Despite Justice Department objections, Apple, Facebook, and Microsoft plan to expand their policies on notifying customers whose data has been requested by law enforcement, says a report.
The news comes as a digital-rights organization gets set to release an influential privacy scorecard, and as bad publicity still hangs in the air regarding potential cooperation between tech firms and the US National Security Agency.
The customer notifications apparently wouldn't apply to requests made by the NSA, or requests involving national security letters -- administrative subpoenas -- issued by the FBI, says a Washington Post report.
"The changing tech company policies do not affect data requests approved by the Foreign Intelligence Surveillance Court, which are automatically kept secret by law," the Post notes, referring to the special court that oversees the NSA's controversial surveillance programs. (Those programs, of course, were made commonly known by Edward Snowden's leaking of top secret agency documents last summer). National security letters are also kept mum by default, the Post adds.
But other police requests for email records and online data would be covered, unless accompanied by a court-approved gag order.
The US Department of Justice says the notifications could tip off criminals and help them avoid prosecution, but a tech lawyer quoted by the Post says the change in policy would provide a check on wanton searches. "It serves to chill the unbridled, cost-free collection of data," the Post quotes attorney Albert Gidari Jr. as saying.
The Post cites unnamed company officials in reporting that Facebook and Microsoft are preparing policy changes. (Note: See updates at end of story for more information.) An Apple rep told the paper that the company would be updating its policy later in May "so that in most cases when law enforcement requests personal information about a customer, the customer will receive a notification."
Twitter routinely alerts customers about police requests for data, as does Google, the Post notes. Google updated its policy this week to clarify exceptions, such as when the company is prohibited by law or a court order or when notification would create danger of death or serious physical injury. Yahoo expanded its notification policy in July to make alerting users routine, except in situations similar to those noted by Google. A spokesperson for the company told CNET that such alerts give affected users a chance to legally challenge the data requests, and that in some cases such challenges have revealed that the user was mistakenly targeted (see update note at bottom of story for more details).
Digital-rights nonprofit The Electronic Frontier Foundation is getting set to release its annual "Who Has Your Back?" scorecard later this month. Last year, neither Apple, Facebook, Google, Microsoft, nor Yahoo got a gold star in the "Tells users about government data requests" column of the report card, though Twitter and others did.
Apple, Facebook, Google, Microsoft, and Yahoo were all name-checked in a top secret document about the NSA's Prism efforts that surfaced last summer and kicked off the avalanche of headlines about the agency's spy efforts. At the time, the companies said they provide investigators with data only when legally required to do so.
We've contacted Apple, Facebook, Microsoft, and Yahoo for comment on today's Post report and will update this post with any additional information.
Update, May 2 at 9:47 a.m. PT: Facebook provided this statement: "We are committed to transparency, and providing notice about government requests is an important part of being transparent. We are always working to improve our notification process as the law permits." And in response to our question about the DOJ's objections to any changes in notification policy, the company pointed to its law enforcement guidelines and called out this section: "Law enforcement officials who believe that notification would jeopardize an investigation should obtain an appropriate court order or other process establishing that notice is prohibited. Law enforcement officials may also request nondisclosure if notice would lead to risk of harm."
Update, May 2 at 9:59 a.m. PT: Clarifies information about Google's notification policy.
Update, May 2 at 10:31 a.m. PT: Microsoft confirmed that it's expanding routine notification about data requests and will alert users "unless specifically prohibited by law."
Update, May 2 at 10:44 a.m. PT: Clarifies information about Yahoo's notification policy.
Update, May 2 at 11:22 a.m. PT: A Yahoo spokesperson told CNET the following:
"When Yahoo Inc. receives a request for user data from a law enforcement agency, we inform the agency that we reach out to our users to let them know of the government request. We've noted that law enforcement agencies frequently choose to withdraw their request once we inform them of our user notification policy.
"Our notification policy gives users an opportunity to exercise any legal options to challenge demands by law enforcement agencies. In multiple cases, this has led to the realization that the wrong person's data was being sought, or that other legitimate reasons existed for not complying with the demand."