Subscribe and receive Social Media CyberWatch in your inbox.

Table of Contents

Legislative Landscape

California Right to Know Act stalls after pressure from tech lobby

A California bill that would have forced online service providers to comply with individual citizens’ requests for a record of what personal information the company had stored on them has been put on hold. The law, which would also require companies to reveal other parties they provide such information to, would have been similar to existing EU legislation. The announcement of the bill’s demise came after heavy lobbying from Facebook, Google, and Microsoft, who claimed the bill was unworkable and rested on mistaken assumptions about how the Internet works. These industry criticisms earned a footnote-heavy rebuke by the bill co-sponsor, the American Civil Liberties Union (ACLU) that argued the technology industry wishes to maintain a shroud of secrecy around the types of personal information they have on citizens, as well as how they use it.

U.S. email privacy legislation advances at various levels of government

The government of Texas recently enacted a law that requires state law enforcement to obtain a warrant before it can compel electronic service providers to provide records of their users’ communications (including metadata such as recipients of communications). This is the first such law for any state in the country. Concurrently, the push for greater email privacy at the federal level continues as the U.S. Senate judiciary committee has passed amendments to the Electronic Communications and Privacy Act that would similarly require a warrant for federal law enforcement to obtain any email communications from service providers. The bill will next be debated on the general Senate floor and potentially lead to long-requested updates to the 1986 law, which does not protect emails that have been opened or those stored on servers if they are over 180 days old.

Back to top

NSA leaks highlight social media surveillance

Social media giants deny providing direct server access to NSA

While Google, Apple, and Facebook all denied that they provide the National Security Agency (NSA) with direct access to their servers, leaked documents obtained by the Washington Post and Guardian newspapers appeared to suggest the spy agency obtains that very access through their program PRISM. In a Q&A with the Guardian, Google’s general counsel David Drummond asserted: “There is no free-for-all, no direct access, no indirect access, no back door, no drop box.” Meanwhile, Apple similarly denied providing direct access and touted the strong end-to-end encryption of its iChat and FaceTime applications in a statement posted on its website, claiming that it cannot decrypt the data and only complies with legal requests in the narrowest allowable sense. Nevertheless, the statement had no mention of Apple’s law enforcement waitlist for decrypting iOS devices themselves.

Reports reveal legal justifications for NSA PRISM program

A “fact sheet” provided by James R. Clapper, director of U.S. National Intelligence, corroborated social media service providers by claiming the government does not unilaterally obtain information from companies’ servers. Clapper went on to describe PRISM as an internal government system supervised by the closed-access Foreign Intelligence Surveillance Court, meant to streamline legally authorized foreign intelligence data collection from communication services providers. Thus, the system is seemingly a way to expedite data requests that companies are legally obligated to fulfill without NSA agents directly accessing service provider servers. In response to these reports, advocacy group the Electronic Frontier Foundation (EFF) posted an article outlining the best and worst scenarios arising from the unknown details of the program, including the breadth of scope of individual Foreign Intelligence Surveillance Act (FISA) requests, the internal checks the NSA conducts to prevent abuse, and to what degree the NSA conducts illegal data collection in addition to its court-authorized activities.

Providers push for NSA-request transparency as demand grows for privacy-enhancing technologies

In response to the scandal that emerged in the wake of the leaked documents, social media providers released figures outlining the amount of government requests for user data they had obtained. However, these providers are legally unable to publish information relating to FISA orders and the means by which the NSA often requests user data. Reports reveal that Google has formally petitioned the U.S. government to allow them to publish aggregate FISA request statistics, while Microsoft, Twitter and Facebook echoed similar positions in published statements. News reports indicate that the controversy has increased demand for privacy sensitive tools, including the search engine Duck Duck Go and a variety of privacy-sensitive tools listed on the PRISM Break website. Similarly, the Mozilla Foundation has spearheaded an online campaign with over 500,000 reported signatories that demands the U.S. government reveal the full extent of its surveillance apparatus to the public.

