At Lookout we care deeply about our users who entrust us to secure their mobile devices and safeguard the personal information they keep. One of our core tenets is, “We’ve got your back,” which is a guiding principle that inspires every aspect of our culture, especially how we think about user privacy.
We believe privacy is essential for our users to have a truly secure mobile experience, which is why protecting our users’ privacy is perhaps the most important responsibility we have. We spend a lot of time thinking about how we can better protect our users through our own privacy practices. We also support coalitions like the Digital Due Process Coalition to advocate for the reform of legal standards to enhance privacy protections for our users. But that’s not enough. Being transparent with users around our privacy practices generally (and government requests specifically) is just as important to us as defending their privacy.
In 2013, we provided our first transparency report to provide meaningful insight into the government request landscape for Lookout. We wanted our users to have greater visibility about the types of law enforcement requests that we receive from the government about our users and have included metrics that show the types of requests that we receive, our response rate, and the frequency of non-disclosure orders in such requests.
We hope our transparency report will leave you empowered knowing that Lookout has your back.
*As of the date of this report, Lookout has not received a national security order and we have not been required by a FISA court to keep any secrets that are not in this transparency report.
Federal includes requests from federal law enforcement agencies such as the Federal Bureau of Investigation, Department of Homeland Security, and Department of Justice.
State includes requests from U.S.-based state and local law enforcement authorities (e.g. New York City Police Department).
Types of Domestic Legal Process
From January to December 2015, we received 14 requests for user information and we produced account data in response to 21% of these requests.
From January to June 2016, we received 3 requests for user information and we produced account data in response to 33% of these requests.
From January to December 2015, 21% of account information requests were accompanied by non-disclosure orders, meaning that a court legally prohibited us from notifying our users about the request. From January to June 2016, 0% of account information requests were accompanied by non-disclosure orders.
Is that an elephant in your data room?
There is no elephant in our data room as far as we can tell (and we look pretty hard). If there was, we wouldn’t ignore it. We have designed our products and architected our infrastructure to ensure there are no back doors to our systems. This privacy by design approach allows us to be the gatekeeper of the information we collect so that we can better scrutinize government requests and detect attempts to access user information.
What exactly is a government request?
For purposes of this report, it’s basically when a government asks us for user information. Governments often make requests of companies for things like a user’s account information to help their investigations. The majority of the requests we’ve received relate to criminal cases, like mobile phone theft, or when a mobile phone is used in connection with a crime. Most times, they’re looking for basic subscriber information, such as a mobile phone number or email address. If you want learn more about the data we collect and what we do with it, check out our privacy principles and practices here.
So when do you respond to a government request?
Government requests can be formal or informal, but we don't just give out user information anytime a government calls us up. All requests have to be lawful and supported by official documents. We require a subpoena, court order, or other valid legal process before providing information about users. And we'll give users a heads-up before giving that information, unless we can’t by law or if doing so could create a risk of injury or death (you know, the really serious scary stuff). We have strict guidelines in place to deal with all government requests. You can check them out here.
Does this report really show every government request you’ve ever received?
That’s all of them. This report contains every request for user data we received over the past six years.
Will you release reports like this in the future?
Maintaining a high level of transparency around government requests is critical to preserving the trust users have in us, and we believe it’s also the right thing to do. So you can count on having access to updated reports regularly in the future. That said, the form of our reporting could change from time to time just because we’re constantly experimenting with new ways to bring meaningful information about privacy to our users.
Hmm, I’m still curious. Where can I learn more?
You can read a lot more about our privacy principles and practices here.
Oh, and if you want to learn more about law enforcement requests generally, you should check out EFF’s Surveillance Self-Defense site: https://ssd.eff.org. There you can find out stuff like how the government can legally access your computer data and communications and what you can do to protect yourself.