2013 06 11 FRB Google’s War On Government Secrecy – Forbes
Google’s War On Government Secrecy
The report reveals the number of times the government asks for information about users, but has not included the classified requests that have been the subject of debate due to an NSA leak
Google’s Larry Page and Facebook’s Mark Zuckerberg made adamant announcements on Friday that the government doesn’t have back doors to their servers. The announcements were remarkably similar except Page was able to include this line: “Google has worked hard, within the confines of the current laws, to be open about the data requests we receive. We post this information on our Transparency Report whenever possible.” Zuckerberg could not include a line like that because Facebook doesn’t have a “Transparency Report,” a public recounting of the number of times his company has been asked to turn over information to the government in a given year. A concept first introduced by Google in 2009, it is becoming increasingly popular among tech companies; Twitter and Microsoft are among the handful that now release similar reports.
Given that history, it’s not surprising that Google is the first of the Silicon Valley companies ensnared in the NSA controversy to make an official push for the government to allow it to disclose information about the secret legal requests that have come under scrutiny in the last week thanks to a leak by IT worker Edward Snowden. Google’s chief legal officer David Drummond sent a letter Tuesday to Attorney General Eric Holder and FBI Director Robert Mueller asking for permission to publish “aggregate numbers of national security requests, including FISA disclosures—in terms of both the number we receive and their scope.” Google, along with Yahoo, Apple, Facebook, AOL and the suddenly-in-the-limelight PalTalk, is in the awkward position of not being able to respond to disclosures about handover of information to the NSA because the first rule of being part of the NSA Club is that you’re not allowed to talk about the NSA Club.
“Google’s numbers would clearly show that our compliance with these requests falls far short of the claims being made,” writes Drummond in full privacy-damage-control mode. “Google has nothing to hide.”
If the government should grant Google the right to shed light on the Foreign Intelligence Surveillance Act (FISA) requests it receives, those numbers would join the Transparency Report package that currently reveals yearly (non-secret) requests from government agencies and courts for information about Google product users around the world and from copyright owners and governments for Google to spike material.
When Google first started providing that data, it was a radical move. The discussion about drawing the curtain back on the degree to which information was changing hands between Google GOOG -1.37% and governments around the world started in late 2009, according to Dorothy Chou, a stylish 27-year-old policy manager who spends 50 percent of her time on the Transparency Report, and Matt Brathwaite, 38, an articulate, long-time Googler who is the Report’s lead engineer.
Chou says the directive to disclose information about how often Google was being asked to turn info over to governments came directly from the executive team. Google’s chief lawyer, David Drummond, wanted “people to understand how government behavior affects the Internet,” recounts Chou. In April 2010, Google published its first “government requests tool,” as it was called at the time, which showed how often governments had asked Google to remove content from their services and to hand over private user data from Gmail, YouTube, and the company’s many other products.
“Search engines and ISPs have for years refused to tell the public how many times the cops and feds have forced them to turn over information on users,” wrote Ryan Singel in Wired at the time. “Google broke that unwritten code of silence Tuesday.”
In that first report –which broke the requests down by country — Brazil and the U.S. led the pack, with over 3,000 data requests each, which reflected the popularity of Google products in those countries and their resulting usefulness in investigations. Policy manager Dorothy Chou said Google wasn’t concerned about the scrutiny it might get for being the only company showing what was happening behind the scenes at its legal department, but did wonder if releasing the number of requests would lead governments to ask for more. “If they did, we would just be more transparent about it,” she says.
“The first map was super thin,” says Matt Braithwaite. “The data was collected by legal assistants and the website was put together by a volunteer webmaster. It was a good idea in the wilderness.”
Like Pinocchio becoming a “real boy,” once the information found a home in the form of a website, it began to grow. When Chou was based in Google’s D.C. office, she often fielded calls from reporters asking if Google products were down in particular countries so they could report, for example, whether a particular government had blocked access to YouTube. “There was no way to tell,” Chou says. “No one was looking at traffic by country because there was no need to,” adds Braithwaite.
