Since the first revelations by Edward Snowden were disclosed to the public, several of these companies have petitioned the U.S. government to let them reveal how many of "special" government requests for information they receive each year. But even though it is obviously in the interest of the U.S. intelligence agencies that these companies retain as many as customers as possible, they still aren't ready to let them provide that particular bit of information.
Instead, Facebook, Microsoft and Apple have been allowed to share how many national security-related requests (FISA, National Security Letters, and other) they receive only in a range, and only if the number is aggregated to that of other types of law enforcement requests.
"For the six months ending December 31, 2012, the total number of user-data requests Facebook received from any and all government entities in the U.S. (including local, state, and federal, and including criminal and national security-related requests) – was between 9,000 and 10,000," Facebook shared on Friday.
"These requests run the gamut – from things like a local sheriff trying to find a missing child, to a federal marshal tracking a fugitive, to a police department investigating an assault, to a national security official investigating a terrorist threat. The total number of Facebook user accounts for which data was requested pursuant to the entirety of those 9-10 thousand requests was between 18,000 and 19,000 accounts."
Microsoft has stated that from July 1, 2012 to December 31, 2012, they received "between 6,000 and 7,000 criminal and national security warrants, subpoenas and orders affecting between 31,000 and 32,000 consumer accounts from U.S. governmental entities (including local, state and federal)."
"We are permitted to publish data on national security orders received (including, if any, FISA Orders and FISA Directives), but only if aggregated with law enforcement requests from all other U.S. local, state and federal law enforcement agencies; only for the six-month period of July 1, 2012 thru December 31, 2012; only if the totals are presented in bands of 1,000; and all Microsoft consumer services had to be reported together," they pointed out, adding that they "have not received any national security orders of the type that Verizon was reported to have received that required Verizon to provide business records about U.S. customers."
Finally, on Monday, Apple chimed in to say that "from December 1, 2012 to May 31, 2013, Apple received between 4,000 and 5,000 requests from U.S. law enforcement for customer data," and that "between 9,000 and 10,000 accounts or devices were specified in those requests, which came from federal, state and local authorities and included both criminal investigations and national security matters."
They also made it a point to say that some categories of information can't never be shared with authorities because they do not store it (customers’ location, Map searches, Siri requests), and/or because they can't be provided (for example, conversations over iMessage and FaceTime that are encrypted from end to end.
Google is still negotiating with the government over what they can disclose, but said that they believed that it was "important to differentiate between different types of government requests."
Yahoo, who has unsuccessfully battled the NSA in court over PRISM participation in 2008, has not yet commented on the revelations.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.