Washington State Attorney General Rob McKenna and Facebook General Counsel Ted Ullyot, in this file photo.
Facebook and Microsoft today became the first Internet companies to disclose the total number of legal orders they receive for user data, including ones from the National Security Agency and from state, local, and federal police performing criminal investigations.
The total for Facebook: About 18,000 accounts over a six month period, or one-thousandth of one percent of user accounts.
Microsoft's total was about 31,000 accounts over the same six month period ending December 31, 2012. A Google spokesman told CNET this evening that the search company is working on disclosing the same type of statistics, and plans to be more detailed than Microsoft and Facebook.
Ted Ullyot, Facebook's general counsel, disclosed the figures today in an effort to lay to rest privacy concerns after a pair of articles last week incorrectly reported that a program called "PRISM" provided the NSA with "direct access" to Internet companies' servers.
That caused near-panic among the more privacy sensitive users of Web-based e-mail and social networks, and led to speculation about whether the NSA was secretly vacuuming billions of user profiles. Even after the two newspapers, the Washington Post and the Guardian backed away from their incendiary initial claims, and even after Facebook CEO Mark Zuckerberg and Google CEO Larry Page offered blanket denials, the companies asked the government if they could clear their name about the number of requests they receive under the Foreign Intelligence Surveillance Act, or FISA.
This evening's disclosures from Facebook and Microsoft are the result. Ullyot wrote in a blog post that:
We're pleased that as a result of our discussions, we can now include in a transparency report all U.S. national security-related requests (including FISA as well as National Security Letters) - which until now no company has been permitted to do. As of today, the government will only authorize us to communicate about these numbers in aggregate, and as a range. This is progress, but we're continuing to push for even more transparency, so that our users around the world can understand how infrequently we are asked to provide user data on national security grounds.For the six months ending December 31, 2012, the total number of user-data requests Facebook received from any and all government entities in the U.S. (including local, state, and federal, and including criminal and national security-related requests) - was between 9,000 and 10,000. These requests run the gamut - from things like a local sheriff trying to find a missing child, to a federal marshal tracking a fugitive, to a police department investigating an assault, to a national security official investigating a terrorist threat. The total number of Facebook user accounts for which data was requested pursuant to the entirety of those 9-10 thousand requests was between 18,000 and 19,000 accounts.Microsoft's blog post from John Frank, vice president and deputy general counsel, says:
With more than 1.1 billion monthly active users worldwide, this means that a tiny fraction of one percent of our user accounts were the subject of any kind of U.S. state, local, or federal U.S. government request (including criminal and national security-related requests) in the past six months. We hope this helps put into perspective the numbers involved, and lays to rest some of the hyperbolic and false assertions in some recent press accounts about the frequency and scope of the data requests that we receive.
For the six months ended December 31, 2012, Microsoft received between 6,000 and 7,000 criminal and national security warrants, subpoenas and orders affecting between 31,000 and 32,000 consumer accounts from U.S. governmental entities (including local, state and federal). This only impacts a tiny fraction of Microsoft's global customer base.A Google spokesman provided CNET with a statemement this evening saying it wants to be even more transparent: "We have always believed that it's important to differentiate between different types of government requests. We already publish criminal requests separately from National Security Letters. Lumping the two categories together would be a step back for users. Our request to the government is clear: to be able to publish aggregate numbers of national security requests, including FISA disclosures, separately."
We are permitted to publish data on national security orders received (including, if any, FISA Orders and FISA Directives), but only if aggregated with law enforcement requests from all other U.S. local, state and federal law enforcement agencies; only for the six-month period of July 1, 2012 thru December 31, 2012; only if the totals are presented in bands of 1,000; and all Microsoft consumer services had to be reported together.