Major U.S. technology companies have largely ended the
practice of quietly complying with investigators’ demands for e-mail records
and other online data, saying that users have a right to know in advance when
their information is targeted for government seizure.
This increasingly defiant industry stand is giving some of
the tens of thousands of Americans whose Internet data gets swept into criminal
investigations each year the opportunity to fight in court to prevent
disclosures. Prosecutors, however, warn that tech companies may undermine cases
by tipping off criminals, giving them time to destroy vital electronic evidence
before it can be gathered.
Fueling the shift is the industry’s eagerness to distance
itself from the government after last year’s disclosures about National Security Agency
surveillance of online services. Apple, Microsoft, Facebook and Google
all are updating their policies to expand routine notification of users about
government data seizures, unless specifically gagged by a judge or other legal
authority, officials at all four companies said. Yahoo announced similar
changes in July.
As this position becomes uniform across the industry, U.S.
tech companies will ignore the instructions stamped on the fronts of subpoenas
urging them not to alert subjects about data requests, industry lawyers say.
Companies that already routinely notify users have found that investigators
often drop data demands to avoid having suspects learn of inquiries.
“It serves to chill the unbridled, cost-free collection of
data,” said Albert Gidari Jr., a partner at Perkins Coie who represents several
technology companies. “And I think that’s a good thing.”
The Justice Department disagrees, saying in a statement that
new industry policies threaten investigations and put potential crime victims
in greater peril.
“These risks of endangering life, risking destruction of
evidence, or allowing suspects to flee or intimidate witnesses are not merely
hypothetical, but unfortunately routine,” department spokesman Peter Carr said,
citing a case in which early disclosure put at risk a cooperative witness in a
case. He declined to offer details because the case was under seal.
The changing tech company policies do not affect data
requests approved by the Foreign Intelligence Surveillance Court, which are
automatically kept secret by law. National security letters, which are
administrative subpoenas issued by the FBI for national security investigations,
also carry binding gag orders.
The government traditionally has notified people directly
affected by searches and seizures — though often not immediately — when
investigators entered a home or tapped a phone line. But that practice has not
survived the transition into the digital world. Cellular carriers such as
AT&T and Verizon typically do not tell customers when investigators collect
their call data.
Many tech companies once followed a similar model of quietly
cooperating with law enforcement. Courts, meanwhile, ruled that it was
sufficient for the government to notify the providers of Internet services of
data requests, rather than the affected customers.
Twitter, founded in 2006, became perhaps the first major
tech company to routinely notify users when investigators collected data, yet
few others followed at first. When the Electronic Frontier Foundation began
issuing its influential “Who Has Your Back?” report
in 2011 — rating companies on their privacy and transparency policies — Twitter
was the only company to get a star under the category “Tell users about data
demands.” Google, the next mostly highly rated, got half a star from the civil
liberties group.
The following
year, four other companies got full stars. The preparation of this year’s
report, due in mid-May, has prompted a new flurry of activity in the legal
offices of tech companies eager to gain a coveted star.
Google already routinely notified users of government data
requests but adopted an updated policy this week detailing the few situations
in which notification is withheld, such as when there is imminent risk of
physical harm to a potential crime victim. “We notify users about legal demands
when appropriate, unless prohibited by law or court order,” the company said in
a statement.
Lawyers at Apple, Facebook and Microsoft are working on
their own revisions, company officials said, although the details have not been
released. All are moving toward more routinely notifying users, said the
companies, which had not previously disclosed these changes.
“Later this month, Apple will update its policies so that in
most cases when law enforcement requests personal information about a customer,
the customer will receive a notification from Apple,” company spokeswoman
Kristin Huguet said.
The trend toward greater user notification gained new
urgency amid the government surveillance revelations made by former NSA
contractor Edward Snowden. Although the bulk data collection he disclosed was
for national security purposes, not routine criminal investigations, companies
grew determined to show that they prized their relationships with customers
more than those with authorities — a particularly sensitive issue overseas,
where the American tech industry has been lambasted as too cozy with the U.S.
government.
“Post-Snowden, there is a greater desire to compete on
privacy,” said Marc Zwillinger, founder of ZwillGen, a Washington-based law firm
that has major tech companies as clients. “Companies have had notice policies
and cared about these issues for years. It’s only now that it’s being discussed
at the CEO level.”
The changing legal standards of technology companies most
directly affect federal, state and local criminal investigators, who have found
that companies increasingly balk at data requests once considered routine. Most
now refuse to disclose the contents of e-mails or social media posts when
presented with subpoenas, insisting that the government instead seek search
warrants, which are issued only by judges and require the stricter legal
standard of probable cause.
Subpoenas, by contrast, can be issued by a broader range of
authorities and require only that the information sought be deemed “relevant”
to an investigation. A 2010 ruling by the U.S. Court of Appeals for the 6th
Circuit backed the industry’s contention that search warrants should be
required for digital content, a standard now widely accepted.
For data other than content — such as records showing the
senders and recipients of e-mails, the phone numbers registered with accounts
or identifying information about the computers used to access services —
companies have continued accepting subpoenas but warn investigators that users
will be notified before disclosure occurs.
“That was one of the purposeful burdens that was supposed to
limit government surveillance,” said Marc Rotenberg, a Georgetown University
law professor and executive director of the Electronic Privacy Information
Center. “As a historic matter, the intent always was that a person would be
notified.”
The shifting industry practices force investigators to make
difficult choices: withdraw data requests, allow notification to happen or go
to magistrate judges to seek either gag orders or search warrants, which typically
are issued under seal for a fixed period of time, delaying notification. Such
choices were made even more difficult by the rising
skepticism of magistrate judges, many of whom in recent years have
scrutinized such requests more carefully or rejected them altogether, legal
experts say.
“It’s sort of a double whammy that makes law enforcement’s
job harder,” said Jason M. Weinstein, former deputy assistant attorney general
of the Justice Department’s criminal division, now a partner at Steptoe &
Johnson. “It has the potential to significantly impair investigations.”
Ronald T. Hosko, a former FBI special agent who until his
recent retirement oversaw the criminal division at the Washington field office,
said the development of cases has been hurt by the threat of user notification,
especially during early phases when investigators try to work discreetly,
before a suspect potentially can destroy evidence. He said the shift among tech
companies has been driven mainly by concern about their public images, at the
expense of public safety — an issue he said was particularly acute when it came
to cases involving child predators or terrorists.
“My fear is that we will be less secure in our country, in
our houses, because of political decisions, because of the politics of the day,
rather than what will keep us safe,” Hosko said. “I’m concerned that that gets
people killed, that that gets people hurt.”
Companies that have policies to notify users of government
data collection say they make exceptions for cases of imminent danger to
potential victims, especially if the safety of a child is at risk. In the vast
majority of situations, however, users deserve to know who is collecting their
data and why, the companies say. The exceptions, they say, should be decided by
a judge — not by a company lawyer, and not by an investigator.
“The intent is to make sure it’s not a rubber stamp,” said
Dane Jasper, chief executive of Sonic.net, an Internet and phone provider in
California whose notification policy has won a star from EFF. “That way we’re
not releasing customer information without due process.”
No comments:
Post a Comment