Massive corporate databases become government tools of surveillance

Illstration of the surveillance represented by user data requests.

The number of data requests the US government sent to Google has increased 510% since 2010. US government requests to Facebook have also increased 364% since the beginning of 2013. The databases of private companies are increasingly being used to monitor individuals with little transparency into the process.

In 2013, when Edward Snowden revealed the National Security Agency was conducting dragnet, mass surveillance, he forced the public to refocus on how to protect the right to privacy. These revelations inspired the founders of ProtonMail to begin thinking about how people could privately communicate with each other. 

Two years later, the US Congress passed the Freedom Act, which stopped the NSA’s bulk collection of private data. Data collection can only be performed against individual suspects with the approval of the secretive FISA court. However, the bulk collection of private data still happens; only now it is carried out by private corporations like Google, Facebook, and Internet service providers.  

This article will examine how mass data collection by corporations has enabled the governments around the world to continue spying on individuals and how this type of surveillance has increased over the past several years.

Once data is collected, it can be shared

It’s hard to conceive of how much data corporations have. Google handles over 83,000 searches and Instagram (owned by Facebook) users upload 994 photos — per second. Each of these actions leaves a record, and it does not take long for these companies to build very comprehensive and detailed user profiles. That same year, a journalist from The Guardian used the GDPR to request his personal data from Google and Facebook. He received the equivalent of 3 million Word documents from Google and 400,000 Word documents from Facebook. These companies analyze all this information and use it to target you with ads. 

It is possible to limit the amount of data corporations collect and delete the information they already have. We have made a guide to help you manage your privacy on Google. However, if you do not take the time to adjust your privacy settings and delete your data, these corporations have troves of personal information to share with national governments.

The number of government data requests is increasing

While US law prevents the NSA from performing bulk data collection, corporations like Google and Facebook face few restrictions on gathering data on their users. So, to get the data it wants, the NSA simply goes to these companies with user data requests. Under the Freedom Act, if the US government can convince a judge in the FISA court that an investigation pertains to national security, then they can request that a company share whatever data it has on an individual. And requests that are delivered via a national security letter do not need a judge’s approval, not even from the FISA court. This secretive system gives the government access to the reams of personal information these companies collect with little transparency or public oversight.

Companies can refuse or argue that the request should be more narrowly interpreted, but then they face costly legal action. Google began charging governments a fee for processing such  data requests, a move that some claim will help winnow out frivolous or unnecessary requests. That being said, the majority of user data requests are respected. Facebook has shared information in response to a user data request roughly 74% of the time, and that percentage has remained steady since 2017.

This success rate has led more and more governments to use online platforms as their data collection services. Between the first half of 2013 and the end of 2019, the number of data requests made by governments worldwide to Facebook, Google, Twitter, and Yahoo has increased by roughly 320%.

Line graph showing the increase in user data requests from around the world from 2013 to 2019.

Unsurprisingly, given the weak privacy protections offered by the FISA courts, the United States sent the most data requests to private companies in 2019. In fact, the US made more data requests (168,000) to Facebook, Google, Twitter, and Yahoo than the rest of the countries that make up the 14 Eyes intelligence-sharing agreement combined. (These statistics do not include the user data requests sent to Twitter and Yahoo for the second half of 2019, as they have not yet shared this data.)

Bar graph depicting the number of user data requests made by each country in the 14 eyes intelligence sharing agreement.

The two companies that receive the most requests, by far, are Google and Facebook. It is not a coincidence that these are also the two companies that collect the most data from their users. In 2019 alone, Google received 157,435 user data requests worldwide and Facebook received 269,492. 

Bar graph depicting the number of user data requests Google and Facebook have received.

Because of the secrecy surrounding the FISA court proceedings, it is hard to say what the US government is doing with the data they collect. Most requests come with a gag order, which prevents companies from informing their users if their information has been requested by the government. 

ProtonMail: a safe place for your messages

This demonstrates the profound impact the tools you use online have on your privacy. But there are safe alternatives that protect your privacy. ProtonMail is based in Switzerland, which is not a member of the 14 Eyes agreement. We cannot act on a data request until it has been approved by the appropriate Swiss authority. We keep a full record of the data requests we receive in our Transparency Report

If we receive an approved request from the Swiss authorities, we are bound by Swiss law to share what information we have. However, even if we wanted to, we cannot access the content of your messages because we use end-to-end encryption and zero access encryption. This is also why we minimize the amount of data we require to set up an account and allow our users to use anonymous payment options

Proton’s mission is privacy. Because we see your data as something to protect, not profit off of, we cannot and will not become a tool that helps governments spy on you.

You can get a free secure email account from ProtonMail here.

We also provide a free VPN service to protect your privacy. ProtonMail and ProtonVPN are funded by community contributions. If you would like to support our development efforts, you can upgrade to a paid plan. Thank you for your support.

About the Author

Richie Koch

Prior to joining Proton, Richie spent several years working on tech solutions in the developing world. He joined the Proton team to advance the rights of online privacy and freedom.

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

2 comments on “Massive corporate databases become government tools of surveillance

  • The United States cannot use a national security letter to get whatever it wants from a private company. A national security letter only allows the United States to get metadata, where you don’t have a reasonable expectation of privacy, from a national security warrant, which is actually a type of government subpoena. If the United States wants the content of the communication associated with the metadata and any other information where a person has a reasonable expectation of privacy, then a national security letter isn’t sufficient. That requires a warrant, such as a FISA warrant or a probable cause warrant.

    Now, it is true that metadata can often supply the United States with the basis for requesting a warrant for search, seizure, or monitoring or surveillance. And the circumstances when a person has a reasonable expectation of privacy in what information are often a matter of legal debate for the discretion of the court. But national security letter alone cannot reach the content of communications, where a person has a reasonable expectation of privacy in that communication, for that right is a personal constitutional right that the Fourth Amendment of the U.S. Const. grants and protects, and which can only be changed by amending the U.S. Constitution.

    Reply
  • I do not contest the point that a NSA letter is insufficient for obtaining contents of communications between parties because I do not know about that.

    However, reporting from PBS Frontline, NYT, WaPost, as well as Edward Snowden have repeatedly shown that FISA courts operate in an almost opaque capacity and often serve as little more than rubber-stamp bodies. While the blog post may not identify the specific mechanisms, the overall post supports the conclusion that the biggest tech firms today have a seeming tacit understanding of sharing user data with government agencies.

    Isn’t that why we are cheering for projects like ProtonMail to succeed?

    Reply