Following disclosures from Microsoft and Facebook last Friday, Yahoo and Apple are releasing information on thousands of requests they have received for user data related to criminal and security investigations from law enforcement and the U.S. National Security Agency.
Requests for user data that investigative agencies in the U.S. made to Yahoo from Dec. 1, 2012, to May 31 numbered between 12,000 and 13,000, including both criminal requests and those under the Foreign Intelligence Surveillance Act (FISA), which is the authority the NSA uses to seek information. Yahoo said the most common requests for user data concerned fraud, homicides, kidnappings and other criminal investigations. Yahoo did not specify how many user accounts were involved in the requests.
"Democracy demands accountability," Yahoo said in a statement authored by CEO Marissa Mayer and General Counsel Ron Bell. "Recognizing the important role that Yahoo can play in ensuring accountability, we will issue later this summer our first global law enforcement transparency report, which will cover the first half of the year. We will refresh this report with current statistics twice a year.
"As always, we will continually evaluate whether further actions can be taken to protect the privacy of our users and our ability to defend it. We appreciate -- and do not take for granted -- the trust you place in us."
Apple Data Requests
For Apple, from Dec. 1, 2012, to May 31 the company received between 4,000 and 5,000 requests from U.S. investigative agencies for data. Between 9,000 and 10,000 accounts or devices were specified in those requests, which came from federal, state and local authorities and included both criminal investigations and national security matters. Apple said the most common form of request came from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer's disease, or hoping to prevent a suicide.
"Regardless of the circumstances, our legal team conducts an evaluation of each request and, only if appropriate, we retrieve and deliver the narrowest possible set of information to the authorities," Apple said in a statement. "In fact, from time to time when we see inconsistencies or inaccuracies in a request, we will refuse to fulfill it."
Apple went on to say that it doesn't collect or maintain a mountain of personal details about its customers. In fact, the company said there were categories of information which it did not provide to law enforcement or any other group because it does not retain it.
"For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them," Apple said. "Apple cannot decrypt that data. Similarly, we do not store data related to customers' location, Map searches or Siri requests in any identifiable form.
"We will continue to work hard to strike the right balance between fulfilling our legal responsibilities and protecting our customers' privacy as they expect and deserve."
Greg Sterling, principal analyst at Sterling Market Intelligence, said it's important for these companies to reassure users that they simply don't turn over user data without any showing of need or legal justification. However, he added, these company's statements don't resolve or otherwise end the questions about the ultimate legality and constitutionality of the Foreign Intelligence Surveillance Act and PRISM program.
"If these companies had remained silent it's not clear it would have impacted user behavior," Sterling told us. "However, it would have subjected them to heavy criticism and questions from the tech press. The tech companies may have established their 'non-complicity' in domestic surveillance but the scandal appears to be far from over."