In 2009 the U.S government dubbed January 28 "Data Privacy Day." Four years later, it's the government's own actions to obtain personal information that are in the spotlight, thanks to new reports from Google and Twitter.
The goal of Data Privacy Day is to educate people and companies on the vulnerability of personal data, including information shared on social networks, financial data and anything stored on cloud services. The holiday is spearheaded by the National Cyber Security Alliance (NCSA), a nonprofit organization that works with government agencies and major tech companies including Intel, Google, Microsoft and Facebook.
"We want to raise universal awareness about people respecting the privacy of others and safeguarding their data," said Michael Kaiser, NSCA's executive director.
To mark the occasion, Twitter released its latest transparency report, which breaks down government requests for user data as well as copyright complaints and "take down" requests. Google followed up on its own transparency report, released last week, with a blog post explaining how it fields government requests and a new section on its transparency report that addresses common questions about the process.
The numbers from the two companies show a steady increase in requests from the U.S. government for personal data. Usually these requests are part of criminal investigations or court cases, according to the two companies. The majority of requests from U.S. agencies are subpoenas, followed by search warrants, court orders and some emergency requests. Search warrants are more difficult to obtain than a subpoena and require a higher standard of probable cause.
In the past six months, Google received 21,389 requests for data, a 70% increase since the company first started releasing the report in 2010. The largest single entity requesting information continued to be the U.S. government, which submitted 8,438 of the requests. Google turned over some or all of the requested information 88 percent of the time, Twitter 57 percent of the time.
Twitter received 1,858 requests for information about 1,433 accounts, 815 of which were from the U.S. government. The social network added a new home for its transparency reports, transparency.twitter.com, and expanded the report to include more details about the requests and an expanded entry to cover the activity in the United States.
"It's our continued hope that providing greater insight into this information helps in at least two ways: first, to raise public awareness about these invasive requests; second, to enable policy makers to make more informed decisions," Twitter's legal policy manager Jeremy Kessel said in a blog post.
Transparency and education about what the government can access and how are important, but the companies also want to change the laws to better protect user privacy in the first place.
"We're a law-abiding company, and we don't want our services to be used in harmful ways. But it's just as important that laws protect you against overly broad requests for your personal information," said Google's chief legal officer David Drummon in a blog post on Monday.
Under the 1986 Electronic Communications Privacy Act (ECPA), a file stored on a hard drive in your home has greater protection than information stored with a third-party. Whereas the government would require a search warrant for anything in your house, it can request access to e-mails older than 180 days or information stored in the cloud with a subpoena, which is easier to obtain. Twitter and Google are both members of the Digital Due Process Coalition, an organization that is lobbying to update the act.
Drummon explained Google's process for handling requests, which involves notifying users of the requests when legally allowed, and requiring a search warrant for search query and private information from agencies conducting criminal investigations.
"We believe a warrant is required by the Fourth Amendment to the U.S. Constitution, which prohibits unreasonable search and seizure and overrides conflicting provisions in ECPA," says Drummon.
These kinds of reports and posts are important tools for educating the public about how and when government agencies can access information, but government requests are only one sliver of data privacy fluency. People can also take steps to better control what they share online on social networks or apps that collect location data. Kaiser recommends people familiarize themselves with privacy policies and regularly update privacy settings on sites such as Facebook.
The day isn't just to raise awareness among consumers. Business are also key players in data privacy, and while big names like Google and Twitter have large legal and security teams, smaller companies that also have access to personal data might not.
"We want them to be aware of their responsibility to be stewards of the data people entrust to them," said Kaiser.