As I noted yesterday, Verizon conveniently released its own transparency report 5 days before the government approved new transparency guidelines (according to one report, the deal was substantially completed earlier in the month, but had to wait on some tweaks to follow Obama’s speech).
Had Verizon released a transparency report yesterday, it would have added at least the following two details:
Non-Content FISA orders:
4 orders affecting 107,700,000 customers
Content FISA orders:
? orders affecting ? selectors (probably measuring the number of search terms — maybe something like “250” — Verizon searches for off its upstream collection affecting millions of people)
It would have painted a very different picture.
It turns out they did have time scheduled to write transparency claims yesterday. They released this statement attempting to reassure customers that Verizon doesn’t comply with any US government orders for data stored overseas. (h/t Chris Soghoian) Here’s an excerpt:
Over the past year there has been extensive discussion around the world about government demands for data. Last week, Verizon released a Transparency Report outlining the number of law enforcement requests for customer information that we received in 2013. In the report we noted that in 2013 we did not receive any demands from the United States government for data stored in other countries.
Although we would not expect to receive any such demands, there are persistent myths and questions about the U.S. government’s ability to access customer data stored in cloud servers outside the U.S. Now is a good time to dispel these inaccuracies and address the questions, which have been exacerbated by the stream of news reports since last June about national intelligence activities in the U.S. and elsewhere.
Our view on the matter is simple: the U.S. government cannot compel us to produce our customers’ data stored in data centers outside the U.S., and if it attempts to do so, we would challenge that attempt in court.
The section of the national security laws often cited as granting the U.S. government authority to access data stored abroad is Section 215 of the Patriot Act.
While Section 215 allows a court to issue an order requiring a company operating in the U.S. to produce certain business records, it does not give the U.S. government the power to act outside the U.S. More importantly, Section 215 does not grant the U.S. government access to customer data stored in the cloud; it only applies to business records of the cloud provider itself. So the U.S. government cannot use Section 215 to compel a company to produce customer data stored in data centers outside the U.S.
Finally, Section 702 of the Patriot Act also is not an option for the U.S. government to compel a U.S. company to turn over customer data stored in a data center outside the U.S. because the U.S. company does not have possession, custody or control of that data.
customer data stored in data centers outside the U.S.
data stored outside the U.S.
data stored in the cloud outside the U.S.
there should be no concern about the U.S. government compelling Verizon to disclose data our customers store in Verizon data centers outside the U.S. [my emphasis]
So having dodged by 5 days the obligation to report on all the data stored in the US it hands over to the government, it now wants to make claims about Verizon customer data stored overseas.
Stored, stored, stored, stored, stored, stored, stored, stored, stored, stored, store.
It chose not to say anything about data in transit, either here or in the US. In the US it is now permitted to talk about the data it collects in transit off its cables for the government in response to FISA Section 702 orders (though the deal only permits reports every 6 months; I guess it’s hoping we’ll forget about this soon).
To say nothing of the data it collects as it transits overseas and provides to the government, perhaps in response to a polite request?
I’m actually most interested in Verizon’s claim it could not be required to turn over data stored overseas under Section 702.
Wouldn’t it primarily be served such a request under Section 703, which requires a warrant for electronic surveillance or access to stored communications of Americans overseas? Actually, I don’t know the answer to that — no one seems to, and I’ve been asking a lot of lawyer types.
But if Verizon says it can’t be served with an order for data stored overseas (in truth, many 703 orders must relate to searches conducted here on people who are physically overseas, but still), then the government isn’t using 703 in all the cases it is required to.
Whatever: the message to all you Europeans seems clear. Verizon would never let the government touch data it had in its own servers. Nosirree!
As far as data transiting its cables? All bets are off.
In essence, the government doesn’t need to ask Verizon for what it has stored anywhere because it intercepts the data on its way and stores it itself.
Nice bit of selective deniability there, Verizon.
Systems such as XKEYSCORE cannot function without the cooperation of the telecommunications companies. As the slides attest (particularly the ones O Globo Fantastico has shown), many of the SSO sites that operate have partners in the private business world. We know that they have interception (really it is likely traffic mirroring) at the interconnection points between telecommunications companies and likely on major internet backbone interconnections and long haul and back haul communications lines.
Now, one could argue that the NSA could do Man-In-The-Middle re-routing of traffic by inserting bogus Autonomous System servers pretending to be ATT or Verizon servers, for example, to re-route via Border Gateway Protocol (BGP) exploits. But this would require those companies to either simply not care (they don’t monitor ASNs) or have some sort of arrangement with the NSA.
Some real route hijacking examples of how this works can be seen in this article
But the reality of the situation, just in terms of XKEYSCORE, is that you simply cannot collect all internet traffic unless you have access to all the major nodes in the routing system that drives the internet.
It would be nice to know which telecommunications companies provide the lines and routes between Google data centers worldwide or Yahoo data centers worldwide – the volume of traffic each would have likely travels over dedicated lines. Then perhaps Verizon or other telecommunications companies can explain their involvement with MUSCULAR.
More so, perhaps Verizon could explain whether or not they provide SMS messages to DISHFIRE – since SMS messages travel within the telephone networks. Or their participation in Cell Phone Geolocation collection via FASCIA.
Now it is possible that Verizon would have no idea about such things, but I doubt it.
I would like to see how a company like Akamai Technologies fits into all of this. You can check them out via Wikipedia or elsewhere on the internet. They could (I am not saying they are) effectively be a Man-In-The-Middle conduit for the NSA.
I can’t wait to see where this leads. Verizon asserts that a company cannot be compelled to turn over customer data stored outside the US; they say this BECAUSE the company lacks possession, custody and control of the data. Yet it can retrieve it for the customer on demand.