First:
Thank you Snowden for introducing Privacy as a Banner issue which makes things like competing on providing greater privacy a "Business Differentiator".
Before the disclosures there was only a murmur of privacy violations that too only amongst the tech literate. Yesterday the old guy manning the register at a store said "Now they can't track you when you pay by cash" to the customer in-front of me.
Second:
What a lazy-ass way to dragnet everybody and get stuck with huge irrelevant data!
If you really suspected some one, the govt. should be able to convince a judge to get a "tap&gag".
Sorry for the tangent here, but I'm curious; how were they previously tracking customers paying with cash? Was it some form of membership with the store that would need to be provided on checkout?
...allow notification to happen or go to magistrate judges to seek either gag orders or search warrants, which typically are issued under seal for a fixed period of time, delaying notification
Yes, whine-away, when law enforcement is required to get an adult in the room before they go all Rambo, "obviously the terrorists have won".
"The changing tech company policies do not affect data requests approved by the Foreign Intelligence Surveillance Court, which are automatically kept secret by law. National security letters, which are administrative subpoenas issued by the FBI for national security investigations, also carry binding gag orders."
But also:
"The shifting industry practices force investigators to make difficult choices: withdraw data requests, allow notification to happen or go to magistrate judges to seek either gag orders or search warrants, which typically are issued under seal for a fixed period of time, delaying notification."
I hope that the public don't misunderstand these two things.
So in the most recent time period reported, there were ~12,000 requests for data, and between 0 and 1000 of them for NSL/FISA requests. Meaning these policies theoretically affect over 90% of the requests.
Providing this perspective in contrast to the "this changes nothing" sentiment.
So nothing has really changed then. Its more marketing than substance in the hope that fluffy minimal changes to their policy will restore confidence while the same thing is continuing to happen.
No, this is different. In the past, tech companies might comply with requests from prosecutors to not inform customers that their data has been requested. This story claims that tech companies now require a gag order from a judge (FISC or otherwise).
I have a lot of issues with FISA, but it sounds as though FISA requests are a far rarer than prosecutors requesting records. To restore balance we really do need to get back to requiring judges to weigh each request for data individually.
Meanwhile, all emails older than 180 days are still considered "legally abandoned" and any government agency can look at them with a simple statement saying they are relevant to an investigation.
Does anyone know if user notifications are being sent when those emails are accessed too?
TBH, the default at all tech companies once they reach a certain size is to make a page that notifies users every time they are included in any query and the purpose of that query.
I should be able to go to Facebook, Google or any other large company and see every single query where I was included in the results. Every query run should include a 1-4 sentence blurb explaining the purpose of the query run and an ID that can identify the employee/entity/user that ran the query. A large hash table could be used to anonymize the counterparty. Users, when seeing a suspicious query, could then petition the companies to divulge more information about the query in question, possibly even resorting to the courts if they can make a reasonable appeal for the information.
I would love to see the EU to push for this as the default. If this was the default, then public policies researchers could gather data from volunteers to get a better picture of how companies are using personal data.
Pressure your government to demand "we won't spy on your citizens" pledges from each of their allies. If the US declines, ask how it can seriously call itself an ally.
I think people in the US don't understand effectively how afraid US allies are about criticising it. No one ever wants to stick it's head above the parapet and risk damaging relations - even when the US does bad stuff like torture in Gitmo. Especially if your from a small country. Even a big country like Germany is more afraid about damaging relations than standing up for the rights of its own citizens.
True, but the constitution does make deliberate distinction between 'people' rights and 'citizen' rights. Due process is among those that affect more than just citizens.
Today I noticed my French insurance contract for my company explicitly forbid me from storing data in the US. It's certainly not related to privacy, but I'm happy they push that way.
"... companies grew determined to show that they prized their relationships with customers more than those with authorities"
I've noticed that the words 'customer' and 'user' are starting to draw my conscious attention when I see them used (and misused) in mainstream journalism.
Consider: For most of the companies listed in this article, the customer is exactly that -- someone who pays the company for something, e.g. a cable or internet subscriber.
But for Google, Facebook, et al, the customer isn't the user; the customer is the advertiser. The user is the product. Google's customers could care less about privacy and user notification, except insofar as it spooks the users away from the service.
The distinction is worth keeping in mind when trying to gauge just how far companies might take this newfound willingness to resist.
I'm not really sure about this customer/product distinction. Both the people who view the ads and the people who buy the ad placement give Google something they want in exchange for something they have.
That is, Google has products and services that it gives to customers in exchange for their eyeballs. Then, Google is able to convert some of those eyeballs into clicks, which they sell to advertisers in exchange for money.
The transfer of goods in exchange for value is not only possible when money exchanges hands.
If Google was unable to create products that convinced one of its classes of customers to sell their eyeballs, they would not be able to resell the eyeballs for cash.
"... companies grew determined to show that they prized
their relationship with their product more than their
relationships with paying customers, such as advertisers,
as well as other non-paying, but similarly coercive
entities, such as law enforcement organizations"
Yeah... I'm not sure how I feel about that version... It kind of makes me want to crawl in a hole and die.
They will not ignore a legal gag order (court order or national security letter).
They will only ignore non-legally-binding requests to keep quiet, which they previously complied with, but which they were never under any obligation to comply with.
They won't even refuse to provide data to law enforcement. Today's announcement only concerns whether the person whose data it is gets notified or not.
Yeah it's illegal, but what the government does is also illegal apparently. So what if a company ignored the gag order, what would REALISTICALLY happen. Will the CEO be jailed or will they not be able to put anybody into prison. Will they have have to pay a $5M fine, will they have to pay a $500M fine? Or will the companies be able to supersede the government.
Every push notification ever sent and the data it holds. Text messages, location data, credit cards, addresses and even backups. Apple's data mines are virtually endless.
Are you sure? I think it's definitely a significant enough amount to be mentioned with the others either way.
Not to mention the fact that a users interaction with Facebook is completely different from their interaction with Apple. Most people keep especially private data off of Facebook, but practically no I-phone user stops to think if a photo might be incriminating/embarrassing in the future before they take it. And that's just Photostream.
People backing up their devices to iCloud stand to lose even more.
Enough to be mentioned. To be used as the primary example and including Google as others?! Sounds more like an author that is getting paid for every Apple mention in an article title.
This should be qualified with: since they already have it via credit card companies. You give your social security number when getting a credit card for a /lot/ of reasons. And these tend to be a good reasons.
1) It actually tells you why in the article and
2) She's asking why a particular question isn't answered in a FREQUENTLY ASKED questions section but is under the settings. That's kind of the point of an FAQ - to only answer frequently asked questions.
that is why I pointed to this article, but the reason I asked this question was to let everyone know (who didn't already know) because I think it is important.
Obama hasn't done his job of bringing change. Quite what the word "hope" means to him is anyone's guess. What we've got instead is a system of government so ridiculous and bizarre that it's not worth following at all.
What are the legal consequences to these large tech companies tipping off users? Are these companies just calling the bluff of enforcement agencies who are not willing to risk the bad PR? I'd love to hear from someone who has a better idea on why this issue is as gray as it seems.
> Apple, Microsoft, Facebook and Google all are updating their policies to expand routine notification of users about government data seizures, unless specifically gagged by a judge or other legal authority
To my knowledge people are allowed to say they were questioned by the police.
I think this is mainly a "we don't feel like helping you guys out anymore" move (as well as a "hey our customers would probably trust us a bit more" move and being generally the Right Thing™
I hope there's some discretion used here based on the nature of the request. Child Sextortion (send me naked photos or record these sex acts with your sibling or I'll send this devastating photo to all of your friends on Facebook) is a very real and frequent problem. If mom & dad show the sextortion messages to their local police detective and s/he fills out a Facebook records request to see if the suspect is victimizing other minors, will Facebook notify the suspect?
The average local investigator is low-tech, has good intentions to help a victim, and has nothing to do with FISA or national security issues. I'd much rather see a tech company say, "Hey, we're not just going to give you everything on this user. In fact, we'll notify the user unless you provide more justification or background on the reason for your request," than notify the suspect without warning. At least then the investigator can provide more info for consideration, or go back to a judge.
"Hey, we're not just going to give you everything on this user. In fact, we'll notify the user unless you provide more justification or background on the reason for your request,"
It seems like it isn't necessarily a good idea to let companies decide whether an individual request is justified. Suspects are innocent until proven guilty in a court of law. It's up to our society to remember that they are indeed innocent unless proven otherwise, and there's no way at that point for the investigator to prove anything.
Imagine that an investigator comes to Facebook and asks them for information regarding one of Facebook's employees. Facebook asks why, and the investigator responds that they suspect they're involved in something like what you've mentioned. At that point there's a chance FB might become extremely uncomfortable retaining the services of that employee, even though nothing has actually been proven yet. Accusations like that can ruin lives.
You make some good points, and it might be good to have more open communication between law enforcement and companies. It just seems a little dangerous. There are some unexpected ways that it could turn out to be a bad thing.
You make some good points as well, and I admit there's not a clear answer here. However, Facebook can very quickly look at the suspect's messages to the victim for example and see clearly if the s/he is a real threat before notifying anyone.
"More open communication between law enforcement and companies" as you said is the key, especially at the state and local level.
Facebook can very quickly look at the suspect's messages to the victim for example and see clearly if the s/he is a real threat before notifying anyone.
The thing is, at that point we'll have to concede that it's normal and proper for companies to be examining private communications. It's equivalent to a phone company keeping a log of all phone conversations transmitted on their network, then listening to them on a case-by-case basis. It strikes me as odd that it's illegal to do that for voice conversations but not illegal to do that for text conversations.
