Dropbox and Pinterest did not receive any direct foreign requests.  However, the big four companies are being inundated with requests, with Microsoft receiving almost 30,000 requests in the last six months of 2013.  Twitter is barely on the scene, with fewer than 723 requests (Twitter’s numbers are given as a range if they fall below 10, so this figure is only approximate).

Some companies, such as Twitter, LinkedIn, Pinterest and Wordpress are not likely to experience the same scale of requests as the big four companies.  This is because most of their content is intended to be publicly accessible.   Law enforcement therefore should not need to contact the companies to access user content; they are more likely only to need to contact the companies in order to access subscriber information to identify anonymous account holders, or to seek preservation of account information before it is deleted.  Other factors that can influence the number of requests from foreign law enforcement that a company receives include a company’s international presence, criminals’ preferences for particular platforms, and law enforcement’s familiarity with the particular company.

I have included Yahoo! in this analysis, but it is very important to note that the data in Yahoo!'s transparency report is quite different from the data in the other companies' reports.  There is still value in looking at Yahoo!'s data, but this is definitely a case of comparing apples with oranges.  Yahoo! only reports on requests that are made by countries in which they have a legal subsidiary.  This means that the requests referred to in Yahoo!'s report are made within those countries and are governed by each country's domestic laws, not US law.  For this reason, these requests can result in handing over content as well as subscriber details.  The big question is what about the countries in which Yahoo! does not have a legal subsidiary - where are those statistics?  Presumably there are Yahoo! users in countries in which Yahoo! does not have a legal subsidiary, and local law enforcement would try to request that data directly from Yahoo! in the US.  However, Yahoo! does not seem to publish any information on the number of those requests and how they responded.   Accordingly, we do not have an accurate figure to compare between Yahoo! and the other companies.

The data-hungry countries

Microsoft top 10
Google top 10
Facebook top 10
Yahoo top 10

The next breakdown that is interesting to consider is which countries are making requests to which companies.  These charts show the top 10 requesting countries to Microsoft, Google, Yahoo! and Facebook.  Some of this is unsurprising; Brazil, France, India and Germany have noticeable and reasonably consistent representation across the companies.  Australia seems to punch above its weight, with requests from its law enforcement officers comprising about 5-6% of each company’s total requests.  Singapore also makes a surprise entry in the Google statistics.

Some of the factors that could explain the different levels of requests from countries include:

  • the penetration levels of these companies’ products in particular markets;
  • local law enforcement’s level of awareness and competence in requesting online data; and
  • whether law enforcement feel more able to make direct requests to companies (rather than going through the slower, more cumbersome process of mutual legal assistance).

Taiwan and Hong Kong figure in Yahoo!'s top ten, but not the other companies'.  It is likely that this not only reflects the increased presence of Yahoo! in these countries, but also the skewed nature of the data set that Yahoo! provides because it only provides figures for countries in which there is a Yahoo! subsidiary.

Perhaps the standout issue in these statistics is the large number of requests to Microsoft from Turkey.  Turkey does not even make it into the top 10 for other companies, but accounts for 21% of requests to Microsoft.  This is particularly interesting given the political turmoil in Turkey during this period.  Of course, the next interesting statistic to consider is how the companies respond to the requests that they receive.  I will delve more into this issue in the next post.

International data privacy: what we need is an industry transparency report

Cross-posted from https://cyberlaw.stanford.edu/blog/2014/05/international-data-privacy-what-we-need-industry-transparency-report  Google, Yahoo!, Microsoft, Twitter, Apple, Dropbox, LinkedIn, and Pinterest all publish transparency reports.  Wordpress is the latest company to join the party, recently publishing their first transparency report.   However, it’s difficult to see trends and anomalies when the information is scattered across multiple individual company reports.  In order to get a comprehensive view of what is happening, we need to pull all of these fragments into a comprehensive picture.  We need an internet industry-wide transparency report.

