Transparency reports on trial: New front for free speech?

The latest high profile free speech fight isn’t over a book, a movie or even a video game. Instead, the court case is over a corporate report, and has led media companies to join Twitter in an unusual First Amendment challenge of government gag orders.

The court case highlights the growing significance of the so-called “transparency reports” that Twitter and a growing number of other companies, are using to inform users about government demands and other trends that affect the internet.

Since they began appearing five years ago, the reports have served as an important measure of free speech and privacy. But they can also be a PR tool for the companies that publish them. As a federal judge in California gets ready to hear Twitter’s case, it’s time to reflect what these reports are — and are not — all about.

Five years of reports on snooping, and Snowden

Google published the first Transparency Report in 2010. It showed how often the government came calling for information about users (such as Gmail messages), and also explained how many times copyright owners and others asked Google to remove content from the web.

Subsequent Google reports evolved to include data from other countries, and occasionally included droll details about specific government requests — like the time the Mounties demanded to know which Canadian had peed on his passport in a YouTube video (Google refused to say). More seriously, the reports show how governments are using Google as a back-door way to collect information about their citizens, and how this phenomenon is increasing.

After 2010, other tech companies came to follow Google’s example: Twitter, Yahoo, Microsoft and others have now issued several reports of their own. The reports vary in detail and sophistication, but all point to a similar drumbeat of demands by governments for information about users’ identities and personal data.

In 2013, the reports took on a new importance in the wake of Edward Snowden, the former NSA contractor who revealed how U.S. and other intelligence agencies had created a massive surveillance apparatus on the back of data gleaned from tech and phone companies. Civil libertarian groups like the Electronic Frontier Foundation also describe them as essential to pressing for surveillance reform.

“This is how we hold countries accountable for action … Governments behave better when they know they’re being watched and tracked,” said Eva Galperin of the EFF in an interview last year.

Edward Snowden in his first public speaking appearance at SXSW on March 10, 2014.

Edward Snowden in his first public speaking appearance at SXSW on March 10, 2014.

Post-Snowden, the tech industry redoubled legal challenges against government gag orders that preclude them from disclosing the very existence of the stealthy procedures (such as National Security Letters and “FISA Orders”)  that agencies like the FBI and NSA use to demand data.

This pushback includes Twitter’s legal challenge, which last week led a range of media companies — from the Guardian to NPR to BuzzFeed — to file a supporting brief.

“Twitter’s proposed transparency report is no less entitled to free speech protections than ‘literature’ or ‘movies,'” claimed the companies.

But even as the ongoing legal battle over transparency reports heats up,  the actual impact of the reports is unclear.

Public service … or public relations?

In the wake of the Snowden revelations, a crush of companies have rushed to publish transparency reports of their own, often gaining press attention for doing so. This month, for instance, Reddit’s inaugural report merited a write-up in the New York Times even though its contents suggested the government has taken only scant interest in the internet news site.

Screen Shot 2015-02-23 at 2.23.00 AM

From Pinterest’s transparency report

A list on Google’s website shows that at least three dozen other companies, ranging from Verizon to Pinterest, are publishing transparency reports of one type or another (see Pinterest graphic at right). Meanwhile, Google itself continues to publish its own semi-annual report in blog posts under headlines that suggest surveillance is on the rise.

While all of this serves to put a spotlight on government demands, it may also paradoxically serve to to dim it. That’s because the sheer volume of transparency reports, and the regular warning of government spying, could lead to public apathy on the issue.

Public indifference could also be hastened by the complexity of the legal issues (such as the distinctions between search warrants, subpoenas and security letters), and by the rivalries between companies that publish the reports.

Google and Facebook, for instance, have sniped over who deserves credit for standing up to the Justice Department through transparency reports. Meanwhile, the reports themselves don’t provide all the context to determine if surveillance really is becoming more pervasive — or if the rising number of requests is a function of more people being online.

Galperin of the EFF says she would like to see some sort of standardized reporting for transparency documents one day, but disagrees that there is fatigue with the reports themselves.

“I’m less concerned with specific companies, but with ensuring that startups create the reports from the very beginning. If you work with user data, they government will come calling for it.”

How the media should deal with data

An engineer at a major tech company who has helped to produce transparency reports told me he disagrees that the process needs to be more formalized, or that the process needs an oversight mechanism to ensure companies don’t exploit the process for public relations purposes.

“How do you deem from the outset who is the outside audience? I don’t care if someone working with a spreadsheet is a tenured prof or a high school kid good at analytics,” said the engineer, who spoke on condition of anonymity.

He added that certain data sets are more “mediagenic” than others, pointing to less-publicized items like a Google transparency report on unsafe websites, but that publicizing data typically produces change for the better.

If the transparency reports do produce results, this could strengthen Twitter’s court challenge that gag orders directed at them amount to an illegal prior restraint on speech, and that companies have the right to put out so-called “warrant canaries.”

Meanwhile, the media companies’ decision to file briefs in the case appears to validate the engineer’s opinion that the prime duty of those who publish transparent reports is to put out data, not deconstruct it.

“The value of transparency reports is measured by diligent and astute media — those who roll up their sleeves and engage with it and find what it ultimately means, rather than just spitting out facts.”

U.S. sued over planes that suck up cell phone data

A civil liberties group has filed a lawsuit against the U.S. Marshals Service, demanding more information about a controversial surveillance tactic involving airplanes that fly over urban areas in order to sweep up cell phone signals.

The Electronic Frontier Foundation’s lawsuit, filed in Washington, claims that the group demanded documents about the plane program under freedom-of-information laws last November, but that the federal government has so far failed to turn them over as required.

The plane program in question came to light last after the Wall Street Journal revealed how the Justice Department straps small devices known as “dirtboxes” to Cessna planes in order to lock on to cell signals. The devices, which measure two feet square, are reportedly capable of recording location, phone data and even conversations.

The device-equipped planes also allegedly locks on to the phones of suspects and innocent people alike, but then discards data gathered from the non-suspects.

A spokesperson from the Justice Department on Tuesday declined to comment about the plane program or the FOIA lawsuit.

The lawsuit itself asks a judge to order the government to comply with the freedom-of-information law demands, which the EFF says it originally sent to the Justice Department, the FBI and the Marshals Service. These included requests for records about the plane program, about related criminal cases, and information about which state and federal agencies are using the devices.

If the lawsuit gains traction, it could bring new attention to the government’s use of stingrays, which is the name commonly used to describe devices that mimc cell phone towers in order to trick cell phones into connecting to them. The plane program appears to be just an airborne extension of that practice.

Meanwhile, the federal government’s surveillance policies are also under scrutiny in light of the recent disclosure of a cross-agency license-plate program that is amassing driver data at record rates.

How net neutrality rules can fix Verizon’s supercookie problem

The FCC is on the cusp of proposing new rules for the internet, and it may have a chance to kill two birds with one stone: along with preserving so-called “net neutrality,” the rules could serve to stop the use of “supercookies” that phone carriers like Verizon are using to track their wireless subscribers.

In case you’re unfamiliar, supercookies are akin to regular internet cookies, which advertisers use to create a record of users’ browser activities. The difference is that the supercookies are tied to a users’ mobile device at a network level, and create a permanent customer profile that can’t be deleted. The profiling process not only tracks web browsing, but also app activities, and it can’t be thwarted by using a browser’s “private” or “incognito” mode.

Carriers like Verizon use the supercookies to assemble marketing segments such as “low-income Spanish-speaking moms in the Bronx” (for instance), and offer them to advertisers. While this profiling feature can be a boon to marketers, it has also alarmed privacy advocates, who say supercookies are invasive and point out they are being abused by outside ad companies.

After an outcry, phone giant AT&T said in November that it would stop using supercookies. Its rival Verizon, however, has so far rebuffed calls to cease using the tool, known in the industry as unique ID headers, to tag and track users.

Verizon, which declined to comment for this story, has presumably calculated that the value of the marketing data from supercookies outweighs whatever privacy headaches they create. Most consumers, meanwhile, don’t know or care about cookies in the first place, so it’s unlikely that Verizon will suffer any sort of customer exodus.

Enter Title II

Verizon’s support for supercookies could one day lead to class-action lawsuits, as some have suggested. But in the meantime, the FCC may soon be in position to address the privacy implications of what the company is doing.

The opportunity comes about as a result of the current net neutrality debate, which is widely expected to result in the FCC reclassifying internet providers as so-called “Title II” companies.

The Title II designation is the only legal avenue the agency can use to stop broadband companies from favoring some websites over others, but it also contains important authority for the FCC to protect privacy.

“The critical provision is Section 222, which concerns customers’ proprietary network information,” said Harold Feld, a lawyer and telecom expert with the group, Public Knowledge, in a recent phone interview.

Section 222 is one of a list of rules that Title II imposes on phone companies and other “common carriers,” and serves to restrict companies from using customer communications data for marketing purposes.

According to Feld, however, it’s not certain that the FCC would include Section 222 as part of any reclassification process. Chairman Tom Wheeler has suggested that any action under Title II would include so-called forbearance measures, which could excuse the companies from many of the new obligations.

Feld suggested that if the FCC does choose to implement Title II without Section 222, it could fall back on the more general provision known as Section 201, which requires carriers among other things to act in the “public interest.”

The outcome of the final net neutrality debate, slated for a likely FCC vote on February 26, is far from certain. But the emergence of the supercookie issue could provide another argument for net neutrality supporters to urge the FCC to go-ahead with reclassification.