How Governments Request Your Data From Service Providers

A recently-released Surfshark report looked into global inquiries into the activities of specific accounts made by governments to service providers. The report found the United States “requests the most user data from big tech companies.”

While the company characterizes government requests as “surveillance,” I prefer the term “inquiry.” The Surfshark review included 177 countries from 2012-2020 which saw requests pertaining to more than five million accounts. Not surprisingly, the two areas of the world with the most transparency, the EU and the United States, are the same areas that charted the most requests, which occurred when “digital evidence is needed in legal processes.”

In addition, the data set is limited to four companies that publish transparency reports: Apple, Google, Facebook (Meta) and Microsoft. Missing were the many other transparency reports that are publicly available.

Transparency Reporting is Growing

Access Now has compiled a list of 88 companies that followed Google’s lead when it published the first such report 11 years ago and now release transparency reports. A more comprehensive look at the available data may have provided an illuminating dynamic in the Surfshark report that is obscured by only having the four U.S.-headquartered social networks included in the mix.

Interestingly, countries where there is demonstrable engagement by the government to silence dissent, including online dissent, such as China (64), Russia (65) and Saudi Arabia (106), all ranked rather far down Surfshark’s list of “surveillance” states.

Transparency Reports Not Included in the Surfshark Analysis

For example, Amazon, in their January-June 2022 report, fielded 26,972 requests (not including AWS – there were 954 requests to AWS). Broken down by country, Germany skewed the EU metrics by a large margin, comprising 48% of the 26,972 requests.

Similarly, Cloudflare found itself front and center in the public conversation about entities doing business in Russia following Russia’s invasion of Ukraine and the very public request from the Ukraine government to Cloudflare to stop doing business in Russia. Cloudflare’s transparency report for 2021 explained how they fielded lawful requests. Their first half of 2021 (the latest report) shows they fielded 183 requests and responded to 152, which affected 332 accounts and 4402 domains. The company went on to break down the requests into buckets: U.S. administrative subpoenas, civil subpoenas, court orders; mutual legal assistance treaty (MLAT) support, Pen register/trap and trace (PRTT) orders, emergency requests, national security process, search warrants and wiretap orders. The category which contained the largest number of requests, interestingly, fell within the civil subpoenas bucket.

LinkedIn, arguably the largest “professional” social network, also issued a Government Requests Report. Their most recent covered the period from July to December 2021 and showed that there were 552 requests for information from LinkedIn broken down as 302 by U.S. entities and 250 by non-U.S. entities. The breakdown of non-U.S. entities showed Germany and India leading the requests.

China

In September 2021, the Center for Strategic and International Studies (CSIS) posted a blog, “Transparency with Chinese Characteristics: Xiaomi’s First Report,” which detailed the company Xiaomi and its first transparency report. The CSIS concluded, “the report has significant shortcomings that make it hard to determine whether this represents a genuine effort at transparency or is just a superficial public relations bid; nevertheless, the report is still valuable in providing insights into Xiaomi’s overall approach to managing government requests for user data and its view of how to build trust with both officialdom and consumers.” That is a positive indicator that this Chinese company sees the value in transparency.

Russia

VK, aka VKontakte, began releasing a type of transparency report which specifically excluded information related to requests from law enforcement agencies. Thus the data is skewed and incomplete. Why exclude the law enforcement requests? Russian law prohibits the disclosure of such data.

What You Should Do

The bottom line is that every company should have in place a law enforcement data request guideline and then follow it when lawful requests arrive. Creating a policy on the fly is never in the company’s interest and leaves the door open for criticism of being inconsistent or biased. Your guidelines should include a point of contact, be it centralized or decentralized by country, and include what your company expects to receive from the requesting entity.

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.