To create a kind of hacked industry transparency report, I have consolidated the July-December 2013 transparency data from the main internet companies.  There is such a wealth of information to pore over and slice and dice in different ways that I will separate the analysis into a series of blog entries.  My interest is the international aspect, so I will focus on requests from foreign law enforcement.  This post will outline some of the key themes emerging from my comparison.

Combined law enforcement data table

Only part of the picture

The first thing to note is that the transparency reports only show requests from foreign law enforcement that are made directly to the company.  As I have previously noted, there are at least three main ways in which foreign law enforcement can access user data that is held by a US company:

  1. through the US government via the mutual legal assistance treaty (MLAT) process;
  2. directly asking the company; or
  3. asking the FBI to obtain the data on their behalf.

The transparency reports only show requests made via method (2).  This is not the companies’ fault; by the time an MLAT request filters down to companies’ in-house lawyers and paralegals, it simply looks like a search warrant issued by the US District Court.  For this reason, any requests that go through the MLAT system show up as US requests.  This has the unfortunate consequence of over-inflating the statistics for US government requests and hiding where the requests are really coming from.

Same-same but different

The companies’ reports are similar, but not the same.  As the pioneer in this field, Google has set the template that many of the other companies now use.  The Google-inspired template includes (1) number of requests (2) percentage of requests for which data was provided and (3) number of accounts/users affected.   However, there are subtle differences in layout and content, which make it difficult to draw meaningful comparisons across companies.

For example, Microsoft divides their responses into percentages for content and non-content, which means that you can’t easily do a direct comparison with the percentages listed by companies that use the Google template.  Of course, with some 8th grade algebra, you can overcome this, but it slows down the comparison process.  A couple of other notable anomalies are that Twitter does not give a specific number for countries for which there were fewer than 10 requests.  This could be because when the numbers of requests are small, criminal suspects may be tipped off that they are under suspicion.  Dropbox does not break down their foreign requests by country at all (intriguingly, although 90 foreign requests were made, 0 accounts were affected – I can only imagine that this means that they refused all 90 requests).

There isn’t necessarily anything sinister going on here; it just makes direct comparison across companies difficult.  It would be great to see consistent reporting across the internet companies (or even some consolidating reporting!).

Content vs non-content

One of the differences in the transparency reports that reveals a more substantive issue is that the Yahoo! and Microsoft reports indicate whether content or non-content has been handed over to foreign countries.  This is more than just a question of template consistency; Yahoo! and Microsoft are notable exceptions in that they will accept jurisdiction for data requests in certain countries outside of the US.  The other companies will generally only provide content through their US headquarters, in response to a US court order (eg through the MLAT process) or in emergency situations.

It’s harder to see overseas

There is an increase in the granularity of Google’s data with each year since 2010 and other companies are starting to follow suit. The improved transparency of national security requests is also a new development.  However, when it comes to foreign requests, the level of detail takes a nosedive.  There are at least two areas where this is important:  legal process; and user notification.

Legal process

Google, LinkedIn and Dropbox break down the number of US requests according to which process was used eg subpoena, court order, or search warrant.  This is not possible for foreign requests - as noted above, the only foreign law enforcement requests that are separately shown in the transparency reports are those that are made directly to the companies and this means that there has not been any US legal process.  As I’ve noted [previously], the Electronic Communications Privacy Act does not apply to foreign governments, so they cannot use US legal process and companies have unfettered discretion about whether or not to provide non-content information to them.  Some companies take this responsibility very seriously and apply their own due diligence processes before handing over user records.  However, there is no visibility of what these standards and processes are.  As I will discuss in a later post, there are notable differences between different companies’ compliance rates for requests from the same countries, which suggests that the companies may be exercising this discretion quite differently.

