In Leak Investigation, Tech Giants Are Caught Between Courts and Prospects
On February 6, 2018, Apple received a grand jury subpoena for the names and phone details associated with 109 email addresses and phone numbers. It was one of more than 250 requests for data the company received an average of every week from US law enforcement at the time. An Apple attorney came over and provided the information.
That year a gag order for a subpoena expired. Apple said it alerted those who were the subject of the summons, just as it does with dozens of customers every day.
But this request was unusual.
Unknowingly, Apple said it had handed over the records of congressional officials, their families, and at least two members of Congress, including California MP Adam B. Schiff, then the top Democrat on the House of Representatives Committee on Intelligence and now its chairman. The subpoena turned out to be part of an extensive investigation by the Trump administration into classified information leaks.
The revelations have now plunged Apple into the middle of a firestorm over the Trump administration’s efforts to find the sources of news, and the deal underscores the spate of law enforcement inquiries that technology companies are increasingly grappling with. The number of these inquiries has grown to thousands per week in recent years, placing Apple and other tech giants like Google and Microsoft in an awkward position between law enforcement, courts and the customers whose privacy they have promised to protect.
The companies regularly comply with the requests, as they are legally obliged to do so. The subpoenas can be vague, so Apple, Google, and others are often unclear about the nature or subject of an investigation. You can contest some of the subpoenas if they are too broad or relate to a corporate client. In the first six months of 2020, Apple challenged 238 government requests for customer account information, or 4 percent of such requests.
As part of the same leak investigation by the Trump administration earlier this year, Google battled a gag order on a subpoena to release data on the emails of four New York Times reporters. According to Ted Boutrous, an outside Times attorney, Google argued that its contract as corporate email provider required The Times to notify the newspaper of all government inquiries for its email.
But for the most part, companies comply with law enforcement requirements. And that underscores an uncomfortable truth: As their products become increasingly important in people’s lives, the world’s largest tech companies have become surveillance brokers and key partners of government agencies, with the power to decide which applications to fulfill and which to reject.
“There is definitely tension,” said Alan Z. Rozenshtein, associate professor in the University of Minnesota law school and former Justice Department attorney. He said that given the “insane amount of data these companies have” and the fact that everyone has a smartphone, most law enforcement investigations “have at some point involved these companies.”
On Friday, the Department of Justice’s independent inspector general opened an investigation into federal prosecutors’ decision to secretly seize data from Democrats and House reporters. Top Senate Democrats also called for former Attorney General William P. Barr and Jeff Sessions to testify in front of Congress about the leak investigations, specifically the subpoena to Apple and another to Microsoft.
Fred Sainz, an Apple spokesperson, said in a statement that the company regularly contests government data requests and informs affected customers as soon as it is legally possible.
“In this case, the subpoena, issued by a federal grand jury and containing a confidentiality order signed by a federal judge, contained no information about the nature of the investigation and it would have been virtually impossible for Apple to understand the intent.” desired information without digging through the user accounts, ”he said. “In accordance with the request, Apple limited the information it provided to account subscriber information and did not provide content such as emails or images.”
In a statement, Microsoft said it had received a subpoena in 2017 regarding a personal email account. It said it notified the customer after the toggle arrangement expired and learned that the person was a member of Congress. “We will continue to aggressively seek reforms that set appropriate limits on state secrecy in such cases,” the company said.
Let us help you protect your digital life
Google did not want to comment on whether it had received a subpoena in connection with the investigation by the House of Representatives Committee on Intelligence.
The Justice Department has not commented publicly on Apple releasing House Intelligence Committee records. In a testimony before Congress this week, Attorney General Merrick B. Garland evaded criticism of the Trump administration’s decisions, saying the record seizure was “under a set of guidelines that have existed for decades.”
In the Justice Department’s leak investigation, Apple and Microsoft shared so-called metadata from people who worked in Congress, including phone records, device information and addresses. It is not uncommon for the Justice Department to subpoena such metadata because the information can be used to determine whether someone has had contact with a media representative or whether their work or personal accounts were linked to anonymous accounts used to disseminate classified information.
As part of the gag order imposed by the authorities at the summons, Apple and Microsoft also agreed not to disclose anything to the people whose information was requested. In the case of Apple, a one-year toggle arrangement was extended three times. This was in contrast to Google, which opposed the gag order of a subpoena to release data on the four Times reporters.
The different answers are mainly explained by the different relationships between the companies and their customers in this case. Apple and Microsoft were instructed to release data on individual accounts, while the subpoena to Google concerned a contracted corporate customer. That contract gave Google a more specific basis to challenge the gag order, lawyers said.
The subpoena to Apple was also more opaque – it only requested information on a range of email addresses and phone numbers – and the company said it had nothing to do with a Congressional investigation. It was clear to Google that the Justice Department wanted The Times to keep records because the email addresses were clearly those of Times reporters.
Google said customer information requests are generally not handled differently for individual accounts and corporate customers. However, the company has a strong case for redirecting data requests from corporate clients based on the Justice Department’s own recommendations.
In guidelines released in 2017, the Department of Justice urged prosecutors to “obtain data directly from companies” rather than contacting a technology provider, unless doing so was impractical or jeopardized the investigation. When the Justice Department turned to Google to confiscate information about the reporters, the Justice Department attempted to bypass the Times. Google didn’t want to say whether it used Justice Department guidelines to combat the gag order.
Google said it provided data on 83 percent of the nearly 40,000 requests for information from US government agencies it received in the first half of 2020. By comparison, Google delivered some data cloud, including their email and web hosting offerings, to Google’s 398 paying corporate customers in 39 percent of requests for information over the same period.
Law enforcement requests for data from American tech companies have more than doubled in recent years. Facebook said it received nearly 123,000 data requests from the US government last year, up from 37,000 in 2015.
Apple said it received an average of 400 US law enforcement requests for customer data per week in the first half of 2020, more than twice as many as five years earlier. The company’s compliance rate has been between 80 and 85 percent for years.
In addition, the authorities require information on additional accounts in every request. In the first half of 2020, every U.S. government subpoena or arrest warrant to Apple requested an average of data for 11 accounts or devices, up from fewer than three accounts or devices in the first half of 2015, the company said.
Apple said that after the government began adding more than 100 accounts to some subpoenas, as it did with the leak investigation in 2018, law enforcement officials were asked to limit applications to 25 accounts at a time. The police did not always adhere to it, the company said.
Apple has often challenged subpoenas containing so many accounts because they were too broad, said a former senior attorney for the company, who spoke on condition of confidentiality. That person said it wouldn’t have been surprising to Apple to challenge the Justice Department subpoena in 2018, but whether or not an application is challenged often depends on a paralegal handling the subpoena elevating them to senior lawyers.
Charlie Savage contributed to the coverage.