A year and a half after the Snowden revelations, more technology companies and telcos are publishing transparency reports on government requests for user information and content removals. Rather than wait for legislative changes, the firms are jockeying for user trust and responding to public demands for privacy. Several companies published transparency reports for the first time in early 2015, including Daum Kakao, Reddit, Medium, and Cheezburger. These are innovative companies — and they came up with novel approaches to presenting their data and policies.
Daum Kakao, the company behind KakaoTalk, a South Korea-based messaging app known for its bold pushback against law enforcement demands, published its first-ever transparency report. Covering 2012 through 2014, the company’s bilingual report in Korean and English stands out with its meticulous attention to detail. For example, the report separately categorizes requests for user information from different government agencies. This provides helpful insight “beyond the numbers.” In addition, Daum Kakao’s Personal Information Lifecycle infographic provides users with a clear understanding of the processes involved in the company’s collection and deletion of personal data.
Cheezburger, Reddit, and Medium also published their first transparency reports. The social humor platform Cheezburger brings a unique approach to transparency reporting by blogging about how reports can be used creatively in order to establish brand identity via interesting content. The company actually included karaoke songs performed by staff at its holiday party in its first-ever transparency report. Rock on!
In Reddit’s report, the giant community site says that it boldly goes out of its way to scrutinize government requests, many of which “contain demands to withhold notice from users that carry no legal weight. We actively disregard these non-binding demands.” The Electronic Frontier Foundation praised Reddit’s report because it “adopted industry best practices.” Examples include the timing of the publication (the report was published within 30 days of the reporting period) and its rejection of content requests that alleged defamation.
The inclusion of a warrant canary in Reddit’s report means the company did not receive any secret National Security Letters or Foreign Intelligence Surveillance Act (FISA) requests from the U.S. government. A warrant canary is a statement that a company makes to partially circumvent the “gag” orders that come with certain forms of legal process. The term refers to a “canary in a coal mine,” a bird used to detect poisonous gases whose death would warn miners to evacuate; in this case, if the company no longer makes the statement, we can assume it has received a request.
Medium’s report also included a warrant canary, as well as criticism of Justice Department regulations that only allow reporting of aggregated statistics about national security demands. In fact, the company appears to violate those regulations by reporting zero national security requests, rather than a range (such as 0-249). Medium argues in its report that this move is lawful, stating that “the constitution fundamentally protects our right to tell the truth.” Likewise, Medium reports zero law enforcement demands for user information.
Providing Notice to Users
Dropbox has a cool statistical category called “Notice Provided.” Under each type of request — subpoenas, search warrants, and court orders — Dropbox states the number of times it notified users of the requests. For example, of the 137 search warrants it received, Dropbox provided notice in 39 cases. (Dropbox does not do so for national security requests.)
Explaining its approach, Dropbox writes, “Governments continue to request that we not notify users of requests for their data, even when there is no legal basis for the requests. We received 71 such requests between July and December 2014 and responded by informing the requesting agency of our policy to always provide notice unless prohibited by a valid court order (or equivalent).”
We salute this effort by Dropbox to provide notice to individuals impacted by requests for data, and to notify the general public about the many obstacles to transparency around surveillance that governments put in place.
Reporting major events
TeliaSonera, a Swedish-Finnish telco, continues to lead transparency reporting on major incidents impacting freedom of expression. According to the company, these include “mass surveillance initiated by national security authorities, shutting-down of networks or blocking or restricting of access to telecom services or networks.” (Their focus on these issues is timely, since network disruptions abound, such as in the Democratic Republic of Congo in 2015.) TeliaSonera logged some 20 “major event” requests in total for 2014, including the ongoing website blocking by Internet Service Providers in Tajikistan. In addition, TeliaSonera has made public statements about major issues related to freedom of expression in Latvia, Lithuania, Kazakhstan, and Sweden.
But TeliaSonera did not disclose major requests from rights-abusing governments like Azerbaijan and Uzbekistan. Why? Perhaps they didn’t receive any from those governments. But we don’t know for sure: due to legal and regulatory barriers, the company says, “only in a few of these cases have we been allowed to disclose the requests or demands.”
TeliaSonera also released a list of laws that provide governments with access to historical data, or even direct real-time access to its networks — and users — while advocating clearly “that governments should not have direct access to a company’s networks and systems.” Such laws do exist in some of the markets where TeliaSonera operates.
Our new Transparency Reporting Index
A friendly reminder: Access launched our Transparency Reporting Index to display information on tech and telecom disclosures. We update it regularly when new reports are released. We hope the next round of reports will be as thorough, and creative, as the latest contributions.