User notification

In the domestic context, Dropbox and Pinterest show whether they notified the user that their records had been accessed by US law enforcement.  Apple, Google, Microsoft, and Facebook are all apparently updating their policies to increase their rate of user notification.  Depending on the legal process used, ECPA establishes different obligations with respect to notification for access by law enforcement.  This is quite an interesting statistic but it would arguably be more important to see the statistics for foreign requests.  The fact that ECPA does not apply to foreign governments means that there is no obligation on companies to notify users if foreign law enforcement accesses their records.  Since there is no legal obligation on companies, it is entirely a matter of policy as to whether or not they notify users and we have no visibility of how this plays out in practice.

I have attached the raw data from my unified industry transparency report, but will be sharing charts and diagrams that break up the data into more intelligible chunks over the next week or so.

One heck of a timely UN report on government surveillance of communications

If it had happened on House of Cards, you’d have enjoyed the theater of it, but figured that the writers had taken some artistic license in the timing.  I mean, it just doesn’t happen in real life that the UN releases a report on the dangers of government surveillance on the internet immediately before the news breaks that the US Government has been conducting internet surveillance of previously unimagined proportions.  Critics could unkindly say this is because the UN is never ahead of the game, but in this case, you have to hand it to Frank La Rue – he has clearly authored an exceptionally timely report:

4 June 2013 – “Freedom of expression cannot be ensured without respect to privacy in communications,” United Nations Special Rapporteur Frank La Rue said today, calling for more global attention to the widespread use of surveillance technologies by States in violation of the human rights to privacy and freedom of expression.

5 June 2013 - The National Security Agency is currently collecting the telephone records of millions of US customers of Verizon, one of America's largest telecoms providers, under a top secret court order issued in April.

6 June 2013 - The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants …. The NSA access is part of a previously undisclosed program called PRISM, which allows officials to collect material including search history, the content of emails, file transfers and live chats, the document says. 

The right to privacy is a fundamental freedom in its own right (pardon the pun), but also as an important enabler for other rights such as the freedom of speech.  And yet, the right to privacy is a qualified right.  La Rue’s report notes that international human rights law is not sufficiently nuanced to provide clear guidance for countries and individuals when trying to understand what (if any) government intrusions into an individual’s electronic communications are acceptable.  In general terms, the right to privacy can be limited if the restrictions:

  1. are provided by the law;
  2. do not go to ‘the essence’ of the human right;
  3. are necessary in a democratic society;
  4. are not subject to unfettered discretion;
  5. are necessary for reaching an enumerated legitimate aim; and
  6. are proportionate (ie the least intrusive instrument to achieve the desired result, and the restrictions are proportionate to the interest to be protected).

It may well be that the US government’s electronic surveillance activities are permissible restrictions on the right to privacy under international human rights law.  The answer is in the detail of whether the restrictions are ‘necessary’, ‘proportionate’ and sufficiently fettered.  To satisfy this test, the government would certainly need to make some pretty convincing arguments.  President Obama’s brief defence of the program focuses on the fact that the surveillance only looks at ‘meta-data’, in order to identify patterns. This type of pattern can be invaluable in identifying potential security threats, and national security is clearly a legitimate aim in a democratic society.  However, the intrusion on privacy is only acceptable if the level of discretion, oversight and proportionality are adequate, and this can by no means be assumed in the current circumstances.

La Rue’s report concludes by making 17 recommendations.  Many of these recommendations relate to transparency, accountability and public awareness.  For example, he states that laws governing electronic surveillance should meet ‘a standard of clarity and precision that is sufficient to ensure that individuals have advance notice of and can foresee their application’.  In essence, his recommendations capture a sense that reasonable citizens should not be alarmed to learn of the type of surveillance that occurs, should acknowledge that the surveillance is of value and should be reassured that there are adequate oversight mechanisms in place.  Once again, his report is right on the money; the level of outcry in the US media and around water coolers this morning indicates that the current surveillance policies are not meeting the public 'sniff test'.  Something smells decidedly off.

So often, UN reports end with a plea for increased public awareness and further discussion about the issues, but any resulting debate is limited to the international law nerds and human rights nuts amongst us.  However, the freakishly good timing of La Rue’s report may just mean that the issues that he has raised capture mainstream attention and generate some real public debate.


