Transparency – but what are we seeing?

Now that Microsoft has come to the party and is publishing a regular transparency report, there is a meaningful amount of publicly-available data about government requests for online records.  Looking at the data from Google, Twitter, Dropbox and Microsoft side-by-side raises some interesting questions.

The trend towards publishing transparency reports is a welcome one.  It raises awareness and encourages users to think about what protections they’re entitled to and how private their online activities really are.  There are still some very noticeable gaps in the information available.  Facebook and Yahoo! store large amounts of personal data but are noticeably silent on the issue of transparency reports.  Perhaps they will follow in Microsoft’s footsteps and finally succumb to the pressure for transparency.

Consumer and privacy advocacy groups are alarmed at the increased volume of government data requests.  Back in January, EFF reported on the ‘troubling trend’ of the rise in government surveillance because there had been a 70% increase in requests for data since Google started releasing numbers in 2010.  Forums are awash with comments about government snooping and conspiracy theories.  Meanwhile, at last week’s Committee on the Judiciary Hearing, Richard Littlehale from the Tennessee Bureau of Investigation argued for calm in considering the increase in government requests.  He analysed the statistics as demonstrating that ‘just a tiny fraction of one percent of Google’s accounts were affected by government demands’.

Comparing the transparency reports of the different companies shows that Microsoft/Skype and Google are inundated with requests for data.  As you would expect, relative newcomers Dropbox and Twitter receive far fewer requests.  In 2012, there were 122,015 requests relating to Microsoft accounts, 15,409 requests relating to Skype accounts, 68,249 Google accounts, 2,614 Twitter accounts and 164 Dropbox accounts. Each of these statistics relates to the number of accounts affected.  As each user could have multiple accounts, this does not directly equate to the number of individuals affected but nonetheless gives a sense of the scale of the issue.

These are some pretty impressive numbers and they’re on the rise.  The volume of requests to Google has grown significantly even during the short 3 years that they have been publishing their transparency report.  Although the data is not available, it seems reasonable to assume that the other companies are also experiencing significant increases.  Just what do these statistics mean?  Is it time to sound the Orwellian alarm bells?

Of course, more users have been sending, posting and storing information online.  This comes not only from more users engaging with online products, but also through the expanded type of products being offered.  The growth in cloud computing and cloud product offerings such as Google Drive mean that there is more information being held by third parties.  Higher penetration of online products not only means more cute cats and emails home to Mom, but also more use by criminal elements.  This naturally piques the interest of law enforcement officers.

As law enforcement becomes more familiar with the use of online records as evidence, more officers appreciate its value and employ it as one of their investigative tools.  The process has also been simplified and demystified.  Only a few years ago, it was an impenetrable maze to try to work out how to request online records for most of the providers.  Now, many of the companies have publicly accessible guides for law enforcement.  This means that it’s not just the high-tech crime units that are aware of the ability and value in accessing online records, but also the local county sheriffs.

Upward trends in law enforcement requests for records from particular online products can also reveal that some applications are particularly attractive to criminal elements.  For example, in the past, certain messaging applications became havens for child pornography rings to the extent that the product was discontinued.  Criminals will always look for weaknesses in the system and loopholes where they feel that they can communicate with impunity.  Police will naturally want to follow these trends and pursue criminals by accessing these records.  At the same time, innocent users have a valid expectation of privacy over their communications.

This all means that more users are putting more information online and it’s being accessed by a wider range of law enforcement officers.  I don’t think this is necessarily alarming in itself – we are no longer in a society where people (innocent or criminal) handwrite their private documents and store them under lock and key in their filing cabinet and investigative techniques have to adjust accordingly.  However, it does mean that it is increasingly important to ensure that there are adequate systems in place for the way in which this information is stored, accessed and used.

The discussion of this issue is hardly in its infancy; reform of ECPA has been on and off the cards for years (culminating in the last-minute failure to pursue the legislative amendments at the end of last year).  At last week’s committee hearing, there was a new level of consensus that access to users’ content should only be through showing of probable cause.  However, underneath this veneer of agreement, each of the witnesses revealed important differences of opinion.  The Department of Justice advocated substantial carve-outs from the probable cause standard should be afforded for civil litigation.  The law enforcement representative had a wish list including access to SMS messages and mandatory time limits on compliance with government requests.  Questioning by committee members revealed that there was confusion about the difference between traffic data and content and a troubling lack of understanding about how services such as targeted advertising on Gmail accounts affects privacy.  As with most legislative reform, the devil is in the detail and there is a lot of work ahead before there can be agreement on a Bill.

Access to online records needs to be addressed now.  The uncertainties between different jurisdictions and the growing agreement that aspects of ECPA infringe the fourth amendment of the Constitution are unacceptable both from a user’s perspective and also from the commercial perspective of companies that have to navigate this legal minefield on a daily basis.  The law is certainly in need of reform and the problem is only going to get worse.  However, the statistics do not necessarily mean that we are in the grip of a government conspiracy.  While we are no longer in the 1986 world of the original ECPA, we are also a long way from George Orwell’s 1984.