Evernote quietly disappeared from an anti-surveillance lobbying group’s website

In 2013, eight tech companies were accused of funneling their users’ data to the U.S. National Security Agency under the so-called PRISM program, according to highly classified government documents leaked by NSA whistleblower Edward Snowden. Six months later, the tech companies formed a coalition under the name Reform Government Surveillance, which as the name would suggest was to lobby lawmakers for reforms to government surveillance laws.

The idea was simple enough: to call on lawmakers to limit surveillance to targeted threats rather than conduct a dragnet collection of Americans’ private data, provide greater oversight and allow companies to be more transparent about the kinds of secret orders for user data that they receive.

Apple, Facebook, Google, LinkedIn, Microsoft, Twitter, Yahoo and AOL (to later become Verizon Media, which owns TechCrunch — for now) were the founding members of Reform Government Surveillance, or RGS, and over the years added Amazon, Dropbox, Evernote, Snap and Zoom as members.

But then sometime in June 2019, Evernote quietly disappeared from the RGS website without warning. What’s even more strange is that nobody noticed for two years, not even Evernote.

“We hadn’t realized our logo had been removed from the Reform Government Surveillance website,” said an Evernote spokesperson, when reached for comment by TechCrunch. “We are still members.”

Evernote joined the coalition in October 2014, a year and a half after PRISM first came to public light, even though the company was never named in the leaked Snowden documents. Still, Evernote was a powerful ally to have onboard, and showed RGS that its support for reforming government surveillance laws was gaining traction outside of the companies named in the leaked NSA files. Evernote cites its membership of RGS in its most recent transparency report and that it supports efforts to “reform practices and laws regulating government surveillance of individuals and access to their information” — which makes its disappearance from the RGS website all the more bizarre.

TechCrunch also asked the other companies in the RGS coalition if they knew why Evernote was removed and all either didn’t respond, wouldn’t comment or had no idea. A spokesperson for one of the RGS companies said they weren’t all that surprised since companies “drop in and out of trade associations.”

The website of the Reform Government Surveillance coalition, which features Amazon, Apple, Dropbox, Facebook, Google, Microsoft, Snap, Twitter, Verizon Media and Zoom, but not Evernote, which is also a member. Image Credits: TechCrunch

While that may be true (companies often sign on to lobbying efforts that ultimately help their businesses), government surveillance is one of those rare thorny issues that got some of the biggest names in Silicon Valley rallying behind the cause. After all, few tech companies have openly and actively advocated for an increase in government surveillance of their users, since it’s the users themselves who are asking for more privacy baked into the services they use.

In the end, the reason for Evernote’s removal seems remarkably benign.

“Evernote has been a longtime member — but they were less active over the last couple of years, so we removed them from the website,” said an email from Monument Advocacy, a Washington, D.C. lobbying firm that represents RGS. “Your inquiry has helped to prompt new conversations between our organizations and we’re looking forward to working together more in the future.”

Monument has been involved with RGS since near the beginning after it was hired by the RGS coalition of companies to lobby for changes to surveillance laws in Congress. Monument has spent $2.2 million in lobbying to date since it began work with RGS in 2014, according to OpenSecrets, specifically on lobbying lawmakers to push for changes to bills under congressional consideration, such as changes to the Patriot Act and the Foreign Intelligence Surveillance Act, or FISA, albeit with mixed success. RGS supported the USA Freedom Act, a bill designed to curtail some of the NSA’s collection under the Patriot Act, but was unsuccessful in its opposition to the reauthorization of Section 702 of FISA, the powers that allow the NSA to collect intelligence on foreigners living outside the United States, which was reauthorized for six years in 2018.

RGS has been largely quiet for the past year — issuing just one statement on the importance of transatlantic data flows, the most recent hot-button issue to concern tech companies, fearing that anything other than the legal status quo could see vast swaths of their users in Europe cut off from their services.

“RGS companies are committed to protecting the privacy of those who use our services, and to safeguard personal data,” said the statement, which included the logos of Amazon, Apple, Dropbox, Facebook, Google, Microsoft, Snap, Twitter, Verizon Media and Zoom, but not Evernote.

