How U.S. won deal with internet giants shows spy-law struggle
The president was ready to pledge on national television that he would let communications companies disclose more than ever about secret U.S. government data requests.
Problem was: big Internet firms weren't on board. And it was David O'Neil's job to fix it, fast.
The night before President Barack Obama's Jan. 17 speech, O'Neil, a Justice Department lawyer, and his boss, Deputy Attorney General James Cole, got on the phone with attorneys for five major technology companies. All five were suing the U.S. government for permission to disclose the extent of those same classified government orders, which require them to hand over records of customers' emails and Internet use.
O'Neil and Cole got straight the point: the president and attorney general wanted the government to be more transparent, and the companies should accept a deal and drop their suits, according to three government officials and two other people with direct knowledge of the negotiations who spoke to Bloomberg News. They all asked for anonymity to describe the private talks.
It took 10 more days from that Jan. 16 call for O'Neil to reach a compromise with Google Inc., Facebook Inc., LinkedIn Corp., Microsoft Corp. and Yahoo Inc. The tale of how that compromise was reached - on a comparatively straightforward issue - foreshadowed the challenge ahead as the Obama administration, Congress and businesses now try to craft a new law to govern who stores and controls access to millions of records now kept by the National Security Agency.
One Piece
"I don't think the issues are easy to solve, but they are solvable," said Cole, who declined to discuss the specifics of negotiations. "It may be a little harder to define the issue as you get into the far broader topics in surveillance writ large. But sometimes you have to break the issues apart and deal with them piece by piece. This was one piece."
The government's steps so far are "helpful" but "simply not enough," Facebook said in a statement after Chief Executive Officer Mark Zuckerberg and five other Internet and technology executives met on March 21 with Obama. "Facebook will keep urging the U.S. government to be more transparent about its practices and more protective of civil liberties."
Last week, Obama proposed as part of the new legislation that U.S. phone companies be required to maintain call records, not the National Security Agency, that the government would then access with court approval. Verizon Communications Inc. quickly raised an alarm, saying the companies shouldn't be asked to store more than they already do, or in new formats.
"It is critical to get the details of this important effort right," said Randal Milch, the New York-based company's general counsel and executive vice president for public policy.
Companies have always been permitted to disclose how many orders for information they receive because of local, state and federal criminal investigations. Not so with the classified orders they received from the secretive Foreign Intelligence Surveillance Court, or from the FBI in the form of National Security Letters.
Company Concerns
Some companies had advocated for years releasing such data, and the FBI consented in 2013 to permit Microsoft and Google to report roughly, in chunks of 1,000, the number of security letters, which are administrative subpoenas known as NSLs. That had quieted the issue until former NSA contractor Edward Snowden last June leaked reams of classified documents detailing the extent of U.S. surveillance, including bulk collection of phone records and interception of Internet data.
News reports about the Snowden leaks raised concerns among the companies that they were being seen as tools of the government, giving U.S. spies unfettered access to their systems and their customers' data.
Within a few months, Google, Yahoo and the other three companies filed suits seeking permission to publish the number of FISA orders they received and the number of accounts that were affected. They said they wanted to show that involved only a small portion of their customer base.
The Justice Department first proposed allowing the companies to publish total requests - NSLs, FISA orders and criminal orders - in bands of 1,000. The firms balked, saying such disclosures weren't transparent or specific enough.
Talks Falter
The talks faltered. The intelligence community viewed the companies as unlikely to ever settle because the lawsuit allowed them to look virtuous to customers who were skeptical of U.S. spying.
The companies argued that the government wasn't being transparent enough in light of the enormous controversy that had erupted and threatened their bottom lines.
Both sides dug in. One administration official described the atmosphere between the two parties as poisonous.
It became clear that "everybody had an incentive to hold out until the very end and so it was going to take high-level intervention to produce an agreement," said Stewart Baker, an attorney not involved in the negotiations who served as general counsel at the National Security Agency until the mid-1990s.
