Verizon report bolsters calls to reform metadata protections

Following through on its promise late last year to issue a transparency report, this week Verizon became the first multinational telco to release a Transparency Report on law enforcement requests. Verizon reported that in 2013 it received around 320,000 requests for customer information from federal, state, and local law enforcement in the United States.

For its first report, the company got many things right. It noted the pressure around the world for transparency on government demands for user data, and the importance of making data sets accessible to users through Transparency Reports, updated semi-annually.

At the same time, Verizon’s report lacks statistics on how often the company actually complied with law enforcement requests. Compliance rates are a standard category of information seen in the transparency reports released by Google, Microsoft, Twitter, and others. Verizon has stated that it does not track compliance rates, but promises to begin doing so, and will include the data in upcoming reports.

One big takeaway for user privacy comes from the high number of subpoenas for subscriber data, or “communications metadata.” At around 164,000 requests, subscriber data — which includes a user’s name, billing address, and records of who they’ve communicated with and for how long calls lasted — is by far the most sought-after information by law enforcement. Verizon writes, “The vast majority of the demands we receive are not for user content; in fact, demands for any user content – such as stored content (like text messages or emails) and content in real-time (wiretaps) – accounted for only about five percent of the total demands we received in 2013.”

Is this because authorities have the ability to intercept the content of calls or texts, and only need to verify who’s making them through subscriber records? Perhaps, but a more likely answer is that the records of communications contain much more sensitive, personal data than previously thought, mapping a user’s contacts, travels, and routines. This has been recognized in the International Principles on the Application of Human Rights to Communications Surveillance, which were cited by the President’s Review Group on Intelligence and Communications Technologies’ report when making the point that, “In a world of ever more complex technology, it is increasingly unclear whether the distinction between ‘meta-data’ and other information carries much weight.” (p. 120).

Moreover, subscriber data has few legal protections in the US. A prosecutor or law enforcement official may issue an administrative subpoena to get subscriber records merely by claiming the information sought is “relevant” to the investigation of a possible crime. No need for a judge to be involved. Compare this to content data, which the FBI cannot even get through a National Security Letter, and it is clear that subscriber data — including the type of data acquired in bulk by the NSA under the infamous Section 215 of the PATRIOT Act — requires more protection under law.

‘Pushback’ through words and numbers

On the national security side, Verizon got between 1000 and 1999 National Security Letters (NSLs), but says it cannot report orders from the Foreign Intelligence Surveillance Court (FISC). That said, a FISC order compelling Verizon to turn over the communications metadata of all of its customers on an “ongoing, daily basis” was one of the first documents leaked by Edward Snowden.

In its report, Verizon pushes the US government, and President Obama specifically, to follow through on promises of allowing greater transparency. Companies should be free to report the precise numbers of NSLs they receive, the categories of information the orders seek, the number of users and accounts affected, and the specific law under which the orders are issued. Many internet firms are jointly suing the government to allow similar disclosures of FISC orders they receive. Verizon and other telcos should join the internet platforms in challenging the gag order on disclosure of FISC orders.

For its part, the President’s Review Group had three good suggestions to increase transparency around all types of national security orders: 1) gag orders must only be issued when a judge finds reasonable grounds, under specific parameters; 2) gag orders should only last up to 180 days without re-approval; and 3) recipients of gag orders should be allowed to seek legal counsel to challenge the orders. In his speech last week, the President took up none of these suggestions, announcing only that “secrecy will not be indefinite” around NSLs.

If instituted, these recommendations would help increase the public’s trust in telco operations. Access believes US telcos should jointly advocate in favor of these sensible limits on gag orders, which accompany government requests that the companies likely receive every day.

International requests for data and website blocking

Verizon does not offer retail services to subscribers abroad, but extends services to its enterprise and business customers, and lists offices in about 10 locations globally.

Interestingly, the company said it does not answer direct requests from governments for data stored in a different country. Instead, it directs those governments to use diplomatic channels like the Mutual Legal Assistance Treaty (MLAT) process, which Access has recently explored in depth with an eye toward reform.

Some countries do not allow disclosure, including Australia and India, the report notes. Australia limits disclosure of the number of warrants received for interception or stored communications. India precludes any discussion of requests for user data or blocking. It would be helpful if Verizon listed the actual laws prohibiting disclosure, as Vodafone recently promised to do, but even these limited revelations are useful for user rights advocates in those countries.

Website blocking was requested by 5 countries. Colombia’s government required blocking of around 1,200 websites, claiming they contained child pornography. Greece requested blocking of 424 online gambling sites. Belgium (37) and Portugal (2) requested blocking for gambling or copyright issues, while India’s requests are not disclosable per its laws. These data help build a picture of laws and policies on free expression online across the world, and raise questions on best practices. For instance, the fact that Colombia relies on Verizon to block alleged child pornography sites calls into question that government’s strategy and priorities. Instead of blocking access to websites, the government should focus on punishing the creators and viewers of the unlawful material, and help to form a strong international coalition and improve national legal infrastructure to actually remove these unlawful sites.

Room to grow

Access supports Verizon’s strong call for government transparency to complement corporate disclosures on compliance with law enforcement requests. We also agree with Verizon’s assessment that there’s room to grow, both for Verizon’s Transparency Report, and for companies worldwide to push back against government secrecy around surveillance data. All telcos should issue transparency reports regularly, including on national security requests, and, where they are prohibited from disclosures, should publicly name the laws or regulations at issue. At the same time, minimizing the amount of user data they retain, and the length of time data is held, would go far toward relieving the pressure on telcos to hand private user information over to governments.

Access looks forward to more telcos issuing data like Credo and Verizon have offered, giving users an easy way to judge how their privacy is respected in the real world.