Did Tech Companies Have Checkout & Delivery System For Gov’t Access To Their Data?


Tech companies named in reports to be part of the NSA’s “PRISM” data gathering program have strongly denied participating in programs giving “direct access” to their servers. But the New York Times is now reporting this may be because they provided indirect ways for the system to at least selectively request and receive data, after legal review.

The New York Times story, Tech Companies, Bristling, Concede to Federal Surveillance Program, may give the impression that all the named companies were part of the PRISM system, for those who have been following the story. But it never names PRISM and how data would be delivered isn’t how PRISM has been described. It does, however, paint a picture of how the companies might be indirectly part of PRISM.

How PRISM Works: Real-Time Monitoring & Data Access

Before going further into the New York Times story, it makes sense to recap what most people probably think PRISM is so far. Based on reports from the Washington Post and the Guardian, PRISM:

  • Gave the National Security Agency, the NSA, “direct” access to data at Apple, AOL, Facebook, Google, Microsoft, PalTalk and Yahoo
  • The was data “collection directly from the servers” from servers run by these companies
  • Data would include things like email, search history, video and voice chat, photos and voice calls
  • Data was gained with “assistance of communication providers in the US”
  • The FBI was an intermediary for requests
  • Access to the data was “100% dependent on ISP provisioning”
  • Data is only provided when there’s a 51% confidence in “foreignness,” that a target is not a US citizen
  • “They quite literally can watch your ideas form as you type,” said the unnamed whistleblower that leaked details

Those details paint a overall picture of the NSA being able to see everything that happens on these companies’ servers, in real-time, and pull whatever they want from those servers. There are a few points that seem odd, such at the FBI as an intermediary.

What The New York Times Describes

What the New York Times describes is far different than the PRISM system outlined above. There’s no real-time monitoring of data. There’s no instant access to that data. It seems more like what I’d call a “checkout” system that could selectively feed data into the PRISM system.

The story says that all the companies have been negotiating with the US government over more efficient ways it could receive the data it wants, when it has a legal request for it. The story also says that “in some cases, they changed their computer systems” to do this.

It specifically names Facebook and Google having negotiations to build “separate, secure portals” where the government would place data requests — apparently on a one-off basis, and not as best I can tell from my read, by having any type of real-time access or comprehensive collection of everything.

All the companies, the story says, were asked to build this type of “locked mailbox” system but only Facebook is named as having built one. But the story also says that data is shared when “company lawyers have reviewed the FISA request according to company practice.”

How This Connects To PRISM

Bottom line — this feels more like a library check-out system rather than handing over the entire library. To continue that metaphor, the government was interested in suspicious “books” held in one of these companies’ libraries, it would have to go through a legal process to request those. If granted, then the companies had an more efficient way to deliver those books. It might send them via overnight mail, for example, rather than through a slower method.

What might cause the government to flag a suspicious book? That’s unclear. My guess is that perhaps the government might see something unusual data from real-time it data it has perhaps by tapping into ISPs or phone provides, as is done with AT&T, Verizon and Sprint. For example, maybe someone sends an email from the US using Google to a suspicious location in a non-US country, which is spotted because the email goes through a third-party ISP.

That might send up a red flag with PRISM. Then, PRISM might be used to put in a request to learn more about the actual email from Google, one that would be granted after a legal review and approval. The email wouldn’t just be instantly accessible.

How This Connects To The Denials

All the named companies still have to give the data. Even Twitter, called out in the story for not cooperating on building and easier delivery system, would have to give the data. It would be be less efficient for Twitter to respond to those requests, even though ultimately, it would.

None of them, as best I can tell from my read, seem to have made it possible for PRISM to “quite literally can watch your ideas form as you type,” one of the key points about PRISM.

It’s also quite possible that none of the companies know that the request system, if this is indeed what it is and how it works, is considered part of the PRISM system.

Still, if the latest revelation holds up, even if the companies aren’t knowingly active participants in PRISM, the denials seem carefully constructed to avoid mentioning the delivery system they are part of. Further, again if this all holds up, the companies probably had a pretty good idea how they might have gotten confused with or mixed in with the PRISM system.

That would make those denials, especially the latter two from Google and Facebook that plead for more transparency, almost worse. That’s because rather than really being transparent about what’s going on, they were calculated to hold back, rather than provide clarity.

Of course, it is true that the companies might be forbidden from talking about the delivery systems. If so, it feels like they could have figured out some way to say, “we’re not doing this, but there’s also that” better than was done.

Postscript: I heard from someone at one of the named companies who says they work on services that would be involved if PRISM really tapped into their company as described. They note providing a real-time stream of data to the NSA would generate bandwidth usage that would be noticed by hundreds of people in the company (so hard to keep secret). They also added that the systems the New York Times describes seem to be indeed a way they have for delivering data securely when they receive a legal request, since printing it out isn’t really an option. They also stressed no data is given out without a legal request, and there’s no “surveillance” going on.

Postscript 2: Two other pieces on technical details of how PRISM and the separate request system might work, one from Lauren Weinstein & one from ZDnet, are worth a read.

Postscript 3: PRISM, The Tech Companies & Monitoring Versus Requests is a fresh post from me that expands more on the difference in PRISM and what the system above likely provides.

Postscript 4: In a third denial, Google has said it has no “drop box” delivery system. See: Google: Government Has No Back Door, Front Door Or Side Door To Our Data. CNET also has an article with sources saying companies gave no direct access to the US government to their data and suggests the companies aren’t even using a government CALEA system to deliver data ordered for release by a case-by-case basis.

Related Topics: Channel: Consumer | Features & Analysis | Legal: PRISM | Legal: Privacy


About The Author: is Founding Editor of Marketing Land. He’s a widely cited authority on search marketing and internet marketing issues, who has covered the space since 1996. Danny also serves as Chief Content Officer for Third Door Media, which publishes Search Engine Land and produces the SMX: Search Marketing Expo conference series. He has a personal blog called Daggle (and keeps his disclosures page there). He can be found on Facebook, Google + and microblogs on Twitter as @dannysullivan.

Connect with the author via: Email | Twitter | Google+ | LinkedIn

Marketing Day:

Get the top marketing stories daily!  


Other ways to share:

Read before commenting! We welcome constructive comments and allow any that meet our common sense criteria. This means being respectful and polite to others. It means providing helpful information that contributes to a story or discussion. It means leaving links only that substantially add further to a discussion. Comments using foul language, being disrespectful to others or otherwise violating what we believe are common sense standards of discussion will be deleted. You can read more about our comments policy here.
  • apfwebs

    I should say, thank you very much for tracking all this (Danny?). I’ve been watching your every tweet and post.

  • http://www.seobegin.com/ safcblogger

    Danny, I get the gist of where you are coming from with regards to the companies and their tippy toe between brand protection and transparency.

    I also understand the need for the power to protect and the sharing of that info between trusted parties, I am sure it is not much more than (in my mind) keyword triggers & filters where the need rises.

  • beautyequipment

    You’re welcome.

Get Our News, Everywhere!

Daily Email:

Follow Marketing Land on Twitter @marketingland Like Marketing Land on Facebook Follow Marketing Land on Google+ Subscribe to Our Feed! Join our LinkedIn Group Check out our Tumblr! See us on Pinterest


Click to watch SMX conference video

Join us at one of our SMX or MarTech events:

United States


Australia & China

Learn more about: SMX | MarTech

Free Daily Marketing News!

Marketing Day is a once-per-day newsletter update - sign up below and get the news delivered to you!