Last week we saw Uber publicly release its first Transparency Report (https://transparencyreport.uber.com/) and they've committed to release one every 6 months. This has actually been happening for a few years. Google began this trend for major tech companies in 2010, followed by Twitter in 2012 and now we have a number of other companies doing the same:
- Google: https://www.google.com/transparencyreport/
- Yahoo: https://transparency.yahoo.com/
- Facebook: https://govtrequests.facebook.com/
- Twitter: https://transparency.twitter.com/
- Apple: http://www.apple.com/privacy/transparency-reports/
- Microsoft: https://www.microsoft.com/about/csr/transparencyhub/
A transparency report is a public statement issued by a company, on some sort of regular basis, that discloses aggregated data (not individual instance data) about requests for user information or content. These requests are made by governmental or regulatory bodies, as well as law enforcement agencies. Transparency reports are focused on a specific period of time and typically include how frequently these agencies request data and the types of responses provided. They also include under which authority the requests were made such as subpoena, search warrants, court order or emergencies. Disclosing a transparency report helps the general public understand the scope and authority by which regulatory bodies are permitted to access personal information that we would typically consider private.
In the last 6 months of 2015, Uber reports that it handled 415 requests for private data from various law enforcement agencies. It provided at least a portion of the data requested in approximately 85% of cases. Out of those requests 368 came from state run agencies, while 47 were from federal agencies. As a result of these requests, 408 riders and 205 drivers were impacted. As part of its report, Uber states that it makes it a policy to protect passenger privacy and requires valid and sufficient legal process from official government agencies before disclosing any information about its customers. It typically attempts to narrow the scope of data requests, which it is successful doing in some cases.
I find the release of transparency reports significant! It means we now have major tech companies, who request and use our personal information every day, releasing information to the public that clearly describe how they handle requests for that private data. This helps to put pressure on those technology companies retrieving our data to securely store and protect that data, and it shows that they are making attempts to do just that. This also allows us as consumers of online services to understand the scope of government requests and to watch the trends - to see if these requests are increasing. Finally, it sheds a light on a practice that would otherwise be kept secret, and it encourages us to put pressure on our governments and law enforcement agencies to handle our personal data with the sensitivity and care it deserves.
Consider a very simple scenario where a law enforcement agency requests data from an online service about an illegal activity related to a person named 'John Smith'. What if your name is also 'John Smith' and you happen to use the same service? Your personal data may get lumped in with the data provided. You want law enforcement to be able to do its job of course. However, you would also like to think that the data provided is under some sort of legal retention policy so after a specific amount of time, once the legal case is closed, your data is permanently deleted and you're no longer inadvertently associated with the case. Unfortunately, many organizations take the stance of keeping data around forever, just in case. You would like to think that the agency is taking appropriate steps to control access to that data, and storing it securely so it cannot be inappropriately exposed while in their hands. However, agencies may not necessarily have (or follow) policies that define how personal data should be handled and secured. You would also like to think a law enforcement agency will not disclose your data to other government agencies, but we have no guarantee of that.
Last week we also had Microsoft announce that they are suing the US Justice Department for its frequent use of gag orders preventing it from telling people when the government obtains a warrant to read their emails. Microsoft states that the gag order statute in the Electronic Communications Privacy Act of 1986, as employed today by the courts, is unconstitutional. According to Microsoft, the practice violates the Fourth Amendment right of its customers to know if the government searches or seizes their property, and it breaches the company’s First Amendment right to speak to its customers. Although the case could be in the courts for months or years, Microsoft is trying to start a public debate about the frequent use of secrecy orders in government investigations. Microsoft reminds us that they do not own the data within their service - that the customers own their data and Microsoft is simply the custodian of that data. Their position here very much is in line with that statement.
My personal information in many ways is my identity and I want to make sure my government does everything it can to protect it. I for one, as a security-minded person, applaud Uber, Google, Yahoo, Facebook, Twitter, Apple, Microsoft and others for these efforts towards transparency! The transparency report is an excellent practice which allows us to get an initial view into how personal data is accessed by our governments, regulatory bodies and law enforcement agencies. We can begin to debate how much personal information governments should be allowed to access and what they must do with it. Finally we can start to work with these organizations to ensure that they put in place appropriate security policies and privacy controls to better protect our personal information and identities.