Cole, the deputy attorney general, tapped O'Neil, his chief of staff, to lead the negotiations. A boyish-looking 40-year-old with light-blue eyes and light brown hair, O'Neil was an ideal choice because of his easygoing nature and friendships with some of the attorneys at the tech firms.
Not that O'Neil was a pushover. A former federal prosecutor in New York City, the Harvard Law School graduate had spent the last two years helping run the day-to-day operations of a department with an annual budget of $27.3 billion. On March 21, he was named as acting head of the Justice Department's criminal division.
Obama Speech
O'Neil's goal in the talks with the Internet companies was to find a compromise that would end a time-consuming court fight that could end badly for the government. If the Justice Department lost in court, the intelligence community would have little control over what was published. He also was going to help fulfill a presidential promise.
In a speech delivered on Jan. 17 at the Justice Department, Obama would say, "We will also enable communications providers to make public more information than ever before about the orders that they have received to provide data to the government."
In their first calls to the firms on the eve of that speech, Cole and O'Neil offered to allow companies to separately report the number of NSLs and FISA orders they received every six months - in bands of 1,000. The companies could also break down the numbers between those seeking the content of communications and those seeking non-content-related business records, such as subscriber information.
The Justice Department attorneys also told the tech lawyers they wanted to keep secret the ability of the U.S. intelligence community to spy on emerging communication platforms.
Lawyers for the Internet companies argued the bands were too big; they also weren't on board with the exemption for new technologies, which might make it appear that a tech firm was in the pocket of the NSA and FBI.
Shuttle Diplomacy
Over the next 10 days, O'Neil engaged in shuttle diplomacy between the intelligence community and the companies. He told colleagues that the tech firms also seemed genuinely interested in protecting U.S. intelligence abilities and putting the lawsuit behind them. Intelligence officials came to agree that the companies were sincere in trying to find a way to be transparent without harming national secrets.
O'Neil pitched a six-month delay in reporting the figures, hoping to assuage the concerns of the U.S. spy agencies. He next proposed a two-year exemption for new technologies, a compromise that put a sunset on how long surveillance capabilities could be kept secret. Both sides accepted.
On Jan. 23, a Thursday, O'Neil and Cole called the company lawyers, expecting to cement a deal before they filed court papers as early as Monday announcing the settlement.
LinkedIn's attorney, Erika Rottenberg, balked, according to one of the people familiar with the talks. She argued that for companies that receive few requests such large bands wouldn't provide more transparency and might, in fact, do the opposite, the person said.
Rottenberg declined to comment through a LinkedIn spokesman.
New Offer
O'Neil worked all the next day and night and then into Saturday to find a solution. By Sunday Jan. 26, he and Cole came up with yet another offer: companies were to be given the option of lumping all of their requests - FISA orders and NSLs - into one number, in bands of 250. That meant a company could report it received between 0-249 such requests and that between 0-249 of its accounts were affected. It was the smallest number the intelligence community could stomach.
The firms took the deal, though not enthusiastically. "We still believe that buckets of 250 are too broad," said Hani Durzy, a LinkedIn spokesman, "and we will also continue to advocate for narrower disclosure ranges, which will provide a more accurate picture of the number of national security-related requests that companies like LinkedIn receive."
All five companies dropped their suits. Rather than making individual statements, they reacted as a group through the Reform Government Surveillance coalition, which also includes other companies.
"We're pleased the Department of Justice has agreed that we and other providers can disclose this information," they said in the joint statement. "While this is a very positive step, we'll continue to encourage Congress to take additional steps to address all of the reforms we believe are needed."
Within a week, they reported the more precise figures about government demands.
Google said the government submitted FISA orders during the first half of 2013, the last period available, for content involving between 9,000 and 9,999 accounts. LinkedIn reported in a blog post that the "we received between 0-249 national security-related requests, impacting between 0 and 249 accounts" during that same period. The company said it took that option because it gave the "public a more accurate picture of the number of national security-related requests we receive."
"Nothing is perfect," Cole said. "Both sides had legitimate issues. But we got to the point where we felt everybody's concerns were addressed at a reasonable level."