seeing more, believing less

This shows how much user info the government requests from tech companies: 2013 vs 2015

You’re being watched online and tracked through your phone. You already knew that. But did you know how much?

In 2010, Google was the first tech company to start regularly telling users how often authorities were requesting data about their users. Since then, other leading tech companies, including Apple, Facebook, and Yahoo, also started releasing transparency reports detailing how much user information they give over to local and federal authorities when it’s requested for investigations.

The requests vary from actual messages sent by and to the user (which typically require a warrant, a higher legal bar) to “non-content,” meaning an e-mail address, name, location, IP address, login details, billing information, and other transactional information.

Transparency reports typically cover two time periods: January to June and July to December. In 2013, Fusion’s Kashmir Hill, then at Forbes, placed the data from tech companies’ transparency reports for the first half of 2013 side-by-side. We decided to revisit the report, comparing the most recent period for which all companies have reported—the second half of 2015—for six major companies.

Here’s how these companies compare to each other, and how surveillance has changed since 2013:

web_transparency_graph_userdata-1Fusion/Erendira Mancias

Some companies reported increases, while others reported decreases. Rather than an overall increase or decrease in government surveillance, it seems authorities shift with user bases, asking for more information as certain platforms become more popular and vice versa. Here are the total number of people whose information was pulled by the government in those 6-month periods:

web_transparency_graph_people-user-1Fusion/Erendira Mancias

Yahoo is a strange case as requests for user data dropped enormously from 2013 to 2015. It’s especially surprising given a recent Reuters report that Yahoo scanned millions of user emails for the government. A reason for this may be that requests for information came in the form of National Security Letters (NSLs). These are subject to gag orders and Yahoo legally can’t reveal specific data on how many NSLs they receive. Instead of an exact number, Yahoo offers a range of 0-499 NSL requests for this time period.

web_transparency_graph_dataproduced_2aFusion/Erendira Mancias

Of course, companies can refuse to comply with government requests if they think they’re over-reaching. Apple famously rejected the FBI’s request to unlock the phones of the San Bernardino shooters. Interestingly, Apple is the one company that didn’t reveal how often it complied with government requests in 2013, saying, “The U.S. government has given us permission to share only a limited amount of information about these orders.”

Ironically, transparency reports aren’t entirely transparent. While the most recent reports reveal increases in both surveillance requests and compliance, we still don’t have a complete picture of just how much we’re being surveilled technologically.

First, authorities don’t always have to ask companies for information. Public data is fair game. Officers routinely track suspects on social media, even offering specialized training in how to follow online postings and build profiles of targets. Former NYPD police commissioner, Bill Bratton, told press in September that, for many suspects, “their postings on social media … forms the foundation of our criminal cases against them.” There’s no need to file a request to view publicly available data, so it doesn’t appear in transparency reports.

Second, sophisticated surveillance services amass public data at an incredible rate. The ACLU released a report on Geofeedia, a surveillance service that sourced public posts to provide police officers with real-time updates on the locations and identities of social media users in a target area. Because police officers accessed this data via a third party and didn’t request it from Facebook or Twitter themselves, it’s not reflected in the reports as a government request.

Finally, the government has, on more than one occasion, accessed user information using technology we don’t know about. Case in point: stingrays. Stingrays are devices that simulate cellphone towers, collecting identity and location data (and even messages and calls) when phones unknowingly attempt connection with one. There’s no interface with phone companies themselves, so this wouldn’t appear in any transparency report.

Essentially, a transparency report answers the question, “How much user information are technology companies giving to the government?” as opposed to, “How much user information does the government have access to?” These reports, and what isn’t reflected in them, reveal that the answer to both questions is, “more than ever.”