The New Transparency Guidelines

DOJ and the tech companies just came to a deal on new transparency reporting. (h/t Mike Scarcella) It is a big improvement over what the government offered last year, which was:

Option One: Provide total number of requests (criminal NSL, FISA) and total number of accounts targeted, broken out by 1000s

Option Two: Provide exact number of criminal requests and accounts affected, and number of NSLs received and accounts affected, broken out by 1000s, without providing any numbers on FISC service

This approach basically permitted the government to hide the FISC surveillance, by ensuring it only ever appeared lumped into the larger universe of criminal requests, along with other bulk requests. In addition, it didn’t let providers say whether they were mostly handing over metadata (NSLs would be limited to metadata, though FISC requests might include both metadata and content) or content in a national security context.

The new solution is:

Option One: Biannual production, with a 6-month delay on FISC reporting

  1. Criminal process, subject to no restrictions
  2. NSLs and the number of customer accounts affected by NSLs, reported in bands of 1000, starting at 0-999
  3. FISA orders for content and the number of customer selectors targeted, both reported in bands of 1000, starting at 0-999
  4. FISA orders for non-content and the number of customer selectors targeted, both reported in bands of 1000, starting at 0-999*

This option imposes a two-year delay on reporting for new (internally developed or purchased) platforms, products, or services. So, for example, if Google started to get Nest orders today, Google couldn't include them in its reporting until 2 years from now.

Option Two:

  1. Criminal process, subject to no restrictions
  2. Total national security process, including NSLs and FISA lumped together, reported in bands of 250, starting at 0-250
  3. Total customer selectors targeted under all national security requests, reported in bands of 250, starting at 0-250

* The order has a footnote basically saying the government hasn’t ceded the issue of reporting on the phone dragnet yet (though only tech companies were parties to this, and their only telecom production would be VOIP).

So my thoughts:

First, you can sort of see what the government really wants to hide with these schemes. They don't want you to know if they submit a single NSL or 215 order affecting 1000 customers, which could possibly show up without the bands. They don't want you to see if there's a provider getting almost no requests (which would be hidden by the initial bands).

And obviously, they don’t want you to know when they bring new capabilities online, in the way they didn’t want users to know they had broken Skype. Though at this point, what kind of half-assed terrorist wouldn’t just assume the NSA has everything?

I think the biggest shell game might arise from the distinction between account (say, my entire Google identity) and selector (my various GMail email addresses, Blogger ID, etc). By permitting reporting on selectors, not users, this could obscure whether a report affects 30 identities of one customer or the accounts of 30 customers. Further, there’s a lot we still don’t know about what FISC might consider a selector (they have, in the past, considered entire telecom switches to be).

But it will begin to give us an outline of how often they’re using NatSec process as opposed to criminal process, which providers are getting primarily NSL orders and which are getting potentially more exotic FISC orders. Further, it will tell us more about what the government gets through the PRISM program, particularly with regard to metadata versus content.

Update: Apple's right out of the gate with their report of fewer than 250 orders affecting fewer than 250 "accounts," which doesn't seem to be how they're supposed to report using that option.

Update: Remember, Verizon issued a transparency report itself, just 5 days ago. Reporting under these new guidelines wouldn’t help them much as the government has bracketed whether it could release phone dragnet information. Moreover, Verizon is almost certainly one of the telecoms that provide upstream content; that would likely show up as just one selector, but it’s not clear how it gets reported.