Details of social media companies’ NSA data sharing methods emerge

A report from The New York Times described how Yahoo initially resisted the US government’s requests for aid in warrantless spying on foreign users, but was compelled in a secret ruling by the Foreign Intelligence Surveillance Court to become part of the PRISM program. Indeed, another Times article reports that the NSA and social media service providers held discussions around technical methods to streamline the companies’ compliance with FISA orders, such as secure portals for the transmission of classified information. For example, Facebook is reported to have built a secure drop box for such data transmissions, while Twitter refused outright to make it easier for the government to obtain data. Additional reports reveal that Google uses the widespread SFTP technology to send data to the U.S. government, and in some cases delivers information in person. Nevertheless, while companies may not provide so-called direct access to servers, Holmes Wilson of advocacy group Fight for the Future argues that the ease by which the government can request granular and/or broad data, coupled by companies’ procedures for expediting these requests, results in a “complex legal and technological mechanism that amounts to the same thing (as direct access).”

Canadian Internet metadata surveillance outlined

Days after news broke of the NSA’s PRISM program, The Globe and Mail newspaper obtained documents describing a surveillance program operated by the Communications Security Establishment Canada (CSEC) that targets metadata associated with international telephone calls and Internet activity routed through Canada. While the program is operated in the name of national security, the newspaper reports that the program’s processes “incidentally” collect metadata about the communications of Canadians (of which warrantless surveillance is illegal), and is claimed to subsequently filter results to focus only on foreign communications.

In response to these revelations, law professor and digital rights advocate Michael Geist argues in a blog post that Canadians need to know how exactly the government compels telecommunications companies to provide communications data, whether Canadians and U.S. authorities share such information with one another, and whether Canadians are targeted by U.S. programs. Relating to the potential of U.S. monitoring of Canadian Internet activities, Citizen Lab Director Ron Deibert notes in a CNN editorial that while a physical border separates Canada from the United States, the Internet infrastructure has no such border. Indeed, when Canadians access social media sites like Facebook and Twitter, their data is transferred to the United States, where it is subject to all applicable laws, presumably including those which legitimize the PRISM program.

Skype found scanning instant messages

Leaked NSA documents specifically mention a “User’s Guide for PRISM Skype Collection” that describes capabilities for NSA agents to listen in on Skype sessions conducted through any combination of audio, video, chat, and file transfers. The revelation casts doubt that any Skype communications are safe from the NSA’s reach. Indeed, The New York Times reports that Microsoft executives will no longer affirm statements made years ago by Skype’s leadership (prior to its acquisition by Microsoft), that calls made using the software cannot be wiretapped.

Prior to the PRISM leaks, Skype had been found to scan the content of instant messages sent using the service. Specifically, when certain URLs are found in a message, Skype sends a query to a Microsoft-operated server. The server then issues a request to the URL in question and presumably stores a record of the server’s response. The practice is authorized by Skype’s data use policy and justified by Microsoft as a tool to combat phishing attacks.

Back to top

Ups and downs on the Facebook privacy seesaw

Facebook ‘shadow profile’ data made available in breach

Facebook’s “Download your information” tool, which allows users to obtain an archive of all their posts, photos, list of friends, and other media uploaded to the service, was found to contain personal information about a user’s friends that those individuals had never knowingly shared with the social network, nor made public. This data breach was reported through Facebook’s white hat security program, and identified as a bug that was promptly fixed. The data included email addresses and phone numbers, normally housed in what many are calling Facebook’s “shadow profiles” – the company’s internal additional information about users collected indirectly and used to make friend suggestions and, presumably, tailor advertisements. Such information is often obtained when others use Facebook’s contact importing tool – a common feature that social sites use to grow the number of their users’ contacts.

Facebook joins Global Network Initiative

After a 12-month period as an official observer, Facebook has become a full member of the Global Network Initiative (GNI), an NGO focused on helping technology companies advance freedom of expression and privacy. The company joins existing member ICT companies Google, Yahoo, and Microsoft. In a statement, Facebook said that advancing human rights would help its mission to make the world more open and connected. Facebook’s membership in the GNI means that it will now be subject to periodic standard assessments of its human rights practices. However, while membership comes with a pledge to highlight overbroad government requests for user data, Facebook has declined to commit to releasing transparency reports highlighting such activities – reports that fellow GNI members Google and Microsoft periodically release. Nevertheless, the company has recently published basic figures on the topic in response to the PRISM controversy.

Back to top