Microsoft, Google and other leading US tech companies trying to regain their customers' trust over how much data they secretly share with the American government have won a court battle that allows them to be more transparent, but it won't be enough to reassure their UK business customers, according to experts.
Monday's breakthrough ruling by the US Foreign Intelligence Surveillance Court in Washington DC has persuaded the five companies involved - Microsoft, Google, Yahoo, LinkedIn and Facebook - to drop their legal action against the Obama administration.
The ruling enables both US high-tech and phone companies to more freely disclose the number of requests they get from the NSA intelligence agency, FBI and others to hand over customer data – but they still can't reveal the names of the customers involved.
The greater transparency is also mired in restrictions – vendors can choose to reveal the number of requests only in bands of 1,000 or 250, depending on whether or not they lump together requests from different agencies, and these figures can only be released after a six-month time-lag, rising to two years for requests relating to new ‘platforms, products or services’.
The move has been welcomed as ‘a first step’ by industry expert Steve Durbin, global vice president of the Information Security Forum (ISF) – which advises business and government organisations on cyber security issues – but he insists it does not go far enough.
“Some of the fundamentals these companies are trying to address are really around trust and reputation. This has gone part way towards addressing that, because they can now at least disclose some of what they have to share with the federal authorities, so that their customers can see how much information is being passed across,” he told SCMagazineUK.com.
“But we really need to go very much further than this - because simply quoting numbers isn't going to deliver full transparency, it's simply going to highlight that there is a traffic flow between the tech providers and the Department of Justice.”
Durbin added: “I think it's the right first step but we need to continue to press for increased transparency if we're going to engender more trust between customer and supplier.”
Microsoft's top lawyer and chief compliance officer, Brad Smith, tweeted a response to the ruling on behalf of the five companies involved that showed they too feel more needs to be done.
“We filed our lawsuits because we believe that the public has a right to know about the volume and types of national security requests we receive,” he said.
“We're pleased the Department of Justice has agreed that we and other providers can disclose this information. While this is a very positive step, we'll continue to encourage Congress to take additional steps to address all of the reforms we believe are needed.”
Durbin agreed with Smith that more must be done so that businesses can be more transparent about the level of government surveillance.
“For me, to go the full distance, to regain full trust and reputation, simply saying the number of incidents that they have to report probably doesn't go far enough.”
The US court ruling confirms: “The Government will permit the petitioners to publish the aggregate data at issue...relating to any orders pursuant to the Foreign Intelligence Surveillance Act (FISA). The Director of National Intelligence has declassified the aggregate data...The Government will therefore treat such disclosures as no longer prohibited.”
And an accompanying letter from US Deputy Attorney General James M Cole offers a further olive branch to the vendor companies.
“We look forward to continuing to discuss with you ways in which the government and industry can similarly find common ground on other issues raised by the surveillance debates of recent months.”
The ruling comes just days after Microsoft declared it would allow its UK and other business and government cloud services customers to move their data out of the US, and choose the region where it is held (SCMagazineUK.com, January 24).
Brad Smith said at the time: “People should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides.”
Steve Durbin sees this as another positive step. “The tech providers, in fairness, are responding,” he told SCMagazineUK.com.
“They are trying to be relatively more open in terms of saying this is what we're doing and what we're obliged to do. That's why I'm so in favour of what Microsoft did. I think that was a very proactive move on their part.”
The US court ruling comes as more revelations emerge of secret electronic surveillance by the UK's GCHQ intelligence agency and NSA. Reports this week from America's NBC News, The Guardian and New York Times claim that GCHQ has secretly tapped into and analysed social media data including YouTube videos, Facebook 'likes' and Tweets. The NSA and GCHQ have also reportedly harvested information from mobile phone apps – including Angry Birds – about the user's age, gender and location.