Chou mentioned the problem to then-engineering head, now-privacy director Lawrence You who got an engineer in New York to tackle it. The Google executive team didn’t want the information available in real time but were willing to release an archive of past shutdowns. A request to develop it further was sent to Google’s “20% list” — aimed at Google employees looking for a way to fill the 20% of their time that’s allotted for personal projects — and Braithwaite volunteered.
Initially, execs were uncomfortable with the idea of Google releasing traffic information to the public (and to its competitors) so it provided only historical reports, but during the Arab Spring in 2011, Google made the tool real-time, per the request of those same executives. Now the tool is “like an EKG reading for the Internet,” says Braithwaite. Google annotates the outages with the suspected reasons for them based on news reports at the time. Most are government disruptions but not all; in 2011, for example, a Georgian woman scavenging for copper took down Internet service for all of Armenia.
“There was a philosophical similarity between government requests for information and blockages of services that didn’t involve courts,” he says. “We realized we could combine the two.”
Among the discarded suggestions for the title of the combined report was “Google Lantern.” Chou and Braithwaite laugh now at the overt reference to Google ‘shining the light’ on this information. Google instead settled on “Transparency Report.”
“There’s a certain studied neutrality in the language,” says Braithwaite. “It’s interesting that other companies have adopted the same language.”
A number of other companies have now started issuing their own data reports, including Twitter (starting in January 2012), Microsoft (in March of this year), and Dropbox. Facebook, Yahoo, and Apple — other companies revealed to be part of the NSA’s data collection program PRISM — have not jumped on the Transparency bandwagon, nor have any telecoms or Internet Service Providers, with the exception of the tiny, but privacy-conscious, Sonic.net. Google’s four-year history of releasing this information gives more insight into the upward trend in the government turning to Internet companies for evidence during investigations:
The self-reported numbers come from these companies’ transparency reports. It’s worth noting that a single request can affect multiple users. In 2012, Google said the requests affected over 31,000 users/accounts; for Microsoft, that number was over 24,500.
The numbers pale in comparison to the volume of requests being sent to telecoms. Verizon, AT&T, and Sprint don’t have transparency reports, but we got a peek at the volume last year when Sen. Ed Markey asked those companies to tell him how often they were responding to government requests for information. The combined response was staggering: 1.3 million times in 2011. That’s a large number, but it would be much higher if it took into account the classified requests coming in from the NSA.
In recent months, Google has waged legal campaigns to avoid turning over user data in response to National Security Letters (which come with gag orders), arguing that the secret, warrantless requests are illegal. In March, in a small act of rebellion — but with the approval of the government — it added to its reports NSL requests for user data, though in a very generic form. “It took two years of negotiation with the FBI and the Department of Justice; this was the compromise,” said Braithwaite.
“The FBI has the authority to prohibit companies from talking about these requests,” wrote Google lawyer Richard Salgado at the time. “But we’ve been trying to find a way to provide more information about the NSLs we get—particularly as people have voiced concerns about the increase in their use since 9/11.”
In his letter to the DoJ and the FBI on Tuesday, chief legal officer David Drummond cited the NSL letter disclosure as a reason why the government should allow it to provide transparency around FISA and NSA requests.
“Google appreciates that you authorized the recent disclosure of general numbers for national security letters. There have been no adverse consequences arising from their publication,” he writes. “Transparency here will likewise serve the public interest without harming national security.”
As with Transparency Reports, other companies are following Google’s lead. Twitter and Microsoft have echoed its calls for transparency in public statements. Facebook did as well, in a statement again worded very similarly to Google’s, that ended by saying that Facebook may join the Transparency crowd. Facebook lawyer Ted Ullyot writes that the social network “urge(s) the United States government [to allow] companies to include information about the size and scope of national security requests we receive, and look(s) forward to publishing a report that includes that information.”