Apple, Facebook, others defy authorities, notify users of secret data demands (washingtonpost.com)
324 points by trusche on May 1, 2014 | 82 comments

First: Thank you Snowden for introducing Privacy as a Banner issue which makes things like competing on providing greater privacy a "Business Differentiator". Before the disclosures there was only a murmur of privacy violations that too only amongst the tech literate. Yesterday the old guy manning the register at a store said "Now they can't track you when you pay by cash" to the customer in front of me.

Second: What a lazy-ass way to dragnet everybody and get stuck with huge irrelevant data! If you really suspected someone, the govt. should be able to convince a judge to get a "tap&gag".

> [...] competing on providing greater privacy a "Business Differentiator".

Facebook described as "competing on privacy" shows us just how fucked our notions of privacy are.

Sorry for the tangent here, but I'm curious; how were they previously tracking customers paying with cash? Was it some form of membership with the store that would need to be provided on checkout?

I read it as a "Now listen here", not a "Now they have the internet on phones you know".

Haha, this is a late reply, but you got me parsing that statement correctly, thanks :)

Credit cards.

The dragnet is about looking back through time once a great has been identified. Or to look at trending in different communities or countries.

> ...allow notification to happen or go to magistrate judges to seek either gag orders or search warrants, which typically are issued under seal for a fixed period of time, delaying notification

Yes, whine-away, when law enforcement is required to get an adult in the room before they go all Rambo, "obviously the terrorists have won".

Worth pointing out:

"The changing tech company policies do not affect data requests approved by the Foreign Intelligence Surveillance Court, which are automatically kept secret by law. National security letters, which are administrative subpoenas issued by the FBI for national security investigations, also carry binding gag orders."

But also:

"The shifting industry practices force investigators to make difficult choices: withdraw data requests, allow notification to happen or go to magistrate judges to seek either gag orders or search warrants, which typically are issued under seal for a fixed period of time, delaying notification."

I hope that the public don't misunderstand these two things.

Along those lines, it's good to keep these numbers in mind:


So in the most recent time period reported, there were ~12,000 requests for data, and between 0 and 1000 of them for NSL/FISA requests. Meaning these policies theoretically affect over 90% of the requests.

Providing this perspective in contrast to the "this changes nothing" sentiment.

Administrative subpoenas have really been the hammer agencies have used to crack into business records, time and again.

I hope this change is as widespread as the article seems to claim. A lawful warrant should be the gold standard for record requests.

So nothing has really changed then. It's more marketing than substance in the hope that fluffy minimal changes to their policy will restore confidence while the same thing is continuing to happen.

No, this is different. In the past, tech companies might comply with requests from prosecutors to not inform customers that their data has been requested. This story claims that tech companies now require a gag order from a judge (FISC or otherwise).

I have a lot of issues with FISA, but it sounds as though FISA requests are far rarer than prosecutors requesting records. To restore balance we really do need to get back to requiring judges to weigh each request for data individually.

Just PR, no real substance.

Meanwhile, all emails older than 180 days are still considered "legally abandoned" and any government agency can look at them with a simple statement saying they are relevant to an investigation.

Does anyone know if user notifications are being sent when those emails are accessed too?

"Can look" is not the same as "can compel the company to not notify the victim".

So, can one submit a FOIA request for all Obama, Clapper, Alexander emails older than 180 days?


The Electronic Communications Privacy Act of 1986 (ECPA)


TBH, the default at all tech companies once they reach a certain size is to make a page that notifies users every time they are included in any query and the purpose of that query.

I should be able to go to Facebook, Google or any other large company and see every single query where I was included in the results. Every query run should include a 1-4 sentence blurb explaining the purpose of the query run and an ID that can identify the employee/entity/user that ran the query. A large hash table could be used to anonymize the counterparty. Users, when seeing a suspicious query, could then petition the companies to divulge more information about the query in question, possibly even resorting to the courts if they can make a reasonable appeal for the information.

I would love to see the EU push for this as the default. If this was the default, then public policies researchers could gather data from volunteers to get a better picture of how companies are using personal data.

Quis custodiet ipsos custodes?

This is a great step in the right direction but what about the other 6.7 billion people not living in the US?

Pressure your government to demand "we won't spy on your citizens" pledges from each of their allies. If the US declines, ask how it can seriously call itself an ally.

I think people in the US don't understand effectively how afraid US allies are about criticising it. No one ever wants to stick its head above the parapet and risk damaging relations - even when the US does bad stuff like torture in Gitmo. Especially if you're from a small country. Even a big country like Germany is more afraid about damaging relations than standing up for the rights of its own citizens.

You're not a part of 'we the people'.

True, but the constitution does make deliberate distinction between 'people' rights and 'citizen' rights. Due process is among those that affect more than just citizens.

Today I noticed my French insurance contract for my company explicitly forbids me from storing data in the US. It's certainly not related to privacy, but I'm happy they push that way.

"... companies grew determined to show that they prized their relationships with customers more than those with authorities"

I've noticed that the words 'customer' and 'user' are starting to draw my conscious attention when I see them used (and misused) in mainstream journalism.

Consider: For most of the companies listed in this article, the customer is exactly that -- someone who pays the company for something, e.g. a cable or internet subscriber.

But for Google, Facebook, et al, the customer isn't the user; the customer is the advertiser. The user is the product. Google's customers could care less about privacy and user notification, except insofar as it spooks the users away from the service.

The distinction is worth keeping in mind when trying to gauge just how far companies might take this newfound willingness to resist.

I'm not really sure about this customer/product distinction. Both the people who view the ads and the people who buy the ad placement give Google something they want in exchange for something they have.

That is, Google has products and services that it gives to customers in exchange for their eyeballs. Then, Google is able to convert some of those eyeballs into clicks, which they sell to advertisers in exchange for money.

The transfer of goods in exchange for value is not only possible when money exchanges hands.

If Google was unable to create products that convinced one of its classes of customers to sell their eyeballs, they would not be able to resell the eyeballs for cash.

Hmmm... Let's try on a different quote for size:

  "... companies grew determined to show that they prized 
   their relationship with their product more than their
   relationships with paying customers, such as advertisers, 
   as well as other non-paying, but similarly coercive 
   entities, such as law enforcement organizations"

Yeah... I'm not sure how I feel about that version... It kind of makes me want to crawl in a hole and die.

What happens if a company ignores a gag order? What will realistically happen, they won't put Sergey Brin in Jail will they?

They will not ignore a legal gag order (court order or national security letter).

They will only ignore non-legally-binding requests to keep quiet, which they previously complied with, but which they were never under any obligation to comply with.

They won't even refuse to provide data to law enforcement. Today's announcement only concerns whether the person whose data it is gets notified or not.

> refuse to provide data to law enforcement

That would be illegal. They are subject to subpoena, i.e., "under penalty".

Yeah it's illegal, but what the government does is also illegal apparently. So what if a company ignored the gag order, what would REALISTICALLY happen? Will the CEO be jailed or will they not be able to put anybody into prison? Will they have to pay a $5M fine, will they have to pay a $500M fine? Or will the companies be able to supersede the government?

I'm not sure exactly what would happen but I'd bet against the companies replacing the government by just not complying with a gag order.

That was not his question now was it?

"Others" would in this case be "Google, Microsoft."

Apple wouldn't be my example of choice of a provider holding tons of private data.

Every push notification ever sent and the data it holds. Text messages, location data, credit cards, addresses and even backups. Apple's data mines are virtually endless.

In addition to the types of data mentioned in other replies, they also have:

- Mail and calendar for people who use the iCloud services.

- Reminders.

- All documents (e.g. Pages, notes) synced to iCloud.

True, but compared to google or facebook, apple has almost no user data.

Are you sure? I think it's definitely a significant enough amount to be mentioned with the others either way.

Not to mention the fact that a user's interaction with Facebook is completely different from their interaction with Apple. Most people keep especially private data off of Facebook, but practically no iPhone user stops to think if a photo might be incriminating/embarrassing in the future before they take it. And that's just Photostream.

People backing up their devices to iCloud stand to lose even more.

Enough to be mentioned. To be used as the primary example and including Google as others?! Sounds more like an author that is getting paid for every Apple mention in an article title.

Billions of text messages.

iPhone location data of millions of people?


800 million credit cards on file.

That's extremely valuable data to Apple and a great target for criminals, but I'm not sure the government would have much interest in it.

This should be qualified with: since they already have it via credit card companies. You give your social security number when getting a credit card for a /lot/ of reasons. And these tend to be good reasons.

The majority of Apple's revenue is from outside the US. I have no idea what proportion of their credit card data is from outside the US, but we don't have these ID numbers. http://www.worldofapple.com/archives/2014/01/27/apple-posts-...

