As I noted yesterday, Verizon conveniently released its own transparency report 5 days before the government approved new transparency guidelines (according to one report, the deal was substantially completed earlier in the month, but had to wait on some tweaks to follow Obama’s speech).
Had Verizon released a transparency report yesterday, it would have added at least the following two details:
Non-Content FISA orders:
4 orders affecting 107,700,000 customers
Content FISA orders:
? orders affecting ? selectors (probably measuring the number of search terms — maybe something like “250” — Verizon searches for off its upstream collection affecting millions of people)
It would have painted a very different picture.
It turns out they did have time scheduled to write transparency claims yesterday. They released this statement attempting to reassure customers that Verizon doesn’t comply with any US government orders for data stored overseas. (h/t Chris Soghoian) Here’s an excerpt:
Over the past year there has been extensive discussion around the world about government demands for data. Last week, Verizon released a Transparency Report outlining the number of law enforcement requests for customer information that we received in 2013. In the report we noted that in 2013 we did not receive any demands from the United States government for data stored in other countries.
Although we would not expect to receive any such demands, there are persistent myths and questions about the U.S. government’s ability to access customer data stored in cloud servers outside the U.S. Now is a good time to dispel these inaccuracies and address the questions, which have been exacerbated by the stream of news reports since last June about national intelligence activities in the U.S. and elsewhere.
Our view on the matter is simple: the U.S. government cannot compel us to produce our customers’ data stored in data centers outside the U.S., and if it attempts to do so, we would challenge that attempt in court.
Here’s why.
The section of the national security laws often cited as granting the U.S. government authority to access data stored abroad is Section 215 of the Patriot Act.
While Section 215 allows a court to issue an order requiring a company operating in the U.S. to produce certain business records, it does not give the U.S. government the power to act outside the U.S. More importantly, Section 215 does not grant the U.S. government access to customer data stored in the cloud; it only applies to business records of the cloud provider itself. So the U.S. government cannot use Section 215 to compel a company to produce customer data stored in data centers outside the U.S.
[snip]
Finally, Section 702 of the Patriot Act also is not an option for the U.S. government to compel a U.S. company to turn over customer data stored in a data center outside the U.S. because the U.S. company does not have possession, custody or control of that data.
[snip]
customer data stored in data centers outside the U.S.
[snip]
data stored outside the U.S.
[snip]
data stored in the cloud outside the U.S.
[snip]
there should be no concern about the U.S. government compelling Verizon to disclose data our customers store in Verizon data centers outside the U.S. [my emphasis]
So having dodged by 5 days the obligation to report on all the data stored in the US it hands over to the government, it now wants to make claims about Verizon customer data stored overseas.
Stored, stored, stored, stored, stored, stored, stored, stored, stored, stored, store.
It chose not to say anything about data in transit, either here or in the US. In the US it is now permitted to talk about the data it collects in transit off its cables for the government in response to FISA Section 702 orders (though the deal only permits reports every 6 months; I guess it’s hoping we’ll forget about this soon).
To say nothing of the data it provides the government it collects as it transits overseas, perhaps in response to a polite request?
I’m actually most interested in Verizon’s claim it could not be required to turn over data stored overseas under Section 702.
Wouldn’t it primarily be served such a request under Section 703, which requires a warrant for electronic surveillance or access to stored communications of Americans overseas? Actually, I don’t know the answer to that — no one seems to, and I’ve been asking a lot of lawyer types.
But if Verizon says it can’t be served with an order for data stored overseas (in truth, many 703 orders must relate to searches conducted here on people who are physically overseas, but still), then the government isn’t using 703 in all the cases it is required to.
Whatever: the message to all you Europeans seems clear. Verizon would never let the government touch data it had in its own servers. Nosirree!
As far as data transiting its cables? All bets are off.