Transparency Reporting After the Cloud Act - It's Time for a Refresh

I’ve written here, here and here about the interception flaw in the US-UK Agreement under the CLOUD Act, which permits at least the UK to order US platforms to wiretap a user in a third country, without notice or permission of the third country and possibly against its law. Now I want to ask the question how will we ever know if that actually happens?  

Because these CLOUD Act wiretaps are not performed pursuant to US law, they will not be reported in the annual wiretap reports published by the Administrative Office of the United States because section 2519(3) of Title 8 requires the AO to report only the number of federal and state applications for “orders authorizing or approving the interception of wire, oral, or electronic communications pursuant to this chapter.” In other words, the AO only reports US court-approved wiretaps, not CLOUD Act wiretaps. Bear in mind, if the number of executive agreements approved under the CLOUD Act grows, as is expected, the number of non-US wiretaps requiring US providers to wiretap their users soon will outpace US interception numbers. But we may never know the order of magnitude.

Nothing in the CLOUD Act requires reporting or transparency about the number of interceptions US providers will perform or, for that matter, the location of the targets. Interestingly, however, the US-UK Agreement states that it “does not in any way restrict or eliminate a Covered Provider’s reporting of statistical information, consistent with applicable law, regarding Legal Process received by the Covered Provider.” Article 12, par. 5. At first blush, the Agreement seems to confirm that US providers can continue to publish statistics about the number of data requests received and accounts/users affected thereby. But a closer reading suggests otherwise. While the Agreement itself does not restrict or eliminate the reporting of data requests, such reporting must be “consistent with applicable law.” Whose law? 

The Agreement states that “any legal effect of an Order subject to this Agreement derives solely from the law of the Issuing Party.” Article 3, Par. 2. So if an interception order from the UK prohibits disclosure, will providers be able to include the request in their reports? We may already know the answer to that thanks to Vodafone’s transparency reporting. It says in its most recent report that it has been prohibited from reporting even aggregate statistics for UK interceptions:

Section 19 of the Regulation of Investigatory Powers Act 2000 prohibits the disclosure of the existence of any lawful interception warrant and the existence of any requirement to provide assistance in relation to a warrant. This duty of secrecy extends to all matters relating to warranted lawful interception. Data relating to lawful interception warrants cannot be published. Accordingly, to publish aggregate statistics would be to disclose the existence of one or more lawful interception warrants.     

All of the major US providers include aggregate statistics about the number of requests for access to data coming from the UK, the number of accounts affected and what percentage of those requests were fulfilled. You wouldn't expect those data requests to include wiretaps because absent a CLOUD Act agreement, as noted in my prior posts, a provider would reject such a foreign demand as contrary to US law. Have US providers (i.e., platforms and email providers) received wiretap orders on email or other applications from US authorities? Absolutely.  

According to the 2018 Wiretap Report, a total of 2,937 wiretaps were reported as authorized in 2018, with 1,457 authorized by federal judges and 1,480 authorized by state judges. The Central District of California authorized the most federal wiretaps, approximately 8 percent of the applications approved by federal judges. The most frequently noted location in reported wiretap applications was “portable device.” This category includes cell phone communications, text messages, and application software (apps). In 2018, a total of 96 percent of all authorized wiretaps (2,831 wiretaps) were reported to have used portable devices. 600 of the 1684 federal wiretaps authorized included electronic communications (e.g., fax, computer, pager).  

The form used by prosecutors for submitting wiretap information to the AO includes the following in the instructions:  

Electronic - Computer: An intercept of electronic communications like email involving one or more desktop, laptop, iPad, or tablet computer. Note: Authorization to intercept IM or Skype conversations from a computer should be categorized as an application under App.

So buried in those statistics are wiretaps on email accounts and other social media. We just don't know which providers, for what applications, or for that matter anything about prospective data collection practices. So next we have to look to provider transparency reports to get an idea of the volume of interception requests. Unfortunately, the data is uneven and provider practices are not consistent.

Twitter reports interception requests separately from other data access requests, saying in its latest report: 

To date, Twitter has not received a valid wiretap order. Twitter has received orders purporting to require such real-time surveillance, but these orders were not issued in compliance with the requirements of the Wiretap Act and therefore Twitter did not comply with the wiretap request. 

Facebook just released its latest report and states that it received 281 wiretap orders in just the first 6 months of 2019. Other providers identify wiretap orders as a type of legal process that can be used to access user data but do not separately report interceptions from stored communications.  None of the transparency reports disclose how interceptions are implemented on any given application nor do they disclose the location of the target. In the later case, a US wiretap demand on an email account may, as noted in my prior posts, target a user outside the US. How are providers responding to such requests? We don’t know.  

What is clear is that it’s time for a refresh of provider transparency reports. Those reports should break down the data access requests in the US to disclose the type of request (e.g., wiretap order, PR/TT, location tracking, etc.), the application or service to which such orders applied, whether and how such orders were implemented, the number of accounts affected and the location of affected user if outside the issuing country’s territory. And providers should commit to reporting of CLOUD Act demands the same way. We have come to depend on provider leadership on transparency to understand government access demands, and with the CLOUD Act and executive agreements, we will need providers more than ever.