We've been hearing more about outraged Congressional Representatives and Senators concerning NSA surveillance, with Rand Paul announcing that he's going to file a "class action lawsuit" against the administration, and Rep. Justin Amash suggesting something similar. While I appreciate the gesture, it seems like since those two (and others) are in Congress, their time might be better spent seeing what they can do to fix things from there. The lawsuits are going to flow, that seems fairly certain. But we'd already seen Senators and Representatives who tried to alert the world to what was going on prior to the leaks, so why don't Amash, Paul and the others team up and fix things the way they can: by using the legislature to rein in an intelligence community that is out of control, in large part because of permission Congress gave them.

It really was just a few months ago that the Supreme Court rejected a lawsuit filed by the ACLU, seeking to find the FISA Amendments Act unconstitutional. This is part of the law that is so key to the NSA's surveillance strategy, part of which was revealed over the past few days. The key problem for the Supreme Court was that the plaintiffs didn't have standing, because it was "too speculative" to suggest that the government had monitored their communications. Specifically, the court said that the injury must be "certainly impending." From the ruling:

Yet respondents have no actual knowledge of the Government’s §1881a targeting practices. Instead, respondents merely speculate and make assumptions about whether their communications with their foreign contacts will be acquired under §1881a. .... “The party invoking federal jurisdiction bears the burden of establishing” standing—and, at the summary judgment stage, such a party “can no longer rest on . . . ‘mere allegations,’ but must ‘set forth’ by affidavit or other evidence ‘specific facts.’”.... Respondents, however, have set forth no specific facts demonstrating that the communications of their foreign contacts will be targeted. Moreover, because §1881a at most authorizes—but does not mandate or direct—the surveillance that respondents fear, respondents’ allegations are necessarily conjectural. .... Simply put, respondents can only speculate as to how the Attorney General and the Director of National Intelligence will exercise their discretion in determining which communications to target.

The court also points out that since the FISA Court could block such an attempt, the plaintiffs would also need to show that the FISC authorized the surveillance.

...even if respondents could show that the Government will seek the Foreign Intelligence Surveillance Court’s authorization to acquire the communications of respondents’ foreign contacts under §1881a, respondents can only speculate as to whether that court will authorize such surveillance

Right. So, given the now leaked documents showing that the FISA Court ordered the data on all phone calls from Verizon, and the further admission from multiple Senators that this program has been happening continuously since at least 2007, perhaps someone should be filing a lawsuit (if they haven't already), and using the latest leaks as proof of standing...

About a year ago, after a lot of pressure from Senator Ron Wyden, the government finally admitted (late on a Friday) that, yes, indeed some of its surveillance efforts had been found unconstitutional for violating the 4th Amendment. But they didn't explain what, nor did they reveal the FISA court ruling which made that assessment. Since that time, the EFF has been fighting the government to get it to reveal the ruling. The DOJ refused to release it following a Freedom of Information Act (FOIA) request, and later said that even if it wanted to, it can't release the document, because only the FISA Court (FISC) could release it. But, in an earlier ruling in a different case filed by the ACLU seeking to reveal a FISC ruling, FISC had said that FISC couldn't reveal it, and the ACLU needed to seek the document from the DOJ. In other words, both the DOJ and FISC are pointing fingers at each other, saying that only the other one can reveal the document. In response, the EFF has asked for confirmation from FISC that if a district court rules against the DOJ and tells it to release the document, that FISC will actually do so.

Now, the DOJ is fighting back with the most circular and ridiculous logic imaginable:

In its response filed with the FISC today, the government offers a circular argument, asserting that only the Executive Branch can de-classify the opinion, but that it is somehow prohibited by the FISC rules from doing so.

The government’s argument is guaranteed to make heads spin. DOJ earlier argued that it lacks discretion to release the FISC opinion without the FISC's consent, but DOJ now argues that if the FISC were to agree with EFF, “the consequence would be that the Government could release the opinion or any portion of it in its discretion.” But FISC material is classified solely because the Executive Branch demands that it be, so release of the opinion has always been a matter of Executive discretion.

Frankly, it’s difficult to understand what DOJ is saying. The Government seems to have a knee-jerk inclination towards secrecy, one that often – as in this case – simply defies logic. The government's bottom line is this: their rules trump the public's statutory rights. But it's not the province of the Executive branch to determine which rights citizens get to assert.

Basically, the finger pointing continues. However, considering the increasing concern about vast government surveillance, it certainly seems like the government should start looking into being a hell of a lot more transparent, and it could start by giving up this game and releasing that FISC ruling.

Late on Friday, the NY Times released the most detailed explanation to date of the PRISM system that was revealed on Thursday, claiming that nine of the biggest tech and internet companies were working with the NSA to give them "direct access" to servers. The explanation explains how both the original story was substantially true, as were the "denials," though the denials were (as predicted) a bit of doublespeak. Today, the Guardian revealed another slide from the presentation it has, which clarifies some more details.

Basically, it appears those companies all agreed to make it easier for the NSA to access data that was required to be handed over under an approved FISA Court warrant, and they appear to do this by setting up their own servers where they put that information (and just that information). From the NY Times report:

But instead of adding a back door to their servers, the companies were essentially asked to erect a locked mailbox and give the government the key, people briefed on the negotiations said. Facebook, for instance, built such a system for requesting and sharing the information, they said.

The data shared in these ways, the people said, is shared after company lawyers have reviewed the FISA request according to company practice. It is not sent automatically or in bulk, and the government does not have full access to company servers. Instead, they said, it is a more secure and efficient way to hand over the data.

This is significantly less worrisome than the original Washington Post report, which suggested full real-time access to all servers. That's not quite what has happened, according to this report. This involves cases where the companies really do need to hand over this information. We can disagree with whether or not the FISA Court should issue these warrants, but at some point there may be information that the companies do need to hand over to the government. As for the Guardian, they published the following slide: As you can see, it notes multiple programs where they can get data. The programs on top are the ones such as the NSA servers installed at telcos to collect all traffic running through them, which have been revealed before. The program on the bottom is PRISM, which clearly states: "collection directly from the servers of these U.S. Service Providers," followed by the already known list. That certainly confirms the "direct access" claim from the original WaPo report, but it could also be true in conjunction with the NY Times report, if you look at it as the companies setting up special servers where they place information they're ordered to hand over via FISA court orders. The "denials" from the companies are also substantially true, as they mean that the NSA isn't getting direct access to all their servers, but rather the ones set up for handing over this information.

The real question should be about what information the FISA Court is approving warrants over:

FISA orders can range from inquiries about specific people to a broad sweep for intelligence, like logs of certain search terms, lawyers who work with the orders said. There were 1,856 such requests last year, an increase of 6 percent from the year before.

In one recent instance, the National Security Agency sent an agent to a tech company’s headquarters to monitor a suspect in a cyberattack, a lawyer representing the company said. The agent installed government-developed software on the company’s server and remained at the site for several weeks to download data to an agency laptop.

In other instances, the lawyer said, the agency seeks real-time transmission of data, which companies send digitally.

Note just how broad some of those searches may be. Staying around for weeks to download logs? We're not talking about narrowly focused searches here.

Of course, what's now also come out is that, despite Google and Microsoft releasing transparency reports about government requests for data, they don't include FISA requests because of the gag orders on them. It's only recently that both Google and Microsoft were able to include "range" numbers for how many national security letter requests they get. One hopes they're pushing to be transparent on FISA requests as well.

The article makes it clear that Twitter was alone among the companies in refusing to join this program. That does not mean that Twitter does not hand over data to the government when receiving a legitimate FISA order. I'm sure it does. But it does mean that they have not set up a special system to make it easy for the government to just log in and get the data requested. Some people have suggested that the government has little need for Twitter to join the program since nearly all Twitter information is public, but that's not true. There is still plenty of important information that might be hidden, including IP addresses, email addresses, location information and direct messages that the NSA would likely want. Besides, YouTube is a part of the program, and most of its data is similarly "public."

