Facebook, Microsoft Disclose National Security Data Requests

Microsoft and Facebook on Friday said the government has given them permission to disclose the number of national security-related requests they receive, though that data must be lumped in with other information requests.

During the last six months in 2012, Microsoft received between 6,000 and 7,000 criminal and national security warrants, subpoenas and orders affecting between 31,000 and 32,000 consumer accounts. Those requests came from U.S. governmental entities, which includes local, state, and federal officials.

Facebook, meanwhile, received between 9,000 and 10,000 requests related to 18,000 to 19,000 account.

"These requests run the gamut – from things like a local sheriff trying to find a missing child, to a federal marshal tracking a fugitive, to a police department investigating an assault, to a national security official investigating a terrorist threat," Ted Ullyot, Facebook's general counsel, said in a statement.

With 1.1 billion users, Ullyot said the numbers highlight the fact that only a "tiny fraction" of 1 percent of Facebook's users have been subject to such requests.

The news comes amidst reports that tech companies like Microsoft, Facebook, Google, and Apple have been providing the National Security Agency direct access to their servers. The firms have vehemently denied such reports, and said that while they comply with government requests for data, where appropriate, those entities do not have access to their servers.

Complicating things, however, is the fact that some government requests for data must remain classified under the Foreign Intelligence Surveillance Act (FISA). So, Facebook and Microsoft previously would have been unable to even acknowledge that they had received a request for data under FISA. But in a compromise like the one reached recently with Google regarding National Security Letters, Facebook and Microsoft can now reveal information about these requests, however vague.

"As of today, the government will only authorize us to communicate about these numbers in aggregate, and as a range," said Facebook's Ullyot.

"We are permitted to publish data on national security orders received (including, if any, FISA Orders and FISA Directives), but only if aggregated with law enforcement requests from all other U.S. local, state and federal law enforcement agencies; only for the six-month period of July 1, 2012 thru December 31, 2012; only if the totals are presented in bands of 1,000; and all Microsoft consumer services had to be reported together," John Frank, Microsoft's deputy general counsel, wrote in a blog post.

Microsoft and Google (and Twitter) already post data online about government requests for data from officials around the globe. "But because the national security orders prohibit us from disclosing their existence, we could not include them in that data set," said Microsoft's Frank.

The FISA request that made headlines and started all the controversy was one that ordered Verizon to hand over all customer call data for a three-month period beginning in April. Verizon declined to comment on the specifics, but said it must comply with lawful requests for data. Microsoft said it has "not received any national security orders of the type that Verizon was reported to have received."

Earlier this week, Google penned a letter to the Department of Justice and FBI requesting permission to publish data about the number of FISA requests it receives. Acccording to NPR, Google is holding off on a deal similar to the one reached by Facebook and Microsoft in the hopes that it can publish more specific data rather than aggregate requests.

Benjamin Lee, the legal director for Twitter - which has thus far managed to stay out of the debate - tweeted: "We agree with @google: It's important to be able to publish numbers of national security requests—including FISA disclosures—separately."