New DOJ rules do not solve privacy issues in government data grab

Despite the relaxing of restrictions on Internet companies receiving government requests for data, the Obama administration and Congress need to go much further in aligning spying operations with privacy rights, advocates say.

On Monday, the Justice Department introduced new rules that tech companies must follow in reporting the number and type of information requests received from the government. While the rules give companies more leeway in so-called transparency reporting, they are not a replacement for a much-needed comprehensive policy for collecting, storing and mining data related to national security, privacy advocates said.

"I think transparency reports are necessary, but not sufficient," Nate Cardozo, staff attorney for the Electronic Frontier Foundation, said. "We cannot rely on transparent reports alone to map the scope of government access to our data."

The government's easing of data disclosure rules was used in settling privacy suits filed by five Internet companies: Facebook, Google, LinkedIn, Microsoft and Yahoo. Advocates praised the companies for making the government more open, but said further transparency is needed to prevent abuse by government spy agencies, such as the U.S. National Security Agency.

"Congress should require the government to publish basic information about the full extent of its surveillance, including the significant amount of spying that happens without the tech companies' involvement," Alex Abdo, staff attorney with the American Civil Liberties Union's National Security Project, said in a statement.

Technically, the new rules only apply to the five companies as part of the settlement of their lawsuits, Cardozo said. While the Justice Department has said the rules will apply to all companies, they do not have the same force as law and have not been issued by a court.

"Yesterday's agreement represents the DOJ's position, but it doesn't represent the law," Cardozo said.

Privacy advocates favor passage of the USA Freedom Act, introduced in the Senate by Judiciary Chairman Patrick Leahy (D-Vt.). The act would raise the standards for collecting all forms of data, including phone records, email and Internet activity.

The tech companies sued for the right to release more information on government data requests, after feeling the pressure from customers concerned over whether the privacy of their data could be ensured. Much of the pressure came from overseas companies.

Revelations of NSA gathering of massive amounts of data on people in and outside the U.S. stemmed from documents released last year by former NSA contractor Edward Snowden.

Under previous rules, the tech companies could only report on the number of administrative subpoenas, called national security letters (NSLs), in increments of 1,000. They couldn't report on the number of court-approved requests received under the Foreign Intelligence Surveillance Act, called FISA orders.

Under the new rules, companies can report on the number of NSLs and FISA orders separately in increments of 1,000 or in a lump sum in increments of 250.

The companies also will be able to provide the number of "selectors" the government seeks information on. A selector is the government term for information, such as usernames, emails and Internet addresses.


Stories by Antone Gonsalves