Facebook can very quickly look at the suspect's messages to the victim for example and see clearly if the s/he is a real threat before notifying anyone.
This is a Pandora's Box that I can pretty much guarantee Facebook does not want to open unless legislation is passed against their ever having civil or legal liability for doing so. Just speculate to the next school shooting where a parent/politician/newsperson asks "Why didn't Facebook tell us what was in their messages?"
You haven't provided any reasoning for why these requests need to be secret. People have the right to face their accusers, and by the time dumps of their online accounts are happening (akin to a search of their home), they should be able to exercise that right.
Are you suggesting all law enforcement agencies should notify a person or group prior to commencing an investigation? How amusing would it be if a detective turned up at your door and said "Oh hai! We'll be parked across the street in an unmarked vehicle for a few days while we observe your suspected illegal activities."
People have the right to Habeas corpus, they shouldn't necessarily have the right to know they are under investigation. In my opinion.
Passive surveillance is a far cry from having your home and belongings secretly searched. Standard procedure is not and should not be no-knock warrants to covertly sneak in while suspects are not home.
Just a nitpick but when mom&dad know about the sextorsion it is over - every kid should hear "Calm down, it's not your fault". The dangerous situation is when the kid comply because it is afraid/ashamed to go to mom/dad.
Also I am very skeptical about using "protect the children" as a policy justification.
If there is policy of not notifying the child abuse suspects then every request from the prosecution office made will also have - probably the person is also an online predator.
What is wrong with the concept of giving affirmative oath in front of the judge and make him sign warrant and if he deems necessary to sign also the temporary gag order.
I don't have stats, no, but Facebook openly acknowledges the problem at child safety conferences. Google "Facebook Child Sextortion" and you'll find your share of articles. I recognize "take my word for it" doesn't go very far!
The Four Horsemen of the Infocalypse is a term for internet criminals, or the imagery of internet criminals.
A play on Four Horsemen of the Apocalypse, it refers to types of criminals who use the internet to facilitate crime and consequently jeopardize the rights of honest internet users. There does not appear to be an exact definition for who the Horsemen are, but they are usually described as terrorists, drug dealers, pedophiles, and organized crime. Other sources use slightly different descriptions but generally refer to the same types of criminals. The term was coined by Timothy C. May in 1988, who referred to them as "child pornographers, terrorists, drug dealers, etc."[1] when discussing the reasons for limited civilian use of cryptography tools. Among the most famous of these is in the Cypherpunk FAQ,[2] which states:
As I understand it, things go like this.
Detective: "give me all this users data and don't tell them you did."
Facebook: "Without a court issued gag order we will tell the user."
Detective: "Ok, I'll get a court issued gag order and get back to you." (LEO have this part down pat)
So where is the problem exactly?
In that case it behooves the detective to obtain a proper warrant with or without a gag order, as necessary, before contacting them.
Investigative procedure is not a new concept and we have a pretty well working system. There's really no need to give law enforcement fascist powers to do whatever they want without oversight under the excuse of "think of the children!"
From my understanding, at this point if the detective still wanted the data (without a warrant), he'd get the data, but the user would be notified. However, if he gets a court order and come back to google, he will get the data without the user being notified. Basically it forces LE to go through a judge to get a warrant. This is a good thing imo.
> If mom & dad show the sextortion messages to their local police detective and s/he fills out a Facebook records request to see if the suspect is victimizing other minors, will Facebook notify the suspect?
Does it matter? You'll have already caught him and have the evidence.
Why call out "sextortion" specifically? You could just say that $CRIME is a very real and frequent problem, and if people show the $CRIME messages to their local police detective, will Facebook notify the suspect?
Hi Mike. I call it out specifically because crimes against children are a particular category of crime that deserves special attention from the community. Sextorting a business man with a picture of him having an affair and other $CRIMES 'should' be handled differently than the predator who drives a young teen to suicide or gets them to take pictures of their younger siblings, or face humiliation on a social network.
In the former (businessman example), a social network has a 'right' to refuse law enforcement and notify the user. In the latter example, it's my belief (which I understand isn't popular here!) that the network has a civic 'duty' not to inform the user and to assist how they can - as many of them do right now. My question has more to do with asking if social networks will examine the background of the $CRIME before notifying the user.
Phone companies recognize this distinction and, for example, will provide an emergency ping location when a child is in danger before any paper work is submitted, requiring in good faith that it will follow within 24 hours. If the following paperwork is not in order, they lose the ability to do that again.
It's a wonderful thing that the average HN reader doesn't have to deal with these issues, and disappointing honestly that real questions from someone who does are heavily downvoted. But hey, it's fine not to agree with my view.
Second: What a lazy-ass way to dragnet everybody and get stuck with huge irrelevant data! If you really suspected some one, the govt. should be able to convince a judge to get a "tap&gag".