On Tuesday, yet another one of the nine companies originally implicated in the PRISM program released its first transparency report. Apple joins the ranks of Google, Yahoo, and Facebook, among others that have issued reports that detail the number of requests the companies receive from governments for user data.
EFF has long called on corporations to be transparent about what they do with the data that users entrust to them. Transparency reports have become the industry standard, and we are delighted to be able to award Apple another star in the 2014 edition of our annual Who Has Your Back campaign, where we assess major Internet companies' commitment to standing by the rights of users in the face of government requests for personal information about their customers.
This is Apple's first transparency report, and it only looks at the first half of 2013. The report includes information about which countries have asked for user data, the number of requests received and granted, the number of times Apple has objected to information requests, as well as the number of information requests where Apple has not disclosed data.
The U.S. is reported to have made the most requests. After the U.S., the top three countries requesting user information are the United Kingdom (127), Spain (102), and Germany (93).
In the report, Apple makes an important distinction between government requests for “data” and government requests for “content”. Apple defines data as “personal identifiers”, such as Apple IDs, email addresses, and telephone and credit card numbers. When Apple hands over user content, however, the company provides governments with more detailed information like iCloud emails, contacts, photos, and calendars.
Transparency reports are a voluntary tool used by companies to provide the public with information about government requests for user data. Despite their importance, the U.S. government makes it difficult for corporations to be as transparent as they might prefer to be about how their customers’ data is shared. With a mix of gag orders and other burdensome restrictions, companies are only allowed to disclose in very broad ranges the number of national security orders and the number of accounts affected. Apple notably opposes these gag orders and points out in its report that the company has and will continue to strongly advocate for these restrictions to be lifted.
We agree with Apple. In March of this year, months before the NSA spying revelations flooded the press, a federal judge ruled in favor of our client, an unnamed telecommunications company that challenged the FBI's ability to issue National Security Letters and gag companies from disclosing the fact that they are legally obligated to share their customers' data with the government. The judge found those gag orders and related restrictions to be in violation of the First Amendment.
Take a quick glance at Apple’s report and it becomes obvious just how stifling gag orders are. Apple lists that they received between 1000-2000 account information requests from the United States. As Apple explains, the U.S. government only allows companies to report a “consolidated range in increments of 1000” and further requires reporting on government requests to combine law enforcement and national security order requests. Apple graphs the 33 countries that have solicited their users' data; the U.S. is listed as having issued between 1000-2000 requests. Countries that have a poor track record of protecting human rights, including Russia, China, and the United Arab Emirates, have likewise made information requests that have been honored by Apple.
Except for the U.S., Apple lists exact numbers for all of the 33 other countries that have requested user data from the company. For example, the United Kingdom made 127 requests in the first six months of 2013. Providing this exact number allows users to more accurately grasp the scope of government surveillance.
Perhaps the most interesting part of the transparency report are the last two sentences: “Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.”
Apple’s statement is an implementation of the so-called “warrant canary.” Canaries are used to signal that, as of the date published, there have been no law enforcement requests of a particular type received. In Apple's case, the canary is limited to a signal that no secret Section 215 orders have been served on the company. If the canary is removed in the next transparency report, it is safe for users to assume that a Section 215 data request and the accompanying gag order has been issued. We appreciate Apple’s implementation in particular, including its six-month delay, because if its use is ever challenged in court, the ample time will allow a judge to coolly and calmly review the constitutionality of any government attempt to compel Apple to lie. We fear that if the first challenge to a warrant canary comes before a court in a more rushed context, a rushed judge could make bad law.
We applaud Apple's decision to release a transparency report, and hope that the company will continue to publish reports regularly. Every company that issues a transparency report brings us critical insight into how governments around the world use (and abuse) legal processes to collect our private data.