In the several years since a handful of companies began disclosing how many times the government had demanded data on their customers, every tech and telecoms giant in the Fortune 500 has followed suit.
These so-called transparency reports, often published biannually, serve as a tool to counterbalance the assumption that governments have unfettered access to the systems of Silicon Valley giants. Such claims first came to light following the disclosure of classified documents leaked by whistleblower Edward Snowden. The belief is that releasing detailed and audited figures on how many times the company has buckled under the weight of a legal order — or steadfastly refused — exposes government overreach and promotes corporate responsibility, like a customer’s right to privacy — something tech giants have appeared to try to promote.
But one renowned academic suggests that transparency reports might not be so transparent after all.
The research, which primarily focuses on telecoms providers in Canada but still applies across the border, argues that a lack of context among transparency reports makes it difficult — impossible, in some cases — to know what the reported wiretap and surveillance figures actually mean.
“The transparency reports can keep secret as much as they reveal,” said Christopher Parsons, research associate at University of Toronto’s Citizen Lab and the managing director of the Telecom Transparency Project, who authored the paper.
“Where statistics are provided, they may not be sufficiently granular for a reader to understand who is making requests for information, on what grounds, and how many persons are affected,” he said.
Transparency reports are important for the public to read (and we regularly cover them on ZDNet), but Parsons argues that they don’t tell the full story.
High on the list of issues is that there is no one-size-fits-all “standard” template for reporting government data demands across the industry. It’s difficult to compare side-by-side what kind of data has been demanded and how often. Given that a single order under US and Canadian law can affect not just one, but tens or even hundreds or thousands of subscribers, that lack of context can make it impossible to know how many individual customers are directly impacted by a single demand.
“Furthermore, few companies explain whether they refused certain requests and, if so, which requests they denied… nor is it always clear why a given set of requests were declined,” he said. In many cases, companies don’t say whether a request was rejected because there was no data, or because the request was overbroad.
“As a result, the reports actually have the effect of keeping secret important aspects of government requests for telecommunications data and consequently only provide a modicum of transparency of corporate activity,” he said.
Some telecoms firms, for example, actively focus on the number of data demands they receive, as it looks better for their image, rather than explaining why they comply with certain things, all while omitting their involvement in coaching government agencies on how to legally compel information in the first place.
“In effect, there is the danger that transparency reports treat the symptom — the secrecy of surveillance — without getting to the cause — how surveillance is facilitated by firms,” he added.
That was an issue that was thrust into the spotlight after nine tech giants were accused of giving the National Security Agency “direct access” to their servers, which forced the companies to react in some cases with their debut transparency reports. Though the claims were largely disproven, there is an element of truth that US and Canadian tech companies — and telecom providers in particular — are mandated under various state laws to allow authorities to wiretap their systems.
Parsons said that creating a standard in reporting across the industry would help fix the incoherent and varied way that companies report the number of data demands they receive, but “shouldn’t be seen as a solution to any problem other than a lack of comparability,” he explained.
But without a collective industry effort or another Snowden-like event, he’s not holding his breath for change any time soon.
Contact me securely
Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.