Transparency Reports Should Be Standard Practice

Type threatpost
Reporter Dennis Fisher
Modified 2013-04-26T15:51:55


With less than three full months gone in 2013, Facebook, Apple and Microsoft have all publicly admitted to serious security breaches, something that would have seemed like an elaborate practical joke just a couple of years ago. But the times and the climate have changed, and if you needed more evidence of that, it arrived last week in the form of the first Microsoft Transparency Report.

It’s not the content of the report that’s so remarkable; indeed, much of it is fairly run-of-the-mill data on how many requests for user content and account information the company received from law enforcement last year. Other companies, including Twitter and Google, have been producing such reports for some time now, so Microsoft’s publication isn’t unique. What’s interesting is that Microsoft is publishing such a report at all.

The company’s decision to publicly disclose the volume of user-data requests it gets from law enforcement agencies may look like a me-too move designed to bring Microsoft into the conversation with Google and the other companies already doing so. On one level it is. Microsoft often lets other companies make the big moves, watches how they work out and then decides whether to follow suit. That was true in the video game, mobile phone and cloud markets.

And while Microsoft has led on security in many ways, it has not necessarily led on privacy and transparency. But Microsoft’s Transparency Report included something that the other companies have not yet put into theirs: data on National Security Letters. These secret documents have been a favored tool of government agencies over the last decade. Often used in counter-terrorism investigations, NSLs can be issued without a warrant, and the organizations that receive them are barred from discussing them publicly, even to acknowledge that they received such a letter.

However, in the wake of a U.S. District Court ruling that NSLs are unconstitutional, Microsoft released some limited data on its experience with the documents. Although what Microsoft revealed was only a broad range for the number of NSLs it has received, that is a significant change in how companies that hold large amounts of user data treat those requests. If the court ruling on NSLs holds, we may see more companies publishing similar data.

But even if it does not, the actions of Microsoft, Google and Twitter in publishing their transparency reports should serve as an example for other companies holding similar amounts of user data. Wireless carriers, ISPs, data brokers and other organizations that store or transmit large volumes of sensitive user data would do well to publish their own transparency reports. It’s time for these disclosures to become as commonplace as quarterly earnings reports.

That may be a stretch, but the same could have been said, and often was, about simple data breach disclosures just a few years ago. Disclosures of major data thefts used to be quite rare, but now there are dozens every month. What that says about the security of user data is a topic for another day. But the precedent set by those disclosures is one that companies can follow when it comes to law enforcement requests.

The data belongs to the users, and they deserve to know where it’s going.