Facebook, Microsoft disclose FISA requests, sort of

Both Facebook and Microsoft asked for and received permission to disclose FISA and other government requests

Both Facebook and Microsoft said late Friday that they had been given permission from the U.S. government to disclose how many times the two companies had been asked to turn over user information to the Feds as part of a national security order.

However, the data comes with so many caveats that little information can be gleaned from it. For their part, Google and Twitter opted out of similar disclosures, precisely for those reasons.

For the six months ended December 31, 2012, Microsoft received between 6,000 and 7,000 criminal and national security warrants, subpoenas and orders affecting between 31,000 and 32,000 consumer accounts from U.S. governmental entities, the company said in a blog post. For its part, Facebook said that it had received 9,000 requests of the same nature during the same period.

Both Facebook and Microsoft have been named in reports by The Guardian and the Washington Post alleging that many of the Web's top companies have actively participated in a program, dubbed Prism, that supplied information on Web searches, emails, and other user communications whenever the government requested. AOL, Facebook, Microsoft, Google, and the other companies named in the report denied the allegations, with both Facebook and Google doing so vociferously. Edward Snowden, a former employee of the National Security Agency, later outed himself as the source of the information.

Director of National Intelligence James R. Clapper then claimed that the Prism program would only collect information under court order, with an eye toward gathering foreign intelligence under the Foreign Intelligence Surveillance Act, or FISA.

In response, Facebook and Microsoft asked the government to disclose national security requests in its existing disclosures of data.

"For the first time, we are permitted to include the total volume of national security orders, which may include FISA orders, in this reporting," Microsoft said Friday evening. "We are still not permitted to confirm whether we have received any FISA orders, but if we were to have received any they would now be included in our aggregate volumes."

Microsoft and Facebook both said that they operated under a number of constraints imposed upon them by the federal government: Both were permitted to report FISA orders, but only if aggreagated with law enforcement requests from all other U.S. local, state and federal law enforcement agencies for a six-month period. Both companies were also asked to report their requests as a range of numbers. Microsoft, which has several Web services that could be subject to FISA and other requests, was also required to report all of the requests it received for all of its services, in aggregate.

If all that sounds so vague to be almost useless, well, Google felt the same way. Google told the  Verge:

"We have always believed that it's important to differentiate between different types of government requests," Google said. "We already publish criminal requests separately from National Security Letters. Lumping the two categories together would be a step back for users. Our request to the government is clear: to be able to publish aggregate numbers of national security requests, including FISA disclosures, separately."

Twitter agreed.

We agree with @Google: It's important to be able to publish numbers of national security requests--including FISA disclosures--separately.

Both Microsoft and Facebook said that the requests were miniscule, compared to their user base, with Facebook claiming that it represented less than a tiny fraction of one percent of their user accounts.

"We hope this helps put into perspective the numbers involved, and lays to rest some of the hyperbolic and false assertions in some recent press accounts about the frequency and scope of the data requests that we receive," Facebook said.

Join the CSO newsletter!

Error: Please check your email address.

Tags GoogleMicrosoftsecuritytwitterprivacyFacebook

More about AOLFacebookGoogleMicrosoftNational Security AgencyPrism

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Mark Hachman

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts