With NSA reform, what does more disclosure from tech firms mean?

While technology companies can now release the number of user data requests they receive from the government, civil liberties groups say this is just a small step.

Dara Kerr Former senior reporter
Dara Kerr was a senior reporter for CNET covering the on-demand economy and tech culture. She grew up in Colorado, went to school in New York City and can never remember how to pronounce gif.
Dara Kerr
3 min read
People protesting the NSA's surveillance programs march in San Francisco in July 2013. Dara Kerr/CNET

The US Department of Justice announced on Monday that it made a preliminary deal with a handful of top technology companies that will let them publicly disclose the number of times the government requests user data. While it appears this is a step toward greater transparency, what does it really mean?

For years, it's been unclear how much and what type of information the National Security Agency has been collecting from tech companies. The NSA is one of the biggest surveillance and eavesdropping agencies in the US and was where Edward Snowden worked before he decided to leak some of the agency's top-secret documents to the press last June.

That document leak opened the public's eyes to the government's collection of data on US residents through both cellular records and metadata from Internet companies. The NSA apparently has routinely demanded that tech companies like Yahoo, Apple, Google, and Facebook hand over user data, while severely limiting those firms' ability to tell users about it.

Yahoo outlined this government directive in a motion (PDF) it filed with the Foreign Intelligence Surveillance Court last September. In the motion, Yahoo sought permission to disclose aggregate data regarding FISA court orders in its company transparency reports.

"The government prohibited Yahoo from disclosing the number of national security demands that it has received (if any) and the numbers of accounts affected by such demands," Yahoo wrote in its motion. "In addition, based on the government's response to similar requests made by both Google and Microsoft, it appears that the government maintains that publishing aggregate numbers of national security demands received is unlawful."

The NSA has maintained that its surveillance programs were carried out to protect Americans and track down foreign terrorists, and therefore the type and quantity of information gathered must remain classified.

On Monday, the Department of Justice said the deal it made with Facebook, Microsoft, Google, LinkedIn, and Yahoo would allow tech companies to disclose the total number of FISA court orders they receive annually and the total of number of users affected by those requests. The government agreed to the deal in exchange for the companies dropping a lawsuit related to the disclosure restrictions. A FISA court judge still must approve the agreement.

"We filed our lawsuits because we believe that the public has a right to know about the volume and types of national security requests we receive," the companies said in a joint statement e-mailed to CNET. "We're pleased the Department of Justice has agreed that we and other providers can disclose this information. While this is a very positive step, we'll continue to encourage Congress to take additional steps to address all of the reforms we believe are needed."

Additionally, Apple released an updated letter (PDF) on national security and law enforcement orders following the Department of Justice's Monday announcement. In this letter, Apple breaks down the government requests with more specific numbers. The company originally disclosed this information last November, but it had less information and figures.

While it appears the tide is beginning to switch with the government's secrecy in its surveillance practices, some civil liberties groups are saying this is just a small step.

Even though tech companies will be able to disclose the number of FISA court orders they receive -- these numbers can only be revealed in bands of 250 or 1,000 (PDF). Also, to maintain the effectiveness of the data to law enforcement, the deal sets up a two-year buffer for any companies that have yet to receive their first order.

"While we welcome this small crack in the wall of secrecy that surrounds the Foreign Intelligence Surveillance Court and everything it does, it is only a first step. Today's deal does not allow the companies to disclose details about which laws the government is using to seize our data, or give us anything more than a vague numeric range to quantify those demands," Electronic Frontier Foundation Staff Attorney Nate Cardozo told CNET. "True transparency -- as well as the First Amendment -- requires that companies be allowed to map the scope of the United States government's surveillance apparatus. There is no national security justification for requiring that only vague numeric ranges, rather than exact numbers, be disclosed."