Katherine Maher contributed to this post.
The Dutch hosting provider Leaseweb has released its first transparency report, joining the growing ranks of internet companies engaged in proactive disclosure of their human rights impacts. The company, headquartered in Amsterdam, is a large infrastructure-as-a-service provider whose clients account for 3-4% of total internet traffic by its own estimates. As the first of its kind released by a hosting company, the Leaseweb report both provides insight into the type of requests faced by hosting companies and offers a model for hosting companies seeking to undertake similar disclosure efforts.
A company representative told Access that they have begun releasing transparency reports “in order to contribute to a good balance of rights between fighting digital crime and maintaining an open internet.” Leaseweb intends to release these reports twice per year.
Origin of requests
In 2012, Leaseweb complied with 501 requests from the Netherlands, Germany, and the United States. According to the report, the company honors requests only from the three countries in which it maintains a physical presence, and only based on its ability to validate the lawfulness of such requests. The company further clarifies that it is ‘content agnostic,’ responding only to content requests based on the legal status of the content in question.
Leaseweb states that it refuses requests from ‘foreign authorities’; however, it “normally… advise[s] requesting authorities on how they can obtain the data,” including directing the authorities to “file a Mutual Legal Assistance Treaty (MLAT) request with the competent authority in the [relevant] jurisdiction.”
Of the 501 requests made in 2012, the German government submitted 252, or more than half. The Dutch government made up most of the remaining half, with 230 requests. The United States made only 18 requests; however, Leaseweb specifically notes the use of an MLAT request by the U.S. government to the Dutch government that resulted in the seizure of 60 servers owned by a Leaseweb client.
Category and distribution of requests
Leaseweb offers a variety of services, and the company is careful to note that the 501 requests it received were limited to its ‘dedicated hosting and cloud offerings,’ while the ‘shared webhosting, domain name, and IP transit offerings’ were not subject to any requests. The company then further breaks down these requests into four categories: customer information, forensic images, content removal, and removal of child abuse material. The company does not provide further insight into how these categories, such as ‘forensic images,’ are defined, leaving questions about the nature of both the request and the response.
The geography and volume of the request types Leaseweb honors show no consistent pattern. Of the 501 requests, 58%, or 291 requests, were for customer information. A further 189, or 38%, were for removal of child abuse materials. The remainder included 19 requests, or 3.8% of the total, for forensic images, and two requests, or 0.3% of the total, for content removal. However, when broken down by country, Germany was responsible for 80% of customer information requests, while the Netherlands accounted for 93% of child abuse material requests.
As was Skype’s practice through 2012, Leaseweb has historically not recorded information about data requests it rejects, though it does state that requests have been rejected when they are “invalid, incomprehensible, or otherwise have no basis.” The company notes that it has changed its practices in order to record and report future request rejections.
As a matter of best practice, it is important for companies to disclose the number of rejected law enforcement requests, in order to provide greater context about the volume of requests, the proportionate number of valid requests, and insight into the application of due process in turning over user information or removing content.
National Security Letters
The Leaseweb report does not provide any information about requests from the U.S. Federal Bureau of Investigation using National Security Letters (NSLs), data that both Google and Microsoft have recently begun to disclose. As a company with operations in the United States, Leaseweb may be subject to NSLs. The company may not have reported the number of NSLs received because it did not receive any, but without further information we cannot know whether these possibly unconstitutional tools have been used to secretly collect Leaseweb user data in the past year.
Filling in the law enforcement request picture
The contribution of the Leaseweb transparency report to the overall law enforcement disclosure landscape is significant. While Leaseweb’s portrait of several hundred data requests does not provide the same broad scope as other reports on global law enforcement requests, we commend Leaseweb for this smaller data set. By limiting disclosure to only those countries and circumstances where it is legally obligated, the company has likely defended its users against gratuitous requests.
In issuing data on law enforcement requests, Leaseweb has become the first internet hosting provider to disclose such data. As far as Access is able to determine, Leaseweb is also the first independent company headquartered in Europe to issue such a report. Furthermore, although Leaseweb’s operations are significant, with more than 50,000 servers under management, the company is significantly smaller than established players such as Google or Microsoft. Its recent report demonstrates the viability of transparency reporting for companies of all sizes. Access commends Leaseweb’s efforts, and the norm-setting instance it provides.
Access has written about Google’s and Twitter’s latest transparency reports here, and Microsoft’s reports here and here.