This is not, by the way, the first time that we've seen Twitter stand up and fight for a user's rights against a government request for data. Over two years ago, we pointed out that Twitter, alone among tech companies, fought back when a court ordered it to hand over user info. Twitter sought, and eventually got, permission to tell the user, and allow that user to try to fight back. It later came out that, as part of that same investigation, the government also had requested information from Google and Sonic.net, with Sonic.net fighting back and losing. It never became clear whether Google fought back.

Separately, however, Chris Soghoian has noted that an "unnamed company" fought back and lost against a FISA court order... and that, according to the PowerPoint presentation, Google "joined" PRISM just a few months later. It is possible that Google fought joining the program, and then only did so after losing in court. That said, Google's most recent denial insists that "the government does not have access to Google servers—not directly, or via a back door, or a so-called drop box." Perhaps they don't consider a special server set up for lawfully required information a "drop box," but others certainly might.

In the end, it appears that the initial Washington Post report was overblown in that it suggested direct access to all servers, rather than specific servers, set up to provide information that was required. That said, it is still true that the FISA Court appears to issue a fair number of secret orders for information from a variety of technology companies, some of them quite broad, and that many of the biggest tech companies have set up systems to make it easier to give the NSA/FBI and others access to that info -- though, they are often required by law to provide that information. The real outrage remains that all of this is happening in complete secrecy, where there is little real oversight to stop this from being abused. As we noted just a few weeks ago, the FISA Court has become a rubber stamp, rejecting no requests at all in the past two years.

Given the revelations of the past week, the public (and our representatives) need to demand much more transparency and oversight concerning these surveillance programs.

News that the NSA has unfettered access to most of the leading Internet services inevitably has an international dimension. After all, Microsoft, Yahoo!, Google and the rest of the Naughty Nine all operate around the world, so spying on their users means spying on people everywhere. Indeed, as Mike explained earlier today, the NSA is actually trying to quell criticism by selling this news as something that purely concerns non-Americans (although that's clearly rubbish.)

Despite that fact, the European Commission's Home Affairs department made the following reply to the journalist David Meyer when he asked them for a statement of the latest revelations:

We do not have any comments. This is an internal U.S. matter.

It was only later that it realized this was a ridiculous position, and issued the following statement:

We have seen the media reports and we are of course concerned for possible consequences on EU citizens' privacy. For the moment it is too early to draw any conclusion or to comment further. We will get in contact with our U.S. counterparts to seek more details on these issues.

That dismissive initial comment followed by the rather feeble backtracking suggests that the European politicians have not yet realized how big a problem this is going to be for them, as well as for the US authorities. For example, The Guardian has confirmed today that the UK has been tapping into Prism for a while:

The UK's electronic eavesdropping and security agency, GCHQ, has been secretly gathering intelligence from the world's biggest internet companies through a covertly run operation set up by America's top spy agency, documents obtained by the Guardian reveal.

Specifically:

It says the British agency generated 197 intelligence reports from Prism in the year to May 2012 -- marking a 137% increase in the number of reports generated from the year before. Intelligence reports from GCHQ are normally passed to MI5 and MI6.

Already, one Labour MP, Tom Watson, has said that he will table questions in the House of Commons next week, and it seems likely that others will be demanding to know how much the UK government knew of this pervasive spying activity, what information it received -- and what it gave in return.

Another European asking questions is Peter Schaar, Germany's federal commissioner for data protection, who told David Meyer the following:

Given the large number of German users of Google, Facebook, Apple or Microsoft services, I expect the German government... is committed to clarification and limitation of surveillance.

He then went on to make an important connection:

In addition, the reports illustrate the importance of strengthening the European data protection law. The dilatory attitude of the EU Interior and Justice Ministers towards the Privacy Policy reform package is a completely wrong signal.

As Techdirt has reported, new data protection rules currently being discussed by the European Union have come under fierce attack by US companies, who want them watered down. For the most part, they were succeeding, but it's possible that the revelations that the very same companies who have lobbied so hard to neuter EU regulations have allowed the NSA to access customer data may start to tip the balance the other way.

