Apple Issues First Transparency Report
Trailrunner7 writes "In a new report (PDF) detailing the number and kind of requests for user information it's gotten from various governments, Apple said it has never received a request for information under Section 215 of the USA PATRIOT Act and would likely fight one if it ever came. The company also disclosed that it has received between 1,000 and 2,000 requests for user data from the United States government since January, but it's not clear how many of those requests it complied with because of the restrictions the U.S. government places on how companies can report this data. Right now, companies such as Apple, Google and others that issue so-called transparency reports are only allowed to report the volume of requests they get in increments of 1,000. So Apple's report shows that although it received 1,000-2,000 requests for user data so far in 2013, the number that it complied with is listed as 0-1,000. Apple, along with a number of other companies, including Google and Microsoft, have asked the government in recent months for permission to disclose more specific numbers of requests, including specific numbers of National Security Letters."
Great job with that transparency, Apple.
I have complied with between -549 and 451 requests.
With a built-in backdoor there's no need to send request notices.
Try actually reading the summary. Legally, they can only report the number in increments of 1000. So 0-1000 means "somewhere between 0 and 1000 but we can't legally tell you how many".
They know down to the decimal, guaranteed (they bill for the requests at the very least).
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
>Try actually reading the summary.
You're setting a pretty high bar there...
#DeleteChrome
It's surprising to me that Apple didn't provide more detail. Others do. Yes, companies are currently not allowed to provide precise data on National Security Letter requests, but for all other sorts of government requests, including warrants and subpoenas, there are no legal restrictions. Google publishes the precise number of requests and the precise number of affected user accounts for those requests, falling back on giving ranges only for the NSLs (it's worth pointing out that it's thanks to Google's efforts that anyone can publish any information on NSLs; they're the ones who negotiated the permission to publish ranges). Other companies also publish precise statistics for everything except NSLs.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
>I buy that as much as I buy Apple products.
I do. Big corporations don't lie when they make simple statements like that. It's not the way they operate.
It would be rather useful if all organizations for which this was true would make such a statement. Then we could work out who did get the mandatory anal probe.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
I'd be more interested to know if they shared their private key for SSL/TLS. Since Apple's Safari (to the best of my knowledge) does not support perfect forward secrecy (PFS), someone recording the encrypted session could later decode the session contents if they ever acquired the private key at any point in the future. The conversation might go like this:
NSA: "Hey, we won't bother you all the time with requests if you'll just give us a copy of your private key."
Apple: "Well, that would save us a bunch of time, effort and expense...but if the users ever discovered..."
NSA: "No worries. Just hand it over whenever you get a new one."
Apple: "Yeah, I guess we could point out we never give out the current one, only old keys we no longer use."
NSA: "Well, just deny it, saying you did not give out the current keys. You can leave out that little detail about the old keys."
I should point out that IE doesn't support PFS either, so Microsoft could be in the same boat. I think Chromium and Opera support PFS, but I'm not 100% certain.
(This is not my field of study, so if I have this wrong, I'd appreciate a correction.)
Place nail here >+
If a company wanted to provide this information without actually explicitly stating it, couldn't they release a more detailed report of their finances, including business expenses incurred as a part of dealing with these requests? If they accounted for each request as a flat rate, it would be possible to glean the information without breaking any laws about publishing how many requests they received.
Similarly, they could be taking an interesting approach with regards to Section 215 requests. Legally they're not allowed to even state that they've received any, so the claim that they've given could be a lie. However, if it isn't, if any future reports omit any mention of the number of Section 215 requests, it would be safe to assume that they have received one.
They're already all really good at finding tax loopholes and dodging around other legal requirements, so I would imagine that even if the government wants to keep this information under wraps that some of these companies will find a way to get that information out.
Section 215 includes the lovely clause that you are not allowed to mention that you have received one. The fact that Apple is saying they haven't is interesting because if they stop saying it, there is a very clear inference that can be drawn. Think of it as a canary - when you see that line dropped in subsequent reports you can assume Apple has received one, even though they won't be able to say so.
