Wednesday, June 16, 2021
This article was first featured in Yahoo Finance Tech, a weekly newsletter highlighting our original content on the industry. Get it sent directly to your inbox every Wednesday by 4 p.m. ET. Subscribe
Your data isn't as safe as advertised
Your private data isn’t as private as you might think. That’s the takeaway from revelations that Apple (AAPL) and Microsoft (MSFT) fed users’ data to the Trump administration as it was probing media leaks. And regardless of any assurances from tech companies, they’re largely compliant when the government comes knocking for information about your digital life.
“It's not private at all,” Elizabeth Goitein, director of liberty and national security at the Brennan Center for Justice, told Yahoo Finance. “In the sense that law enforcement intelligence agencies have access to it under a number of different authorities — including some that are extremely permissive.”
The news that the government was snagging tons of data came via a New York Times article last week detailing how the Trump administration’s Department of Justice sought the so-called metadata on hundreds of users, including two members of Congress. That followed a report that Trump’s DOJ also went after the metadata of journalists reporting on the administration’s leaks.
Metadata is the who, what, when, and where of communications information. Essentially what phone numbers called each other, where they were located, when they called each other, and what they were calling on. And though it might seem vague, it can be used to piece together revealing patterns about everyday Americans. Joined an up-and-coming political movement? Called a suicide hotline? Had serious medical issues? Money troubles? Problems with your marriage? These are all things that can be inferred by using metadata.
“It really can run the gamut of your personal associations and activities and beliefs,” Goitein explained. “The more comprehensive the time period in the collection, the more the government's going to learn. It can create a very detailed and intimate picture of someone's personal life.”
It’s not just the data of journalists and politicians that’s at risk. The metadata of everyday Americans can also be grabbed, as well — and it can happen without your knowledge.
The solution? Legislative reform that informs Americans of when their information is being given to law enforcement and raises the standard for obtaining such information in the first place.
The government can force companies to hand over your data
The Times reported that in 2018, Apple received grand jury subpoenas for information related to user emails and phone numbers. But those subpoenas came with gag orders that prevented Apple from informing the users. The gag order has since been lifted, and Apple notified those impacted by the subpoenas, which included Rep. Adam Schiff (D-California), who was leading an investigation into Trump at the time. The Trump administration also tried to obtain Times reporters’ data from Google.
But it’s not just those few requests. Apple, Google, and Microsoft each provide transparency reports that indicate government agencies are seeking information on user data and accounts thousands of times a year — and the tech giants comply with many of these requests.
“If you read the fine print in, in all the privacy policies and disclosures, you will see that [these companies] will comply with legal process to turn over this information,” Goitein said.
And while Big Tech companies say they often resist pressure to provide such data, it behooves them to provide the data when facing the full pressure of the U.S. government.
“The companies themselves are in a very difficult position,” explained Michael Karanicolas, the executive director of the UCLA Institute for Technology, Law & Policy. “From a risk management perspective, from a business perspective, it's very easy to see why they would want to adopt a posture, which facilitates these requests and keeps the government on [their] side.”
In fairness to the companies, they often have policies to inform users when the government seeks their data. But gag orders throw that out the window. In the instance of Schiff’s data, the gag order was in place for three years.
“A very important thing is providing that notice, at least as soon as possible,” said Electronic Frontier Foundation deputy executive director Kurt Opsahl. “If it is before the information is revealed, then there are people who have an opportunity to challenge it and move to quash the subpoena. But if not, then the service providers will be the only line of defense.”
Legislation and privacy reform are needed to keep your data safe
According to Goitein, obtaining the kind of metadata sought from Schiff isn’t exactly difficult for the feds.
“It's a very low bar for the government to obtain Americans’ communications metadata, even though this is some of the most sensitive information about us, and that's a real problem,” she said. “That is a very clear example of the law completely failing to keep up with technology.”
So what kind of changes need to be put in place to keep Americans’ data safe, while still giving the government access to it in the course of legitimate investigations?
Attorney General Merrick Garland has said the DOJ will raise the bar for its policies around obtaining politicians’ and journalists’ information. But as each expert I spoke to pointed out, policies can change from administration to administration. And there’s no telling whether a future Justice Department will uphold the same standards Garland proposed.
Instead, Congress needs to craft legislation requiring companies to inform their users when the government is seeking their data — giving them enough time to fight to keep their information private.
“If the government tries to directly obtain Americans’ communications content (photos, emails, text messages) it generally needs a warrant,” Goitein explained. “It's time for Congress to update the law to make sure that other, sometimes equally sensitive types of information, like geolocation information, like communications metadata, received similarly strong protection."
Raising the standard for obtaining metadata might not be enough, though. The U.S. is still woefully behind Europe when it comes to comprehensive user data privacy laws. Individual states may have their own laws, but those don’t cover all Americans. Some form of legislation codifying data privacy protections needs to be put in place.
“I would like to see progress on data protection that extends beyond just how to guarantee greater security and integrity to journalists and members of Congress, but that improves the level of safety and security for the data of all Americans,” Opsahl said.
In reality, a comprehensive data privacy framework has eluded Washington for years — and getting one together anytime soon is likely still a ways off. But raising the bar for subpoenas could be within Congress’s reach.
More from Dan: