Apple Issues First Transparency Report
Trailrunner7 writes "In a new report (PDF) detailing the number and kind of requests for user information it's gotten from various governments, Apple said it has never received a request for information under Section 215 of the USA PATRIOT Act and would likely fight one if it ever came. The company also disclosed that it has received between 1,000 and 2,000 requests for user data from the United States government since January, but it's not clear how many of those requests it complied with because of the restrictions the U.S. government places on how companies can report this data. Right now, companies such as Apple, Google and others that issue so-called transparency reports are only allowed to report the volume of requests they get in increments of 1,000. So Apple's report shows that although it received 1,000-2,000 requests for user data so far in 2013, the number that it complied with is listed as 0-1,000. Apple, along with a number of other companies, including Google and Microsoft, has asked the government in recent months for permission to disclose more specific numbers of requests, including specific numbers of National Security Letters."
Number complied with 0 (Score:2)
Great job with that transparency, Apple.
Re: (Score:1)
Well, as 1000 is in both groups, they may have complied with all of them.
Re: (Score:2)
Well, as 1000 is in both groups, they may have complied with all of them.
Yeah, with those numbers, they complied with somewhere between 0-100%. Not really that useful.
Re:Number complied with 0 (Score:5, Insightful)
Daily Canary Counts? (Score:2)
Section 215 includes the lovely clause that you are not allowed to mention that you have received one. The fact that Apple is saying they haven't is interesting because if they stop saying it there is a very clear inference that can be drawn. Think of it as a canary - when you see that line dropped in subsequent reports you can assume Apple has received one, even though they won't be able to say so.
The canary approach, yes. I've heard of libraries doing something along these lines, too. I was wondering: "could this be taken one step further?" From TFA:
So Apple's report shows that although it received 1,000-2,000 requests for user data so far in 2013, the number that it complied with is listed as 0-1,000.
What if they issued such a report every day? On the date(s) that the reported range changes, one can gain some finer granularity as to just how many were received. If they report "0-999" up until the day before yesterday, and then (yesterday) report "1000-2000", then there's a pretty good chance that the actual number is a lot closer to 100
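The two inferences discussed in this thread, the warrant canary and the "watch which day the 1,000-wide range steps up" trick, as an added example on constructed data (not Apple's report format or figures; `Report`, the daily rate and the drop day are all made up). The count estimate assumes cumulative year-to-date figures arriving at a roughly constant rate.

```python
"""Added example: reading a run of bucketed transparency reports.

Two inferences, on constructed data:
  1. a warrant canary: the day the "never received a Section 215 order"
     sentence disappears from the report;
  2. finer granularity than the 1,000-wide buckets, by watching which day
     the reported range steps up when a report is issued every day.
Report is a hypothetical record, not Apple's format.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

BUCKET = 1000  # reporting granularity described in the summary


@dataclass(frozen=True)
class Report:
    day: int        # days since the first report (constructed index)
    range_lo: int   # lower edge of the reported range: 0, 1000, 2000, ...
    canary: bool    # True while the report still says "never received one"


def canary_tripped(reports: List[Report]) -> Optional[int]:
    """First day the canary sentence is absent after having been present,
    or None if it never disappears."""
    seen = False
    for r in sorted(reports, key=lambda r: r.day):
        if r.canary:
            seen = True
        elif seen:
            return r.day
    return None


def step_days(reports: List[Report]) -> List[Tuple[int, int]]:
    """Days on which the reported range stepped up, as (day, new_range_lo)."""
    steps, prev = [], None
    for r in sorted(reports, key=lambda r: r.day):
        if prev is not None and r.range_lo > prev:
            steps.append((r.day, r.range_lo))
        prev = r.range_lo
    return steps


def infer_count(reports: List[Report]) -> Tuple[int, int, Optional[int]]:
    """Return (hard_lo, hard_hi, estimate) for the true cumulative count on
    the last report day.

    hard_lo/hard_hi is all a single bucketed report tells you.  The estimate
    assumes a cumulative count growing at a roughly constant rate; the rate is
    taken from the spacing of earlier bucket steps (1,000 requests per
    interval), so it needs at least two steps and is None otherwise.
    """
    ordered = sorted(reports, key=lambda r: r.day)
    last = ordered[-1]
    hard_lo, hard_hi = last.range_lo, last.range_lo + BUCKET - 1
    steps = step_days(ordered)
    if len(steps) < 2:
        return hard_lo, hard_hi, None
    intervals = [b[0] - a[0] for a, b in zip(steps, steps[1:])]
    rate = BUCKET / (sum(intervals) / len(intervals))   # requests per day
    since_step = last.day - steps[-1][0]
    estimate = round(last.range_lo + rate * since_step)
    return hard_lo, hard_hi, min(max(estimate, hard_lo), hard_hi)


def constructed_reports(days: int, per_day: int, canary_drop_day: int) -> List[Report]:
    """Daily series from a made-up true count of per_day requests per day,
    bucketed the way a reader of the published report would see it."""
    return [
        Report(day=d,
               range_lo=(per_day * d // BUCKET) * BUCKET,
               canary=d < canary_drop_day)
        for d in range(days + 1)
    ]


if __name__ == "__main__":
    reports = constructed_reports(days=170, per_day=12, canary_drop_day=150)
    print("canary tripped on day", canary_tripped(reports))
    print("range steps:", step_days(reports))
    lo, hi, est = infer_count(reports)
    print(f"last report says {lo}-{hi}; estimate {est}; true count {12 * 170}")
```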
Re: (Score:3)
Re: (Score:1)
Section 215 includes the lovely clause that you are not allowed to mention that you have received one. The fact that Apple is saying they haven't is interesting because if they stop saying it there is a very clear inference that can be drawn. Think of it as a canary - when you see that line dropped in subsequent reports you can assume Apple has received one, even though they won't be able to say so.
Section 215 allows you to lie, and it is considered the truth. Our lovely government thinks it can issue an edict that says "this is the truth now, when you are asked and you say that this never happened you are telling the truth."
In fact, this pronouncement means nothing. If, or should I say when, they got a request under section 215 they also got permission to say that it never happened. They are just taking advantage of that.
Re: (Score:2)
"Great job with that transparency, US Patriot Act."
FTFY
Re: (Score:2)
Are we still in the U. S.? Why?
Scope of request (Score:1)
Maybe the NSA only makes one request for everyone's data.
Re: (Score:3)
Re:NEVER received a Patriot act request? (Score:5, Insightful)
>I buy that as much as I buy Apple products.
I do. Big corporations don't lie when they make simple statements like that. It's not the way they operate.
It would be rather useful if all organizations for which this was true would make such a statement. Then we could work out who did get the mandatory anal probe.
Re: (Score:1)
Re:NEVER received a Patriot act request? (Score:4, Insightful)
I do. Big corporations don't lie when they make simple statements like that. It's not the way they operate.
Even more, the executives of shareholder-owned companies have rather strong legal requirements to be honest in statements to shareholders, which public statements are. Public falsehoods can send execs to prison. Barring some element of the law that can allow the US government to authorize (or require) them to lie, they legally can't. And, AFAIK, there is no such law. The government can gag them, but not force them to lie.
Re: (Score:2)
I do. Big corporations don't lie when they make simple statements like that. It's not the way they operate.
Even more, the executives of shareholder-owned companies have rather strong legal requirements to be honest in statements to shareholders, which public statements are.
Shady people can turn honesty on its head.
For example, the phrase "Apple said it has never received a request for information under Section 215 of the USA PATRIOT Act" does not mean that Apple has never received any requests for user info, nor does it mean that they've never turned user info over to the US government; all it means is that the Apple corporation is claiming that they haven't received a certain piece of paperwork
tied to a certain section of a certain law. They very well may have turned over pr
Re: (Score:2)
As far as we know, they could be handing user information over to the government the second it hits Apple's servers; no request necessary.
Except that they've previously denied doing that.
Re: (Score:2)
As far as we know, they could be handing user information over to the government the second it hits Apple's servers; no request necessary.
Except that they've previously denied doing that.
Well, good thing that corporations never lie or misrepresent information they present to the public, then. </sarc>
Re: (Score:2)
As far as we know, they could be handing user information over to the government the second it hits Apple's servers; no request necessary.
Except that they've previously denied doing that.
Well, good thing that corporations never lie or misrepresent information they present to the public, then. </sarc>
Do you have any evidence that they do make factual misrepresentations to the public? If the fact in question is one that could affect the value of the company, then making such statements is a crime that could land the executives in prison.
I think the history of the NSA revelations is interesting. We have numerous examples of government employees outright lying, but as far as I've been able to find, not a single one of a corporation executive lying. The telcos withheld the fact that they were providing me
Re: (Score:2)
As far as we know, they could be handing user information over to the government the second it hits Apple's servers; no request necessary.
Except that they've previously denied doing that.
Well, good thing that corporations never lie or misrepresent information they present to the public, then. </sarc>
Do you have any evidence that they do make factual misrepresentations to the public?
Hell yea! It's actually pretty easy to come up with incidents to cite, considering how openly evil banks have become in the past 30 years or so:
http://www.rollingstone.com/politics/news/the-great-american-bubble-machine-20100405 [rollingstone.com]
Re: (Score:2)
That's a different set of regulations and even mostly a different regulatory body, and the banks don't lie, they just make the truth so complicated no one can understand it.
Try again.
Re: (Score:2)
Why do you want the statement to answer a different question?
If Apple says it didn't receive a request for information under Section 215 of the USA PATRIOT Act, then you know exactly what that means.
The AC was saying that he/she/it didn't buy the truth of the statement. I argued that big corporations don't lie in that manner because there are strong reasons not to. This has no bearing on answers to different questions.
Re: (Score:2)
Why do you want the statement to answer a different question?
I don't think you picked up exactly what I was laying down. Namely, that being honest and being completely truthful aren't necessarily confluent.
For example, I could tell someone, "I never banged your sister," and be honest but not completely truthful; being completely truthful would require me to also disclose that I did get a BJ from her.
If Apple says it didn't receive a request for information under Section 215 of the USA PATRIOT Act, then you know exactly what that means.
Right* - we also know exactly what it doesn't mean - it doesn't mean that they never, ever gave user info to the feds, just that if they did it was not under Section 215
Re: (Score:2)
I don't dispute that some corporations mislead. But they usually do that through remaining silent and/or saying ambiguous things so that people will draw the wrong conclusion. Look at prescription drug marketing for example.
There are limits to what we can know. So it is correct to say Apple claimed X, but Y may or may not be true, where X is independent from Y.
I wonder at the telecom corps that did receive NSLs, where many people must have been in the know, but none of them fessed up.
Re: (Score:2)
I don't dispute that some corporations mislead. But they usually do that through remaining silent and/or saying ambiguous things so that people will draw the wrong conclusion.
Agreed, but you have to understand that being overly specific can have the same effect on understanding as being overly ambiguous.
There are limits to what we can know. So it is correct to say Apple claimed X, but Y may or may not be true, where X is independent from Y.
Pretty roundabout way to agree with someone, but I'll take it.
I wonder at the telecom corps that did receive NSLs, where many people must have been in the know, but none of them fessed up.
I still hold out hope that some telco employee has Edward Snowden-sized balls, and is just waiting for the right time to slap them on the table.
Inference (Score:3, Funny)
I have complied with between -549 and 451 requests.
Re: (Score:2, Funny)
"We received 1.235 thousand requests and complied with 0.422 thousand."
There you go, reported in units of a thousand and all the transparency one could want.
Mere formality for low level incidents (Score:5, Funny)
With a built-in backdoor there's no need to send request notices.
Re: (Score:2)
Add in terms like identifiable form, store and it all gets very creative.
Re: (Score:2)
I don't know why you were modded funny. One of the first slides to come out of the Snowden haul showed Apple as just the latest in a long line of companies to have had their systems backdoored by the NSA. We don't know if they were hacked or co-operated, but we do know the NSA has easy access.
Re:Clear as mud (Score:4, Insightful)
Try actually reading the summary. Legally, they can only report the number in increments of 1000. So 0-1000 means "somewhere between 0 and 1000 but we can't legally tell you how many".
They know down to the decimal, guaranteed (they bill for the requests at the very least).
Re:Clear as mud (Score:4, Funny)
Try actually reading the summary.
You're setting a pretty high bar there...
Re:Clear as mud (Score:4, Interesting)
If a company wanted to provide this information without actually explicitly stating it, couldn't they release a more detailed report of their finances, including business expenses incurred as a part of dealing with these requests? If they accounted for each request as a flat rate, it would be possible to glean the information without breaking any laws about publishing how many requests they received.
Similarly, they could be taking an interesting approach with regards to Section 215 requests. Legally they're not allowed to even state that they've received any, so the claim that they've given could be a lie. However, if it isn't, if any future reports omit any mention of the number of Section 215 requests, it would be safe to assume that they have received one.
They're already all really good at finding tax loopholes and dodging around other legal requirements, so I would imagine that even if the government wants to keep this information under wraps that some of these companies will find a way to get that information out.
Re: (Score:2)
Similarly, they could be taking an interesting approach with regards to Section 215 requests. Legally they're not allowed to even state that they've received any, so the claim that they've given could be a lie. However, if it isn't, if any future reports omit any mention of the number of Section 215 requests, it would be safe to assume that they have received one.
Lying would be illegal (misleading shareholders and all that stuff). And if they are clever, they wouldn't just leave out any mention of Section 215 requests, they would write something like "in our previous report we said that we hadn't received any Section 215 requests".
Re: (Score:2)
That's communicating the number of requests. The law doesn't exempt indirect communication of that informa
Re: (Score:2)
They know down to the decimal, guaranteed (they bill for the requests at the very least).
What makes you think companies get to bill the government for compliance with legal orders? It's possible they can recover reasonable costs for collecting the data, but I strongly doubt they can get anything. Just like all of the other paperwork that governments require of them, I'm sure it's just a cost of doing business.
Re: (Score:2)
Even if they couldn't invoice the government, they could (and possibly according to GAAP should) still account for it, even if it just gets written off as an operational cost.
If they didn't account for it, then how could they justify paying the two full time employees who spend their days filling out the reports, taking requests, etc. :p
You can bet that if these companies are well run, accounting knows how much they are spending on legal compliance to this sort of request, even broken down to which agency
Re: (Score:2)
I don't think they'd need to account for it separately for GAAP compliance, or to call it out as operational costs. It could just as easily be bucketed as miscellaneous legal and/or compliance overhead, and there's no reason to specifically "write it off" as an operational cost... the salaries of the employees doing it are going to be part of the operational cost structure regardless of whether or not the details are tracked.
You can bet that if these companies are well run, accounting knows how much they are spending on legal compliance to this sort of request, even broken down to which agency is their biggest cost center.
Probably, but just as part of their own internal management, not for any externally
Transparency report. (Score:2)
Couldn't they just report 1/opacity?
Re: (Score:2)
That depends on whether or not you are a window.
Odd, why the range for law enforcement requests? (Score:4, Interesting)
It's surprising to me that Apple didn't provide more detail. Others do. Yes, companies are currently not allowed to provide precise data on National Security Letter requests, but for all other sorts of government requests, including warrants and subpoenas, there are no legal restrictions. Google publishes the precise number of requests and the precise number of affected user accounts for those requests, falling back on giving ranges only for the NSLs (it's worth pointing out that it's thanks to Google's efforts that anyone can publish any information on NSLs; they're the ones who negotiated the permission to publish ranges). Other companies also publish precise statistics for everything except NSLs.
Re: (Score:2)
I am guessing it's to make the United States Government look bad.
I'm all for that!
Re: (Score:2)
Simple counting tricks would keep the number range down needed to present to any rubber stamp oversight committee.
e.g. Australia may count what the US does not feel it has to http://www.crikey.com.au/2012/05/03/what-the-afp- [crikey.com.au]
Re:Odd, why the range for law enforcement requests (Score:4, Informative)
It depends how you count. One NSL/~court document/letter could cover an entire group, brand, faith or generation of people.
Not a legally valid NSL, per my understanding (which comes from Google's legal counsel -- I'm not sure how much detail I can provide, so I won't give any). And the ranges provided by most of the companies -- including Google -- cover not just number of requests but number of accounts impacted. For example, the most recent report from Google says that in 2012 Google received 0-999 requests which affected 1000-1999 user accounts.
That's NSLs only. For other requests (subpoenas, warrants, etc.), in 2012 Google received 16,407 requests affecting 31,072 accounts, and produced at least some data in response to 89% of them.
This is US only, but the data for other countries is like the non-NSL data from the US; very precise, and with specification of numbers of accounts affected. So your theory about this approach to masking broad access doesn't hold water, unless you assume that the numbers are either fabrications or not complete.
Re: (Score:2)
Thanks to compartmentalisation the numbers seen might be correct for "the" legal documents in/out. The paperwork and numbers need to be "perfect".
That would ensure all staff would feel comfortable long term and never whisper to the press/other govs about some small detail in the paperwork over the years that they picked up on.
Ide
Re: (Score:2)
Re: (Score:2)
The other historic option was http://open.salon.com/blog/stuartbramhall/2013/10/08/the_phone_company_that_said_no_to_nsa [salon.com]
Thanks to Snowden the world now has a much more complete understanding of the role of US encryption and the global role big US brands played
Re: (Score:2)
Except... that the phone companies never denied sharing data with the NSA. They knew they were doing it, it wasn't compartmentalized. They didn't volunteer it, but as soon as they were asked directly, they admitted it. In contrast, the tech companies have flatly denied any sharing beyond that mandated by law that must go through the front door and is accounted for in these transparency reports.
There is no evidentiary basis, not even by analogy with the phone companies, to support your supposition. And th
Re: (Score:3)
Did you even read the summary? Here - let me make it easy for you:
Right now, companies such as Apple, Google and others that issue so-called transparency reports are only allowed to report the volume of requests they get in increments of 1,000.
Did you get that? They didn't provide more detail because they are legally not allowed to beyond a range of 1000. If they could provide more detail, they would.
In fact, they are filing an amicus brief in the efforts of gaining permission to disclose numbers in greater detail.
http://appleinsider.com/articles/13/11/05/apple-court-filing-asks-for-transparency-on-government-user-information-requests [appleinsider.com]
Oh, and the list of companies fighting for permi
Re: (Score:2)
You didn't read my post :-)
I said that Google does NOT provide precise numbers for NSLs, but DOES provide precise numbers for everything else. Apple provided precise numbers for nothing, which is why I found it odd.
Re: (Score:3)
It's surprising to me that Apple didn't provide more detail. Others do.
Here's what Apple does:
...
Australia: Exact numbers.
Brazil: Exact numbers.
China: Exact numbers.
UK: Exact numbers.
USA: Sorry, we can only say "Between 0 and 1000"
That's all the information that you need to know as a citizen about what's going on. The richest company in the world is not allowed to tell you exact numbers. What else is there to know?
Re: (Score:2)
So? (Score:1)
Last time I checked, Apple was not a telecom company.
What about SSL/TLS keys? (Score:3)
I'd be more interested to know if they shared their private key for SSL/TLS. Since Apple's Safari (to the best of my knowledge) does not support perfect forward secrecy (PFS), someone recording the encrypted session could later decode the session contents if they ever acquired the private key at any point in the future. The conversation might go like this:
NSA: "Hey, we won't bother you all the time with requests if you'll just give us a copy of your private key."
Apple: "Well, that would save us a bunch of time, effort and expense...but if the users ever discovered..."
NSA: "No worries. Just hand it over whenever you get a new one."
Apple: "Yeah, I guess we could point out we never give out the current one, only old keys we no longer use."
NSA: "Well, just deny it, saying you did not give out the current keys. You can leave out that little detail about the old keys."
I should point out that IE doesn't support PFS either, so Microsoft could be in the same boat. I think Chromium and Opera support PFS, but I'm not 100% certain.
(This is not my field of study, so if I have this wrong, I'd appreciate a correction.)
Re: (Score:2)
I just wanted to add in what I know.
Chrome and Firefox both do, though Firefox only supports part of the cipher suite.
I recall Microsoft claiming they were going to add it in a future IE, but never actually checked... So I'll believe that one if/when I see it.
I didn't know about Safari or Opera, so thank you for that.
Re: (Score:2)
Sounds like it's a mixed bag for all browsers (I'm mainly referring to the comments):
http://stackoverflow.com/questions/17308690/how-do-i-enable-perfect-forward-secrecy-by-default-on-apache [stackoverflow.com]
Re: (Score:3)
I'd be more interested to know if they shared their private key for SSL/TLS. Since Apple's Safari (to the best of my knowledge) does not support perfect forward secrecy (PFS), someone recording the encrypted session could later decode the session contents if they ever acquired the private key at any point in the future. The conversation might go like this:
I should point out that IE doesn't support PFS either, so Microsoft could be in the same boat. I think Chromium and Opera support PFS, but I'm not 100% certain.
(This is not my field of study, so if I have this wrong, I'd appreciate a correction.)
PFS is dependent on the cipher suite that is used. Safari and IE both *do* support some PFS suites, but not all PFS capable cipher suites. And for those they do like, they seem to prefer them less than some non PFS cipher suites. Safari seems to be better than IE at this as they support more suites but the non-elliptic-curve ones are used only as a last resort. So, the problem is web servers respecting the browser's preferences will end up selecting a non-PFS cipher suite even if the web server itself does
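The key-exchange point made in the original post and in this reply, as an added example (not code from either poster): which cipher suites give forward secrecy, and how a server that honours the client's preference order ends up on a non-PFS suite even though its own list puts ECDHE first. The browser and server suite lists are constructed to mirror the behaviour described here, not Safari's or IE's actual lists.

```python
"""Added example: why a browser's cipher-suite preference order decides
whether a TLS session has forward secrecy.

Suite names are IANA-style strings; BROWSER_2013 and SERVER_PFS_FIRST are
constructed lists, not any real browser's or server's configuration.
"""
from typing import List, Optional


def is_forward_secret(suite: str) -> bool:
    """True if the key exchange is ephemeral Diffie-Hellman (DHE or ECDHE).

    With RSA key exchange the client encrypts the session secret to the
    server's long-term RSA key, so whoever later obtains that private key can
    decrypt recorded sessions.  With (EC)DHE the long-term key only signs the
    handshake; the session secret comes from one-time DH values that are
    discarded, so a later key disclosure does not unlock old captures.
    Static DH/ECDH suites (TLS_DH_RSA_..., TLS_ECDH_RSA_...) are not ephemeral.
    TLS 1.3 suite names carry no key-exchange token because every TLS 1.3
    handshake is ephemeral.
    """
    if "_WITH_" not in suite:            # TLS 1.3 style: TLS_AES_128_GCM_SHA256
        return True
    kx_tokens = suite.split("_WITH_", 1)[0].split("_")   # e.g. [TLS, ECDHE, RSA]
    return "ECDHE" in kx_tokens or "DHE" in kx_tokens


def negotiate(client_prefs: List[str], server_prefs: List[str],
              honor_client_order: bool = True) -> Optional[str]:
    """Pick the first mutually supported suite, walking whichever side's
    preference list the server honours."""
    common = set(client_prefs) & set(server_prefs)
    for suite in (client_prefs if honor_client_order else server_prefs):
        if suite in common:
            return suite
    return None


def non_pfs_ranked_above_pfs(prefs: List[str]) -> List[str]:
    """Non-PFS suites a client lists ahead of its first PFS suite: any of
    these that the server also supports wins when client order is honoured."""
    ahead = []
    for suite in prefs:
        if is_forward_secret(suite):
            break
        ahead.append(suite)
    return ahead


# Constructed client list: RSA key exchange first, ephemeral suites last.
BROWSER_2013 = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
]
# Constructed server list that prefers forward-secret suites.
SERVER_PFS_FIRST = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for honor in (True, False):
        chosen = negotiate(BROWSER_2013, SERVER_PFS_FIRST, honor)
        who = "client" if honor else "server"
        print(f"server honours {who} order -> {chosen} "
              f"(forward secret: {is_forward_secret(chosen)})")
    print("non-PFS suites the client ranks first:",
          non_pfs_ranked_above_pfs(BROWSER_2013))
```

The `honor_client_order=False` branch is what the server-side "prefer server cipher order" setting (Apache's `SSLHonorCipherOrder on`, nginx's `ssl_prefer_server_ciphers on`) switches on; with it the same browser gets an ECDHE suite.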
Re: (Score:3)
What "hand it over"? Do you have any belief that there is not effectively an auto-copy escrow feature sitting at Verisign and GoDaddy and all the other SSL key vendors, for precisely this sort of access? And if there wasn't one planned, that there's not one embedded by the NSA and every other security agency that can afford a few bribes and a laptop p0wned inside their firewall?
I don't think SSL/TLS works the way you think it does.
These companies don't buy "SSL keys", they buy signatures on their own public keys. No one should be giving their private keys over to a certificate authority in order to get a signed certificate.
Now, if you meant the CAs may have provided some sort of intermediate CA to the government so it could sign their own certs and masquerade as anyone and act as a MITM, then that is more likely.
Illegal is doubly so when the government does it (Score:2)
Re: (Score:2)
Those practices are repeatedly passed by the congress, signed into law by two presidents and upheld by the courts. They aren't illegal. You may not like the law, but it is the law. You as a citizen have the right to vote for legislators that oppose the patriot act and similar acts.
Re: (Score:2)
You need to learn about the law. It doesn't matter what congress does or how many Presidents sign off on it. You may not like the Constitution and the Bill of Rights, but they are the law.
Re: (Score:3)
Except, as the poster you replied to says, once these have been upheld by courts ... well, they're now the law too.
Increasingly, the Constitution and Bill of Rights are more or less being bypassed -- by allowing a 'border' stop within 100 miles of a border, warrantless wiretapping, 'free speech zones' and all sorts of stuff.
What you say is good in principle, but in practice, those documents seem to be getting over-ruled in the name of
Re: (Score:2)
This is a very misunderstood concept. When two laws contradict each other there is a hierarchy in place. For example, if a state passes a law making it illegal to be black and live in their state that "law" is illegal. The "law" itself, while "on the books" isn't legal and so it is not really a law. The fact that local judges may uphold the "law" doesn't make it any more legal. The fact that p
Understandable (Score:2)
Where is the law? (Score:2)
These companies keep saying they can only legally report the numbers in these very coarse terms. I smell weasel words and voluntary censorship. Can someone identify the US law that prohibits reporting of precise numbers, not the details of targets etc., of requests that are not subject to national security suppression orders?
Re: (Score:3)
Re: (Score:2)
... which is precisely why I excluded requests subject to national security suppression orders. Apple state they have never received such an order under PATRIOT Act in any case. There is no national security impact when the FBI/Police/court executes a warrant for access to information to locate a stolen phone, track down an individual wanted for minor theft offences, or release of email content for a court proceeding. Nonetheless, Apple and friends are reporting all US law enforcement requests as if they
Re: (Score:2)
These companies keep saying they can only legally report the numbers in these very coarse terms. I smell weasel words and voluntary censorship. Can someone identify the US law that prohibits reporting of precise numbers, not the details of targets etc., of requests that are not subject to national security suppression orders?
See my post on this topic: http://apple.slashdot.org/comments.pl?sid=4414461&cid=45340907 [slashdot.org]
Re: (Score:2)
What is Apple attempting to achieve by releasing a non-transparent transparency report?
Maybe you should write to your senator and complain. Maybe everybody should do that. Maybe that's what Apple tries to achieve.
Nice warrant canary... (Score:3)
Keep an eye on that part of the report.
Maybe (Score:1)
Apple gets around this sort of request by being proactive and supplying the "security forces" with the means to act on their own, through Apple devices.
In other words designed to be exploited from the ground up.
I'm not touching you! (Score:2)
Why does anybody think that a tactic no more sophisticated than sticking your finger an inch away from your little sister's nose and chanting "I'm not touching you!" is going to work? Your mom didn't fall for that shit when you were 10 and the courts aren't going to fall for that shit now. There's probably even some language in the NSLs that says that you may not inform others by acts of either commission or omission, just to cover this kind of stuff.
The only reasonably sound suggestion I've heard is tha
Report link broken (Score:1)