The blindspot of transparency reports

Our personal data and communications may be tracked by investigative authorities. This happens without warning, and governments do not disclose requests made to the companies. In today’s post, learn more about the main source of what is provided and what is not provided: corporate transparency reports.

Revealing, With Restrictions

“We believe it’s your right to know what kinds of requests and how many each government is making of us and other companies”

This was said by Richard Salgado, Google’s legal director, in 2013. Typically, the report included only judicial and emergency data requests by type. That year, the company announced that it would disclose how many requests for communication content had been made through the Foreign Intelligence Surveillance Act (FISA), and had been barred by US authorities (information nowadays is available here). This came after Snowden’s revelations about the US government’s online surveillance under the banner of counter-terrorism.

Request made to Google by NSL (US National Security Agency) to provide name, address and registration of electronic communications particular email or IP

Excerpt from NSL letter of permission for Google to disclose data on how many orders received and accounts involved

Obtaining personal data from someone in investigations without informing the subject involved is neither new nor uncommon. Wiretapping is an example of this. The practice is part of the procedures adopted by authorities to prevent the investigated person from destroying potential evidence. These operations, however, were conducted in confidence until the information providers decided to publish some data.

The discussion on transparency reports

Since the past decade, internet and telecommunications giants have issued reports of these requests from authorities. Because they handle millions of personal data, they are often called upon to collaborate in investigations. Although they cannot disclose who was the target of the orders, the companies started to publicize the quantity of these requests and which countries make the requests.

Transparency reports consist of general explanations of reasons for whether or not to cooperate with requests from authorities, number of requests placed, and number of requests fulfilled, by country. Some services reveal the amount of user accounts involved and the type of request.

Since the regulation of telephone wiretap procedures, some question the practice of covert investigation. There is great controversy about the duty to inform the investigated person – even when the request does not involve communications, but “only” registration data, for example. On the one hand, some defend the provision of data to the authorities to promote law enforcement, investigating illicit acts, identifying and locating those responsible. On the other hand, it is argued that there is the right of a person, as a citizen, to know about accusations and suspicions about oneself, as well as investigations in which one is involved.

The investigative angle has been prioritized by legislation. Even the brand new (and soon to be effective) Brazilian General Data Protection Act (art. 4, III) excludes public security from its scope.

Why transparency matters? 

The processing and forms of obtaining personal data by authorities remain opaque. According to a report published by the EFF, most Latin American intelligence agencies were constituted in dictatorial periods. Those who investigate information and communications still have an authoritarian relationship of secrecy and hermeticism towards citizens. States do not produce transparency reports.

In this context, the reports are indicators of guarantees for privacy and informational self-determination. It is possible to know the largest plaintiffs and how many orders they placed. But it is not enough, as this information needs verification.

There are only two ends where the numbers and details about requests for personal data are known: the authorities and the companies. The culture of access to public information is not consolidated, especially in countries such as Brazil, with a dictatorial history – see the attempts to restrict the access to information law that took place this year. Due to the institutional policies of confidentiality of public security operations, requests for information are not reported by the authorities, their disclosure comes only from companies. This results in opaque transparency.

Broadening the perspective 

The current self-reporting model is important as it provides some basis for understanding the reality of information provision between companies and authorities. However, it does not allow you to verify that the data is correct. It is also difficult to question a particular case of surrender or refusal without knowing the details and their legal basis. We remain unaware of the way our personal data and communications are handled in investigations and therefore unable to push for change.

We may need to take a step back and, either as citizens, towards the government, or as consumers, towards businesses, push for more transparency about what is made of our data and communications also in the sphere of public security.

The subject of this post is also an invitation to debate on the subject, which will be further explored in a panel proposed by IRIS at the Internet Forum in Brazil (FIB) “Data Protection and Public Safety in Brazil: Current Regulatory Context and Future Prospects”. The panel will take place on October 4, 2019, in Manaus, will be broadcast live, where questions and speeches can be sent, and later will be available video on YouTube.