Transparency reports useful, but more info needed on ‘digital searches’

When the police knock on a crime suspect's door at 3 a.m. with a search warrant, they're typically let inside. They'll search the place, focusing on the relevant areas, then leave. The suspect knows the search is happening and what authorities are seeking. 

Not so in the digital space, where the government might present a search warrant, or court-sanctioned request, to a suspect's email provider or social network, asking for personal account information. No pounding on the door or boots on the ground, literally or metaphorically, serve as an alert that a search is underway.

“It used to be expensive to get a physical search warrant and search a house,” said Nate Cardozo, staff attorney at the Electronic Frontier Foundation (EFF), in an interview with SCMagazine.com. However, with the creation of digital accounts, searches are now “free, and the results are much more fruitful.”

The transition from physical to digital requests, in what Cardozo calls “The Golden Age of Surveillance,” has raised the hackles of privacy advocates. The EFF and American Civil Liberties Union (ACLU), as well as users and providers, have all demanded openness around the methodology of these requests and insight into their reasoning.

In response came transparency reports, which are supposed to answer questions about the number of requests governments are issuing, the amount of information they're asking for, and the percentage of cases in which information is handed over.

In email correspondence with SCMagazine.com, a Yahoo spokesperson said its reports are “driven by our commitment to and concern for our users' privacy, security and freedom of expression.” And Facebook claims on its transparency report page that it wants “to make sure that the people who use our service understand the nature and extent of the requests we receive and the strict policies and processes we have in place to handle them.”

While the reports are undoubtedly designed to shed light on government actions, especially after Edward Snowden's revelations that surveillance is more widespread than once believed and aimed at private citizens, experts noted that companies might use them as a marketing tactic to earn users' trust and demonstrate that they don't capitulate to voluminous government requests.

“User trust is critical to their business, particularly in an area where people are concerned about government overreaching,” said Katharine Kendrick, policy associate at the NYU Stern Center for Business and Human Rights, in an interview with SCMagazine.com.

Some companies might even file these reports because others are doing so, said Ryan Budish, fellow at the Berkman Center for Internet and Society at Harvard University, in an interview with SCMagazine.com. And not doing so might raise suspicions that a company has something to hide.

Even government entities have begun releasing their own reports.

Regardless of motive, experts and the companies that issue the reports see them as an encouraging step toward full government and company accountability, albeit one that could be improved.

“I certainly think it's been a positive trend in an area where we'll hopefully see more healthy competition and innovation among companies,” said Kendrick.

However, experts do see the current practice of presenting numbers as confusing to readers and, in some cases, counterproductive. For instance, the number of user requests received is typically presented without context, making it difficult for readers to decipher.

“Often times just giving a bunch of numbers to people can lead to the wrong story being published in a newspaper, or an end-user just feeling confused, or even worse, helpless,” said Budish.

To better understand the reports, experts suggested multiple ways to make sense of the data.

More than just looking at the numbers, Budish said, readers should concentrate on the narrative provided by the company to contextualize the data.

“Trying to understand the story that companies are telling through the transparency report is the better approach,” he said. “It's told through the kinds of information that companies are sharing through their report.”

For instance, in Dropbox's most recent transparency report, the company explained that although it received more requests, the trend remained steady, or proportional to its growing user base.

The type of information provided within the report can also help users make informed decisions about how trustworthy their chosen providers are.

“A vague report says something more about the company and their commitment to openness than a company who is being very specific and offering a lot of detail for its users,” Budish said.

Various privacy advocates, for example, spoke out against the Office of the Director of National Intelligence's first transparency report, released last June, for defining a “target” of intelligence collection as either “an individual person, a group, or an organization composed of multiple individuals or a foreign power.” In this case, the number of impacted accounts wasn't tallied. Instead, the data provided was an estimated number of targets covered under a particular request. In other words, those numbers can be deceiving.

Actions taken beyond issuing reports, such as encrypting emails, can also be indicative of a company's priorities. Google, one of the transparency report pioneers, recently exposed providers that lack email encryption. Alarmingly, less than one percent of worldwide emails from Gmail to Comcast.net were encrypted, which could imply that providers that don't encrypt have less regard for user data privacy.

To really get to the meat of reports, both Cardozo and Kendrick scrutinize a company's responses to government data requests. The number of requests in which information is provided can demonstrate whether a government is respecting their data and country's laws, Cardozo said. 

“It's a decent proxy into how good that government is doing, in terms of sending appropriate or inappropriate requests,” he said.

Kendrick echoed that sentiment, saying that this stat “really says something about how the government and company are interacting.”

Although much of the information in the reports is useful, they can fall short of the stated goal to keep governments honest, in part because companies must operate within certain legal constraints.

One of the most controversial limitations is the reporting of national security requests, which include FISA orders and national security letters (NSLs). The U.S. government only recently began allowing companies to more concretely report these numbers. There is a catch, however.

Companies can only report NSLs and FISA order requests in ranges of 1,000, if the requests are revealed separately. If combined under the general national security request term, they can only be reported in increments of 250.

Companies might have won a small victory when they got permission to start reporting these numbers. However, their large span doesn't really illuminate what's going on behind the scenes, Cardozo said.

“We don't know if there's been a 25 percent increase (or what),” he said. “That matters and is important to our democracy.”

Beyond the expanded reporting of national security requests, companies, privacy advocates and experts want more clarity in the reports.

The next generation of transparency reports should be standardized, Budish contended. Every company would “speak the same language” and account for requests in the same way. For example, he cited a person with multiple accounts with the same provider. If the provider knows this, he asked, does that count as a single request? Right now, that's left up to companies to decide with no standard for reporting.

“It's hard to get a real sense of what's happening more broadly because we can't get a sense of what's happening across reports,” he said.

Better yet, Budish said, getting companies to release multiple reports that cater to different audiences would be the ultimate success.

Similarly, Kendrick would want companies to divulge more of the process behind the reports.

"There's been a great focus on improving the numbers and the quantitative aspect of transparency reporting," she said. "What I'd like to see more of, though, is not only honing the number of requests but also more information on how the requests are made through the government."
