Ever since leaked NSA documents first started popping up this summer, the battle against NSA surveillance has proceeded on multiple fronts: legislators pushing for new laws, journalists pushing for new stories, and tech companies fighting to regain users’ trust. Yesterday, one of the major fronts closed down. Since July, tech companies had been putting pressure on the Department of Justice, fighting for the right to say more about their interactions with law enforcement. Yesterday they made peace, reaching a settlement and withdrawing a class action suit that had drawn in some of the most powerful companies in America. On this front at least, reformers have likely gotten all they’re going to get.
From the outside, it looked like a simple response to the president's recent NSA order, but according to the Wall Street Journal's reporting, it was the result of intricate backroom negotiations between tech companies and the administration, the end of a conversation that's been going on for months. As soon as the order was announced, the companies quietly dropped their motion against the FISA court, declining to comment beyond a short prepared statement:
We filed our lawsuits because we believe that the public has a right to know about the volume and types of national security requests we receive. We're pleased the Department of Justice has agreed that we and other providers can disclose this information. While this is a very positive step, we'll continue to encourage Congress to take additional steps to address all of the reforms we believe are needed.
As one Obama aide told Politico more simply, the deal was "understood to resolve the question of transparency around national security." As far as the courts were concerned, the tech companies had won.
So what did they win, exactly? On the transparency side, companies get to add two new columns to their transparency reports, announcing the general number of national security letters and FISA warrants alongside traditional warrants and wiretaps. The numbers still aren’t exact, lumped into bands of 250 or 1,000, but users can now have a general idea of the volume of requests companies are receiving through those channels. In exchange for that, the government gets a two-year window in which new methods can’t be disclosed. So if Microsoft were to launch an all-new chat platform tomorrow, the government will have at least two years between the first data request and the first transparency report, supposedly lulling gullible terrorists into a false sense of security. It also applies to entirely new kinds of warrant, so if terrorists start sending self-destructing messages through Snapchat, the same two-year lag time will apply.
It's the kind of compromise President Obama loves, locking both sides into a limited version of what they want. There's some chilling effect, since users of smaller services will never know whether a given service is in the two-year window or not — but in the long term, two years is just a snippet, hardly enough time for society to spiral into a surveillance dystopia. As long as all the programs are disclosed within two years, then the public will be generally informed about the government's surveillance programs, and the gears of democracy can take it from there.
If that were the whole story, privacy advocates would be declaring victory right now — but they're not. That's because the order also leaves a number of loopholes that seem to be designed to let programs like PRISM slip by unnoticed. ACLU chief technologist Chris Soghoian has already raised concerns that the disclosure rules only apply to "customer selectors" targeting individual users. That would mean a FISA warrant for a specific person or email address would be included in the numbers, but it might not include broader queries that brought up anyone who emailed the word "terrorist" or started accessing their account from Yemen. The order only addresses bulk collection programs in a footnote, offering vague assurances at best. Where does that leave PRISM, or the network-tapping efforts that allowed the NSA to pull wholesale data from Google and Yahoo networks? Those programs are still closed off, effectively unreportable.
That's a big concern for the ACLU, but for Google and others, it may be beside the point. While NSA reformers have been crusading for fundamental changes in US surveillance, tech companies have been looking for something simpler: trust. All the web's most successful products are built on trust, from Gmail and Facebook on down. If web users stop trusting the service, they’ll simply leave, so that trust must be protected at all costs. Disclosure isn't just a public service; it's a business imperative. So when Google wrote an open letter to the FBI director this summer, it opened with the simple statement, "Google has worked tremendously hard over the past 15 years to earn our users’ trust." In a joint letter to President Obama, signed by eight of the largest companies in tech, Apple, Microsoft and others asked the president to consider "users’ reasonable privacy interests and the impact on trust in the internet." As the CEO of CloudFlare told me back in October, "we are fundamentally in the business of trust."
Yesterday's deal protects that trust, but it doesn't go further. It's a move back to the pre-Snowden state, with fights over targeted surveillance obscuring more secretive programs that suck up data in bulk and escape accountability entirely. Those programs, with PRISM chief among them, are at the core of the NSA’s surveillance efforts, but they’ve been increasingly ignored by the president’s reform efforts. In last week’s speech, he laid out plans to reform the phone-records program and the FISA courts, but the programs targeting the open web went largely unmentioned. Unless someone forces the issue, it’s likely to stay that way.
If you care about web freedom, that’s a scary thought. Programs like PRISM strike at the nature of the internet itself, establishing a breed of totalizing surveillance on a scale that would be unthinkable elsewhere. The free flow of data, once a tool of freedom, becomes something much darker. Any true reform will have to grapple with that fact. The president has made progress, but those crucial reforms are still missing, and each new empty gesture makes it less likely they’ll appear. After the transparency deal, we’re left with an even scarier thought: the companies with the biggest stake in the web may not be interested in defending it.