What is the greatest risk to online rights - government, companies or anarchy?

‘Nick Merrill is building an internet service provider called Calyx. Calyx will be designed to encrypt user's data in such a way that it'll be inaccessible to anyone but that user. Which means that if the government asks for your browser history or emails, Calyx will be technologically unable to hand them over.’  When I stumbled across this, I was horrified.  As a civil servant and government lawyer, I bridled at the blatant attempt to undermine the criminal justice process.  But then I read on and watched videos of Nick Merrill telling his story of fighting a national security letter requiring him to disclose details about one of the clients of his ISP company.  It is quite compelling to hear of his six-year battle for recognition of his entitlement to speak with his attorney and his right to tell others that he was issued with a national security letter.  So Nick Merrill’s encrypted ISP project started to sound less like paranoia and more like a rational reaction.

Just this week, I read that at the recent Black Hat Conference, when the room full of internet and security professionals was asked who they trusted less, Google or the government, the majority raised their hands for Google.  This surprised me, given the deeply ingrained distrust of big government and led me to wonder whether we were sliding into a situation in which the public will not trust anyone with regulation of online activities.  Is the web to become a wild west of anarchy because we are too afraid to trust anyone with any form of monitoring or enforcement?

FEAR OF THE GOVERNMENT

The US PATRIOT Act has a lot to answer for.  One part of the post-9/11 legislative reforms was provisions extending the FBI’s ability in certain circumstances to request records from ISPs, financial institutions and credit providers without the need for a court-issued warrant.  Moreover, recipients of national security letters were unable to challenge the request and were prohibited from telling anyone that they had received a letter (let alone the content of the letter) for an indeterminate period. Nick Merrill was the first person to challenge the constitutionality of the regime.  The personal and financial toll that the battle has taken on him makes you question whether the 9/11 terrorists were more successful at undermining the most highly-prized values in our system than we will ever care to admit.

Meanwhile, media attention on the ‘great firewall of China’ and the role of internet censorship in the Arab Spring has brought home the power of the internet internationally as a tool of oppression in the hands of an unscrupulous government.

Domestically, the fear that the government will exploit the power of the internet has found a focal point in the campaign against the Cybersecurity Act 2012.  Alarm bells are ringing for privacy advocates as the Cybersecurity Act seeks to expand the ability for ISPs to share user information with the government outside of the current judicial oversight mechanism.

Internationally, many civil society bodies seem to see the upcoming 2012 World Conference on International Telecommunications in December as an opportunity for governments to seize control of the internet for their own purposes.  The WCIT seeks to renegotiate the International Telecommunications Regulations with a view to expanding the ITU’s mandate to include regulation of the internet.  Distrust of the intention behind this move has led to the creation of a wikileaks-style site that posts the preparatory reports and proposals.

FEAR OF COMPANIES

While the public might have been willing to cut Google some slack over the ‘inadvertent’ capturing of private data in the UK during its street view operations (everyone makes mistakes, right?), their subsequent failure to follow through on their undertaking to delete the data might start to undermine the credibility of the ‘don’t be evil’ mandate.

I suspect that the friendly glow of social networking and web companies is also fading as the public confronts the fact that these companies are not benevolent societies established to help us share information and stay in touch with friends, but are businesses that ultimately need to make money.  Facebook’s much-analysed IPO and disappointing profits underscore the imperative for companies to find ways in which to capitalise on all that ‘big data’ that they have amassed from their user base.  The popularity of the ‘do not track’ movement, which allows users to request that websites not collect information about their online browsing habits reveals a growing distrust of web companies and their moves to use our personal data for profit.

FEAR OF ANARCHY?

