The United States is portrayed by some as unique in the world in its government’s desire for and access to personal data held by service providers. 1 In particular, the scope and scale of national security access to personal data continues to be a topic of international discussion in the wake of the Snowden revelations. 2 The declassification of certain National Security Agency (“NSA”) reports and opinions of the Foreign Intelligence Surveillance Court in the United States is shedding some light on the quantity and types of records requested for national security purposes. A comparison between the U.S. and other countries’ national
security access to data is made difficult by the even more secretive and opaque framework for access in other countries. 3 Service providers subject to such requests for data by the NSA are pushing for the ability to report with transparency on the nature and number of national security requests for information. 4
Certain online service providers publish “transparency reports” that disclose principally law enforcement authorities’ requests for information held by the providers. The figures for government information requests in these reports do not include U.S. national security-related requests, given the current legal restrictions on providers’ disclosure of precise numbers related to such requests. Thus, the reports concern official government requests for information during the course of law enforcement investigations. 5
Given the focus on government access to data held by third parties, it is timely to compare the available statistics as revealed in the transparency reports.
When the data contained in the reports are adjusted for population sizes of and the number of Internet users in each respective country, they reveal that the U.S. government requests information from these providers at a rate comparable to – and sometimes lower than – that of several other countries, including many European Union member states.
In fact, in 2012 it was reported that the rate at which European governments seek access to private data is at an “all-time high,” 6 having increased more than the rate of U.S. government requests during the same period.
Thus, as the national security access debate continues, the issue of whether the U.S. is an outlier when it comes to law enforcement access to data held by others can be resolved. In that regard, U.S. requests to service providers are not fundamentally different in quantity than requests by law enforcement authorities in other countries. 7
This White Paper analyzes government requests for information across several countries for at least a full year. We have used data from the transparency reports of Google Inc., 8 Microsoft Corporation, 9 Skype Communications S.A. 10 (acquired by Microsoft in 2011), Twitter, Inc., 11 and LinkedIn Corporation 12 because they are the only such reports that provide data on government information
requests across multiple countries.
While some companies recently have obtained U.S. permission to disclose the aggregated number of national security and law-enforcement-related information requests they receive, they are authorized to release these numbers only in ranges of thousands of requests. 13 Further, released reports do not include comparable figures for non-U.S. national security requests. Therefore, as these data do not enable meaningful statistical comparison across countries, they are outside the scope of this White Paper.
To maximize the timeframe represented in our calculations, we examined all such data available from each company: three years of data available from Google (2010 to 2012), 14 one-and-a-half years of data available from Twitter (2012 to June 2013) 15 and LinkedIn (July 2011 to 2012), and one year of data available from Microsoft and Skype (2012).
Rather than simply compare the raw numbers of requests for information by governments, this White Paper analyzes the total number of reported local and national government data requests per capita and per Internet user in each inscope country. 16 This is because countries with larger populations and greater numbers of Internet users have
more opportunities to monitor Internet traffic in legally authorized circumstances. Thus, the per-capita and perInternet-user information request rate is a better indicator of a government’s activism in seeking private information about individuals than is the raw number of information requests. 17
To calculate these figures, we used the total number of information requests included in the transparency reports, rather than number of users/accounts affected or number of requests fulfilled, because the latter two statistics are not consistently reported in pre-2012 datasets. 18 Moreover, these data provide a more useful illustration of each reported government’s willingness to approach service providers for electronic information.
The data reveal that the information requests that U.S. local, state, and federal government entities made to service providers are on par with those of developed democracies for which data are available.
Since 2010, U.S. authorities have made information requests to Google an average of 40 times per year for every million residents and 51 times per year for every million Internet users. Three countries had more per-capita
requests – the United Kingdom (43), Hong Kong (43), and France (41) – while two other countries had higher perInternet-user numbers: Hong Kong (59) and Singapore (55.2), with comparable numbers for France (50), the United Kingdom (50), Italy (48), Portugal (46), and Australia (46).
Click here to view table.
For Microsoft, U.S. government authorities requested information approximately 35 times per million people and 44 times per million Internet users. These both were lower than numbers for at least eleven other countries, including Taiwan, Turkey, the United Kingdom, Hong Kong, France, Luxembourg, Germany, Australia, Belgium, Portugal, and Spain.
Click here to view table.
Similarly, U.S. government entities made about four information requests per million people and five requests per million Internet users to Skype in 2012, compared to higher numbers for Luxembourg, the United Kingdom, Taiwan, Switzerland, Australia, Germany, and France. In the cases of Luxembourg and the United Kingdom, the percapita information request rate was vastly higher than that of the United States.
Click here to view table.
Twitter and LinkedIn
The data show that the U.S. government made more requests to Twitter and LinkedIn than did other governments – about five requests per million people and six requests per million Internet users to Twitter, compared to about two per-capita and per-Internet-user requests from the next-highest country, Qatar. The U.S. also made about 0.4 requests per million people and 0.5 requests per million Internet users to LinkedIn, compared to about 0.05 percapita and 0.06 per-Internet-user requests from the nexthighest country, the United Kingdom. However, both Twitter and LinkedIn received considerably fewer government information requests overall than did Google, Microsoft, or Skype. Total information requests by governments in 2012 amounted to approximately 115 for LinkedIn 22 and 1,942 for Twitter, 23 compared to 4,713 for Skype, 24 42,327 for Google, 25 and 70,665 for Microsoft. 26
Click here to view tables.
When we combine the per-capita and per-Internet-user data requests for Google, Microsoft, Skype, Twitter, and LinkedIn in 2012 – the only common year for which each of those providers released data – eliminating any countries for which data do not exist across companies, 29 the U.S. again fails to stand out. The U.S. government requests totaled approximately 96 per capita and 119 per Internet user to these five companies in 2012, compared to values over twice as high for Taiwan, the United Kingdom, an Hong Kong, and greater values for France, Australia, and Germany.
Click here to view table.
As usage of online services increases every year, governments have been increasing their information requests to providers. Over the past three years, the frequency of information requests to Google from EU member states included in Google’s report has risen 100%.31 During the same period, the U.S. government’s request rate has risen 85%.32
These data suggest that the number of information requests the U.S. makes to service providers is not out of the ordinary. In fact, in some circumstances the U.S. request rates are significantly lower than that of several other countries.
One reason Microsoft receives more requests from non- U.S. countries than does Google is its physical presence in over 100 countries, 33 compared to Google’s limited physical presence outside the United States. As Eva Galperin from the Electronic Frontier Foundation explains:
‘You can get very different [transparency report] numbers if the person filing requests is more familiar with Microsoft’s policies than Google’s or the other way around. . . . Microsoft has been around for much longer, and they probably have longer standing relations with governments. That means people in law enforcement are better trained to do this.’34
Microsoft itself notes that its physical presence in many countries “makes it easier for law enforcement authorities and/or courts to contact local Microsoft offices with requests for customer data.” 35
We also note that while none of the transparency reports break down the purposes for each information request, American companies have reported that many such requests are made for uncontroversial purposes, such as locating missing or exploited children. 36 Apple, for example, recently reported that of the 4,000 to 5,000 total information requests it received from the U.S. government between December 1, 2012 and May 31, 2013, “[t]he most common form of request comes from police investigating robberies and other crimes, searching for missing children, trying to locate a patient with Alzheimer’s disease, or hoping to prevent a suicide,” rather than from government agencies for national security purposes.37
Finally, the number of information requests reported in the transparency reports reflects only formal, lawful access requests to the providers’ information. However, some governments access private information from providers without using formal legal process or being transparent about this access. For example, Germany allows its Federal Office of Criminal Investigation, the Bundeskriminalamt (BKA), to use a computer virus to search IT systems, monitor ongoing communications, and collect communication traffic data without alerting service providers or data subjects.38 Although such access requires a court order, it would not be reported in a transparency report, as providers never become aware of it.
China’s filtering and censorship of Tom-Skype, and its ninety-six million users in China, provides another example of government access that would not be reported in
transparency reports. Tom-Skype has been linked to a “huge surveillance system in China that monitors and archives certain Internet text conversations that include politically charged words.” 39 Microsoft itself is likely alluding to this type of behind-the-curtain access when it notes that “while we may not receive law enforcement requests from some countries . . . we nevertheless understand some users of our services may be subject to government monitoring or the suppression of ideas and speech,” and warns users that “end points of a communication are vulnerable to access by third parties such as criminals or governments.”40 Transparency report numbers concerning governments that employ such tactics necessarily are artificially lower than numbers for governments that make formal data requests to service providers.
In summary, when adjusted to account for population sizes and numbers of Internet users, the recent Google, Microsoft, Skype, Twitter, and LinkedIn transparency reports provide a clearer picture of government practices for requesting information from service providers. They suggest that the U.S. government’s information request rates are comparable to, and in many cases lower than, those of several other democracies, including many European Union member states.