In a coalition that’s only as strong as its members, the decision to remove Evernote from the website while it’s still a member hardly sends a resounding message of collective corporate unity — which these days isn’t something Big Tech can find much of.


Ring won’t say how many users had footage obtained by police

Ring gets a lot of criticism, not just for its massive surveillance network of home video doorbells and its problematic privacy and security practices, but also for giving that doorbell footage to law enforcement. While Ring is making moves towards transparency, the company refuses to disclose how many users had their data given to police.

The video doorbell maker, acquired by Amazon in 2018, has partnerships with at least 1,800 U.S. police departments (and growing) that can request camera footage from Ring doorbells. Prior to a change this week, any police department that Ring partnered with could privately request doorbell camera footage from Ring customers for an active investigation. Ring will now let its police partners publicly request video footage from users through its Neighbors app.

The change ostensibly gives Ring users more control over when police can access their doorbell footage, but ignores privacy concerns that police can access users’ footage without a warrant.

Civil liberties advocates and lawmakers have long warned that police can obtain camera footage from Ring users through a legal back door because Ring’s sprawling network of doorbell cameras is owned by private users. Police can still serve Ring with a legal demand, such as a subpoena for basic user information, or a search warrant or court order for video content, assuming there is evidence of a crime.

Ring received over 1,800 legal demands during 2020, more than double from the year earlier, according to a transparency report that Ring published quietly in January. Ring does not disclose sales figures but says it has “millions” of customers. But the report leaves out context that most transparency reports include: how many users or accounts had footage given to police when Ring was served with a legal demand?

When reached, Ring declined to say how many users had footage obtained by police.

That number of users or accounts subject to searches is not inherently secret, but an obscure side effect of how companies decide — if at all — to disclose when the government demands user data. Though they are not obligated to, most tech companies publish transparency reports once or twice a year to show how often user data is obtained by the government.

Transparency reports were a way for companies subject to data requests to push back against damning allegations of intrusive bulk government surveillance by showing that only a fraction of a company’s users are subject to government demands.

But context is everything. Facebook, Apple, Microsoft, Google, and Twitter all reveal how many legal demands they receive, but also specify how many users or accounts had data given. In some cases, the number of users or accounts affected can be double, or more than triple, the number of demands they received.

Ring’s parent, Amazon, is a rare exception among the big tech giants in that it does not break out the specific number of users whose information was turned over to law enforcement.

“Ring is ostensibly a security camera company that makes devices you can put on your own homes, but it is increasingly also a tool of the state to conduct criminal investigations and surveillance,” Matthew Guariglia, policy analyst at the Electronic Frontier Foundation, told TechCrunch.

Guariglia added that Ring could release not only the numbers of users subject to legal demands, but also how many users have previously responded to police requests through the app.

Ring users can opt out of receiving requests from police, but this option would not stop law enforcement from obtaining a legal order from a judge for your data. Users can also switch on end-to-end encryption to prevent anyone other than the user, including Ring, from accessing their videos.


Reddit’s transparency report shows a big spam problem and relatively few government requests

Reddit has published its transparency report for 2020, showing various numbers relating to removed content, government requests and other administrative actions. The largest problem by far — in terms of volume, anyway — is spam, which made up nearly all content taken down. Legal requests for content takedown and user information were far fewer, but not trivial, in number.

The full report is quite readable, but a bit long; the main points to understand are summarized below.

Of nearly 3.4 billion pieces of content created on Reddit (which is to say posts, comments, hosted images, etc.), 233 million were removed. These numbers are both up by 20%-30% from 2019. Of those 233 million, 131 million were “proactive” removals by the AutoMod system and 13.6 million were removed after user reports by subreddit moderators.

The remaining 85 million were taken down by Reddit admins; 99.76% of these were spam or “content manipulation” like brigading and astroturfing, with around 50,000 each of harassment, hate and sexualization of minors, smaller amounts of violent speech, doxing and so on.