Some want to go further than simply strengthening data protection in Europe. The European privacy advocate, Alexander Hanff, is calling for the US's "safe harbor" status to be revoked. Here's why that matters:

The European Commission's Directive on Data Protection went into effect in October of 1998, and would prohibit the transfer of personal data to non-European Union countries that do not meet the European Union (EU) "adequacy" standard for privacy protection. While the United States and the EU share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the EU.

In order to bridge these differences in approach and provide a streamlined means for U.S. organizations to comply with the Directive, the U.S. Department of Commerce in consultation with the European Commission developed a "Safe Harbor" framework and this website to provide the information an organization would need to evaluate -- and then join -- the U.S.-EU Safe Harbor program.

Without Safe Harbor status, no US company would be allowed to transfer personal data about Europeans out of the EU. It's unlikely that the European Commission would contemplate such a drastic move, but it's an indication of how high feelings are starting to run -- and this is only a few hours after the NSA story broke.

Mind you, however bad the situation is in Europe, President Obama can take comfort from the fact that it could be worse:

Peng Liyuan, the wife of Chinese leader Xi Jinping, appears to have an iPhone. And now, according to reports, US intelligence agencies may be spying on iPhone users through a secret data harvesting program. Does that mean there’s a possibility that the US is spying on the private messages of China’s first lady?

If confirmed, I don't think that's going to go down too well with the Chinese government...

Follow me @glynmoody on Twitter or identi.ca, and on Google+

The Next Web is noting that the Washington Post has quietly backtracked on its original claim that tech companies "participated knowingly" in the PRISM spying program. And, at the same time, some of the denials appear to be getting stronger. Google's CEO, Larry Page, posted a blog post with the interesting title, What the ...?:

First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday.

Second, we provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process. Press reports that suggest that Google is providing open-ended access to our users’ data are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.

Mark Zuckberberg has now posted a similar denial to Facebook:

Facebook is not and has never been part of any program to give the US or any other government direct access to our servers. We have never received a blanket request or court order from any government agency asking for information or metadata in bulk, like the one Verizon reportedly received. And if we did, we would fight it aggressively. We hadn't even heard of PRISM before yesterday.

When governments ask Facebook for data, we review each request carefully to make sure they always follow the correct processes and all applicable laws, and then only provide the information if is required by law. We will continue fighting aggressively to keep your information safe and secure.

Some have pointed out that these claims can still be read carefully to mean that other forms of data access potentially did happen, though some of the direct claims are pretty strong. It's also noteworthy that Page and Zuckerberg seem to mimic each other's word usage. Furthermore, it does seem odd that the President more or less confirmed the existence of the program, which all these tech companies are denying. Does that mean that something else is going on? Is the NSA doing this without letting the companies know? It's certainly unclear at this point, but it's going to come out eventually.

President Obama's incredibly weak response to the revelations this week of widespread data collection of pretty much everything by the NSA is to say that he "welcomes" the debate. But, of course, he hasn't actually welcomed the debate at all, because people have tried to bring that debate to him for years, and he's brushed them off:

When it comes to surveillance, Obama has as president shown no sign of really wanting to have a robust debate. For years, Sens. Ron Wyden (D-Ore.), Mark Udall (D-Colo.) and former Sen. Russ Feingold (D-Wis.) have been pleading with the administration to disclose more information about call-tracking tactics that they suggested would shock many Americans.

The administration largely rebuffed those calls. Only after the leak Wednesday of a four-page “top secret” court order indicating that millions of Americans’ phone calls were tracked on a daily basis did officials begin to confirm the program’s details.

But Obama could have chosen at any time to disclose the data-sifting program, or even its rough outlines. That fact leaves critics unimpressed with his latest round of let’s-talk-it-over.

In other words, he's not "welcoming" the debate at all. The debate is happening with or without him, and when he had the chance to "welcome" the debate, he didn't. Now, it appears, he's trying to appear willing "to talk" about something that's now gone way beyond the stage where "welcoming the debate" is sufficient.

If anything, his helps explain why over-aggressive secrecy is such a stupid government policy. If they had been open about this and there had been public discussions earlier, and people were free to express their concerns, and the government could explain its position, then the discussion would have been different, and more interesting. But having all this information denied by government officials for years, only to come out via a leak just looks so much worse.

