What a lazy-ass way to dragnet everybody and get stuck with huge irrelevant data!
If you really suspected some one, the govt. should be able to convince a judge to get a "tap&gag".
Facebook described as "competing on privacy" shows us just how fucked our notions of privacy are.
Yes, whine-away, when law enforcement is required to get an adult in the room before they go all Rambo, "obviously the terrorists have won".
"The changing tech company policies do not affect data requests approved by the Foreign Intelligence Surveillance Court, which are automatically kept secret by law. National security letters, which are administrative subpoenas issued by the FBI for national security investigations, also carry binding gag orders."
"The shifting industry practices force investigators to make difficult choices: withdraw data requests, allow notification to happen or go to magistrate judges to seek either gag orders or search warrants, which typically are issued under seal for a fixed period of time, delaying notification."
I hope that the public don't misunderstand these two things.
So in the most recent time period reported, there were ~12,000 requests for data, and between 0 and 1000 of them for NSL/FISA requests. Meaning these policies theoretically affect over 90% of the requests.
Providing this perspective in contrast to the "this changes nothing" sentiment.
I hope this change is as widespread as the article seems to claim. A lawful warrant should be the gold standard for record requests.
I have a lot of issues with FISA, but it sounds as though FISA requests are a far rarer than prosecutors requesting records. To restore balance we really do need to get back to requiring judges to weigh each request for data individually.
Does anyone know if user notifications are being sent when those emails are accessed too?
I should be able to go to Facebook, Google or any other large company and see every single query where I was included in the results. Every query run should include a 1-4 sentence blurb explaining the purpose of the query run and an ID that can identify the employee/entity/user that ran the query. A large hash table could be used to anonymize the counterparty. Users, when seeing a suspicious query, could then petition the companies to divulge more information about the query in question, possibly even resorting to the courts if they can make a reasonable appeal for the information.
I would love to see the EU to push for this as the default. If this was the default, then public policies researchers could gather data from volunteers to get a better picture of how companies are using personal data.
Quis custodiet ipsos custodes?
I've noticed that the words 'customer' and 'user' are starting to draw my conscious attention when I see them used (and misused) in mainstream journalism.
Consider: For most of the companies listed in this article, the customer is exactly that -- someone who pays the company for something, e.g. a cable or internet subscriber.
But for Google, Facebook, et al, the customer isn't the user; the customer is the advertiser. The user is the product. Google's customers could care less about privacy and user notification, except insofar as it spooks the users away from the service.
The distinction is worth keeping in mind when trying to gauge just how far companies might take this newfound willingness to resist.
That is, Google has products and services that it gives to customers in exchange for their eyeballs. Then, Google is able to convert some of those eyeballs into clicks, which they sell to advertisers in exchange for money.
The transfer of goods in exchange for value is not only possible when money exchanges hands.
If Google was unable to create products that convinced one of its classes of customers to sell their eyeballs, they would not be able to resell the eyeballs for cash.
"... companies grew determined to show that they prized
their relationship with their product more than their
relationships with paying customers, such as advertisers,
as well as other non-paying, but similarly coercive
entities, such as law enforcement organizations"
They will only ignore non-legally-binding requests to keep quiet, which they previously complied with, but which they were never under any obligation to comply with.
They won't even refuse to provide data to law enforcement. Today's announcement only concerns whether the person whose data it is gets notified or not.
That would be illegal. They are subject to subpoena, i.e., "under penalty".
- Mail and calendar for people who use the iCloud services.
- All documents (e.g. Pages, notes) synced to iCloud.
Not to mention the fact that a users interaction with Facebook is completely different from their interaction with Apple. Most people keep especially private data off of Facebook, but practically no I-phone user stops to think if a photo might be incriminating/embarrassing in the future before they take it. And that's just Photostream.
People backing up their devices to iCloud stand to lose even more.
Also - what's the opportunity cost in lost business from not doing this?
Time for us all to contact our Congress-critters, supporting this.
To my knowledge people are allowed to say they were questioned by the police.
I think this is mainly a "we don't feel like helping you guys out anymore" move (as well as a "hey our customers would probably trust us a bit more" move and being generally the Right Thing™
a legal authority... that is very broad
... I thought corporations received some number of millions of dollars to perform these procedures?
The average local investigator is low-tech, has good intentions to help a victim, and has nothing to do with FISA or national security issues. I'd much rather see a tech company say, "Hey, we're not just going to give you everything on this user. In fact, we'll notify the user unless you provide more justification or background on the reason for your request," than notify the suspect without warning. At least then the investigator can provide more info for consideration, or go back to a judge.
It seems like it isn't necessarily a good idea to let companies decide whether an individual request is justified. Suspects are innocent until proven guilty in a court of law. It's up to our society to remember that they are indeed innocent unless proven otherwise, and there's no way at that point for the investigator to prove anything.
Imagine that an investigator comes to Facebook and asks them for information regarding one of Facebook's employees. Facebook asks why, and the investigator responds that they suspect they're involved in something like what you've mentioned. At that point there's a chance FB might become extremely uncomfortable retaining the services of that employee, even though nothing has actually been proven yet. Accusations like that can ruin lives.
You make some good points, and it might be good to have more open communication between law enforcement and companies. It just seems a little dangerous. There are some unexpected ways that it could turn out to be a bad thing.
"More open communication between law enforcement and companies" as you said is the key, especially at the state and local level.
The thing is, at that point we'll have to concede that it's normal and proper for companies to be examining private communications. It's equivalent to a phone company keeping a log of all phone conversations transmitted on their network, then listening to them on a case-by-case basis. It strikes me as odd that it's illegal to do that for voice conversations but not illegal to do that for text conversations.
This is a Pandora's Box that I can pretty much guarantee Facebook does not want to open unless legislation is passed against their ever having civil or legal liability for doing so. Just speculate to the next school shooting where a parent/politician/newsperson asks "Why didn't Facebook tell us what was in their messages?"
People have the right to Habeas corpus, they shouldn't necessarily have the right to know they are under investigation. In my opinion.
Also I am very skeptical about using "protect the children" as a policy justification.
If there is policy of not notifying the child abuse suspects then every request from the prosecution office made will also have - probably the person is also an online predator.
What is wrong with the concept of giving affirmative oath in front of the judge and make him sign warrant and if he deems necessary to sign also the temporary gag order.
A play on Four Horsemen of the Apocalypse, it refers to types of criminals who use the internet to facilitate crime and consequently jeopardize the rights of honest internet users. There does not appear to be an exact definition for who the Horsemen are, but they are usually described as terrorists, drug dealers, pedophiles, and organized crime. Other sources use slightly different descriptions but generally refer to the same types of criminals. The term was coined by Timothy C. May in 1988, who referred to them as "child pornographers, terrorists, drug dealers, etc." when discussing the reasons for limited civilian use of cryptography tools. Among the most famous of these is in the Cypherpunk FAQ, which states:
Isn't the detective too late at this point? Can't they tell the user until the gag order arrives?
Investigative procedure is not a new concept and we have a pretty well working system. There's really no need to give law enforcement fascist powers to do whatever they want without oversight under the excuse of "think of the children!"
Does it matter? You'll have already caught him and have the evidence.
In the former (businessman example), a social network has a 'right' to refuse law enforcement and notify the user. In the latter example, it's my belief (which I understand isn't popular here!) that the network has a civic 'duty' not to inform the user and to assist how they can - as many of them do right now. My question has more to do with asking if social networks will examine the background of the $CRIME before notifying the user.
Phone companies recognize this distinction and, for example, will provide an emergency ping location when a child is in danger before any paper work is submitted, requiring in good faith that it will follow within 24 hours. If the following paperwork is not in order, they lose the ability to do that again.
It's a wonderful thing that the average HN reader doesn't have to deal with these issues, and disappointing honestly that real questions from someone who does are heavily downvoted. But hey, it's fine not to agree with my view.