
Apple Issues First Transparency Report

Posted by Soulskill
from the it-just-has-one-button dept.
Trailrunner7 writes "In a new report (PDF) detailing the number and kind of requests for user information it's gotten from various governments, Apple said it has never received a request for information under Section 215 of the USA PATRIOT Act and would likely fight one if it ever came. The company also disclosed that it has received between 1,000 and 2,000 requests for user data from the United States government since January, but it's not clear how many of those requests it complied with because of the restrictions the U.S. government places on how companies can report this data. Right now, companies such as Apple, Google and others that issue so-called transparency reports are only allowed to report the volume of requests they get in increments of 1,000. So Apple's report shows that although it received 1,000-2,000 requests for user data so far in 2013, the number that it complied with is listed as 0-1,000. Apple, along with a number of other companies, including Google and Microsoft, has asked the government in recent months for permission to disclose more specific numbers of requests, including specific numbers of National Security Letters."

  • by Anonymous Coward

    Great job with that transparency, Apple.

    • by Anonymous Coward

      Well, as 1000 is in both groups, they maybe complied with all of them.

      • by rwise2112 (648849)

        Well, as 1000 is in both groups, they maybe complied with all of them.

        Yeah, with those numbers, they complied with somewhere between 0-100%. Not really that useful.

    • "Great job with that transparency, US Patriot Act."

      FTFY

  • by Anonymous Coward

    Maybe the NSA only makes one request for everyone's data.

    • Not maybe. That has already been done with the telcos (and even the little Lavabit) and Apple is just another telco, so it is safe to assume that they will also receive a single request for everything.
  • Inference (Score:3, Funny)

    by BradleyUffner (103496) on Tuesday November 05, 2013 @06:12PM (#45340803) Homepage

    I have complied with between -549 and 451 requests.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      "We received 1.235 thousand requests and complied with 0.422 thousand."

      There you go, reported in units of a thousand and all the transparency one could want.

  • by Anonymous Coward on Tuesday November 05, 2013 @06:14PM (#45340821)

    With a built-in backdoor there's no need to send request notices.

  • Couldn't they just report 1/opacity?

  • by swillden (191260) <shawn-ds@willden.org> on Tuesday November 05, 2013 @06:30PM (#45340907) Homepage Journal

    It's surprising to me that Apple didn't provide more detail. Others do. Yes, companies are currently not allowed to provide precise data on National Security Letter requests, but for all other sorts of government requests, including warrants and subpoenas, there are no legal restrictions. Google publishes the precise number of requests and the precise number of affected user accounts for those requests, falling back on giving ranges only for the NSLs (it's worth pointing out that it's thanks to Google's efforts that anyone can publish any information on NSLs; they're the ones who negotiated the permission to publish ranges). Other companies also publish precise statistics for everything except NSLs.

    • by AHuxley (892839)
      It depends how you count. One NSL/~court document/letter could cover an entire group, brand, faith or generation of people. Other countries might have a count on the landline, cell, net log, postage, car tracking, friends, friends of friends vs roving surveillance or just metadata.
      Simple counting tricks would keep the number range down needed to present to any rubber stamp oversight committee.
      e.g. Australia may count what the US does not feel it has to http://www.crikey.com.au/2012/05/03/what-the-afp- [crikey.com.au]
      • It depends how you count. One NSL/~court document/letter could cover an entire group, brand, faith or generation of people.

        Not a legally valid NSL, per my understanding (which comes from Google's legal counsel -- I'm not sure how much detail I can provide, so I won't give any). And the ranges provided by most of the companies -- including Google -- cover not just number of requests but number of accounts impacted. For example, the most recent report from Google says that in 2012 Google received 0-999 requests which affected 1000-1999 user accounts.

        That's NSLs only. For other requests (subpoenas, warrants, etc.), in 2012 Google received 16,407 requests affecting 31,072 accounts, and produced at least some data in response to 89% of them.

        This is US only, but the data for other countries is like the non-NSL data from the US; very precise, and with specification of numbers of accounts affected. So your theory about this approach to masking broad access doesn't hold water, unless you assume that the numbers are either fabrications or not complete.

        • by AHuxley (892839)
          How to put it in an easy to understand historic context. It's like Enigma getting an extra rotor. Everybody now knows it all went back to plain text. The encryption was junk.
          Thanks to compartmentalisation the numbers seen might be correct for "the" legal documents in/out. The paperwork and numbers need to be "perfect".
          That would ensure all staff would feel comfortable long term and never whisper to the press/other govs about some small detail in the paperwork over the years that they picked up on.
          Ide
          • by swillden (191260)
            Ah, so you're going with incomplete. You have a rather verbose way of saying it.
            • by AHuxley (892839)
              I am going with classic compartmentalisation, then PR has the same numbers any other staff and it all seemed just fine.
              The other historic option was http://open.salon.com/blog/stuartbramhall/2013/10/08/the_phone_company_that_said_no_to_nsa [salon.com]
              Thanks to Snowden the world now has a much more complete understanding of role of US encryption and the global role big US brands played :)
              • by swillden (191260)

                Except... that the phone companies never denied sharing data with the NSA. They knew they were doing it, it wasn't compartmentalized. They didn't volunteer it, but as soon as they were asked directly, they admitted it. In contrast, the tech companies have flatly denied any sharing beyond that mandated by law that must go through the front door and is accounted for in these transparency reports.

                There is no evidentiary basis, not even by analogy with the phone companies, to support your supposition. And th

    • Did you even read the summary? Here - let me make it easy for you:

      Right now, companies such as Apple, Google and others that issue so-called transparency reports are only allowed to report the volume of requests they get in increments of 1,000.

      Did you get that? They didn't provide more detail because they are legally not allowed to beyond a range of 1000. If they could provide more detail, they would.

      In fact, they are filing an amicus brief in the efforts of gaining permission to disclose numbers in greater detail.

      http://appleinsider.com/articles/13/11/05/apple-court-filing-asks-for-transparency-on-government-user-information-requests [appleinsider.com]

      Oh, and the list of companies fighting for permi

      • by swillden (191260)

        You didn't read my post :-)

        I said that Google does NOT provide precise numbers for NSLs, but DOES provide precise numbers for everything else. Apple provided precise numbers for nothing, which is why I found it odd.

    • It's surprising to me that Apple didn't provide more detail. Others do.

      Here's what Apple does:

      Australia: Exact numbers.
      Brazil: Exact numbers.
      China: Exact numbers.
      ...
      UK: Exact numbers.
      USA: Sorry, we can only say "Between 0 and 1000"

      That's all the information that you need to know as a citizen about what's going on. The richest company in the world is not allowed to tell you exact numbers. What else is there to know?

      • by swillden (191260)
        You seem to have missed my point. Apple is allowed to provide exact numbers for everything except NSLs... and actually they provided an exact number for that: "none". So there was no legal reason for them not to be precise.
  • Last time I checked, Apple was not a telecom company.

  • by MasterOfGoingFaster (922862) on Tuesday November 05, 2013 @06:51PM (#45341073) Homepage

    I'd be more interested to know if they shared their private key for SSL/TLS. Since Apple's Safari (to the best of my knowledge) does not support perfect forward secrecy (PFS), someone recording the encrypted session could later decode the session contents if they ever acquired the private key at any point in the future. The conversation might go like this:

    NSA: "Hey, we won't bother you all the time with requests if you'll just give us a copy of your private key."
    Apple: "Well, that would save us a bunch of time, effort and expense...but if the users ever discovered..."
    NSA: "No worries. Just hand it over whenever you get a new one."
    Apple: "Yeah, I guess we could point out we never give out the current one, only old keys we no longer use."
    NSA: "Well, just deny it, saying you did not give out the current keys. You can leave out that little detail about the old keys."

    I should point out that IE doesn't support PFS either, so Microsoft could be in the same boat. I think Chromium and Opera support PFS, but I'm not 100% certain.

    (This is not my field of study, so if I have this wrong, I'd appreciate a correction.)

    • by dissy (172727)

      I just wanted to add in what I know.

      Chrome and Firefox both do, though Firefox only supports part of the cipher suite.
      I recall Microsoft claiming they were going to add it in a future IE, but never actually checked... So I'll believe that one if/when I see it.

      I didn't know about Safari or Opera, so thank you for that.

    • Sounds like it's a mixed bag for all browsers (I'm mainly referring to the comments):

      http://stackoverflow.com/questions/17308690/how-do-i-enable-perfect-forward-secrecy-by-default-on-apache [stackoverflow.com]

    • by Nixoloco (675549)

      I'd be more interested to know if they shared their private key for SSL/TLS. Since Apple's Safari (to the best of my knowledge) does not support perfect forward secrecy (PFS), someone recording the encrypted session could later decode the session contents if they ever acquired the private key at any point in the future. The conversation might go like this:

      ....

      I should point out that IE doesn't support PFS either, so Microsoft could be in the same boat. I think Chromium and Opera support PFS, but I'm not 100% certain.

      (This is not my field of study, so if I have this wrong, I'd appreciate a correction.)

      PFS is dependent on the cipher suite that is used. Safari and IE both *do* support some PFS suites, but not all PFS capable cipher suites. And for those they do like, they seem to prefer them less than some non PFS cipher suites. Safari seems to be better than IE at this as they support more suites but the non-elliptic-curve ones are used only as a last resort. So, the problem is web servers respecting the browser's preferences will end up selecting a non-PFS cipher suite even if the web server itself does
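
Added example (not part of the thread or any poster's code): a Python sketch of the negotiation behaviour discussed in the PFS comments above, showing how a server that honors the client's ordering can land on a non-PFS suite that its own ordering would have avoided. The client and server preference lists are constructed for illustration, not measured from Safari, IE or any real server.

```python
# Constructed preference lists (illustrative only, not any real browser's or server's).
CLIENT_PREFS = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",  # PFS, elliptic curve
    "TLS_RSA_WITH_AES_128_CBC_SHA",        # no PFS (static RSA key transport)
    "TLS_RSA_WITH_RC4_128_SHA",            # no PFS
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",    # PFS, non-EC, offered as a last resort
]
SERVER_PREFS = [                            # assumed: this server has no ECDHE support
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def is_forward_secret(suite):
    """Ephemeral (EC)DH key exchange is forward secret; static RSA or static DH is not."""
    return suite.startswith(("TLS_DHE_", "TLS_ECDHE_"))


def negotiate(client_prefs, server_prefs, honor_server_order):
    """Return the first mutually supported suite in the winning side's order.

    honor_server_order=True models a server that enforces its own ordering
    (for example Apache mod_ssl with SSLHonorCipherOrder on); False models a
    server that follows the order the client offered.
    """
    if honor_server_order:
        primary, other = server_prefs, client_prefs
    else:
        primary, other = client_prefs, server_prefs
    allowed = set(other)
    for suite in primary:
        if suite in allowed:
            return suite
    return None  # no suite in common: the handshake fails


def compare(client_prefs, server_prefs):
    """Negotiate under both policies and report whether each result has PFS."""
    result = {}
    for label, honor in (("client_order", False), ("server_order", True)):
        suite = negotiate(client_prefs, server_prefs, honor)
        result[label] = (suite, suite is not None and is_forward_secret(suite))
    return result


if __name__ == "__main__":
    for policy, (suite, pfs) in compare(CLIENT_PREFS, SERVER_PREFS).items():
        print(f"{policy}: {suite} (forward secret: {pfs})")
```

With these lists the same client and server agree on a static-RSA suite when the client's order wins and on a DHE suite when the server's order wins, so the recorded-traffic exposure depends on server configuration as much as on browser support.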

  • They should have posted the exact number of requests along with an open letter to the government about how the government's illegal practices will not be tolerated. I have a right as a citizen to know what those criminals are up to (the US Government). Apple's sales would go through the roof. I, who currently don't own any Apple devices, would buy two if they did, and I mean that sincerely.
    • by jbolden (176878)

      Those practices are repeatedly passed by the congress, signed into law by two presidents and upheld by the courts. They aren't illegal. You may not like the law, but it is the law. You as a citizen have the right to vote for legislators that oppose the patriot act and similar acts.

      • "Those practices are repeatedly passed by the congress, signed into law by two presidents and upheld by the courts. "

        You need to learn about the law. It doesn't matter what congress does or how many Presidents sign off on it. You may not like the Constitution and the Bill of Rights, but they are the law.

        • by gstoddart (321705)

          You may not like the Constitution and the Bill of Rights, but they are the law.

          Except, as the poster you replied to says, once these have been upheld by courts ... well, they're now the law too.

          Increasingly, the Constitution and Bill of Rights are more or less being bypassed -- by allowing a 'border' stop within 100 miles of a border, warrantless wiretapping, 'free speech zones' and all sorts of stuff.

          What you say is good in principle, but in practice, those documents seem to be getting over-ruled in the name of

          • "Except, as the poster you replied to says, once these been upheld by courts ... well, they're now the law too"

            This is a very misunderstood concept. When two laws contradict each other there is a hierarchy in place. For example, if a state passes a law making it illegal to be black and live in their state that "law" is illegal. The "law" itself, while "on the books" isn't legal and so it is not really a law. The fact that local judges may uphold the "law" doesn't make it any more legal. The fact that p

  • Those requests were probably handled by one of the many Apple subsidiary companies. You know, the ones that have no tax jurisdiction, either.
  • These companies keep saying they can only legally report the numbers in these very coarse terms. I smell weasel words and voluntary censorship. Can someone identify the US law that prohibits reporting of precise numbers, not the details of targets etc., of requests that are not subject to national security suppression orders?

    • by faffod (905810)
      According to wiki, the Patriot Act includes a gag order. http://en.wikipedia.org/wiki/National_security_letter [wikipedia.org]
      • ... which is precisely why I excluded requests subject to national security suppression orders. Apple state they have never received such an order under PATRIOT Act in any case. There is no national security impact when the FBI/Police/court executes a warrant for access to information to locate a stolen phone, track down an individual wanted for minor theft offences, or release of email content for a court proceeding. Nonetheless, Apple and friends are reporting all US law enforcement requests as if they

    • by swillden (191260)

      These companies keep saying they can only legally report the numbers in these very coarse terms. I smell weasel words and voluntary censorship. Can someone identify the US law that prohibits reporting of precise numbers, not the details of targets etc., of requests that are not subject to national security suppression orders?

      See my post on this topic: http://apple.slashdot.org/comments.pl?sid=4414461&cid=45340907 [slashdot.org]

  • by wiredog (43288) on Wednesday November 06, 2013 @06:50AM (#45343895) Journal

    Keep an eye on that part of the report.

  • by koan (80826)

    Apple gets around this sort of request by being proactive and supplying the "security forces" with the means to act on their own, through Apple devices.

    In other words designed to be exploited from the ground up.

  • Why does anybody think that a tactic no more sophisticated than sticking your finger an inch away from your little sister's nose and chanting "I'm not touching you!" is going to work? Your mom didn't fall for that shit when you were 10 and the courts aren't going to fall for that shit now. There's probably even some language in the NSLs that says that you may not inform others by acts of either commission or omission, just to cover this kind of stuff.

    The only reasonably sound suggestion I've heard is tha

  • Just a little ironic.