Chart showing that content removal on Reddit was largely spam. Image Credits: Reddit

82,858 subreddits were removed, nearly four times more than 2019. The majority of these were for lack of moderation, followed by hate, harassment and ban evasion (e.g., r/bannedsub starts r/bannedsub2).

When it came to removing comments, hate, violence and harassment were much more prevalent. And 92% of private messages removed (of about 25,000 total) were for harassment.

Outside of spam and content manipulation, hate speech resulted in far more bans than any other infraction; more accounts were permanently banned for hate in 2020 than for all causes combined in 2019. (But far fewer for content violations than for spam and ban evasion.)

Government requests to remove content were relatively few. Overall Reddit received a couple hundred requests covering about 5,000 pieces of content or subreddits. For example, 753 subreddits had their access restricted to Pakistani users due to anti-obscenity laws there.

Requests from individuals or companies to remove things numbered in the hundreds, and copyright takedown notices asked for about half a million pieces of content to be removed (375,774 were), more than twice 2019’s. Only a handful of DMCA counter-notices were received.

Law enforcement came to Reddit 611 times for user information, up 50% from last year, and the company granted 424 of those requests. These are mostly subpoenas, court orders and search warrants. Since Reddit isn’t really a social network and accounts can be essentially anonymous or throwaway, it’s hard to say what level of disclosure this actually represents. Emergency disclosure requests numbered about 300 and were mostly complied with — these are supposedly life-or-death situations in which a Reddit account is concerned.

Lastly Reddit received somewhere between 0 and 249 secret requests for data, targeting somewhere between 0 and 249 users, same as last year. Sadly, federal law prohibits them from saying any more than this regarding FISA orders and National Security Letters.

Overall the picture painted of Reddit in 2020 is of a growing community plagued by spam and inauthentic activity, plus a significant and growing contingent of hate, harassment and other prohibited content (though last year was surely an exceptional one for this). Lacking much fundamental access to or use of personally identifiable data, Reddit isn’t much of a target for three-letter agencies and law enforcement. And with “free speech”-focused alternatives to Reddit and other platforms popping up, it’s likely that the hate and harassment that were deplatformed will roost elsewhere in 2021.


Amazon says government demands for user data spiked by 800% in 2020

New transparency figures released by Amazon show the company responded to a record number of government data demands in the last six months of 2020.

The new figures land in the company’s bi-annual transparency report published to Amazon’s website over the weekend.

Amazon said it processed 27,664 government demands for user data in the last six months of 2020, up from 3,222 data demands in the first six months of the year, an increase of close to 800%. That user data includes shopping searches and data from its Echo, Fire, and Ring devices.

The new report presents the data differently from previous transparency disclosures. Amazon now breaks down the top requesting countries. U.S. authorities historically made up the bulk of the overall data demands Amazon receives, but this latest report shows Germany with 42% of all requests, followed by Spain with 18%, and Italy and the U.S. with 11% share each.

But the report also removes the breakdown by legal process, and now only differentiates between the requests it gets for users’ content and for non-content. Amazon said it handed over user content data in 52 cases.

For its Amazon Web Services cloud business, which it reports separately, Amazon said it processed 523 data demands, with 75% of all requests made by U.S. authorities, and Amazon turned over users’ content in 15 cases.

An Amazon spokesperson would not say what led to the sharp rise in data demands. (Amazon seldom comments on its transparency reports.)

Amazon’s transparency report is one of the lightest reads of all the tech giants at just three pages in length, and spends most of the report explaining how it responds to each legal demand rather than on the data itself. The company, known for its notorious secrecy, became the last of the major tech giants to push out a transparency report in 2015. Where most tech companies added data to their transparency reports, like takedown notices and account removals, Amazon bucked the trend by removing data from its reports, despite the company’s growing reach into millions of homes.

The Financial Times reported this weekend that Ring, the video doorbell and home security startup acquired by Amazon for $1 billion, now has 2,000 law enforcement partners across the United States, allowing police departments to access homeowners’ doorbell camera footage.


Apple opens up — slightly — on Hong Kong’s national security law

After Beijing unilaterally imposed a new national security law on Hong Kong on July 1, many saw the move as an effort by Beijing to crack down on dissent and protests in the semi-autonomous region.

