New DOJ rules do not solve privacy issues in government data grab

Tech companies must now report government information requests, but progress still needs to be made, say experts


Despite the relaxing of restrictions on Internet companies receiving government requests for data, the Obama administration and Congress need to go much further in aligning spying operations with privacy rights, advocates say.

[Obama proposes changes to NSA surveillance]

The Justice Department introduced Monday new rules that tech companies must follow in reporting the number and type of information requests received by the government. While the rules give companies more leeway in so-called transparency reporting, they are not a replacement for a much-needed comprehensive policy for collecting, storing and mining data related to national security, privacy advocates said.

"I think transparency reports are necessary, but not sufficient," Nate Cardozo, staff attorney for the Electronic Frontier Foundation, said. "We cannot rely on transparent reports alone to map the scope of government access to our data."

The government's easing of data disclosure rules was used in settling privacy suits filed by five Internet companies, Facebook, Google, LinkedIn, Microsoft and Yahoo. Advocates praised the companies for making the government more open, but said further transparency is needed to prevent abuse by government spy agencies, such as the U.S. National Security Agency.

"Congress should require the government to publish basic information about the full extent of its surveillance, including the significant amount of spying that happens without the tech companies involvement," Alex Abdo, staff attorney with the American Civil Liberties Union's National Security Project, said in a statement.

Technically, the new rules only apply to the five companies as part of the settlement of their lawsuits, Cardozo said. While the Justice Department has said the rules will apply to all companies, they do not have the same force as law and have not been issued by a court.

"Yesterday's agreement represents the DOJ's position, but it doesn't represent the law," Cardozo said.

Privacy advocates favor passage of the USA Freedom Act, introduced in the Senate by Judiciary Chairman Patrick Leahy (D-Vt.). The act would raise the standards for collecting all forms of data, including phone records, email and Internet activity.

The tech companies sued for the right to release more information on government data requests, after feeling the pressure from customers concerned over whether the privacy of their data could be ensured. Much of the pressure came from overseas companies.

Revelations of NSA gathering of massive amounts of data on people in and outside the U.S. stemmed from documents released last year by former NSA contractor Edward Snowden.

Under previous rules, the tech companies could only report on the number of administrative subpoenas, called national security letters (NSLs), in increments of 1,000. They couldn't report on the number of court-approved requests received under the Foreign Intelligence Surveillance Act, called FISA orders.

[Obama's NSA surveillance reforms get mixed reviews]

Under the new rules, companies can report on the number of NSLs and FISA orders separately in increments of 1,000 or in a lump sum in increments of 250.

The companies also will be able to provide the number of "selectors" the government seeks information on. A selector is the government term for information, such as usernames, emails and Internet addresses.

Copyright © 2014 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)