Earlier this year, I wrote that the wiretap numbers reported by the Administrative Office (AO) of the US Courts in its 2014 Wiretap Report and those disclosed in transparency reports by the major telecommunications companies just didn’t add up. While the AO reported 3554 wiretaps in 2014, the four major U.S. carriers reported 10,712 wiretaps implemented for the same period -- a threefold discrepancy. I received a lot of comments and potential explanations for the huge delta in reporting, and responded here that none of the explanations added up either. The AO reportedly was investigating the issue, but with the publication of the 2015 Wiretap Report, the gap has widened and explanations still are lacking.
The AO now reports that 4,148 wiretaps were authorized in 2015, a 17% increase over 2014. Twentysix of those authorized wiretaps apparently were never installed, and therefore probably do not appear in provider transparency reports. The four major carriers (AT&T, Sprint, Verizon and T-Mobile) reported a total of 11,633 wiretaps in 2015. Thus, provider numbers reflected an increase in surveillance as well, but only by about 8%. So the three-fold delta from 2014 remains while the actual number of wiretaps reported by providers only increased half as much as the percentage increase reported by the AO. That is hard to explain.
It becomes more difficult to explain as more providers have begun to report more granular statistics on the types of orders received. Google started the movement to report government requests with its path-breaking 2010 Transparency Report, and since that time, more and more providers have published data and improved upon their reporting. Thus, Google reported that in 2015, it received 15 wiretap orders that affected 17 accounts. Facebook reported that it received 296 wiretap orders that affected 399 user accounts in 2015. Snap did not receive any. Adding just those numbers to the carrier numbers, we see a total of 11,944 wiretap orders.
Is the real wiretap number for 2015 higher? Undoubtedly. Some providers like Microsoft, Apple, Twitter and Yahoo, do not break down their content requests by legal process. They should. There is a qualitative difference between content requests for stored data and prospective, ongoing surveillance. Kudos to New America’s Open Technology Institute and Harvard University’s Berkman Center for Internet & Society for their efforts to identify provider transparency reporting best practices and to create a template transparency report.
Transparency is a core privacy value. Users may not choose or flee from providers based on the number of wiretaps received or implemented, or responses to government data requests in general, but there is a huge value in provider and governmental reporting of surveillance practices. Surveillance policy should not be made without accurate and reliable information about the extent of surveillance that exists today. When the numbers don’t add up, confidence in the oversight of surveillance crumbles.
It becomes a crisis of confidence when a state prosecutor, for example, can run a year-long wiretap on her detective boy-friend based on a forged judge’s signature as just reported here. Presumably, that wiretap order was counted in the total reported by the provider that unwittingly implemented and extended the fake wiretap order over the course of a year, but the order and its multiple extensions no doubt fail to show up in the AO’s report. So the question for the AO is: how does that three-fold delta look now?