US Tech Giants Rush to Regain User Trust

On Monday, Google, Yahoo and Facebook all published blogs on their efforts to get greater freedom in the details they can disclose about US government requests for user data.

Facebook's motion to FISC (available here) asks for the right to disclose aggregate data regarding FISA orders and directives. General counsel Colin Stretch issued a statement yesterday, saying, "We hope and believe the action we take today will help spur the United States government to provide greater transparency about its efforts aimed at keeping the public safe, and we will continue to be aggressive advocates for greater disclosure."

Yahoo's general counsel, Ron Bell, published a similar statement: "Yahoo filed suit in the Foreign Intelligence Surveillance Court (FISC) this morning demanding the right to publicly disclose the number of user data requests that we receive from the U.S. Government under national security statutes."

Google's Richard Salgado (director, law enforcement & information security) and Pablo Chavez (director, public policy and government affairs) jointly issued similar: "Today we filed an amended petition (PDF) in the U.S. Foreign Intelligence Surveillance Court... Namely, that Google be allowed to publish detailed statistics about the types (if any) of national security requests we receive under the Foreign Intelligence Surveillance Act."

The companies' hope is that in being transparent they will be able to demonstrate that they are unwilling partners in government surveillance. The transparency itself, however, does nothing to limit that surveillance. Google, alone so far, is going further. 

"Separately," reported Reuters yesterday, "Google asked the secret court that approves spying requests for a public hearing on their quest to reveal how many orders the company complies with." It added, "The court, whose members are appointed by the U.S. Supreme Court chief justice, has never held a public session and generally hears only from the U.S. Justice Department and intelligence agency lawyers."

This follows news that Google is acting to encrypt the data flows between its various data centers. Once again, however, this will not prevent government requests for data, but will make dragnet general surveillance more difficult. Google will still have to abide by the laws of the land in which it operates; and this might be complex.

The UK, for example, has the Regulation of Investigatory Powers Act (RIPA) which allows the authorities to demand encryption keys (such as those used to encrypt Google's data flows) under certain circumstances. In this instance, it probably doesn't apply to Google. 

Nicholas Böhm, general counsel to the internet think-tank, the Foundation for Information Policy Research, explained the issue to Infosecurity: "A company incorporated in any part of the UK can be given a s49 notice if the authorities have (or may get) encrypted communications to which it has the key.  (But if a UK company has no officers or employees in the UK, which is possible, there may be nobody against whom criminal proceedings can be brought.)

"An overseas company with a UK presence is in the same position. But an overseas company with no UK presence is effectively outside UK jurisdiction."

Last month Google stated very clearly that it does not consider itself subject to UK laws. Nevertheless, although a moot point, it is clear that UK authorities could in theory attempt to force Google to hand over its encryption keys under existing law. The point is that any nation can create any law to defeat any encryption. Ultimately, the only defense against government surveillance is political rather than technological.

What’s Hot on Infosecurity Magazine?