
Apple, Facebook, others defy authorities, notify users of secret data demands - trusche
http://www.washingtonpost.com/business/technology/apple-facebook-others-defy-authorities-increasingly-notify-users-of-secret-data-demands-after-snowden-revelations/2014/05/01/b41539c6-cfd1-11e3-b812-0c92213941f4_story.html?hpid=z1
======
suprgeek
First: Thank you Snowden for introducing Privacy as a Banner issue which makes
things like competing on providing greater privacy a "Business
Differentiator". Before the disclosures there was only a murmur of privacy
violations that too only amongst the tech literate. Yesterday the old guy
manning the register at a store said "Now they can't track you when you pay by
cash" to the customer in-front of me.

Second: What a lazy-ass way to dragnet everybody and get stuck with huge
irrelevant data! If you really suspected some one, the govt. should be able to
convince a judge to get a "tap&gag".

~~~
ZoF
Sorry for the tangent here, but I'm curious; how were they previously tracking
customers paying with cash? Was it some form of membership with the store that
would need to be provided on checkout?

~~~
GotAnyMegadeth
I read it as a "Now listen here", not a "Now they have the internet on phones
you know".

~~~
ZoF
Haha, this is a late reply, but you got me parsing that statement correctly,
thanks :)

------
amirmc
Worth pointing out:

 _" The changing tech company policies do not affect data requests approved by
the Foreign Intelligence Surveillance Court, which are automatically kept
secret by law. National security letters, which are administrative subpoenas
issued by the FBI for national security investigations, also carry binding gag
orders."_

But also:

 _" The shifting industry practices force investigators to make difficult
choices: withdraw data requests, allow notification to happen or go to
magistrate judges to seek either gag orders or search warrants, which
typically are issued under seal for a fixed period of time, delaying
notification."_

I hope that the public don't misunderstand these two things.

~~~
moskie
Along those lines, it's good to keep these numbers in mind:

[https://govtrequests.facebook.com/country/United%20States/20...](https://govtrequests.facebook.com/country/United%20States/2013-H2/)

So in the most recent time period reported, there were ~12,000 requests for
data, and between 0 and 1000 of them for NSL/FISA requests. Meaning these
policies theoretically affect over 90% of the requests.

Providing this perspective in contrast to the "this changes nothing"
sentiment.

------
joshfraser
Meanwhile, all emails older than 180 days are still considered "legally
abandoned" and any government agency can look at them with a simple statement
saying they are relevant to an investigation.

Does anyone know if user notifications are being sent when those emails are
accessed too?

~~~
ryanfreeborn
...citation?

~~~
joshfraser
The Electronic Communications Privacy Act of 1986 (ECPA)

[http://www.businessinsider.com/when-can-the-government-
read-...](http://www.businessinsider.com/when-can-the-government-read-your-
email-2013-6)

------
malandrew
TBH, the default at all tech companies once they reach a certain size is to
make a page that notifies users every time they are included in any query and
the purpose of that query.

I should be able to go to Facebook, Google or any other large company and see
every single query where I was included in the results. Every query run should
include a 1-4 sentence blurb explaining the purpose of the query run and an ID
that can identify the employee/entity/user that ran the query. A large hash
table could be used to anonymize the counterparty. Users, when seeing a
suspicious query, could then petition the companies to divulge more
information about the query in question, possibly even resorting to the courts
if they can make a reasonable appeal for the information.

I would love to see the EU to push for this as the default. If this was the
default, then public policies researchers could gather data from volunteers to
get a better picture of how companies are using personal data.

 _Quis custodiet ipsos custodes?_

------
secfirstmd
This is a great step in the right direction but what about the other 6.7
billion people not living in the US?

~~~
raldi
Pressure your government to demand "we won't spy on your citizens" pledges
from each of their allies. If the US declines, ask how it can seriously call
itself an ally.

~~~
secfirstmd
I think people in the US don't understand effectively how afraid US allies are
about criticising it. No one ever wants to stick it's head above the parapet
and risk damaging relations - even when the US does bad stuff like torture in
Gitmo. Especially if your from a small country. Even a big country like
Germany is more afraid about damaging relations than standing up for the
rights of its own citizens.

------
davidp
_"... companies grew determined to show that they prized their relationships
with customers more than those with authorities"_

I've noticed that the words 'customer' and 'user' are starting to draw my
conscious attention when I see them used (and misused) in mainstream
journalism.

Consider: For most of the companies listed in this article, the customer is
exactly that -- someone who pays the company for something, e.g. a cable or
internet subscriber.

But for Google, Facebook, et al, the customer isn't the user; the customer is
the advertiser. The user is the product. Google's _customers_ could care less
about privacy and user notification, except insofar as it spooks the users
away from the service.

The distinction is worth keeping in mind when trying to gauge just how far
companies might take this newfound willingness to resist.

~~~
skj
I'm not really sure about this customer/product distinction. Both the people
who view the ads and the people who buy the ad placement give Google something
they want in exchange for something they have.

That is, Google has products and services that it gives to customers in
exchange for their eyeballs. Then, Google is able to convert some of those
eyeballs into clicks, which they sell to advertisers in exchange for money.

The transfer of goods in exchange for value is not only possible when money
exchanges hands.

If Google was unable to create products that convinced one of its classes of
customers to sell their eyeballs, they would not be able to resell the
eyeballs for cash.

------
wellboy
What happens if a company ignores a gag order? What will realistically happen,
they won't put Sergey Brin in Jail will they?

~~~
kijin
They will not ignore a legal gag order (court order or national security
letter).

They will only ignore non-legally-binding requests to keep quiet, which they
previously complied with, but which they were never under any obligation to
comply with.

