Tuesday, February 4, 2014

BBC: Yahoo leads NSA-FBI account content data demands

4 February 2014 Last updated at 08:32 ET

By Leo Kelion, Technology reporter, BBC

US officials are able to request hidden photos published on Flickr as part of their Fisa orders

Fresh disclosures about national security requests indicate that Yahoo was ordered to hand over content from more accounts than other tech firms during the first six months of 2013.
Yahoo said it was told to release content from between 30,000 and 30,999 accounts over the period under the Foreign Intelligence Surveillance Act (Fisa).

Microsoft, Facebook, LinkedIn and Google have also published new figures.

Reporting rules were relaxed last week.

New reporting rules

After coming under pressure to allow the companies to disclose more information following the Snowden leaks, President Obama announced the firms could do one of two things:

Either break down details to disclose the number of Fisa demands for account content; Fisa demands for non-content data; and National Security Letters (NSLs) received.

If this option is picked the firms can reveal both the total number of requests and the total number of accounts affected, each in bands of 1,000.

Alternatively they can give a total figure for all national security-related requests received, grouping together Fisa court orders and NSLs.

If this option is picked the firms can reveal the total number of requests and the total number of accounts affected in smaller batches of 250.

Yahoo, Microsoft, Facebook and Google all opted for the former, while LinkedIn and Apple - which reported its figures last week - both chose the latter.

Yahoo said the types of content that might be requested included words in an email or instant message, photos posted online via its Flickr website, Yahoo Address book entries, and appointments entered into its Calendar product.

The firm has also published a transparency report for its Tumblr blogging platform that states the unit had never received a Fisa order or NSL.

One campaigner suggested such information had limited use.

"Transparency reports for a long time were really insightful tools for us to see what governments were asking the tech companies," Privacy International's Mike Rispoli told the BBC.

"Now we know that the game has changed.

"Governments do not need to go to companies to get user data - they can directly intercept it. They do not need to go through the front door anymore, they have kicked down the back door."

Content requests

The latest figures build on an updated report published by Apple last week.

It is now known that the number of US national security orders for content made between 1 January and 30 June 2013 was as follows:
  • Yahoo - between 30,000 and 30,999 accounts
  • Microsoft - between 15,000 and 15,999 accounts
  • Google - between 9,000 and 9,999 accounts
  • Facebook - between 5,000 and 5,999 accounts
  • Apple - between 0 and 249 accounts
  • LinkedIn - between 0 and 249 accounts
The number of accounts does not necessarily equate to the number of users since one person might own several.

The tallies also include requests for accounts that proved to be non-existent.

More transparency

Although the tech firms hope that the figures offer some reassurance about the scope of their co-operation with the US intelligence agencies, several of the companies took the opportunity to stress that they wanted reporting rules relaxed further.

Microsoft's Brad Smith has called on the authorities to pledge not to hack its equipment

"We still believe more transparency is needed so everyone can better understand how surveillance laws work and decide whether or not they serve the public interest," wrote Google's legal director Richard Salgado.

"Specifically, we want to disclose the precise numbers and types of requests we receive, as well as the number of users they affect in a timely way."

At present, any disclosure involving Fisa orders is subject to a six-month reporting delay.

National security orders explained

Fisa orders for disclosure of content:

Requests for the content of one or more users' accounts made by the NSA, FBI and other intelligence agencies that have been approved by a Washington-based panel of seven judges.

Officials do not have to identify each individual target or detail the specific types of communications they intended to monitor so long as they convince the court their purpose is to gather "foreign intelligence information".

Fisa orders for disclosure of non-content data:

This includes metadata - information about a communication rather than details of what was actually said or written.

This might include who the "to" and "from" are in an email, or the location it was sent from.

In addition the requests can include alternative email addresses registered by a user, their name and internet address.

National Security Letters:

These are requests made by the FBI that have not been approved by a court, but compel an organisation to hand over "the name, address, length of service" and other records linked to one or more of their subscribers as part of a national security investigation.

They cannot be used to request content.

By contrast the NSLs are not subject to a time restriction. As a result, Yahoo, Facebook, Microsoft and Google have now all given figures for the number of such letters they received from the FBI between 1 July and 31 December.

Hacking frustration

By their nature, the figures do not address data taken from the firms without their knowledge.

According to leaked documents published by the Washington Post, the NSA and GCHQ have broken into communication links connecting Google and Yahoo's data centres to copy records under a programme codenamed Muscular.

In addition, leaks reported by the Guardian suggest that GCHQ has copied data from fibre-optic cables used by the internet, and shared the information with the NSA as part of an operation called Tempora.

The tech companies are now encrypting more of their data to tackle this, but Microsoft's general counsel has demanded a response from the authorities.

"Despite the president's reform efforts and our ability to publish more information, there has not yet been any public commitment by either the US or other governments to renounce the attempted hacking of internet companies," Brad Smith wrote on the firm's blog.

"We believe the Constitution requires that our government seek information from American companies within the rule of law. We'll therefore continue to press for more on this point in collaboration with others across our industry."