Update: So around the time this post went up, President Obama actually spoke directly about all of this. He focused on a non-issue, however: about how they're not listening to everyone's phone calls. Except that was clear from the beginning. It was always said that it was just the data -- but it's a hell of a lot of data: who you called, when you called, how long you spoke to them. That's data that most people feel should be private. After that, he said this:

Now, with respect to the Internet and emails, this does not apply to U.S. citizens, and it does not apply to people living in the United States. And again, in this instance, not only is Congress fully apprised of it, but what is also true is that the FISA Court has to authorize it.

But that's not entirely accurate, since it seems pretty clear that there was access to data that included US citizens, so long as the claim was that the investigation (not necessarily any of the parties) targeted non-US persons.

He repeatedly points out that Congress and the FISA Court have repeatedly known and authorized all of this -- which could be read as throwing Congress a bit under the bus (not that they don't deserve it):

So in summary, what you’ve got is two programs that were originally authorized by Congress, have been repeatedly authorized by Congress. Bipartisan majorities have approved them. Congress is continually briefed on how these are conducted. There are a whole range of safeguards involved. And federal judges are overseeing the entire program throughout. And we’re also setting up — we’ve also set up an audit process when I came into office to make sure that we’re, after the fact, making absolutely certain that all the safeguards are being properly observed.

But that doesn't help. It just raises more questions about who Congress really represents, and whether or not "the public" is included.

The President does suggest that he might be open to reconsidering some of this, but also explains why he failed to live up to his promise to stop warrantless wiretapping:

But I think it’s important for everybody to understand, and I think the American people understand, that there are some trade-offs involved. You know, I came in with a healthy skepticism about these programs. My team evaluated them. We scrubbed them thoroughly. We actually expanded some of the oversight, increased some of the safeguards. But my assessment and my team’s assessment was that they help us prevent terrorist attacks. And the modest encroachments on privacy that are involved in getting phone numbers or duration without a name attached and not looking at content — that on, you know, net, it was worth us doing.

That’s — some other folks may have a different assessment of that. But I think it’s important to recognize that you can’t have a hundred percent security and also then have a hundred percent privacy and zero inconvenience. You know, we’re going to have to make some choices as a society.

He was also asked how he felt about it being leaked, and said he wasn't happy about it, given that it was secret for a reason -- but then uses the opportunity to throw Congress under the bus again:

That’s why these things are classified.

But that’s also why we’ve set up congressional oversight. These are the folks you all vote for as your representative in Congress, and they’re being fully briefed on these programs.

And if in fact there was — there were abuses taking place, presumably, those members of Congress could raise those issues very aggressively. They’re empowered to do so.

Congress: your ball.

One of the points we've made throughout this discussion on the revelations around widespread NSA surveillance is that if you had been paying attention, none of this should have come as a surprise. It's just the confirmation of the exact issues that people raised. In 2007, when Congress passed the "Protect America Act," some people quickly pointed out that it massively expanded warrantless surveillance with little oversight:

But the hastily-enacted legislation, dubbed the Protect America Act, does more than permit the interception of foreign-to-foreign communications. It permits warrantless surveillance "directed at a person reasonably believed to be located outside of the United States." There is no language specifically restricting surveillance activities to communications originating outside of the United States.

And then, a year later, we got the FISA Amendments Act (FAA), which raised more concerns:

In passing the FISA Amendments Act, Congress gave the executive branch the power to order Google, AT&T and Yahoo to forward to the government all e-mails, phone calls and text messages where one party to the conversation is thought to be overseas. President Bush signed the bill into law Thursday morning, describing it as a bill that "protect[s] the liberties of our citizens while maintaining the vital flow of intelligence."

Of course, last year, the FAA was up for renewal and we spent a lot of time discussing how folks in the House and the Senate (1) pretended that it only applied to foreign calls (when it clearly did not) and then (2) ignored Senators Wyden and Udall, who repeatedly made it clear that the law was being abused in this way, and asked others in Congress to demand a full and public accountability.

And, of course, the nefariousness here is not a partisan issue. Both of the laws above were signed by President Bush, and while President Obama campaigned on the fact that he would end such practices, we can safely say that that never happened.

