Once you start looking at which countries are requesting data from US companies, the next obvious (and critical) question is: how do companies respond to those requests? This is largely a matter of company discretion because the Electronic Communications Privacy Act does not apply to requests for user data from foreign governments. Without laws governing this important issue, foreign users are reliant on due diligence and good will by individual companies. This ad hoc approach means that different companies can have quite different compliance rates for the same countries.
What policies do companies have on paper?
The big US internet companies have committed to five principles for global government surveillance and access to their information. Principle 5 notes that “there should be a robust, principled, and transparent framework to govern lawful requests for data across jurisdictions” but does not provide any detail about how this should be achieved or what companies are doing in the meantime.
Some individual companies have published principles or policies on how they handle government requests for user data. While these are a welcome move, they lack detail, consistency, and enforceability. Yahoo! has stated principles, which provide general assurances about endeavouring to protect privacy, minimise disclosure, and be accountable and transparent. Dropbox actually acknowledges that the law differentiates based on users’ location, notes that this is undesirable, and undertakes to work to improve this. Microsoft, Google, and Twitter give information on their general approach to foreign government requests in their law enforcement guidelines and user FAQs. Presumably companies have more detailed internal policies and procedures on how to handle international requests but, at the moment, there is no meaningful way to compare companies in order to reward the leaders or hold the laggards accountable.
What does it look like in practice?
Differences in company policies play out quite differently in practice, as can be seen in this chart of companies’ compliance rates. The chart shows a cross-section of countries that made a significant number of data requests to US internet companies and had very different success rates. Countries such as Argentina and Singapore really highlight how different the response from different companies can be. While there may not be a clear pattern between the companies, the data points for Microsoft fairly consistently hover towards the top of the chart (indicating a high compliance rate), while Twitter’s skim along the bottom. The other companies seem to shuffle around in the middle.
Are there legitimate explanations for these differences?
Maybe. A country’s request may be rejected for many reasons, including if the request:
- does not provide all the necessary information
- is overly broad
- asks for material that does not exist or the company no longer holds
- goes beyond what is permissible under law (eg seeking access to user content without a search warrant)
- raises policy reasons for denying the request (eg there is no dual criminality with the US or it raises concerns about freedom of speech).
When you consider the differences between Microsoft and Twitter, you can hypothesise that some of the relevant factors in their different compliance rates may include:
- The quality of the requests – when a country is familiar with a company’s product and its requirements for accessing user data, it may have a higher success rate. Here, it is worth noting that Microsoft is a long-standing company and has had a significant program for educating foreign law enforcement officers.
- Whether the company has a physical presence in a country – Microsoft has long had officers located abroad. This means that it is harder to hold a strong line because there are employees who can be targeted by local governments if head office refuses to hand over data.
- Company values and priorities – Twitter has long championed user rights and a robust approach to freedom of speech as part of their business branding.
- Scale – as a company grows in size and shareholders, stronger pressure to comply with law enforcement requests may come to bear.
Is this necessarily a Bad Thing?
It’s important to remember that providing user data to foreign law enforcement is not necessarily a Bad Thing. I know it’s not popular to say, but deciding whether or not to hand over data is not a clear case of upholding human rights versus giving in to the demands of bad governments. Effective criminal investigations and prosecutions improve fundamental rights such as the right to life or the right to property. Of course, inappropriate handling of user data can infringe the right to privacy, freedom of expression or religion, or other important rights.
At the moment, there is no efficient, effective, formal way for foreign governments to access user data from US internet companies. This means that governments increasingly go directly to the companies, and it is up to those company officers as to how they respond. Without laws or detailed public policies, it is impossible to judge whether these decisions are being made responsibly.
[cross-posted on http://cyberlaw.stanford.edu/blog]