Government requests for data continues to grow, despite infrequent use of search warrants

On the eve of Data Privacy Day, two of the largest online service providers offered more insight about government requests for users’ data by releasing updated versions of their Transparency Reports.

Government requests for the digital information of citizens around the world are growing exponentially. Google and Twitter revealed that a rising number of countries are using this mechanism to conduct investigations. Requests to Twitter jumped by 20% in the second quarter of 2012. Google also observed a jump of more than 70% of requests since 2009, totaling 21,389 requests for information about 33,634 users in the last six months of 2012.

The U.S. government accounted for an overwhelming number of the requests user data, about 80% of the data requested by 30 countries from around the world. The United States hosts a vast majority of ISPs, which partly explains why so many requests come from the U.S. government. Many requests are ostensibly also made by U.S. investigators on behalf of other governments pursuant to mutual legal assistance treaties (MLATs) and other diplomatic mechanisms.

The reports revealed that an overwhelming number of requests are performed through subpoenas, instead of search warrants, which by way of contrast require a demonstration of probable cause. Twitter’s second quarter report show that only 19% of requests were conducted through search warrants. Similarly, Google reported that 22% of this type of requests were made in the United States.

It is quite alarming that search warrants are only issued in few cases when requesting electronic information. Subpoenas are requests for the production of documents. In contrast to search warrants, they do not need to go through judicial review and do not need to demonstrate that there is probable cause.

The reports also demonstrate that these ISPs comply with these requests a majority of the time (Google complied with approximately 70% of the requests while Twitter complied with 57% of overall requests and 69% of requests originating from the United States). This trend signals that while Transparency Reports are essential to casting a light among users about their digital privacy, private sector initiatives must be accompanied by public policies and standards that hold governments accountable for making requests that respect domestic and international human rights law.

These Companies are Taking Steps to Protect their Customers

Twitter said it did not comply with requests that failed to identify a user, when the user challenged the request, or when the request was overly broad. The ISP also stated that it notified affected users of government requests for their account information unless they were prohibited by law.

Similar to Twitter’s policy, Google did not accept requests unless they were made in writing, signed by an authorized official of the requesting agency, and issued by appropriate law. Google’s analysis on how data requests largely mirrors the conclusions drawn from the Twitter report.

The reports’ release signal a step in the right direction to provide internet users with an understanding into what is happening to their data, and the extent that governments have access to it. The companies agree that there is vast interference with their clients’ privacy. Twitter said it released this report to “raise awareness about these invasive requests.” Likewise Google expressed the need for laws that protect against overly broad requests for personal information.

Protecting the Rule of Law in the Digital Sphere

As data collection, retention and sharing becomes more prevalent, advances in protections for fair judicial procedures have lagged behind. Indeed, with the lack of legal clarity or best practices on how to process requests for user data combined with the growing number of electronic surveillance conducted both by governments and the private sector, there has never been a greater need or demand for standards and action around access to user data.

Access is encouraged by the initiatives taken by Twitter and Google. We have recently launched a digital due process initiative, encouraging governments, legal professionals, investors, and the private sector to protect internet users’ fundamental right to privacy.

In contrast to the majority of requests submitted to Google and Twitter, Access believes that governments requesting user data should have to get a warrant issued by an independent, competent legal authority.

We are also encouraged by the ISPs’ refusal to hand over information when a user has objected to the search. Like any judicial process, Access believes that an individual has the right to challenge any interference with his or her right to privacy.

To date, only a handful of companies have published transparency reports. Given the increasing rise in data requests, companies should make this a standard practice. International telecom companies, for instance, have yet to voluntarily publish this type of data. However, the major U.S. mobile carriers reported more than 1.3 million requests by U.S. law enforcement for user data in 2011. AT&T, Verizon, and others released the statistics in response to an inquiry by Rep. Edward Markey, who called the volume of requests “startling.” Access encourages more ISPs and telcos to release transparency reports in order to align with their obligation to respect human rights and remedy violations.