Apple Shareholders Fight NSA Bulk Surveillance
Apple needs our help resisting intrusive bulk surveillance of its users by the NSA and other international spies.
A group of concerned shareholders is working with Apple to develop concrete ways to help. Collaborating with Restore the Fourth, we’ve submitted a draft shareholder proposal and have begun engaging with executives there amid a new Apple commitment to transparency.
We will address the board and shareholders at Apple’s February 2014 annual shareholder meeting. We’re preparing the final draft of our shareholder proposal, and we want your input.
I’m alerting my favorite Apple watchers, current or former employees, passionate users of its services, security nerds, etc. – and soliciting feedback on these ideas and support in this effort.
The final proposal, to be submitted in two weeks, must be under 500 words.
Last week Apple made a public vow to maximize its transparency about privacy in its services. For one, Apple sought to reveal aggregate numeric information about how Apple handles government information requests. Only the USA declined to fully cooperate.
Amid these revelations about specific Account Requests (with individual targets) and Device Requests (e.g. tracking of stolen devices) Apple hasn’t included data on widely reported US attempts at bulk and suspicionless surveillance of Apple networks, users’ data and metadata. But we’ve been able to learn more.
Last month Ladar Levison, founder of the encrypted email service Lavabit used by whistleblower Edward Snowden, was finally ungagged by US federal courts and able to reveal government tactics employed to secretly gain access to service providers’ private user data.
- FBI agents verbally demanded Levison deliver the digital SSL key that would provide access to his more than 400,000 users’ communication data, without a court order or warrant justifying the need for such a key, under threat of crippling fines and imprisonment
- Levison was gagged – forbidden to communicate about the demands under similar threats
- Levison was ordered to comply with a pen register trap order to install spying equipment on his network
Believing these requests to be unconstitutional violations of his customers’ privacy, Levison shut down the Lavabit service rather than betray his customers’ trust or be punished with imprisonment and growing fines. These facts, not revealed in detail until last month, provide a glimpse of how the US government deals with ISPs like Lavabit and iCloud.
In conversations with attorneys, Apple has been unable to reveal whether it has received FBI visits, bulk surveillance court orders, warrants, or pen register traps on any subset of its 350 million iCloud users. We don’t know conclusively whether Apple is under the kinds of threats and gag orders Lavabit received. But it is reasonable to assume it is cooperating with such government requests, whether executives consider them constitutional and legal or not.
Apple executives and employees may already be gagged hostages. We aim to free them.
If en masse, shareholders compel Apple to take reasonable precautions to protect its users – such as revoking SSL keys and other digital certificates that may have been compromised by intruders – it’s not clear any government can prevent Apple from doing it.
More important, if Apple is truly committed to its users’ privacy and trust, it needn’t wait for shareholders to compel it. Like any bank whose credit card database has been compromised, Apple has a duty to protect its customers from intruders, and faces potential criminal liability if it is complicit, negligent, or otherwise fails to do so.
Thus we are pursuing this to protect against threats to our beneficial investments in Apple.
Apple can, TODAY, begin revoking SSL keys, update its IT procedures, and take other steps to improve users’ privacy, amid evident ongoing attempts to compromise its network.
Here’s a segment from the previous shareholder proposal draft, which helped recruit Apple executives’ cooperation:
Diminished trust inevitably slows the adoption of core Apple data services like iCloud and product features like Touch ID, for example. Specifically, users have no way to know which vows about Touch ID data made by Apple today may be reversed in the enforcement of a secret court order or National Security Letter tomorrow.
Failing to acknowledge and address these realities can cause the company serious ongoing financial harm, particularly in international markets. Instead, by addressing these issues forthrightly Apple can win back the trust of customers, provide leadership, offer competitive advantages, and strengthen the entire industry — as Apple has done before.
A week later we were contacted by Apple attorneys and Apple’s new transparency and privacy initiative was launched.