Verizon comes clean about surveillance requests
Congratulations to Verizon, the first US telco to publish details of requests for customer information from federal, state and local law enforcement in the United States. Its first Transparency Report shows that in 2013 it received approximately 320,000 requests for customer information from US law enforcement agencies. It is keen to reassure its customers that it does not release information “unless authorized by law, such as a valid law enforcement demand or an appropriate request in an emergency involving the danger of death or serious physical injury”.
In total, it received requests for:
62,857 “general orders”
6,312 pen registers / “tap and trace” orders
1,496 wiretap orders
50,000 (aprox) emergency requests
That’s 321,545 legal requests for customer data, not including up to 2,000 secret FBI National Security Letters. “The vast majority of these various types of demands relate to our consumer customers; we receive relatively few demands regarding our enterprise customers” said the company. The total number was an increase on 2012 (although how much it didn’t say).
More than half of the subpoenas received sought only subscriber information, such as the name and address of a customer assigned a given phone number or IP address. Others wanted transactional information, such as phone numbers that a customer called. General Orders are similar to subpoenas, but are signed by a judge. A Pen Register Order involves real-time access to phone numbers as they are dialed, while a Trap and Trace order compels Verizon to provide law enforcement with real-time access to the phone numbers from incoming calls – neither of these involves actual content of messages, unlike a Wiretrap. Finally, Warrants mainly sought access to stored content or location information.
However, it is not permitted by law to report information about Foreign Intelligence Surveillance Act (FISA) orders.
Verizon also detailed the total number of demands for customer information made by law enforcement outside of the United States, in countries where the telco has operations (mainly to business and enterprise customers). To be clear, these are requests from national law enforcement agencies for data stored within that same country. “In 2013, we did not receive any demands from the US government for data stored in other countries”, it added.
The total number of request per country were (in order):
Germany – 2,996
France – 1,347
Belgium – 473
UK – 386
Netherlands – 65
Switzerland – 60
Australia – 29
Japan – 14
Italy – 13
Austria – 8
Taiwan – 1
“The past year saw an intense focus around the world on government demands to obtain customer data,” said Randal Milch, General Counsel and EVP for Public Policy. “While we have a legal obligation to provide customer information to law enforcement in response to lawful demands, we take seriously our duty to provide such information only when authorized by law.”
He added that the report reflects the fact that telecom providers receive more government demands than companies in any other industry, but the figures can still be misleading. While Verizon and some other companies have decided to provide data on requests from law enforcement, they still provide an incomplete picture of government action, given the vast number of telcos and internet companies around the world that are not publically reporting this information.
“The only truly comprehensive and uniform data set is in the hands of the governments themselves, and we call on all governments to make public the number of demands they make for customer data from telecommunications and Internet companies,” said Milch. “The US government should report annually on the numbers of all types of demands made by federal and state law enforcement to telecommunications and internet companies for data regarding their customers.”
However, these headlines figures don’t include the really interesting data. For example, how many customers were subject of these surveillance requests? It also doesn’t (or rather, can’t) include FISA orders issued under the Patriot Act – although we know that orders have been issued for metadata on every single customer. And what about NSA’s direct taps into the internet?
But it’s a good start. Let’s see if this opens the floodgates to greater transparency throughout the industry and government. Verizon will issue its next Transparency report in six months time, and we are due a similar report from AT&T very soon.