On February 6, 2018, Apple received a grand jury subpoena for the names and phone details associated with 109 email addresses and phone numbers. It was one of more than 250 requests for data the company received an average of every week from US law enforcement at the time. An Apple lawyer complied and provided the information.
That year a gag order for a subpoena expired. Apple said it alerted those who were the subject of the summons, just as it does with dozens of customers every day.
But this request was unusual.
Without knowing it, Apple said it had handed over the data of the congress staff, their families, and at least two members of Congress, including Rep. Adam B. Schiff of California, then the top Democrat on the House of Representatives Committee on Intelligence and now chairman. The subpoena turned out to be part of an extensive investigation by the Trump administration into classified information leaks.
The revelations have now been in the middle of a firestorm over the Apple The Trump Administration’s Efforts to Find the Sources of News, and the handling underscores the deluge of law enforcement inquiries that technology companies are increasingly grappling with. The number of these inquiries has grown to thousands per week in recent years, placing Apple and other tech giants like Google and Microsoft in an awkward position between law enforcement, courts and the customers whose privacy they have promised to protect.
The companies regularly comply with the requests, as they are legally obliged to do so. The subpoenas can be vague, so Apple, Google, and others are often unclear about the nature or subject of an investigation. You can dispute some of the subpoenas if they are too broad or relate to a corporate client. In the first six months of 2020, Apple challenged 238 government requests for customer account information, or 4 percent of such requests.
As part of the same leak investigation by the Trump administration, Google fought against a gag order this year with a subpoena to surrender data the emails of four reporters from the New York Times. Google argued that its contract as the Times corporate email provider required it to notify the newspaper of all government inquiries for its emails, said Ted Boutrous, an outside Times attorney.
But for the most part, companies comply with law enforcement requirements. And that underscores an uncomfortable truth: as their products become increasingly important in people’s lives, the world’s largest tech companies have become surveillance brokers and key partners of government agencies, with the power to decide which applications to fulfill and which to reject.
“There is definitely tension,” said Alan Z. Rozenshtein, associate professor in the University of Minnesota law school and former Justice Department attorney. He said that given the “insane amount of data these companies have” and the fact that everyone has a smartphone, most law enforcement investigations “eventually enter these companies.”
On Friday the independent inspector general of the Ministry of Justice launched an investigation into the decision of the federal prosecutors to secretly seize the data of Democrats and reporters of the House of Representatives. Top Senate Democrats also called for former Attorney General William P. Barr and Jeff Sessions to testify in front of Congress about the leak investigations, specifically the subpoena to Apple and another to Microsoft.
Fred Sainz, an Apple spokesperson, said in a statement that the company regularly contests government data requests and informs affected customers as soon as it is legally possible.
“In this case, the subpoena, issued by a federal grand jury and containing a confidentiality order signed by a federal judge, did not provide information about the nature of the investigation and it would have been virtually impossible for Apple to understand the intent.” Information without digging through user accounts, ”he said. “In accordance with the request, Apple limited the information it provided to account subscriber information and not provided content such as emails or images.”
In a statement, Microsoft said it had received a summons to a personal email account in 2017. It said it notified the customer after the toggle arrangement expired and learned that the person was a member of Congress. “We will continue to aggressively seek reforms that set appropriate limits on state secrecy in such cases,” the company said.
Google did not want to comment on whether it received a subpoena in connection with the investigation by the House Intelligence Committee.
The Justice Department has not commented publicly on Apple releasing House Intelligence Committee records. In a testimony before Congress earlier this week, Attorney General Merrick B. Garland evaded criticism of the Trump administration’s decisions, saying the file seizure “followed a set of guidelines that have existed for decades.”
In the Justice Department’s leak investigation, Apple and Microsoft shared so-called metadata from people who worked in Congress, including phone records, device information and addresses. It is not uncommon for the Justice Department to subpoena such metadata, as the information can be used to determine whether someone has had contact with a media representative or whether their work or personal accounts were linked to anonymous accounts used to disseminate classified information.
As part of the gag order imposed by the authorities at the summons, Apple and Microsoft also agreed not to disclose anything to the people whose information was requested. In the case of Apple, a one-year toggle arrangement was extended three times. This was in contrast to Google, which defied the gag order of a subpoena to release data on the four Times reporters.
The different answers are essentially explained by the different relationships between the companies and their customers in this case. Apple and Microsoft were instructed to release data on individual accounts, while the subpoena to Google concerned a contracted corporate customer. That deal gave Google a more precise basis to challenge the gag order, lawyers said.
The subpoena to Apple was also more opaque – it only requested information on a range of email addresses and phone numbers – and the company said it had nothing to do with a Congressional investigation. It was clear to Google that the Justice Department wanted The Times to keep records because the email addresses were clearly those of Times reporters.
Google said customer information requests are generally not handled differently for individual accounts and corporate customers. However, the company has a strong case for redirecting requests for data from corporate clients based on the Justice Department’s own recommendations.
In guidelines published in 2017The Justice Department asked prosecutors to “obtain data directly from companies” instead of contacting a technology provider, unless doing so would be impractical or jeopardize the investigation. By reaching out to Google to confiscate information about the reporters, the Justice Department attempted to bypass the Times. Google didn’t want to say whether it used Justice Department guidelines to combat the gag order.
Google said it produced some data in 83 percent of the nearly 40,000 requests for information from US government agencies it received in the first half of 2020. By comparison, it provided some data on 398 paying corporate customers of Google Cloud in 39 percent of information requests, including its email and web hosting plans over the same period.
Law enforcement requests for data from American tech companies have more than doubled in recent years. Facebook said it received nearly 123,000 requests for data by the US government last year, down from 37,000 in 2015.
Apple said it received an average of 400 US law enforcement requests for customer data per week in the first half of 2020, more than twice as many as five years earlier. The company’s compliance rate has been between 80 and 85 percent for years.
In addition, the authorities require information on additional accounts in every request. In the first half of 2020, every U.S. government subpoena or arrest warrant to Apple requested an average of data for 11 accounts or devices, up from fewer than three accounts or devices in the first half of 2015, the company said.
Apple said that after the government began adding more than 100 accounts to some subpoenas, as it did with the leak investigation in 2018, law enforcement officials were asked to limit applications to 25 accounts at a time. The police did not always adhere to it, the company said.
Apple has often challenged subpoenas containing so many accounts because they were too broad, said a former senior attorney for the company, who spoke on condition of confidentiality. That person said it wouldn’t have been surprising to Apple to challenge the Justice Department subpoena in 2018, but whether or not an application is challenged often depends on a paralegal handling the subpoena elevating them to senior lawyers.
Charlie Savage Reporting contributed.