Soon after, a number of tech giants — including Microsoft, Twitter and Google — said they would stop processing requests for user data from Hong Kong authorities, fearing that the requested data could end up in the hands of Beijing.

But Apple was noticeably absent from the list. Instead, Apple said it was “assessing” the new law.

When reached by TechCrunch, Apple did not say how many requests for user data it had received from Hong Kong authorities since the new national security law went into effect. But the company reiterated that it doesn’t receive requests for user content directly from Hong Kong. Instead, it relies on a long-established so-called mutual legal assistance treaty, allowing U.S. authorities to first review requests from foreign governments.

Apple said it stores iCloud data for Hong Kong users in the United States, so any requests by Hong Kong authorities for user content have to be first approved by the Justice Department, and a warrant has to be issued by a U.S. federal judge before the data can be handed over to Hong Kong.

The company said that it received a limited number of non-content requests from Hong Kong related to fraud or stolen devices, and that the number of requests it received from Hong Kong authorities since the introduction of the national security law will be included in an upcoming transparency report.

Hong Kong authorities made 604 requests for device information, 310 requests for financial data, and 10 requests for user account data during 2019.

The report also said that Apple received 5,295 requests from U.S. authorities during the second half of last year for data related to 80,235 devices, a seven-fold increase from the previous six months.

Apple also received 4,095 requests from U.S. authorities for user data stored in iCloud on 31,780 accounts, twice the number of accounts affected during the previous six months.

Most of the requests related to ongoing return and repair fraud investigations, Apple said.

The report said it received 2,522 requests from U.S. authorities to preserve data on 6,741 user accounts, allowing law enforcement to obtain the right legal process to access the data.

Apple also said it received between 0 and 499 national security requests for non-content data on between 15,500 and 15,999 users or accounts, an increase of 40% on the previous report.

Tech companies are only allowed to report the number of national security requests in ranges, per rules set out by the Justice Department.

The company also published two FBI national security letters, or NSLs, from 2019, which the company petitioned to make public. These letters are subpoenas issued by the FBI with no judicial oversight and often with a gag order preventing the company from disclosing their existence. Since the introduction of the Freedom Act in 2015, the FBI has been required to periodically review the gag orders and lift them when they are no longer deemed necessary.

Apple also said it received 54 requests from governments to remove 258 apps from its app store. China filed the vast majority of requests.


Amazon says police demands for customer data have gone up

Amazon has said the number of demands for user data made by U.S. federal and local law enforcement was higher during the first half of 2020 than during the same period a year earlier.

The disclosure came in the company’s latest transparency report, published Thursday.

The figures show that Amazon received 23% more subpoenas and search warrants, and a 29% increase in court orders compared to the first half of 2019. That includes data collected from its Amazon.com retail storefront, Amazon Echo devices and its Kindle and Fire tablets.

Breaking those figures down, Amazon said it received:

  • 2,416 subpoenas, turning over all or partial user data in 70% of cases;
  • 543 search warrants, turning over all or partial user data in 79% of cases;
  • 146 court orders, turning over all or partial user data in 74% of cases.

The number of requests to the company’s cloud services, Amazon Web Services, also went up compared to a year earlier.

But it’s not clear what caused the rise in U.S. government demands for user data. A spokesperson for Amazon did respond to a request for comment.

But the company saw the number of overseas requests drop by about one-third compared to the same period a year earlier. Amazon rejected 92% of the 177 overseas requests it received, turning over partial user data in 10 cases and all requested data in four cases.

Amazon also said it received between 0 and 249 national security requests, flat from previous reports. Justice Department rules on disclosing classified requests only allow companies to respond in numerical ranges.

Amazon was one of the last major tech companies to issue a transparency report, despite mounting pressure from privacy advocates. But its report remains far lighter on details compared to its Silicon Valley rivals.

The company’s Ring smart camera division, despite facing criticism for its poor security practices and its close relationships with law enforcement, has yet to release any data related to police requests for user data.
