An enormous amount has already been written about the National Security Agency’s (NSA’s) “domestic spying” since The Guardian’s initial revelations about the secret collection of telco company records just a couple of days ago. That was followed 24 hours later by even more explosive revelations from The Washington Post of supposedly direct NSA access to the servers of major US Internet companies such as Apple, Google, Yahoo and Facebook.
Almost all the companies named in top-secret slides exposed by The Washington Post have issued strong denials — in the case of Google, multiple denials — of the allegation that the government has direct and unfettered server access. See for example:
- Google: Government Has No Back Door, Front Door Or Side Door To Our Data
- Evolution Of The PRISM Denials: This May Be Why They Seem So Similar
However, several people, including Danny Sullivan, have pointed out that the denials contain similar language suggesting that they don’t tell the whole story. The US acknowledged the existence of the PRISM surveillance program but argued the program has Congressional and judicial oversight, doesn’t target Americans and that all data sought and monitored are legally obtained under the Foreign Intelligence Surveillance Act (FISA).
Ironically, FISA was enacted in 1978 by Congress to curb abuses tied to domestic spying on Americans in the 1960s and 1970s. It was intended to protect Americans from illegal domestic surveillance.
But, shortly after 9/11, then President Bush authorized the NSA to pursue warrantless wiretapping inside the US. The subsequent revelation of warrantless spying on Americans by the Bush Administration caused a scandal and triggered myriad lawsuits against the US telcos that participated.
Telcos and ISPs have since been immunized against liability by Congress (it’s not clear whether that immunity would extend to Google, Apple and Facebook). FISA has been expanded and amended several times since 1978. In effect, it has been broadened and its various Constitutional safeguards and restrictions loosened.
In 2008, then Senator Barak Obama said the following about a controversial FISA reauthorization bill he supported, which included telco immunity:
It grants retroactive immunity to telecommunications companies that may have violated the law by cooperating with the Bush administration’s program of warrantless wiretapping. This potentially weakens the deterrent effect of the law and removes an important tool for the American people to demand accountability for past abuses. That’s why I support striking Title II from the bill, and will work with Chris Dodd, Jeff Bingaman and others in an effort to remove this provision in the Senate.
The ACLU takes the position that the 2008 FISA reauthorization is unconstitutional.
Under FISA, any surveillance within the US is supposed to be approved by a special FISA court. However, FISA courts operate in secret.
NSA requests for data (with FISA authorization) are then submitted to telcos, ISPs or Internet companies. The providers nearly always comply with them — though Google has recently resisted them. There are also emergency exceptions to the procedure, where electronic surveillance can be pursued prior to the obtaining of a FISA court authorization.
General criticism of the FISA process is two-fold: it occurs in secret and rarely do FISA courts deny government requests. Indeed, many critics have called the FISA request approval process perfunctory.
It’s clear that the various Internet companies have cooperated and turned over data to the US under NSA-FISA requests, but have they provided broader access? The questions that remain in this case are the following:
- Can the strongly worded denials of Google, Apple, Facebook and the others be reconciled with the top-secret slides that argue the agency has “direct server access”?
- Is the government’s characterization of “directly from the server” access wrong or are the tech company executives simply lying?
- What is the scope of NSA surveillance and/or data gathering regarding US citizens’ communications, notwithstanding US denials of domestic spying.
In response to reports from CNET that argued the US did not gain server-level access to Internet company data, The Guardian released the following additional slide (number 4) from the 41-slide presentation it has obtained (along with The Washington Post) from an internal NSA whistleblower.
I had been compiling articles and piecing together a FISA/NSA domestic surveillance timeline, but the Electronic Frontier Foundation has done a more complete and comprehensive version, dating back to 2000 and earlier.
Significantly, the NSA issued a report in 2000 about the transition from 20th Century threats and information gathering to the 21st Century with its emerging digital demands and infrastructure. Below is an excerpt from that document (.pdf):
Note the final line (from 2000): “To perform both its offensive and defensive missions, NSA must ‘live on the network.’”
Postscript: Yahoo has added its denial to the chorus of denials of direct or unrestricted NSA access to Internet company servers.
- US Gov’t: PRISM Isn’t Data Mining System, Doesn’t Pull Data Off Servers
- Scope of Alleged Spying On Americans’ Internet Activity Massive, “Beyond Orwellian”
- Google, Apple, Facebook & AOL Deny Participating In Alleged NSA “PRISM” Program
- Google & Facebook To Users: We’re Not Part Of PRISM & Government Needs More Transparency
- Imaginary Letter: Google CEO Larry Page Writes Congress, Asks “What’s Up With PRISM?”
- Did Tech Companies Have Checkout & Delivery System For Gov’t Access To Their Data?
- PRISM, The Tech Companies & Monitoring Versus Requests
- Google In Secret Legal Battle With Feds Over Consumer Data