So, while it's good that people are now realizing just how widespread the spying is, perhaps next time, when the same group of folks raise the alarm at these bills, they shouldn't be ignored or brushed off to the side as "oh you guys again..."

We've already talked about James Clapper, the Director of National Intelligence choosing weasel words to pretend they're saying that they weren't spying on Americans when they really were, and now some are arguing that the tech companies are doing the same exact thing. All of the tech companies listed have been denying their involvement, but again, the words are being chosen carefully, and there's a reasonable argument that they're denying certain specific claims while really side-stepping the bigger issue.

Comparing denials from tech companies, a clear pattern emerges: Apple denied ever hearing of the program and notes they “do not provide any government agency with direct access to our servers and any agency requesting customer data must get a court order;” Facebook claimed they “do not provide any government organisation with direct access to Facebook servers;” Google said it “does not have a ‘back door’ for the government to access private user data”; And Yahoo said they “do not provide the government with direct access to our servers, systems, or network.” Most also note that they only release user information as the law compels them to.

But the PRISM program’s reported access to data and the now repeatedly confirmed widespread access to phone records and other types of digital data appears to be almost exactly what the 2008 Protect America Act (PAA) allows Foreign Intelligence Surveillance Act (FISA) courts to compel tech companies to do — as many warned around the time of its passage. If tech companies are not providing direct access to their servers but are cooperating with the PRISM program, that leaves at least one other option: Companies are providing intelligence agencies with copies of their data.

Note the fine distinction. Giving the NSA a clone of their data wouldn't be giving them "access to our servers." It would be giving copies to the NSA... and then the NSA could "access" its own servers. And you were wondering why the NSA needed so much space in Utah. If they're basically running a replica of every major big tech company datacenter, it suddenly makes a bit more sense. Of course, at this point there's no evidence that this is necessarily the case -- and some are insisting that the denials are legit, and that the Washington Post's story is not entirely accurate. But... the wording here is extra careful, and the government's report really does seem to indicate that these companies are deeply involved.

By the way, if you'd like to dig in on annotating the various tech companies' denials, someone put them all up at RapGenius, the site for annotating text (not just rap songs).

So we already wrote a bit about how Director of National Intelligence James Clapper was using weasel words or outright lying, in trying to insist that the NSA wasn't actually gathering up data on pretty much every American. However, his statements go even further into the ridiculous. In his initial statement, even the title is combative:

DNI Statement on Recent Unauthorized Disclosures of Classified Information

Notice the focus is not on the unauthorized disclosure of widespread NSA surveillance, but rather "disclosure of classified information." So he's already priming the pump for the "real" villain: the press who are reporting on this.

The unauthorized disclosure of a top secret U.S. court document threatens potentially long-lasting and irreversible harm to our ability to identify and respond to the many threats facing our nation.

We've heard that before, and it's ridiculous on multiple levels. First, most would-be terrorists are likely to assume that the government is monitoring all of this stuff anyway, because there have been plenty of hints in the past. So, it's not really that likely that this sudden "revelation" is going to lead some massive change in how bad people communicate. But, more importantly, even if monitoring certain terrorists was so key to dealing with threats, that still doesn't matter. The DNI's job is not "stop threats by any means necessary." Because that's crazy. While it might help government respond to illegal activity, that doesn't mean that we give up our 4th Amendment rights, nor does it mean we need such broad, all-encompassing orders. Such things could easily have been done using a specific, targeted warrant, seeking information on a specific individual. That is, they could have done targeting which would have been useful, but they chose not to, and instead demanded all data.

But, of course, he doubles down at the end on how awful it is that people are talking about this (not that the NSA has access to so much data on everybody):

Discussing programs like this publicly will have an impact on the behavior of our adversaries and make it more difficult for us to understand their intentions.

Basically "hey everybody, shut up and stop confirming what everyone knew already: that the US spied on lots and lots of stuff." Also, this appears to be a government official telling everyone to not exercise their 1st Amendment rights to complain about the NSA violating their 4th Amendment rights. The Constitution is crying in the corner.