LOS ANGELES — One of the indirect casualties of the National Security Agency’s surveillance activities has been the reputations of several of the world’s largest Internet companies, including Google Inc., Facebook Inc., Microsoft Corp., and Yahoo Inc.
Based on the disclosures of NSA whistleblower Edward Snowden, the Guardian and Washington Post reported last year that the companies had provided the personal information of non-U.S. subscribers to the NSA as part of the agency’s top-secret PRISM program.
The tech giants’ denials that they had given the NSA direct access to their servers couldn’t prevent them from taking a public relations hit, particularly outside the United States. According to the Guardian, U.S. technology businesses fear they could lose between $21.5 billion and $35 billion in cloud computing contracts worldwide over the next three years as a result of the fallout from the NSA revelations.
Now, a trio of cases pending before a federal appeals court present the tech companies with an opportunity to regain consumer confidence. In court papers that were unsealed last month, Google, Facebook, Microsoft and Yahoo say they have a First Amendment right to disclose the number of national security requests for information they receive.
A controversial “gag order” provision of the 1986 Electronic Communications Privacy Act authorizes the FBI to prohibit the recipient of a national security letter from disclosing that “the Federal Bureau of Investigation has sought or obtained access to information or records” by means of a national security letter.
“The nondisclosure provisions impermissibly suppress the speech of those who might be best positioned to offer an informed perspective on the government’s position,” the four companies argue in a brief urging the Ninth U.S. Circuit Court of Appeals to find the provisions unconstitutional. “The First Amendment does not permit the government to silence a key participant [in] a debate about the government’s activities.”
The companies have sided with three unidentified recipients of national security letters who sued the Obama administration.
“Without knowing how often the government is using [national security requests], we can’t have an informed debate,” said Nate Cardozo, a staff attorney with the digital rights group Electronic Frontier Foundation who is representing recipients.
“If we don’t know what the government is using to get data, how we can evaluate [NSA] reform proposals?” he asked in an interview with MintPress News.
According to President Obama’s Review Group on Intelligence and Communications Technologies, the FBI attaches gag orders to 97 percent of all the national security letters it issues.
The government, in large part, defeated a similar challenge to the law in 2008. “[T]here is no First Amendment right to disclose information learned through participation in a secret government investigation,” U.S. Department of Justice attorneys said in court papers.
But privacy activists, First Amendment groups and several members of Congress are also hoping the gag order provision will be struck down.
The gag orders “violate the free expression rights of communications service providers that want to be more transparent and forthright with their users, Congress, and the public,” the members of Congress told the Ninth Circuit.
“Ripe for abuse”
The National Security Agency documents that Snowden, a former NSA contractor, provided to the Guardian and Washington Post in 2013 detailed the cooperation between Silicon Valley and intelligence agencies over the previous three years. Among other things, the Guardian reported, Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal.
In July 2012, nine months after Microsoft bought Skype, the NSA boasted that a new capability had tripled the amount of Skype video calls being collected through the PRISM program, the Guardian said.
Microsoft and the other companies listed as information providers in the NSA documents have denied all knowledge of the PRISM program and insisted that the intelligence agencies do not have back doors into their systems.
They have also sought to demonstrate their commitment to free speech and transparency by attacking the gag orders that accompany national security letters.
“[W]e are committed to notifying business and government customers if we receive legal orders related to their data,” Microsoft General Counsel Brad Smith announced in December. “Where a gag order attempts to prohibit us from doing this, we will challenge it in court. We’ve done this successfully in the past, and we will continue to do so in the future to preserve our ability to alert customers when governments seek to obtain their data.”
Under the Electronic Communications Privacy Act, the FBI can issue national security letters directly, without any judicial review. The gag order provision says the director of the FBI can prohibit disclosure whenever he finds that “there may result a danger to the national security of the United States, interference with a criminal, counterterrorism, or counterintelligence investigation, interference with diplomatic relations, or danger to the life or physical safety of any person.”
After the USA PATRIOT Act, which lowered the legal standard for issuing a national security letter, was passed in 2001, FBI requests for letters increased from about 8,500 in 2000 to more than 48,100 in 2006.
“No other form of legal process leaves so much discretion to the Executive branch, which makes it uniquely ripe for abuse,” the members of Congress said in their amicus brief to the Ninth Circuit.
The Department of Justice Office of the Inspector General has found the FBI misused national security letters by, among other things, issuing them after its authority to conduct an underlying investigation had ended and gathering subscriber information beyond what the letter had requested.
Prior restraint
In 2013, several major communications service providers began reporting aggregate numbers of national security letters they receive, but the Justice Department allowed them to do so only in broad number ranges such as 0-999. They recently negotiated with the Obama administration for the right to publicly disclose data in greater detail and also filed a lawsuit with the Foreign Intelligence Surveillance Court.
As part of a settlement of that case, the government agreed that providers could publish the number of national security letters and Foreign Intelligence Surveillance Act requests they receive in a range of 0-250. If they wanted to break those categories down separately, they could do so in a range of 0-1,000.
Providers have followed those restrictions in recent transparency reports. But the Electronic Frontier Foundation’s Cardozo believes the agreement did not go far enough.
“The big thing is the lack of [specificity] about what [statutes] the government is actually using to get data and how often” it is using them, he told MintPress. Providers, Cardozo said, should be allowed to disclose not only exactly how many national security demands they receive but how many subscribers were covered in those demands.
In their brief to the Ninth Circuit, Google, Facebook, Microsoft and Yahoo are seeking the right to “publish more detailed aggregate statistics about the volume, scope, and type” of national security letters they receive.
“[W]henever the government purports to act in the interests of national security to limit protected speech, it should do so only in compliance with the strict requirements of the First Amendment,” says the brief, which describes the gag order provision as a “prior restraint” requiring the highest level of judicial scrutiny.
The Justice Department has cited case law that bars government employees or contractors who have been given access to classified information from revealing that information. But the tech companies note that recipients of national security letters “have not asked to be sent NSLs.”
“[I]t is one thing to say that a party seeking access to confidential information can be prohibited from disclosing that information, but it is quite another to say that the government may impose a gag order on a party simply because it has also demanded that the party assist in an investigation,” the companies’ brief argues.
Bipartisan bills now pending in the U.S. House and Senate would provide Internet service providers with some of the transparency they are seeking through the courts by allowing them to disclose an estimate of the national security demands they receive from the government, as well as estimates of the number of users or accounts affected by those demands, in numbers rounded to the nearest 100.
“Companies should have the freedom to divulge statistics about the number of national security demands they get from the government,” the members of Congress said in their appellate brief.
For tech companies, though, relief may not come soon enough. More than one-third of U.S. cloud computing businesses surveyed by the Cloud Security Alliance said the NSA leaks had “made it more difficult” for them to do business outside the U.S.
“[I]t’s apparent that government, business, and civil society leaders around the world are continuing to follow closely these issues in the United States,” Microsoft’s Smith said in a recent blog post. “I often meet people in other countries who ask whether the courts in the United States will play a strong and independent role on government surveillance issues.”