P11(a). Data about government demands for user information

Please make sure you have read the note on transparency reporting indicators before using this indicator.

The company should regularly publish data about government demands for user information.

Elements:

1. Does the company list the number of government demands it receives by country?
2. Does the company list the number of government demands it receives for stored user information and for real-time communications access?
3. Does the company list the number of accounts affected?
4. Does the company list whether a demand sought communications content or non-content or both?
5. Does the company identify the specific legal authority or type of legal process through which law enforcement and national security demands are made?
6. Does the company include government demands that come from court orders?
7. Does the company list the number of government demands it complied with, broken down by category of demand?
8. Does the company list what types of government demands it is prohibited by law from disclosing?
9. Does the company report this data at least once per year?
10. Can the data reported by the company be exported as a structured data file?

Content — The information contained in wire, oral, or electronic communications (e.g., a conversation that takes place over the phone or face-to-face, the text written and transmitted in an SMS or email).

Court orders – Orders issued by a court. They include court orders in criminal and civil cases.

Government demands — This includes demands from government ministries or agencies, law enforcement, and court orders in criminal and civil cases.

Non-content — Data about an instance of communication or about a user. Companies may use different terms to refer to this data, including metadata, basic subscriber information, non-content transactional data, account data, or customer information.

In the U.S., the Stored Communications Act defines non-content customer communications or records as, “name; address; local and long distance telephone connection records, or records of session times and durations; length of service (including start date) and types of service utilized; telephone or instrument number or other subscriber number or identity (including any temporarily assigned network address); and means and source of payment for such service (including any credit card or bank account number).” The European Union’s Handbook on European Data Protection Law states, “Confidentiality of electronic communications pertains not only to the content of a communication but also to traffic data, such as information about who communicated with whom, when and for how long, and location data, such as from where data were communicated.”

Real-time communications access — Surveillance of a conversation or other electronic communication in “real time” while the conversation is taking place, or interception of data at the very moment it is being transmitted. This is also sometimes called a “wiretap.” Consider the difference between a request for a wiretap and a request for stored data. A wiretap gives law enforcement authority to access future communications, while a request for stored data gives law enforcement access to records of communications that occurred in the past. The U.S. government can gain real-time communications access through the Wiretap Act and Pen Register Act, both part of the Electronic Communications Privacy Act (ECPA); the Russian government can do so through “System for Operative Investigative Activities” (SORM).

Structured data — “Data that resides in fixed fields within a record or file. Relational databases and spreadsheets are examples of structured data. Although data in XML files are not fixed in location like traditional database records, they are nevertheless structured, because the data are tagged and can be accurately identified.” Conversely, unstructured data is data that “does not reside in fixed locations. The term generally refers to free-form text, which is ubiquitous. Examples are word processing documents, PDF files, e-mail messages, blogs, Web pages and social sites.” Sources: PC Mag Encyclopedia: “structured data” http://www.pcmag.com/encyclopedia/term/52162/structured-data

“unstructured data” http://www.pcmag.com/encyclopedia/term/53486/unstructured-data

User information — Any data that is connected to an identifiable person, or may be connected to such a person by combining datasets or utilizing data-mining techniques. User information may be either collected or inferred. As further explanation, user information is any data that documents a user’s characteristics and/or activities. This information may or may not be tied to a specific user account. This information includes, but is not limited to, personal correspondence, user-generated content, account preferences and settings, log and access data, data about a user’s activities or preferences collected from third parties either through behavioral tracking or purchasing of data, and all forms of metadata. User information is never considered anonymous except when included solely as a basis to generate global measures (e.g. number of active monthly users). For example, the statement, ‘Our service has 1 million monthly active users,’ contains anonymous data, since it does not give enough information to know who those 1 million users are.

Indicator guidance: Companies frequently receive demands from governments to hand over user information. These demands can come from government agencies or courts (both domestic and foreign). We expect companies to regularly publish data about the number and type of such demands they receive, and the number of such demands with which they comply. Companies should disclose data about requests they receive by country, including from their home and foreign governments, as well as from law enforcement and courts. We also expect company disclosure to indicate the number of accounts affected by these demands and to delineate by category the demands with which the company has complied. We recognize that companies are sometimes not legally allowed to disclose demands for user information made by governments. However, in these cases, we expect companies to report what types of government demands they are not allowed to disclose by law. Companies should also report this data once a year and should ensure the data can be exported as a structured data file.

In some cases, the law might prevent a company from disclosing information referenced in this indicator. For example, we expect companies to publish exact numbers rather than ranges of numbers. We acknowledge that laws sometimes prevent companies from doing so, and researchers will document situations where this is the case. But a company will lose points if it fails to meet all elements. This represents a situation where the law causes companies to fall short of best practice, and we encourage companies to advocate for laws that enable them to fully respect users’ rights to freedom of expression and privacy.

• Company transparency report,
• Company law enforcement report
• Company sustainability report