03/23/2015

There's something unique about Amazon (the “e-tail” giant, not the river): of all American Internet companies listed on the Fortune 500, it's the only one that still hasn't bothered releasing any transparency reports discussing how many user-data demands it's received from the U.S. government.

Transparency reports are a fact of life in the modern United States. Ever since whistle-blower Edward Snowden's revelations regarding NSA surveillance of American citizens, it's been common knowledge that the government engages in mass warrantless surveillance of electronic communications, and furthermore that the communications companies are legally obligated to go along with this.

The government also has the power to impose “gag orders” that make it illegal for companies to admit they're being forced to spy upon their own customers.

So most tech companies (though not Amazon) responded by producing and releasing periodic transparency reports disclosing – within legal censorship limits – what information they can about their spy activities.

Just last week, for example, Facebook released its most recent transparency report, which noted that “we continue to see an increase in government requests for data and content restrictions,” including 14,274 different requests for data from “United States Law Enforcement,” and a number somewhere between 0 and 999 “United States National Security Requests for Data.”

Vagueness required

Why was Facebook so very precise regarding its requests from “law enforcement” – specifying 14,274 rather than “over 14,000,” “nearly 14,300” or some other mathematically acceptable rounding-off – yet so uselessly vague regarding “National Security Requests”?

Because vagueness is required by law, as Facebook explained in its report: “The chart below reflects the ranges for National Security Letters (NSLs) received during the reporting period and the ranges for all accounts specified in the requests. We are limited to reporting this data in bands of 1000.”

Other companies hide “warrant canaries” in their transparency reports to hint at their legally mandated spy activities. A warrant canary is a statement meant to show that an organization, such as a tech company or even a public library, has not been forced to comply with a secret government investigation coupled with a gag order. And if the warrant canary disappears, that suggests the opposite.

Thus, if a company puts out one transparency report containing a phrase such as “The government has never ordered us to spy on anybody,” and then the next transparency report lacks that sentence – perhaps that company has been forced to spy and forbidden to admit it.

The canary died?

Last September, when Apple released its third transparency report, sharp-eyed privacy advocates noticed the absence of a suspected warrant-canary phrase which had appeared in the first two reports: “Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.”

Other companies attempt to fight the surveillance laws in other ways. Last October, Twitter sued the U.S. government on First Amendment grounds, basically arguing that government-imposed gag orders violated the company's right to free speech.

One month before Twitter filed this suit, Yahoo won what was then hailed as a “major court victory” – specifically, it won an American court's permission to admit to Americans that starting in 2008, the government ordered Yahoo to turn over massive amounts of confidential data on its users, and if Yahoo didn't comply, the company would initially be fined $250,000 per day, with the amount set to double every week: $500,000 per day for the second week, $1 million a day for the third, then $2 million, then $4 million … enough to bankrupt the company in a matter of months.

Yahoo was forced to do this for six years before it was even granted legal permission to admit what it was forced to do, or the crippling financial penalties it faced if it did not comply.

Hit a wall

This is the context in which Amazon stands out for its lack of transparency. Earlier this month Christopher Soghoian, a tech-privacy advocate who is also the ACLU's Principal Technologist, spoke at a Seattle Town Hall conference on the theme “Reining in Our Surveillance Society.”

During the question-and-answer period, audience members asked him about Amazon's policies, and Soghoian said that he routinely chats with attorneys “at all the big tech companies” with the exception of Amazon. “I’ve hit a wall with Amazon,” he said. “It’s just really difficult to reach people there.”

Amazon has had this reputation for a long time. Back in July 2012, for example, the Puget Sound Business Journal kicked off a story about then-current tech-company privacy policies by noting “No surprise to media reporters — Amazon is among the least transparent companies in the world.”

But why is Amazon so opaque? Is it because the company makes so much money off government spying programs (such as the $600 million deal Amazon made to provide cloud-computing services for the CIA)?

Not likely. As Zack Whittaker pointed out in an analysis for ZDNet, such speculation simply “doesn't add up.” Thing is, many major American tech companies have major money-making contracts with various agencies and departments of the U.S. government, yet manage to produce transparency reports anyway:

Microsoft has contracts with various governments to provide Windows and Office software. Google offers a range of open-source and cloud-based services to the government, and Apple provides iPhones and iPads to government and military users, thanks to earning various certifications.

Those three companies – Microsoft, Google and Apple – all earned six out of a possible six stars from the Electronic Frontier Foundation's 2014 “Who Has Your Back?” report, which ranks how effective companies are at “Protecting Your Data From Government Requests.”

One little star

By contrast, Amazon only got two stars: one star because it “requires a warrant for content” and another because it “fights for users' privacy rights in courts.” EFF's four other star-categories are “tells users about government data requests,” “publishes transparency reports,” “publishes law enforcement guidelines” and “fights for users' privacy rights in Congress.”

Despite their various government contracts, Microsoft, Google and Apple nonetheless earned stars in all six of EFF's categories (as did Credo Mobile, Dropbox, Facebook, Sonic.Net, Twitter and Yahoo).

Although Amazon got its start as a retailer, in recent years it's branched out to cover far more than retail goods: it also offers e-readers, cloud computing and the Silk browser – all sources of consumer data far more personal than merely knowing what you bought and how much you paid for it.

As Whittaker suggested: “If Amazon is getting into Microsoft and Google territory with the amount of data it has, it should be expected to be just as transparent. At very least, it should be held to the same standard by consumers.”