Apple Issues First Transparency Report

Trailrunner7 writes "In a new report (PDF) detailing the number and kind of requests for user information it's gotten from various governments, Apple said it has never received a request for information under Section 215 of the USA PATRIOT Act and would likely fight one if it ever came. The company also disclosed that it has received between 1,000 and 2,000 requests for user data from the United States government since January, but it's not clear how many of those requests it complied with because of the restrictions the U.S. government places on how companies can report this data. Right now, companies such as Apple, Google and others that issue so-called transparency reports are only allowed to report the volume of requests they get in increments of 1,000. So Apple's report shows that although it received 1,000-2,000 requests for user data so far in 2013, the number that it complied with is listed as 0-1,000. Apple, along with a number of other companies, including Google and Microsoft, have asked the government in recent months for permission to disclose more specific numbers of requests, including specific numbers of National Security Letters."

Inference

[BradleyUffner]

I have complied with between -549 and 451 requests.

Mere formality for low level incidents

With a built-in backdoor there's no need to send request notices.

Re:Clear as mud

[Kalriath]

Try actually reading the summary. Legally, they can only report the number in increments of 1000. So 0-1000 means "somewhere between 0 and 1000 but we can't legally tell you how many".

They know down to the decimal, guaranteed (they bill for the requests at the very least).

Re:Clear as mud

[93+Escort+Wagon]

Try actually reading the summary.

You're setting a pretty high bar there...

Odd, why the range for law enforcement requests?

[swillden]

It's surprising to me that Apple didn't provide more detail. Others do. Yes, companies are currently not allowed to provide precise data on National Security Letter requests, but for all other sorts of government requests, including warrants and subpoenas, there are no legal restrictions. Google publishes the precise number of requests and the precise number of affected user accounts for those requests, falling back on giving ranges only for the NSLs (it's worth pointing out that it's thank to Google's efforts that anyone can publish any information on NSLs; they're the ones who negotiated the permission to publish ranges). Other companies also publish precise statistics for everything except NSLs.

Re:NEVER received a Patriot act request?

[TechyImmigrant]

>I buy that as much as I buy Apple products.

I do. Big corporations don't lie when they make simple statements like that. It's not the way they operate.
It would be rather useful if all organizations for which this was true would make such a statement. Then we could work out who did get the mandatory anal probe.

Re:Clear as mud

[alvinrod]

If a company wanted to provide this information without actually explicitly stating it, couldn't they release a more detailed report of their finances, including business expenses incurred as a part of dealing with these requests. If they accounted for each request as a flat rate, it would be possible to glean the information without breaking any laws about publishing how many requests they received.

Similarly, they could be taking an interesting approach with regards to Section 215 requests. Legally they're not allowed to even state that they've received any, so the claim that they've given could be a lie. However, if it isn't, if any future reports omit any mention of the number of Section 215 requests, it would be safe to assume that they have received one.

They're already all really good at finding tax loopholes and dodging around other legal requirements, so I would imagine that even if the government wants to keep this information under wraps that some of these companies will find a way to get that information out.

Re:Number complied with 0

[faffod]

Section 215 includes the lovely clause that you are not allow to mention that you have received one. The fact that Apple is saying they haven't in interesting because if they stop saying there is a very clear inference that can be drawn. Think of it as a canary - when you see that line dropped in subsequent reports you can assume Apple has received one, even though they won't be able to say so.

Re:NEVER received a Patriot act request?

[swillden]

I do. Big corporations don't lie when they make simple statements like that. It's not the way they operate.

Even more, the executives of shareholder-owned companies have rather strong legal requirements to be honest in statements to shareholders, which public statements are. Public falsehoods can send execs to prison. Barring some element of the law that can allow the US government to authorize (or require) them to lie, they legally can't. And, AFAIK, there is no such law. The government can gag them, but not force them to lie.

Re:Odd, why the range for law enforcement requests

[swillden]

It depends how you count. One NSL/~court document/letter could cover an entire group, brand, faith or generation of people.

Not a legally valid NSL, per my understanding (which comes from Google's legal counsel -- I'm not sure how much detail I can provide, so I won't give any). And the ranges provided by most of the companies -- including Google -- cover not just number of requests but number of accounts impacts. For example, the most recent report from Google says that in 2012 Google received 0-999 requests which affected 1000-1999 user accounts.

That's NSL's only. For other requests (subpoenas, warrants, etc.), in 2012 Google received 16,407 requests affecting 31,072 accounts, and produced at least some data in response to 89% of them.

This is US only, but the data for other countries is like the non-NSL data from the US; very precise, and with specification of numbers of accounts affected. So your theory about this approach to masking broad access doesn't hold water, unless you assume that the numbers are either fabrications or not complete.