Throughout the ongoing NSA/PRISM scandal, one of the most incendiary accusations has been Glenn Greenwald’s initial assertion that major tech companies such as Facebook, Apple, Google, and Microsoft were givng the US Government direct, unfiltered access to their servers. This access would allow the government to spy on people seemingly at will, and find out anything they want to know, rule of law be damned.
Greenwald is now trying to walk his accusations back, but nothing doing. He said it. Repeatedly. And he should own it.
As soon as Greenwald’s original story was published, outraged blogs and Tweets popped up, wondering if we really were living in an Orwellian nightmare. Pundits took to the airwaves to bemoan Obama administration overreach, and outrage ensued.
Just as quickly, every major company named by Glenn Greenwald issued swift denials of his claims, calling them patently false and misleading. As it turns out, their denials are not just PR. The scope of any law enforcement and national security requests being made appears to be very narrow.
First, let’s start with Microsoft. John Frank, their Vice President and Deputy General Counsel, posted this statement last night:
Unlike the Greenwald assertion of the government having unrestricted access to user data and user accounts, the actual requests are much smaller:
Earlier this week, along with others in the industry, we called for greater transparency about the volume and scope of the national security orders, including FISA orders, which require the disclosure of some customer content. We believe this would help the community understand and debate these important issues. Since then, we have worked with the FBI and U.S. Department of Justice to try and secure permission to do this.
This afternoon, the FBI and DOJ have given us permission to publish some additional data, and we are publishing it straight away. However, we continue to believe that what we are permitted to publish continues to fall short of what is needed to help the community understand and debate these issues.
Here is what the data shows: For the six months ended December 31, 2012, Microsoft received between 6,000 and 7,000 criminal and national security warrants, subpoenas and orders affecting between 31,000 and 32,000 consumer accounts from U.S. governmental entities (including local, state and federal). This only impacts a tiny fraction of Microsoft’s global customer base.
Let that sink in for a moment. Microsoft got between 6-7,000 requests IN TOTAL for the last half of 2012 affecting between 31-32,000 accounts. Compare that tiny number with the millions of people who use Microsoft’s services. It’s a small fraction of 1% of their entire user base.
Fine, you say. Microsoft’s numbers are small. But what about a behemoth like Facebook? Surely the government is spying on us there, taking all the information they want whenever they want it. Well, fear not, dear reader. Your Candy Crush Saga high score is safe. Facebook’s numbers aren’t that different from Microsoft.
Ted Ullyot, Facebook General Counsel released his own statement yesterday:
For the six months ending December 31, 2012, the total number of user-data requests Facebook received from any and all government entities in the U.S. (including local, state, and federal, and including criminal and national security-related requests) – was between 9,000 and 10,000. These requests run the gamut – from things like a local sheriff trying to find a missing child, to a federal marshal tracking a fugitive, to a police department investigating an assault, to a national security official investigating a terrorist threat. The total number of Facebook user accounts for which data was requested pursuant to the entirety of those 9-10 thousand requests was between 18,000 and 19,000 accounts.
With more than 1.1 billion monthly active users worldwide, this means that a tiny fraction of one percent of our user accounts were the subject of any kind of U.S. state, local, or federal U.S. government request (including criminal and national security-related requests) in the past six months.
Over 1 billion Facebook accounts and they only got between 9-10,000 law enforcement and security requests affecting only 18-19,000 accounts? You’d almost think the NSA and law enforcement had really narrow scopes to work with or something.
Both statements from Microsoft and Facebook put the lie to the Greenwald accusation that the government is running wild taking everyone’s data to use any which way they want. With as many users as both companies have, the fact that the combined numbers for both are smaller than some colleges and universities in this country suggests that there are guidelines for what can and cannot be requested.
Also, it should be noted that these numbers are only for requests RECEIVED, not for requests that were carried out. Those numbers could well be smaller, since there’s no mention from either Facebook or Microsoft that they automatically granted every request that came across their desks.
Facebook’s Ullyot also takes a thinly veiled shot at Greenwald, The Guardian, and the entire hysteria that has unfolded in the last few days:
We hope this helps put into perspective the numbers involved, and lays to rest some of the hyperbolic and false assertions in some recent press accounts about the frequency and scope of the data requests that we receive.
I wouldn’t count on it, Mr. Ullyot. Once an idea takes root in the blogosphere and on Twitter, it’s real hard for actual facts to get in the way. Still, it’s nice to get some clarification on just how often user data and user information is requested, and on what scale.