Major U.S. technology companies have largely ended the practice of quietly complying with investigators’ demands for email records and other online data, saying that users have a right to know in advance when their information is targeted for government seizure.
This increasingly defiant industry stand is giving some of the tens of thousands of Americans whose Internet data gets swept into criminal investigations each year the opportunity to fight in court to prevent disclosures.
Prosecutors, however, warn that tech companies may undermine cases by tipping off criminals, giving them time to destroy vital electronic evidence before it can be gathered.
Fueling the shift is the industry’s eagerness to distance itself from the government after last year’s disclosures about National Security Agency surveillance of online services. Apple, Microsoft, Facebook and Google all are updating their policies to expand routine notification of users about government data seizures, unless specifically gagged by a judge or other legal authority, officials at all four companies said. Yahoo announced similar changes in July.
As this position becomes uniform across the industry, U.S. tech companies will ignore the instructions stamped on the fronts of subpoenas urging them not to alert subjects about data requests, industry lawyers say. Companies that already routinely notify users have found that investigators often drop data demands to avoid having suspects learn of inquiries.
The Justice Department said in a statement that the new industry policies threatened investigations and put potential crime victims in greater peril.
The changing tech company policies do not affect data requests approved by the Foreign Intelligence Surveillance Court, which are automatically kept secret by law. National security letters, which are administrative subpoenas issued by the FBI for national security investigations, also carry binding gag orders.
The government traditionally has notified people directly affected by searches and seizures — though often not immediately — when investigators entered a home or tapped a phone line. But that practice has not survived the transition into the digital world. Cellular carriers such as AT&T and Verizon typically do not tell customers when investigators collect their call data.
Many tech companies once followed a similar model of quietly cooperating with law enforcement. Courts, meanwhile, ruled that it was sufficient for the government to notify the providers of Internet services of data requests rather than the affected customers.
Twitter, founded in 2006, became perhaps the first major tech company to routinely notify users when investigators collected data, yet few others followed at first. When the Electronic Frontier Foundation began issuing its “Who Has Your Back?” report in 2011 — rating companies on their privacy and transparency policies — Twitter was the only company to get a star under the category “Tell users about data demands.” Google, the next most highly rated, got half a star from the civil liberties group.
The following year, four other companies got full stars. The preparation of this year’s report, due this month, has prompted a new flurry of activity in the legal offices of tech companies eager to gain a coveted star.
Google already routinely notified users of government data requests but updated its policy this week to detail the few situations in which notification is withheld, such as when there is imminent risk of physical harm to a potential crime victim.
“We notify users about legal demands when appropriate, unless prohibited by law or court order,” the company said in a statement.
Lawyers at Apple, Facebook and Microsoft are working on their own revisions, company officials said, although the details have not been released. All are moving toward more routinely notifying users, said the companies, which had not previously disclosed these changes.
The trend toward greater user notification gained new urgency amid the government surveillance revelations made by former NSA contractor Edward Snowden. Although the bulk data collection he disclosed was for national security purposes, not routine criminal investigations, companies grew determined to show that they prized their relationships with customers more than those with authorities.
The changing legal standards of technology companies most directly affect federal, state and local criminal investigators, who have found that companies increasingly balk at data requests once considered routine. Most now refuse to disclose the contents of emails or social media posts when presented with subpoenas, insisting that the government instead seek search warrants, which are issued only by judges and require the stricter legal standard of probable cause.
Subpoenas, by contrast, can be issued by a broader range of authorities and require only that the information sought be deemed “relevant” to an investigation. A 2010 ruling by the 6th U.S. Circuit Court of Appeals backed the industry’s contention that search warrants should be required for digital content, a standard now widely accepted.