According to wiki, the Patriot Act includes a gag order. http://en.wikipedia.org/wiki/National_security_letter
>I do. Big corporations don't lie when they make simple statements like that. It's not the way they operate.
Even more, the executives of shareholder-owned companies have rather strong legal requirements to be honest in statements to shareholders, which public statements are. Public falsehoods can send execs to prison. Barring some element of the law that can allow the US government to authorize (or require) them to lie, they legally can't. And, AFAIK, there is no such law. The government can gag them, but not force them to lie.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Did you even read the summary? Here - let me make it easy for you:
>Right now, companies such as Apple, Google and others that issue so-called transparency reports are only allowed to report the volume of requests they get in increments of 1,000.
Did you get that? They didn't provide more detail because they are legally not allowed to beyond a range of 1000. If they could provide more detail, they would.
In fact, they are filing an amicus brief in the efforts of gaining permission to disclose numbers in greater detail.
http://appleinsider.com/articles/13/11/05/apple-court-filing-asks-for-transparency-on-government-user-information-requests
Oh, and the list of companies fighting for permission to provide greater detail? Google, Microsoft, Yahoo!, Facebook and LinkedIn. Notice Google, who you claim publishes the precise number of NSL requests, is on that list.
Let's have a look at Google's transparency report for the US:
http://www.google.com/transparencyreport/userdatarequests/US/
Oh. Look at that - Google does not provide precise numbers of NSL, as you claim.
It's simple - the US makes it illegal for companies to disclose in any detail greater than units of 1000 how many requests for information they receive. Thus the numbers for the US are, shockingly, in units of 1000. For Apple and Google.
It depends how you count. One NSL/~court document/letter could cover an entire group, brand, faith or generation of people.
Not a legally valid NSL, per my understanding (which comes from Google's legal counsel -- I'm not sure how much detail I can provide, so I won't give any). And the ranges provided by most of the companies -- including Google -- cover not just number of requests but number of accounts impacted. For example, the most recent report from Google says that in 2012 Google received 0-999 requests which affected 1000-1999 user accounts.
That's NSLs only. For other requests (subpoenas, warrants, etc.), in 2012 Google received 16,407 requests affecting 31,072 accounts, and produced at least some data in response to 89% of them.
This is US only, but the data for other countries is like the non-NSL data from the US; very precise, and with specification of numbers of accounts affected. So your theory about this approach to masking broad access doesn't hold water, unless you assume that the numbers are either fabrications or not complete.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Yeah, but as we have seen with the way the telcos are treated, the NSA can simply include the whole customer base of a few hundred million people in a single request, so it is all quite meaningless.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Not maybe. That has already been done with the telcos (and even the little Lavabit) and Apple is just another telco, so it is safe to assume that they will also receive a single request for everything.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Keep an eye on that part of the report.
Best Slashdot Co
>It's surprising to me that Apple didn't provide more detail. Others do.
Here's what Apple does:
...
Australia: Exact numbers.
Brazil: Exact numbers.
China: Exact numbers.
UK: Exact numbers.
USA: Sorry, we can only say "Between 0 and 1000"
That's all the information that you need to know as a citizen about what's going on. The richest company in the world is not allowed to tell you exact numbers. What else is there to know?
Except, as the poster you replied to says, once these have been upheld by courts ... well, they're now the law too.
Increasingly, the Constitution and Bill of Rights are more or less being bypassed -- by allowing a 'border' stop within 100 miles of a border, warrantless wiretapping, 'free speech zones' and all sorts of stuff.
What you say is good in principle, but in practice, those documents seem to be getting over-ruled in the name of security and expediency. And as long as the courts keep upholding the laws which violate the Constitution, you pretty much have to conclude it's no longer the supreme law of the land.
Which is very depressing.
Lost at C:>. Found at C.