It seems we’re at risk of descending into a Mad-Eye Moody state of ‘constant vigilance’, unwilling to trust anyone.  But short of finding a real life Dumbledore, this is not a sustainable approach.  Without effective policing of the internet, it becomes a modern wild west; a safe haven for criminals and a dangerous place for the rest of us.  But when there is no public visibility of the many times when police or security authorities’ access to online information has helped thwart criminal activities and protect users’ rights, it is difficult to assess the value of government access to online records.

At the risk of sounding like a government stooge, I think the answer lies not in efforts to circumvent government access to information, but in better systems for managing government access to our information.  Law enforcement and security authorities need quick and effective access to the information held by web companies in order to enforce the criminal laws.  Of course, all governmental power needs appropriate checks and safeguards.   This is where the national security letter scheme went wrong and this is where we should be focusing our attentions.  While I can't deny the logic of Nick Merrill's latest encrypted ISP project, I hope that this is not the direction that we end up taking.  I still hope that we can work to fix the system, rather than taking ourselves outside of the system.

Going beyond the guidelines - legal and moral responsibilities on ICT companies

YouTube this week introduced a face-blurring tool to protect activists from being recognised by their online activities.  Human rights groups will no doubt welcome the initiative as it comes in response to calls from groups such as Witness.  Some web companies demonstrate a commitment to not only reducing the negative human rights impacts of their activities, but also to actively improving the positive impacts that they may have.  The uptake of some of the voluntary guidelines on corporate social responsibility and human rights demonstrates a willingness to go beyond the minimum requirements.  But what responsibilities do tech companies really owe to users in other countries?  Is this solely a question of moral responsibility and ethics, or is there a legal obligation?  And should moral responsibility be reflected in a legally-binding regime? Broadly speaking, international human rights law is only binding on States, not companies or individuals.  States have obligations to persons within their jurisdiction. In order to protect the rights of persons within their jurisdiction, States may need to regulate the conduct of companies operating there.  In this way, a State may use its domestic law to impose obligations on companies in an effort to implement its obligations under international law.  However, in many cases there will not be any relevant domestic law, particularly in States that do not have a robust approach to human rights protection or those that are actively abusing their residents’ human rights.  So, while international human rights law provides a useful benchmark for companies in understanding the scope and permissible limits on human rights, it does not actually impose any direct obligations on companies.

Even though international human rights law does not impose direct obligations on companies, there are still ways in which companies may be legally liable for actions that breach individual human rights.  Red Flags provides a great, very brief summary of some of the ‘liability risks for companies operating in high-risk zones’ and I will mention a few of the key legal areas in the following discussion.  It is also worth noting that actions that have an adverse human rights impact can be regulated by laws that are not specifically targeted at ‘human rights’ protection.  For example, many countries have criminal legislation that operates extraterritorially for companies that bribe foreign public officials (this is mandated under the UN Convention against Corruption and the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions).

Human rights obligations under US law

The US is unusual in potentially imposing domestic liability on companies for actions not complying with international law standards even when they occur beyond US territory.  The Alien Tort Claims Statute (28 USC §1350) is the most (in)famous of these, with companies potentially having civil liability for actions that they commit ‘in violation of the law of nations or a treaty of the United States’.  Yahoo! previously settled a case that was brought under the ATS arising from the alleged provision of information by a Yahoo! subsidiary to the Chinese Government that enabled authorities to identify, arrest and subsequently torture political activists (Wang Xiaoning v Yahoo!).  Similarly, Cisco is in the middle of defending an action under the ATS as a result of their provision of software to the Chinese Government that is alleged to have been a part of the ‘Great Firewall of China’ that enabled the torture of political dissidents (Du v Cisco and Doe v Cisco).  The future of actions against companies under the ATS is currently in the balance.  This is because the Supreme Court is grappling with the question of whether companies (ie legal persons, as opposed to ‘real’ persons) can be liable under the ATS in the case of Kiobel v Royal Dutch Petroleum Co.  Depending on the decision in Kiobel, companies that commit major human rights violations may find themselves squarely in the crosshairs of ATS litigants in the US courts.

It had been argued that the Torture Victim Protection Act (18 USC §2340) creates liability for corporations as well as individuals who committed acts of torture outside of the United States.  After an inconsistent approach in various courts, in April of this year the Supreme Court held unanimously that the TVPA only applies to natural persons, not organisations (and, by corollary, not to corporations) (Mohamad v Palestinian Authority).

Two pieces of legislation are worth mentioning even though they do not create liability as such: The California Transparency in Supply Chains Act; and the Global Online Freedom Act.  Since entering into force at the start of this year, the Transparency in Supply Chains Act requires retailers or manufacturers doing business in California with annual worldwide gross receipts exceeding $100 million to disclose via a ‘conspicuous link’ on their main website their efforts to address risks related to slavery and human trafficking in their supply chains.

At the federal level, the Global Online Freedom Act is a Bill that aims to ‘prevent United States businesses from cooperating with repressive governments in transforming the Internet into a tool of censorship and surveillance, to fulfill the responsibility of the United States Government to promote freedom of expression on the Internet, to restore public confidence in the integrity of United States businesses’.  It has been floating around in various incarnations for several years, with the most recent version being passed by a House Committee on 27 March.  Similar to the Transparency in Supply Chains Act, the GOFA would create a reporting regime for internet communications services companies.  Companies would be required to detail their ‘human rights due diligence’ (drawing on the OECD Guidelines for Multinational Enterprises), privacy policies and policy on advising users when content has been filtered or blocked.  It would also establish export controls on certain telecommunications equipment.  The jury seems to be out on whether the latest incarnation of the GOFA could eventually become law, but in any case it does not seem likely that it will enter into force any time soon.

Moral obligations and duties beyond the law?

Anupam Chander wrote an interesting article setting out some of the philosophical arguments that could form the basis for a moral obligation owed by web companies to people in the ‘unfree’ world.  He argues that it is erroneous to apply the same ideas about corporate obligations (or lack thereof) in their interaction with citizens in a free society to corporate interactions with those living in repressive regimes.  As part of this, he argues that ‘given the special role of new media in empowering or oppressing individuals, it seems incumbent upon us to demand the inculcation of a professional ethic among new media companies to protect the freedom-enhancing aspects of cyberspace’.  He explains that ‘new media can either help give voice to dissidents or help perfect totalitarianism’.

Since the Arab Spring, there have certainly been some compelling arguments made about the power of web companies to affect the rights of users in repressive regimes and the moral responsibility that this creates.  However, it is not just the persuasiveness of the arguments about a moral responsibility that cause web companies to go above and beyond the low bar that is set by the international legal framework.  Instead, there seems to be something delightfully self-reinforcing about the freedom of the internet and web companies’ reliance on the trust of their users.

In other global businesses, it is often not the companies’ customers whose human rights are most likely to be affected by the companies’ actions.  For example, in the extractive industries, workers in Burma who may be subject to labour rights violations by a multinational company are not intended to be customers for the oil and gas that they are working to extract.  Instead, the customers are half a world away in developed countries in Europe and America.  This contrasts with a social networking business such as Twitter, where individuals in repressive regimes such as Egypt are able to be users of the product.  While perhaps not possessing the commercial clout of users in more wealthy markets, they are nonetheless part of the business structure.

Moreover, web companies’ branding and reputation is often tightly intertwined with notions of freedom of information and expression. Google’s mission is ‘to organize the world’s information and make it universally accessible and useful’.  In light of this mission statement, being implicated in censorship and suppression of freedom of expression would undermine their brand credibility.  The richness of information sharing and transparency on the internet also makes it more difficult for web companies to adopt sloppy human rights policies because their users are likely to catch them out.  Companies that rely on users’ willingness to share their personal information using their products cannot afford to be caught out too many times!

While there may not be a perfect alignment between the human rights policies that it is in a web company’s business interests to uphold and the human rights standards embodied in international law, there is at least some overlap.  It is this overlap that encourages companies to adopt voluntary guidelines and participate in industry initiatives.