The New Transparency Guidelines

DOJ and the tech companies just came to a deal on new transparency reporting. (h/t Mike Scarcella) It is a big improvement over what the government offered last year, which was:

Option One: Provide total number of requests (criminal NSL, FISA) and total number of accounts targeted, broken out by 1000s

Option Two: Provide exact number of criminal requests and accounts affected, and number of NSLs received and accounts affected, broken out by 1000s, without providing any numbers on FISC service

This approach basically permitted the government to hide the FISC surveillance, by ensuring it only ever appeared lumped into the larger universe of criminal requests, along with other bulk requests. In addition, it didn’t let providers say whether they were mostly handing over metadata (NSLs would be limited to metadata, though FISC requests might include both metadata and content) or content in a national security context.

The new solution is:

Option One: Biannual production, with a 6-month delay on FISC reporting

  1. Criminal process, subject to no restrictions
  2. NSLs and the number of customer accounts affected by NSLs, reported in bands of 1000, starting at 0-999
  3. FISA orders for content and the number of customer selectors targeted, both reported in bands of 1000, starting at 0-999
  4. FISA orders for non-content and the number of customer selectors targeted, both reported in bands of 1000, starting at 0-999*

This option imposes a two-year delay on reporting for new (internally developed or purchased) platforms, products, or services. So for example, if Google started to get Nest orders today, Google couldn’t include it in their reporting until 2 years from now.

Option Two:

  1. Criminal process, subject to no restrictions
  2. Total national security process, including NSLs and FISA lumped together, reported in bands of 250, starting at 0-250
  3. Total customer selectors targeted under all national security requests, reported in bands of 250, starting at 0-250

* The order has a footnote basically saying the government hasn’t ceded the issue of reporting on the phone dragnet yet (though only tech companies were parties to this, and their only telecom production would be VOIP).

So my thoughts:

First, you can sort of see what the government really wants to hide with these schemes. They don’t want you to know if they submit a single NSL or 215 order affecting 1000 customers, which it’s possible might appear without the bands. They don’t want you to see if there’s a provider getting almost no requests (which would be hidden by the initial bands).

And obviously, they don’t want you to know when they bring new capabilities online, in the way they didn’t want users to know they had broken Skype. Though at this point, what kind of half-assed terrorist wouldn’t just assume the NSA has everything?

I think the biggest shell game might arise from the distinction between account (say, my entire Google identity) and selector (my various GMail email addresses, Blogger ID, etc). By permitting reporting on selectors, not users, this could obscure whether a report affects 30 identities of one customer or the accounts of 30 customers. Further, there’s a lot we still don’t know about what FISC might consider a selector (they have, in the past, considered entire telecom switches to be).

But it will begin to give us an outline of how often they’re using NatSec process as opposed to criminal process, which providers are getting primarily NSL orders and which are getting potentially more exotic FISC orders. Further, it will tell us more about what the government gets through the PRISM program, particularly with regard to metadata versus content.

Update: Apple’s right out of the gate with their report of fewer than 250 orders affecting fewer than 250 “accounts,” which doesn’t seem to be how they’re supposed to report using that option.

Update: Remember, Verizon issued a transparency report itself, just 5 days ago. Reporting under these new guidelines wouldn’t help them much as the government has bracketed whether it could release phone dragnet information. Moreover, Verizon is almost certainly one of the telecoms that provide upstream content; that would likely show up as just one selector, but it’s not clear how it gets reported.
