Edward Snowden’s leaked documents first surfaced in The Guardian and The Washington Post in June 2013, exposing National Security Agency (NSA) efforts to gather the telephone records and digital data of millions of Americans. Through its PRISM program, the NSA was able to directly collect information from the internet servers of companies like Microsoft and Yahoo. The NSA was also able to engage in bulk collection of user data through targeted data collection protected by the Foreign Intelligence Surveillance Act (FISA). The Snowden revelations have had a significant impact on public perception of the United States government. However, perhaps the most interesting consequences of these revelations have been on US-based technology companies, which have been pressured into being more transparent about the ways in which they handle user data and law enforcement requests.
Prior to the Snowden revelations, several organizations had already filed suits against the NSA for spying and other alleged breaches of user privacy. For example, in Jewel v. NSA, The Electronic Frontier Foundation (EFF) sued the NSA and other government agencies on behalf of AT&T customers for alleged illegal dragnet surveillance of their communications and communications records based on documents provided by whistleblower Mark Klein. However, the Snowden revelations triggered heightened scrutiny of technology companies, like Google, Microsoft, and Yahoo, because they revealed the extent to which the NSA’s PRISM program could compel these companies to release user data.
In the wake of the Snowden revelations, US-based technology companies have experienced a negative impact to their reputations both domestically and abroad. A report from The Information Technology & Innovation Foundation projects that the US cloud computing industry could lose between $21.5 and $35 billion over the next three years as a result of the reputational damage caused by the revelations.
In an attempt to salvage their reputations and restore customer trust, technology companies have responded by publishing detailed transparency reports and law enforcement guidelines that explain how they handle government requests for user data. In general, transparency reports detail the number of requests for user information that a company has received from the government and the amount of information produced from those requests. Law enforcement guidelines detail what a company requires in order to release user information and whether it will notify users if their information is requested.
Since 2011, The EFF has published a report called “Who Has Your Back,” which uses a star-based system to recognize technology companies that have made a commitment to user privacy. The EFF rates companies across six categories, including requiring a warrant for content, telling users about government data request, publishing transparency reports, publishing law enforcement guidelines, and advocating for users either in court or in congress. Comparing companies on a year-to-year basis shows the dramatic impact of the NSA revelations. The 2013 report saw only two companies receiving stars in all six categories, whereas the 2014 report saw nine companies (including Apple, Microsoft, Google, and Yahoo) achieve that commendation.
However, while these reports are an important step forward towards greater transparency within the technology sector, they are not without their limits. Despite the fact that many technology companies are releasing transparency reports, the US government still has the ability to regulate the content within the reports. For example, the government has prohibited technology companies from disclosing exactly how many National Security Letters or FISA court orders it has received, and can only publish that information in broad ranges of numbers like “0-999.”
These limitations on the specificity and amount of information that transparency reports can reveal have inspired technology companies to speak out against the government and, in some cases, sue the government. On December 9, 2013 AOL, Apple, Dropbox, Facebook, Google, Linkedin, Microsoft, Twitter, and Yahoo wrote an open letter as part of their Reform Government Surveillance initiative, urging the government to allow companies to release more information to their users. Google’s Chief Legal Officer David Drummond wrote a blog post in 2013, directed at Attorney General Eric Holder and FBI Director Robert Mueller, in which he asked for permission to include aggregate numbers of government requests to prove that his company has “nothing to hide.” This October, Twitter sued the federal government for allegedly violating their First Amendment rights by prohibiting the company from disclosing information about government requests in its transparency reports.
Although these efforts are a positive step towards greater transparency in the technology sector, there are greater strides still for these companies to take. For instance, although the companies’ transparency reports describe government efforts to collect user information, they do not say much (or anything) about the companies’ own internal data policies. In this current era where big data reigns supreme, user privacy concerns are not only influenced by government practices but also by the ways in which their data is stored and used by individual technology companies. Furthermore, although a few organizations like the Digital Due Process Coalition have banded technology companies together to form a unified voice in Congress, little information has been released about how these companies are actually working to actually affect change. Ideally, these cross-industry coalitions could work together to propose a policy or legal framework to ensure greater user privacy. However, for now it appears as though membership in the group serves as a way for companies to signal their commitment to the issue, but the group itself has not made any definitive actions itself.
Although the Snowden revelations have had widespread implications for US policymakers, it is clear that technology companies have had to push for greater transparency in order to maintain their users’ trust. Only time will tell if these efforts will be successful.