Why do Apple need to keep your voice recordings for 2 years? http://www.wired.com/2013/04/siri-two-years/

1) It actually tells you why in the article and 2) She's asking why a particular question isn't answered in a FREQUENTLY ASKED questions section but is under the settings. That's kind of the point of an FAQ - to only answer frequently asked questions.

That is why I pointed to this article, but the reason I asked this question was to let everyone know (who didn't already know) because I think it is important.

They might face devastating consequences like fines of hundreds of millions of dollars.

Is that really devastating to billion dollar companies?

Also - what's the opportunity cost in lost business from not doing this?

Hundreds of millions of dollars is something to seriously consider no matter how big the company.

Shattering consequences.

The consequences will never be the same!

+1000 to these companies, if they are truly doing this.

Time for us all to contact our Congress-critters, supporting this.

Obama hasn't done his job of bringing change. Quite what the word "hope" means to him is anyone's guess. What we've got instead is a system of government so ridiculous and bizarre that it's not worth following at all.

What are the legal consequences to these large tech companies tipping off users? Are these companies just calling the bluff of enforcement agencies who are not willing to risk the bad PR? I'd love to hear from someone who has a better idea on why this issue is as gray as it seems.

> Apple, Microsoft, Facebook and Google all are updating their policies to expand routine notification of users about government data seizures, unless specifically gagged by a judge or other legal authority

To my knowledge people are allowed to say they were questioned by the police.

I think this is mainly a "we don't feel like helping you guys out anymore" move (as well as a "hey our customers would probably trust us a bit more" move and being generally the Right Thing™).

"...unless specifically gagged by a judge or other legal authority..."

a legal authority... that is very broad

“It serves to chill the unbridled, cost-free collection of data,” said Albert Gidari Jr.,

... I thought corporations received some number of millions of dollars to perform these procedures?

I hope there's some discretion used here based on the nature of the request. Child Sextortion (send me naked photos or record these sex acts with your sibling or I'll send this devastating photo to all of your friends on Facebook) is a very real and frequent problem. If mom & dad show the sextortion messages to their local police detective and s/he fills out a Facebook records request to see if the suspect is victimizing other minors, will Facebook notify the suspect?

The average local investigator is low-tech, has good intentions to help a victim, and has nothing to do with FISA or national security issues. I'd much rather see a tech company say, "Hey, we're not just going to give you everything on this user. In fact, we'll notify the user unless you provide more justification or background on the reason for your request," than notify the suspect without warning. At least then the investigator can provide more info for consideration, or go back to a judge.

"Hey, we're not just going to give you everything on this user. In fact, we'll notify the user unless you provide more justification or background on the reason for your request,"

It seems like it isn't necessarily a good idea to let companies decide whether an individual request is justified. Suspects are innocent until proven guilty in a court of law. It's up to our society to remember that they are indeed innocent unless proven otherwise, and there's no way at that point for the investigator to prove anything.

Imagine that an investigator comes to Facebook and asks them for information regarding one of Facebook's employees. Facebook asks why, and the investigator responds that they suspect they're involved in something like what you've mentioned. At that point there's a chance FB might become extremely uncomfortable retaining the services of that employee, even though nothing has actually been proven yet. Accusations like that can ruin lives.

You make some good points, and it might be good to have more open communication between law enforcement and companies. It just seems a little dangerous. There are some unexpected ways that it could turn out to be a bad thing.

You make some good points as well, and I admit there's not a clear answer here. However, Facebook can very quickly look at the suspect's messages to the victim for example and see clearly if s/he is a real threat before notifying anyone.

"More open communication between law enforcement and companies" as you said is the key, especially at the state and local level.

> Facebook can very quickly look at the suspect's messages to the victim for example and see clearly if the s/he is a real threat before notifying anyone.

The thing is, at that point we'll have to concede that it's normal and proper for companies to be examining private communications. It's equivalent to a phone company keeping a log of all phone conversations transmitted on their network, then listening to them on a case-by-case basis. It strikes me as odd that it's illegal to do that for voice conversations but not illegal to do that for text conversations.

> Facebook can very quickly look at the suspect's messages to the victim for example and see clearly if the s/he is a real threat before notifying anyone.

This is a Pandora's Box that I can pretty much guarantee Facebook does not want to open unless legislation is passed against their ever having civil or legal liability for doing so. Just speculate to the next school shooting where a parent/politician/newsperson asks "Why didn't Facebook tell us what was in their messages?"

You haven't provided any reasoning for why these requests need to be secret. People have the right to face their accusers, and by the time dumps of their online accounts are happening (akin to a search of their home), they should be able to exercise that right.

