Opportunity amidst PRISM fallout
By Meg Roggensack
Last week, we urged companies to treat the PRISM disclosures as an opportunity for greater transparency. The ability to proactively share details on government data requests has been limited, but Mr. Snowden’s leak changes these possibilities. At play now is a test of corporate fidelity to user trust and user privacy. In fact Google, today, has taken the lead and asked the Foreign Intelligence Surveillance Act (FISA) court to lift their gag order on its data requests.
In March, Google announced that it pushed back against the government and won the ability to include ranges for the number of National Security Letters and user accounts affected in its transparency reports. Microsoft, which released its first transparency report this year, is now sharing aggregated ranges for the number of national security-related and law enforcement requests received. And Yahoo and Facebook have recently shared similar disclosures, with statements indicating fuller transparency reports are on the horizon.
Despite these disclosures, though, we still need more substance. We know that the companies “scrutinize” every data request and ensure their response accords with the law and their own policies. It would be helpful to know what these policies are.
As members of the Global Network Initiative, Google, Microsoft, Yahoo, and Facebook have made express commitments to proactively protect the privacy rights of their users, supporting the position that a right to privacy implies a right to know who has your information. Two weeks ago, these companies could say very little. But now, we’re in conversation, and the expectations are changing. President Obama has already called upon his oversight board to convene. And companies are in a position to get greater latitude.
What would be helpful, beyond numbers and percentages on data requests, are better explanations of the policies these companies hold in relation to national security—and the protocols they use to implement such policies. The issue here is broader than PRISM (or Programs “2015” and “702”). What we need to see is how, specifically, companies have been managing the privacy risks their users face in light of a global environment where national security has been front and center.