Why Google's Plea for More Transparency Matters
In an attempt to clarify Google's role in the NSA surveillance scandal, the company's head lawyer, David Drummond, took the podium to clear the air.
Since the scandal broke late last week, Google has maintained that it does not let the NSA have open access to its users' data. Google will, however, work with the government when Foreign Intelligence Surveillance Act requests are delivered to the company. And the company seems willing to be transparent about when it receives these requests--just as it is transparent about other government requests for user data.
The only problem is that right now, its hands are tied. According to FBI law, Google can't release those FISA requests due to nondisclosure obligations. In other words, what Drummond is saying is that Google isn't complicit in spying--it only looks like it is, because it is not allowed to talk about it.
As Drummond wrote yesterday:
Google has worked tremendously hard over the past fifteen years to earn our users' trust. For example, we offer encryption across our services; we have hired some of the best security engineers in the world; and we have consistently pushed back on overly broad government requests for our users' data.
We therefore ask you to help make it possible for Google to publish in our Transparency Report aggregate numbers of national security requests, including FISA disclosures--in terms of both the number we receive and their scope. Google's numbers would clearly show that our compliance with these requests falls far short of the claims being made. Google has nothing to hide.
Whether you choose to believe Google...well, that's another discussion. And frankly, the more pessimistic PRISM-ites would probably allege that Drummond's post is just a distraction--and that this request is just a sideshow meant to confuse the situation and throw PRISM investigators off the trail.
So far, no one really knows. Google continues to deny that the NSA had direct access to its servers, and Snowden's supposed proof hasn't yet been fully investigated. Mike Arrington, the TechCrunch founder, weighs in with his own smart theory:
My guess is that Google and the others have agreed to receive FISA requests in an automated way, process them in an automated way, and fire off the data in an automated way. That whole process could take a very small amount of time. Milliseconds for small sets of data, easy. Anything beyond that is from any human intervention at Google to read the order and decide whether to accept it. From what I've seen, it's extremely rare for companies to push back on orders, since the secret FISA court always, without exception, tells them to settle down and get that data over to the NSA, pronto.
So Google complies, and the whole thing has been handled "in accordance with the law."
Regardless, it does bring up an important question that companies will be grappling with from now into the future. As more sensitive data inevitably moves to the cloud, and that data is managed by private entities (think: Dropbox, Box, etc.), tech companies must begin thinking about how to approach transparency in an era of FISA and other government-related surveillance requests.
It's not just tech companies that should be concerned, either. As Robert McMillan of WIRED pointed out yesterday, one company has already put a project to move e-mails into the cloud on hold.
"They are simply concerned about their data being accessed by a third party without their knowledge or consent," the company's lawyer told McMillan. "They have all kinds of things that they're working on, and they don't want that information used unless they understand who's using it."
The FBI and Department of Justice will likely not respond to Google's request. If they do, they'll probably just say no, and the argument will be that releasing FISA requests to the public could compromise national security. And that may, in some sense, be true. But for tech companies to retain any semblance of trust with their customers, they'll need to figure out new ways in which they can be both transparent and compliant with the law.
"We want to be able to be more transparent about what we do do, which is occasionally comply with national security orders, as we're required to do," David Drummond told PBS last night. "What we would like the government to do is to allow us to say more."