Are you suggesting all law enforcement agencies should notify a person or group prior to commencing an investigation? How amusing would it be if a detective turned up at your door and said "Oh hai! We'll be parked across the street in an unmarked vehicle for a few days while we observe your suspected illegal activities."

People have the right to Habeas corpus, they shouldn't necessarily have the right to know they are under investigation. In my opinion.

Passive surveillance is a far cry from having your home and belongings secretly searched. Standard procedure is not and should not be no-knock warrants to covertly sneak in while suspects are not home.

Just a nitpick but when mom & dad know about the sextortion it is over - every kid should hear "Calm down, it's not your fault". The dangerous situation is when the kid complies because it is afraid/ashamed to go to mom/dad.

Also I am very skeptical about using "protect the children" as a policy justification.

If there is a policy of not notifying the child abuse suspects then every request from the prosecution office made will also have - probably the person is also an online predator.

What is wrong with the concept of giving an affirmative oath in front of the judge and making him sign the warrant and, if he deems it necessary, also sign the temporary gag order?

I'm naïve, is sextortion a very real and frequent problem? Do you have stats?

I don't have stats, no, but Facebook openly acknowledges the problem at child safety conferences. Google "Facebook Child Sextortion" and you'll find your share of articles. I recognize "take my word for it" doesn't go very far!

The Four Horsemen of the Infocalypse is a term for internet criminals, or the imagery of internet criminals.

A play on Four Horsemen of the Apocalypse, it refers to types of criminals who use the internet to facilitate crime and consequently jeopardize the rights of honest internet users. There does not appear to be an exact definition for who the Horsemen are, but they are usually described as terrorists, drug dealers, pedophiles, and organized crime. Other sources use slightly different descriptions but generally refer to the same types of criminals. The term was coined by Timothy C. May in 1988, who referred to them as "child pornographers, terrorists, drug dealers, etc."[1] when discussing the reasons for limited civilian use of cryptography tools. Among the most famous of these is in the Cypherpunk FAQ,[2] which states:


As I understand it, things go like this. Detective: "give me all this user's data and don't tell them you did." Facebook: "Without a court issued gag order we will tell the user." Detective: "Ok, I'll get a court issued gag order and get back to you." (LEO have this part down pat) So where is the problem exactly?

> Detective: "Ok, I'll get a court issued gag order and get back to you." (LEO have this part down pat) So where is the problem exactly?

Isn't the detective too late at this point? Can't they tell the user until the gag order arrives?

In that case it behooves the detective to obtain a proper warrant with or without a gag order, as necessary, before contacting them.

Investigative procedure is not a new concept and we have a pretty well working system. There's really no need to give law enforcement fascist powers to do whatever they want without oversight under the excuse of "think of the children!"

From my understanding, at this point if the detective still wanted the data (without a warrant), he'd get the data, but the user would be notified. However, if he gets a court order and comes back to Google, he will get the data without the user being notified. Basically it forces LE to go through a judge to get a warrant. This is a good thing imo.

> If mom & dad show the sextortion messages to their local police detective and s/he fills out a Facebook records request to see if the suspect is victimizing other minors, will Facebook notify the suspect?

Does it matter? You'll have already caught him and have the evidence.

Why call out "sextortion" specifically? You could just say that $CRIME is a very real and frequent problem, and if people show the $CRIME messages to their local police detective, will Facebook notify the suspect?

Hi Mike. I call it out specifically because crimes against children are a particular category of crime that deserves special attention from the community. Sextorting a business man with a picture of him having an affair and other $CRIMES 'should' be handled differently than the predator who drives a young teen to suicide or gets them to take pictures of their younger siblings, or face humiliation on a social network.

In the former (businessman example), a social network has a 'right' to refuse law enforcement and notify the user. In the latter example, it's my belief (which I understand isn't popular here!) that the network has a civic 'duty' not to inform the user and to assist how they can - as many of them do right now. My question has more to do with asking if social networks will examine the background of the $CRIME before notifying the user.

Phone companies recognize this distinction and, for example, will provide an emergency ping location when a child is in danger before any paper work is submitted, requiring in good faith that it will follow within 24 hours. If the following paperwork is not in order, they lose the ability to do that again.

It's a wonderful thing that the average HN reader doesn't have to deal with these issues, and disappointing honestly that real questions from someone who does are heavily downvoted. But hey, it's fine not to agree with my view.

They still can do whatever with your data so whoop dee do.
