Tech companies are hand-in-hand cooperating to let the US government perform on-going monitoring of people, or at least their data. Right? Probably not. They are probably doing something very different, providing data when legally compelled to on a case-by-case basis. Understanding these two things is helpful to avoid some of the PRISM hysterics going on right now.
The PRISM Monitoring System
Around this time Thursday, the Washington Post and the Guardian had made the case that major tech companies were involved in a PRISM program that, to quote the whistleblower who provided the information, allows the NSA to “quite literally can watch your ideas form as you type.”
Scary stuff, especially for US citizens who expect that the Fourth Amendment of the US Constitution protects them somehow from this type of invasive search. But chances are, it’s not happening because Google, Facebook, Apple, Microsoft, Yahoo, AOL and, oh yeah, PalTalk are feeding the NSA a real-time stream of data.
No, I think the Washington Post and the Guardian are confused. One key aspect of this is the reports describe that the FBI might need to be a intermediary for requests. Another is talk of being dependent on “ISP provisioning.” Plus, most of the companies are coming out and doing flat denials of “direct access” to their servers.
I know, I know. Carefully chosen words to get around the fact that as it turns out, they’re building copies of all their data on servers technically run by the NSA, so there’s no direct access, so direct access can be denied!
No, I don’t think that’s the case either, though the latest revelations from the New York Times might cause some to believe this. I think what the New York Times describes is something entirely different than monitoring. It’s an system for answering requests. That’s much different, and it’s a distinction that should be noted.
Constant Monitoring Vs. Requests For Information
Monitoring is where you’re watching someone all the time. The cops are doing a stakeout. You’re being monitored. Your phone is bugged. Your mail is being opened. It’s generally an invasion of privacy, and in the US, we are supposed to allow only under very specific legal guidelines.
Requests do not involve constant monitoring. Instead, they are when there’s specific data that authorities want, and they go through legal channels to get it. Some monitoring may require a request. That phone can’t legally be bugged without a court order.
The PRISM system described on Thursday is one where there seems to be constant monitoring going on, monitoring that probably doesn’t involve the named tech companies. I think they’re coming up in those PRISM slides because of the completely separate requests that might go out from PRISM. Someone at PRISM counts them as part of the system, even if they feed in through a non-real time way.
The First Rule Of FISA Club Is Don’t Talk About FISA Club
When those requests are made, the companies themselves might not even know they are part of PRISM. All they know is that they received Foreign Intelligence Surveillance Act request, a request so secret that they can’t even say they have gotten them. Seriously, ask Google if they’ve received any FISA requests or if they can talk about it at all, and you’ll get this carefully crafted statement, as I did:
Due to US legal constraints we don’t discuss any legal requests issued under the national security laws, including provisions in the Foreign Intelligence Surveillance Act (FISA). The exception: We were able to add general data about the number of National Security Letters we receive to our Transparency Report in March after discussions with U.S. government officials.
When they get the requests, by law, they have to comply. And the system the New York Times describes seems to be about responding to those requests securely, on a case-by-case basis.
We Don’t Monitor!
That’s not monitoring. In fact, it’s so different from monitoring that if you headed a tech company, as Larry Page and Mark Zuckerberg do, you might be as clearly outraged as they were to be accused of it, assuming you’re not actually doing it.
Unfortunately, while being outraged, you probably were unable to talk about that whole secret request delivery system, one that perhaps you know is causing some of the confusion. You might feel the FISA provisions prevent discussing that.
That is indeed unfortunate, if this was the case. The denials have been so forceful on the one hand, over the very serious charge of monitoring, that not mentioning (or not being able to mention) the much-more reasonable secure delivery system suddenly throws those denials into question.
That’s my take. I don’t think, from all I’ve read and tried to investigate, that the tech companies named are part of a PRISM system that allows for real-time monitoring, at the very least not the most forceful objectors. I sure hope not, especially with the denials.
I do think they all get FISA requests and that they do have secure delivery systems to answer those. I could be off on any of this, of course. This is a story that gaining new details every few hours.
First Amendment Vs. FISA
As for the FISA requests, I tend to agree with what Mike Arrington wrote today:
What has these people, among the wealthiest on the planet, so scared that they find themselves engaging in these verbal gymnastics to avoid telling a simple truth?
The idea that a company can’t even say that it receives a FISA request or that it has a system to answer those seems absurd. Aside from Fourth Amendment rights being tested, perhaps it’s a good test for the First Amendment right of freedom of speech. A reminder of the First:
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.
I’m not a constitutional lawyer, nor am I potentially on the hot seat for talking about a FISA request. It’s easy to write; harder to do. But perhaps a tech company speaking even generically about the FISA orders they clearly hate having to stay silent about would be a great First Amendment challenge.
How can you petition the government for a redress of grievances if you’re not allowed by the government to speak about what those are?
Postscript: In a third denial, Google has said it has no “drop box” delivery system. See: Google: Government Has No Back Door, Front Door Or Side Door To Our Data.
Postscript 2: The US government itself is now out with a denial: US Gov’t: PRISM Isn’t Data Mining System, Doesn’t Pull Data Off Servers.