Internet Companies Must Restore User Trust
By Meg Roggensack
For internet companies, user trust is critical. As former Secretary of State Clinton observed in her landmark 2010 speech on internet freedom, this trust is an integral part of America’s internet brand. Users’ confidence in the privacy of their online communications has been badly shaken by recent news of the sweeping internet surveillance measures that the U.S. government has been secretly implementing pursuant to the Foreign Intelligence Surveillance Act (FISA). These revelations have also tarnished companies’ reputations as entities committed to protecting their users’ right to privacy.
Last week, in an open letter, we called on the companies named in the leaked PRISM documents to take steps to address their users’ privacy concerns. The right to privacy means that users should know who has access to their data. Google, Yahoo, Microsoft, and Facebook, as members of the Global Network Initiative (GNI), have committed to minimize the privacy impact of government requests, and to be as transparent as possible with users about their efforts to do so.
GNI members Google and Microsoft have shown commendable initiative by publishing periodic transparency reports including data about government requests for user data, which we now know our government has limited, exempting FISA related requests. Yahoo has now committed to release transparency reports as well, beginning late this summer; Facebook has indicated that it may do so as well. This transparency reporting is an important step in the right direction.
These companies have in the past weeks pressed the government to permit them to disclose information about the number and scope of FISA requests they have received. The government’s response thus far—to permit companies to disclose this information only if combined with information about all other government requests for user data, such as law enforcement requests — is disappointing. As Google stated last Friday, “[l]umping…categories together would be a step back for users. Our request to the government is clear: to be able to publish aggregate numbers of national security requests, including FISA disclosures, separately.”
Google, and the other companies involved in PRISM, should continue to press the government to allow them to publish FISA requests separately from state and local governmental requests, and those made as part of criminal investigations. And there is more that they should do.
Companies should also explain their own efforts to safeguard users’ data and right to privacy. While non-disclosure restrictions in the name of national security may inhibit companies from discussing responses to specific government programs and specific requests, we urge companies to provide the public with general information about their policies aimed at understanding and minimizing the risks that national security initiatives pose to their users’ privacy rights, and to provide as much information as possible about how they handle governmental requests for data.
In the past two weeks, companies have disclosed valuable, relevant information by saying what they have not allowed—direct government access to their servers. We call on them to determine all that they can legally disclose, and to share this information with the public. Users deserve to know more about the policies that guide companies’ responses to national security related government requests for their data.
We urge companies to keep the public conversation about national security and privacy alive, and to push back against laws and policies that unduly infringe upon peoples’ fundamental rights. They should advocate, vociferously, for interpretations of the law that favor privacy over maximum surveillance, and for more robust oversight mechanisms.
Companies must do all in their power to restore user trust in them, and America’s reputation as a country committed to building a free, open, and secure internet.