GOVERNMENT REQUESTS FOR DATA: What Does it Mean for Your Organization? EXECUTIVE BRIEF


Introduction

Over the past few years, there has been a “rising interest” from governments to gain access to data on customers from tech giants like Google, Amazon and Microsoft with thousands of requests for customer data every week.

In an ever-changing landscape of technology policy, these requests for data can cause conflict: the responsibility to preserve consumer privacy while meeting regulatory and/or public safety obligations has become increasingly complex and challenging.

Types of Government Requests

The data requests include search warrants, subpoenas, or calls to restrict certain kinds of content.


Subpoena:

Subscriber registration information (e.g., name, account creation information, associated email addresses, phone number)

Sign-in IP addresses and associated time stamps

Court Order:

Non-content information (such as non-content email header information)

Information obtainable with a subpoena

Search Warrant:

Email content

Information obtainable with a subpoena or court order

Copyright 2021, Unbound Tech Inc.


US Government Requests

Google, Amazon and Microsoft are US-based companies, falling squarely under US law, which means they can’t “ignore” requests for data from US law enforcement agencies.

Requests for “stored data” can be made under specific “stored data” laws, since Google (GCP), Amazon (AWS) and Microsoft (Azure) are effectively data storage companies: they store your data online so you can access it at any point from any location. Requests can also fall under different areas of law, including the Patriot Act, among others.

The most common request for data is the subpoena, followed by search warrants. A federal statute called the Electronic Communications Privacy Act (ECPA) regulates how a government agency can use these types of legal processes to compel companies like those mentioned above to disclose information about users. The ECPA can allow a government agency to compel the disclosure of certain kinds of data with a subpoena or court order. For example, Google requires an ECPA search warrant for contents of Gmail and other services based on the Fourth Amendment to the US Constitution, which prohibits unreasonable search and seizure.

Furthermore, with the CLOUD Act, the United States government can access data of American companies stored abroad (e.g., data stored in a server that is located outside of the US). It sets up a new mechanism by which governments may agree bilaterally on procedures and safeguards to handle lawful requests for data stored under each other’s legal jurisdiction.

Non-US Government Requests

Outside the US, these companies do not have the same level of requirement to hand over data to foreign governments or law-enforcement agencies, particularly if they do not have a physical presence in the country of that requesting state.

Mutual Legal Assistance (MLA) allows a government to seek help from the foreign government where a person or company resides, because it has no jurisdictional power there. In this case, it means a foreign government (like the UK, France, or Germany, for example) would have to put in an “MLA request” to the US Department of Justice requesting help.

MLA treaties exist between most countries in the world, but not all. This means some countries can be kept at a distance in order to prevent other governments from harming their own citizens, as in Syria, for example.

There are many ways that other countries can obtain information from companies like Google outside of the MLA process, including joint investigations between US and local law enforcement, emergency disclosure requests, and others.


Response Types

Each company has its own policy for handling requests, and each company states that it works within the confines of the law when deciding whether or not to hand over user data.

Full Response:

Means that the company responded to valid legal process by providing all of the information requested.


Partial Response:

Means that the company responded to valid legal process by providing only some of the information requested.

No Response:

Means that the company responded to valid legal process by providing none of the information requested.


Requests in Numbers

Google, Amazon, and Microsoft, among others, publish reports yearly on the number of government requests for data.(1),(2)

GOOGLE

Google discloses the number of user data requests from government authorities alongside the total number of users/accounts specified in those requests in six-month increments, subject to certain limitations. They began by reporting on the number of users/accounts requested in the first half of 2011.

[Charts: Requests by Reporting Period; Percentage of Requests Where Data Was Produced]

(1) This brief focuses on Google, Amazon and Microsoft since they are primary CSPs today. However, other major technology companies receive similar requests and publish transparency reports online.

(2) The following data does not include National Security Letters (“NSLs”) – by law organizations are only allowed to report a range of NSLs, not specific numbers.

Note: the number of data requests is significantly smaller for Amazon compared to Google & Microsoft, since Amazon has fewer end-user services rich with information, such as email accounts.


AMAZON

Amazon began publishing information concerning requests for data in 2015. Learn more about Amazon’s corporate policy concerning government requests for data at Amazon Law Enforcement Guidelines.

[Charts: Requests by Reporting Period; Percentage of Requests Where Data was Produced]

MICROSOFT AZURE

Twice a year Microsoft publishes the number of legal demands for customer data that they receive from law enforcement agencies around the world. While this report only covers law enforcement requests, Microsoft follows the same principles for responding to government requests for all customer data. Learn more here.

[Charts: Requests by Reporting Period; Percentage of Requests Where Data was Produced]


Implications of Government Requests for Data

Based on the data presented above, government requests for data have increased over time and if current trends are any indicator, they will continue to increase.

When the government requests data from a CSP, they are not required to notify the customer. Therefore, if your organization is storing data in the cloud, and is subpoenaed, you may or may not know how the CSP responded to the request for data.

Furthermore, organizations may be at odds with privacy-preserving regulations such as GDPR/CCPA if their data is given to the government by CSPs and other data storing providers.

Only those customers who control their own encryption keys will be notified if their data has been requested by the government. When encryption keys are controlled by the customer, the CSP has no authority to respond to government requests for data. A subpoena will have to be directed at the customer (a SaaS provider) in order to obtain any key material and the data that it protects.