They won't even refuse to provide data to law enforcement. Today's
announcement only concerns whether the person whose data it is gets notified
or not.

~~~
tantalor
> refuse to provide data to law enforcement

That would be illegal. They are subject to subpoena, i.e., "under penalty".

~~~
wellboy
Yeah it's illegal, but what the government does is also illegal apparently. So
what if a company ignored the gag order, what would REALISTICALLY happen. Will
the CEO be jailed or will they not be able to put anybody into prison. Will
they have have to pay a $5M fine, will they have to pay a $500M fine? Or will
the companies be able to supersede the government.

~~~
lgas
I'm not sure exactly what would happen but I'd bet against the companies
replacing the government by just not complying with a gag order.

------
sounds
"Others" would in this case be "Google, Microsoft."

~~~
shimon_e
Apple wouldn't be my example of choice of a provider holding tons of private
data.

~~~
comex
In addition to the types of data mentioned in other replies, they also have:

\- Mail and calendar for people who use the iCloud services.

\- Reminders.

\- All documents (e.g. Pages, notes) synced to iCloud.

~~~
TheSoftwareGuy
True, but compared to google or facebook, apple has almost no user data.

~~~
ZoF
Are you sure? I think it's definitely a significant enough amount to be
mentioned with the others either way.

Not to mention the fact that a users interaction with Facebook is completely
different from their interaction with Apple. Most people keep especially
private data off of Facebook, but practically no I-phone user stops to think
if a photo might be incriminating/embarrassing in the future before they take
it. And that's just Photostream.

People backing up their devices to iCloud stand to lose even more.

~~~
shimon_e
Enough to be mentioned. To be used as the primary example and including Google
as others?! Sounds more like an author that is getting paid for every Apple
mention in an article title.

------
hoodoof
They might face devastating consequences like fines of hundreds of millions of
dollars.

~~~
joelrunyon
Is that really devastating to billion dollar companies?

Also - what's the opportunity cost in lost business from _not_ doing this?

~~~
hoodoof
Shattering consequences.

~~~
tsaoutourpants
The consequences will never be the same!

------
mark_l_watson
+1000 to these companies, if they are truly doing this.

Time for us all to contact our Congress-critters, supporting this.

------
Eye_of_Mordor
Obama hasn't done his job of bringing change. Quite what the word "hope" means
to him is anyone's guess. What we've got instead is a system of government so
ridiculous and bizarre that it's not worth following at all.

------
orky56
What are the legal consequences to these large tech companies tipping off
users? Are these companies just calling the bluff of enforcement agencies who
are not willing to risk the bad PR? I'd love to hear from someone who has a
better idea on why this issue is as gray as it seems.

~~~
rtpg
> Apple, Microsoft, Facebook and Google all are updating their policies to
> expand routine notification of users about government data seizures, _unless
> specifically gagged by a judge or other legal authority_

To my knowledge people are allowed to say they were questioned by the police.

I think this is mainly a "we don't feel like helping you guys out anymore"
move (as well as a "hey our customers would probably trust us a bit more" move
and being generally the Right Thing™

------
Istof
"...unless specifically gagged by a judge or other legal authority..."

a legal authority... that is very broad

------
perlpimp
“It serves to chill the unbridled, cost-free collection of data,” said Albert
Gidari Jr.,

... I thought corporations received some number of millions of dollars to
perform these procedures?

------
telecuda
I hope there's some discretion used here based on the nature of the request.
Child Sextortion (send me naked photos or record these sex acts with your
sibling or I'll send this devastating photo to all of your friends on
Facebook) is a very real and frequent problem. If mom & dad show the
sextortion messages to their local police detective and s/he fills out a
Facebook records request to see if the suspect is victimizing other minors,
will Facebook notify the suspect?

The average local investigator is low-tech, has good intentions to help a
victim, and has nothing to do with FISA or national security issues. I'd much
rather see a tech company say, "Hey, we're not just going to give you
everything on this user. In fact, we'll notify the user unless you provide
more justification or background on the reason for your request," than notify
the suspect without warning. At least then the investigator can provide more
info for consideration, or go back to a judge.

~~~
sillysaurus3
_" Hey, we're not just going to give you everything on this user. In fact,
we'll notify the user unless you provide more justification or background on
the reason for your request,"_

It seems like it isn't necessarily a good idea to let companies decide whether
an individual request is justified. Suspects are innocent until proven guilty
in a court of law. It's up to our society to remember that they are indeed
innocent unless proven otherwise, and there's no way at that point for the
investigator to prove anything.

Imagine that an investigator comes to Facebook and asks them for information
regarding one of Facebook's employees. Facebook asks why, and the investigator
responds that they suspect they're involved in something like what you've
mentioned. At that point there's a chance FB might become extremely
uncomfortable retaining the services of that employee, even though nothing has
actually been proven yet. Accusations like that can ruin lives.

You make some good points, and it might be good to have more open
communication between law enforcement and companies. It just seems a little
dangerous. There are some unexpected ways that it could turn out to be a bad
thing.

~~~
telecuda
You make some good points as well, and I admit there's not a clear answer
here. However, Facebook can very quickly look at the suspect's messages to the
victim for example and see clearly if the s/he is a real threat before
notifying anyone.

"More open communication between law enforcement and companies" as you said is
the key, especially at the state and local level.

~~~
sillysaurus3
_Facebook can very quickly look at the suspect 's messages to the victim for
example and see clearly if the s/he is a real threat before notifying anyone._

The thing is, at that point we'll have to concede that it's normal and proper
for companies to be examining private communications. It's equivalent to a
phone company keeping a log of all phone conversations transmitted on their
network, then listening to them on a case-by-case basis. It strikes me as odd
that it's illegal to do that for voice conversations but not illegal to do
that for text conversations.

------
free2rhyme214
They still can do whatever with your data so whoop dee do.

