Tech companies named in reports to be part of the NSA’s “PRISM” data gathering program have strongly denied participating in programs giving “direct access” to their servers. But the New York Times is now reporting this may be because they provided indirect ways for the system to at least selectively request and receive data, after legal review.
The New York Times story, “Tech Companies, Bristling, Concede to Federal Surveillance Program,” may give the impression, for those who have been following the story, that all the named companies were part of the PRISM system. But it never names PRISM, and the way it says data would be delivered isn’t how PRISM has been described. It does, however, paint a picture of how the companies might be indirectly part of PRISM.
How PRISM Works: Real-Time Monitoring & Data Access
- Gave the National Security Agency, the NSA, “direct” access to data at Apple, AOL, Facebook, Google, Microsoft, PalTalk and Yahoo
- There was data “collection directly from the servers” run by these companies
- Data would include things like email, search history, video and voice chat, photos and voice calls
- Data was gained with “assistance of communication providers in the US”
- The FBI was an intermediary for requests
- Access to the data was “100% dependent on ISP provisioning”
- Data is only provided when there’s a 51% confidence in “foreignness,” that a target is not a US citizen
- “They quite literally can watch your ideas form as you type,” said the unnamed whistleblower that leaked details
Those details paint an overall picture of the NSA being able to see everything that happens on these companies’ servers, in real-time, and pull whatever they want from those servers. There are a few points that seem odd, such as the FBI as an intermediary.
What The New York Times Describes
What the New York Times describes is far different than the PRISM system outlined above. There’s no real-time monitoring of data. There’s no instant access to that data. It seems more like what I’d call a “checkout” system that could selectively feed data into the PRISM system.
The story says that all the companies have been negotiating with the US government over more efficient ways it could receive the data it wants, when it has a legal request for it. The story also says that “in some cases, they changed their computer systems” to do this.
It specifically names Facebook and Google as having negotiations to build “separate, secure portals” where the government would place data requests — apparently on a one-off basis, and not, as best I can tell from my read, by having any type of real-time access or comprehensive collection of everything.
All the companies, the story says, were asked to build this type of “locked mailbox” system but only Facebook is named as having built one. But the story also says that data is shared when “company lawyers have reviewed the FISA request according to company practice.”
How This Connects To PRISM
Bottom line — this feels more like a library check-out system rather than handing over the entire library. To continue that metaphor, if the government was interested in suspicious “books” held in one of these companies’ libraries, it would have to go through a legal process to request those. If granted, then the companies had a more efficient way to deliver those books. It might send them via overnight mail, for example, rather than through a slower method.
What might cause the government to flag a suspicious book? That’s unclear. My guess is that perhaps the government might see something unusual in real-time data it has, perhaps by tapping into ISPs or phone providers, as is done with AT&T, Verizon and Sprint. For example, maybe someone sends an email from the US using Google to a suspicious location in a non-US country, which is spotted because the email goes through a third-party ISP.
That might send up a red flag with PRISM. Then, PRISM might be used to put in a request to learn more about the actual email from Google, one that would be granted after a legal review and approval. The email wouldn’t just be instantly accessible.
How This Connects To The Denials
All the named companies still have to give the data. Even Twitter, called out in the story for not cooperating on building an easier delivery system, would have to give the data. It would be less efficient for Twitter to respond to those requests, even though ultimately, it would.
None of them, as best I can tell from my read, seem to have made it possible for PRISM to “quite literally can watch your ideas form as you type,” one of the key points about PRISM.
It’s also quite possible that none of the companies know that the request system, if this is indeed what it is and how it works, is considered part of the PRISM system.
Still, if the latest revelation holds up, even if the companies aren’t knowingly active participants in PRISM, the denials seem carefully constructed to avoid mentioning the delivery system they are part of. Further, again if this all holds up, the companies probably had a pretty good idea how they might have gotten confused with or mixed in with the PRISM system.
That would make those denials, especially the latter two from Google and Facebook that plead for more transparency, almost worse. That’s because rather than really being transparent about what’s going on, they were calculated to hold back, rather than provide clarity.
Of course, it is true that the companies might be forbidden from talking about the delivery systems. If so, it feels like they could have figured out some way to say, “we’re not doing this, but there’s also that” better than was done.
Postscript: I heard from someone at one of the named companies who says they work on services that would be involved if PRISM really tapped into their company as described. They note providing a real-time stream of data to the NSA would generate bandwidth usage that would be noticed by hundreds of people in the company (so hard to keep secret). They also added that the systems the New York Times describes seem to be indeed a way they have for delivering data securely when they receive a legal request, since printing it out isn’t really an option. They also stressed no data is given out without a legal request, and there’s no “surveillance” going on.
Postscript 3: PRISM, The Tech Companies & Monitoring Versus Requests is a fresh post from me that expands more on the difference between PRISM and what the system above likely provides.
Postscript 4: In a third denial, Google has said it has no “drop box” delivery system. See: Google: Government Has No Back Door, Front Door Or Side Door To Our Data. CNET also has an article with sources saying companies gave the US government no direct access to their data and suggests the companies aren’t even using a government CALEA system to deliver data ordered for release on a case-by-case basis.