Apple, Facebook, others defy authorities, notify users of secret data demands
By Craig Timberg
May 1, 2014
Major U.S. technology companies have largely ended the practice of quietly complying with investigators’ demands for e-mail records and other online data, saying that users have a right to know in advance when their information is targeted for government seizure.
This increasingly defiant industry stand is giving some of the tens of thousands of Americans whose Internet data gets swept into criminal investigations each year the opportunity to fight in court to prevent disclosures. Prosecutors, however, warn that tech companies may undermine cases by tipping off criminals, giving them time to destroy vital electronic evidence before it can be gathered.
Fueling the shift is the industry’s eagerness to distance itself from the government after last year’s disclosures about National Security Agency surveillance of online services. Apple, Microsoft, Facebook and Google all are updating their policies to expand routine notification of users about government data seizures, unless specifically gagged by a judge or other legal authority, officials at all four companies said. Yahoo announced similar changes in July.
As this position becomes uniform across the industry, U.S. tech companies will ignore the instructions stamped on the fronts of subpoenas urging them not to alert subjects about data requests, industry lawyers say. Companies that already routinely notify users have found that investigators often drop data demands to avoid having suspects learn of inquiries.
“It serves to chill the unbridled, cost-free collection of data,” said Albert Gidari Jr., a partner at Perkins Coie who represents several technology companies. “And I think that’s a good thing.”
The Justice Department disagrees, saying in a statement that new industry policies threaten investigations and put potential crime victims in greater peril.
“These risks of endangering life, risking destruction of evidence, or allowing suspects to flee or intimidate witnesses are not merely hypothetical, but unfortunately routine,” department spokesman Peter Carr said, citing a case in which early disclosure put at risk a cooperative witness in a case. He declined to offer details because the case was under seal.
The changing tech company policies do not affect data requests approved by the Foreign Intelligence Surveillance Court, which are automatically kept secret by law. National security letters, which are administrative subpoenas issued by the FBI for national security investigations, also carry binding gag orders.
The government traditionally has notified people directly affected by searches and seizures — though often not immediately — when investigators entered a home or tapped a phone line. But that practice has not survived the transition into the digital world. Cellular carriers such as AT&T and Verizon typically do not tell customers when investigators collect their call data.
Many tech companies once followed a similar model of quietly cooperating with law enforcement. Courts, meanwhile, ruled that it was sufficient for the government to notify the providers of Internet services of data requests, rather than the affected customers.
Twitter, founded in 2006, became perhaps the first major tech company to routinely notify users when investigators collected data, yet few others followed at first. When the Electronic Frontier Foundation began issuing its influential “Who Has Your Back?” report in 2011 — rating companies on their privacy and transparency policies — Twitter was the only company to get a star under the category “Tell users about data demands.” Google, the next mostly highly rated, got half a star from the civil liberties group.
The following year, four other companies got full stars. The preparation of this year’s report, due in mid-May, has prompted a new flurry of activity in the legal offices of tech companies eager to gain a coveted star.
Google already routinely notified users of government data requests but adopted an updated policy this week detailing the few situations in which notification is withheld, such as when there is imminent risk of physical harm to a potential crime victim. “We notify users about legal demands when appropriate, unless prohibited by law or court order,” the company said in a statement.
Lawyers at Apple, Facebook and Microsoft are working on their own revisions, company officials said, although the details have not been released. All are moving toward more routinely notifying users, said the companies, which had not previously disclosed these changes.
“Later this month, Apple will update its policies so that in most cases when law enforcement requests personal information about a customer, the customer will receive a notification from Apple,” company spokeswoman Kristin Huguet said.
The trend toward greater user notification gained new urgency amid the government surveillance revelations made by former NSA contractor Edward Snowden. Although the bulk data collection he disclosed was for national security purposes, not routine criminal investigations, companies grew determined to show that they prized their relationships with customers more than those with authorities — a particularly sensitive issue overseas, where the American tech industry has been lambasted as too cozy with the U.S. government.
“Post-Snowden, there is a greater desire to compete on privacy,” said Marc Zwillinger, founder of ZwillGen, a Washington-based law firm that has major tech companies as clients. “Companies have had notice policies and cared about these issues for years. It’s only now that it’s being discussed at the CEO level.”
The changing legal standards of technology companies most directly affect federal, state and local criminal investigators, who have found that companies increasingly balk at data requests once considered routine. Most now refuse to disclose the contents of e-mails or social media posts when presented with subpoenas, insisting that the government instead seek search warrants, which are issued only by judges and require the stricter legal standard of probable cause.
Subpoenas, by contrast, can be issued by a broader range of authorities and require only that the information sought be deemed “relevant” to an investigation. A 2010 ruling by the U.S. Court of Appeals for the 6th Circuit backed the industry’s contention that search warrants should be required for digital content, a standard now widely accepted.
For data other than content — such as records showing the senders and recipients of e-mails, the phone numbers registered with accounts or identifying information about the computers used to access services — companies have continued accepting subpoenas but warn investigators that users will be notified before disclosure occurs.
“That was one of the purposeful burdens that was supposed to limit government surveillance,” said Marc Rotenberg, a Georgetown University law professor and executive director of the Electronic Privacy Information Center. “As a historic matter, the intent always was that a person would be notified.”
The shifting industry practices force investigators to make difficult choices: withdraw data requests, allow notification to happen or go to magistrate judges to seek either gag orders or search warrants, which typically are issued under seal for a fixed period of time, delaying notification. Such choices were made even more difficult by the rising skepticism of magistrate judges, many of whom in recent years have scrutinized such requests more carefully or rejected them altogether, legal experts say.
“It’s sort of a double whammy that makes law enforcement’s job harder,” said Jason M. Weinstein, former deputy assistant attorney general of the Justice Department’s criminal division, now a partner at Steptoe & Johnson. “It has the potential to significantly impair investigations.”
Ronald T. Hosko, a former FBI special agent who until his recent retirement oversaw the criminal division at the Washington field office, said the development of cases has been hurt by the threat of user notification, especially during early phases when investigators try to work discreetly, before a suspect potentially can destroy evidence. He said the shift among tech companies has been driven mainly by concern about their public images, at the expense of public safety — an issue he said was particularly acute when it came to cases involving child predators or terrorists.
“My fear is that we will be less secure in our country, in our houses, because of political decisions, because of the politics of the day, rather than what will keep us safe,” Hosko said. “I’m concerned that that gets people killed, that that gets people hurt.”
Companies that have policies to notify users of government data collection say they make exceptions for cases of imminent danger to potential victims, especially if the safety of a child is at risk. In the vast majority of situations, however, users deserve to know who is collecting their data and why, the companies say. The exceptions, they say, should be decided by a judge — not by a company lawyer, and not by an investigator.
“The intent is to make sure it’s not a rubber stamp,” said Dane Jasper, chief executive of Sonic.net, an Internet and phone provider in California whose notification policy has won a star from EFF. “That way we’re not releasing customer information without due process.”
Ann E. Marimow contributed to this report.