On Feb. 6, 2018, Apple received a grand jury subpoena for the names and phone records connected to 109 email addresses and phone numbers. It was one of the more than 250 data requests that the company received on average from U.S. law enforcement each week at the time. An Apple paralegal complied and provided the information.
This year, a gag order on the subpoena expired. Apple said it alerted the people who were the subjects of the subpoena, just as it does with dozens of customers each day. But this request was out of the ordinary.
Without knowing it, Apple said, it had handed over the data of congressional staffers, their families and at least two members of Congress, including Rep. Adam Schiff, D-Calif., then the House Intelligence Committee’s ranking member and now its chair. It turned out the subpoena was part of a wide-ranging investigation by the Trump administration into leaks of classified information.
The revelations have now plunged Apple into the middle of a firestorm over the Trump administration’s efforts to find the sources of news stories, and the handling underscores the flood of law enforcement requests that tech companies increasingly contend with. The number of these requests has soared in recent years to thousands a week, putting Apple and other tech giants like Google and Microsoft in an uncomfortable position between law enforcement, the courts and the customers whose privacy they have promised to protect.
The companies regularly comply with the requests because they are legally required to do so. The subpoenas can be vague, so Apple, Google and others are often unclear on the nature or subject of an investigation. They can challenge some of subpoenas if they are too broad or if they relate to a corporate client. In the first six months of 2020, Apple challenged 238 demands from the government for its customers’ account data, or 4% of such requests.
As part of the same leak investigation by the Trump administration, Google fought a gag order this year on a subpoena to turn over data on the emails of four New York Times reporters. Google argued that its contract as The Times’ corporate email provider required it to inform the newspaper of any government requests for its emails, said Ted Boutrous, an outside lawyer for The Times.
But more frequently than not, the companies comply with law enforcement demands. And that underlines an awkward truth: As their products become more central to people’s lives, the world’s largest tech companies have become surveillance intermediaries and crucial partners to authorities, with the power to arbitrate which requests to honor and which to reject.
“There is definitely tension,” said Alan Z. Rozenshtein, an associate professor at the University of Minnesota’s law school and a former Justice Department lawyer. He said given the “insane amount of data these companies have” and how everyone has a smartphone, most law enforcement investigations “at some point involve these companies.”
On Friday, the Justice Department’s independent inspector general opened an investigation into the decision by federal prosecutors to secretly seize the data of House Democrats and reporters. Top Senate Democrats also demanded that the former attorneys general William Barr and Jeff Sessions testify before Congress about the leak investigations, specifically about the subpoena issued to Apple and another to Microsoft.
Fred Sainz, an Apple spokesman, said in a statement that the company regularly challenged government data requests and informed affected customers as soon as it legally could.
“In this case, the subpoena, which was issued by a federal grand jury and included a nondisclosure order signed by a federal magistrate judge, provided no information on the nature of the investigation and it would have been virtually impossible for Apple to understand the intent of the desired information without digging through users’ accounts,” he said. “Consistent with the request, Apple limited the information it provided to account subscriber information and did not provide any content such as emails or pictures.”
In a statement, Microsoft said it received a subpoena in 2017 related to a personal email account. It said it notified the customer after the gag order expired and learned that the person was a congressional staff member. “We will continue to aggressively seek reform that imposes reasonable limits on government secrecy in cases like this,” the company said.
Google declined to comment on whether it received a subpoena related to the investigation on the House Intelligence Committee.
The Justice Department has not commented publicly on Apple’s turning over House Intelligence Committee records. In congressional testimony this week, Attorney General Merrick Garland sidestepped criticism of the Trump administration’s decisions and said the seizure of records was made “under a set of policies that have existed for decades.”
In the Justice Department’s leak investigation, Apple and Microsoft turned over so-called metadata of people who worked in Congress, including phone records, device information, and addresses. It is not unusual for the Justice Department to subpoena such metadata, because the information can be used to establish whether someone had contact with a member of the media or whether the person’s work or home accounts were tied to anonymous accounts that were used to disseminate classified information.
Under the gag orders that authorities placed on the subpoenas, Apple and Microsoft also agreed to not tell those people whose information was being demanded. In Apple’s case, a yearlong gag order was renewed three separate times. That contrasted with Google, which resisted the gag order on a subpoena to turn over data on the four Times reporters.
The differing responses are largely explained by the different relationships the companies had with their customers in the case. Apple and Microsoft were ordered to hand over data related to individual accounts, while the subpoena to Google affected a corporate customer, which was governed by a contract. That contract gave Google a more specific basis on which to challenge the gag order, lawyers said.
The subpoena to Apple was also more opaque — it simply asked for information about a series of email addresses and phone numbers — and the company said it did not know it related to an investigation into Congress. For Google, it was clear that the Justice Department sought records from The Times because the email addresses were clearly those of Times reporters.
Google said it generally did not handle requests for customer information differently for individual accounts and corporate customers. But the company has a strong argument to redirect requests for data of corporate customers based on the Justice Department’s own recommendations.
In guidelines released in 2017, the Justice Department urged prosecutors to “seek data directly” from companies instead of going through a technology provider, unless doing so was impractical or would compromise the investigation. By going to Google to seize information about the reporters, the Justice Department sought to circumvent The Times. Google declined to say whether it used the Justice Department guidelines to fight the gag order.
Google said it produced some data in 83% of the nearly 40,000 requests for information from U.S. government agencies it received in the first half of 2020. By comparison, it produced some data in 39% of requests for information on 398 paying corporate customers of Google Cloud, including its email and web-hosting offerings, during the same time period.
Law enforcement requests for data from American tech companies have more than doubled in recent years. Facebook said it received nearly 123,000 data requests from the U.S. government last year, up from 37,000 in 2015.
Apple said that in the first half of 2020, it received an average of 400 requests a week for customer data from U.S. law enforcement, more than double the rate five years prior. The company’s compliance rate has remained roughly between 80% and 85% for years.
Authorities are also demanding information about more accounts in each request. In the first half of 2020, each U.S. government subpoena or warrant to Apple requested data for 11 accounts or devices on average, up from fewer than three accounts or devices in the first half of 2015, the company said.
Apple said that after the government began including more than 100 accounts in some subpoenas, as it did in the leak investigation in 2018, it asked law enforcement to limit requests to 25 accounts each. Police did not always comply, the company said.
Apple has often challenged subpoenas that included so many accounts because they were too broad, said a former senior lawyer for the company, who spoke on the condition of confidentiality. This person said that it would not have been surprising for Apple to challenge the 2018 Justice Department subpoena but that whether a request was challenged often depended on whether a paralegal handling the subpoena elevated it to more senior lawyers.