Hide Techdirt is off for the long weekend! We'll be back with our regular posts tomorrow.

Washington Post Quietly Backtrcks On Claim That Tech Companies Knowingly Gave NSA Data, As Denials Get Stronger

from the hmmm dept

The Next Web is noting that the Washington Post has quietly backtracked on its original claim that tech companies “participated knowingly” in the PRISM spying program. And, at the same time, some of the denials appear to be getting stronger. Google’s CEO, Larry Page, posted a blog post with the interesting title, What the …?:

First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday.

Second, we provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process. Press reports that suggest that Google is providing open-ended access to our users’ data are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.

Mark Zuckberberg has now posted a similar denial to Facebook:

Facebook is not and has never been part of any program to give the US or any other government direct access to our servers. We have never received a blanket request or court order from any government agency asking for information or metadata in bulk, like the one Verizon reportedly received. And if we did, we would fight it aggressively. We hadn’t even heard of PRISM before yesterday.

When governments ask Facebook for data, we review each request carefully to make sure they always follow the correct processes and all applicable laws, and then only provide the information if is required by law. We will continue fighting aggressively to keep your information safe and secure.

Some have pointed out that these claims can still be read carefully to mean that other forms of data access potentially did happen, though some of the direct claims are pretty strong. It’s also noteworthy that Page and Zuckerberg seem to mimic each other’s word usage. Furthermore, it does seem odd that the President more or less confirmed the existence of the program, which all these tech companies are denying. Does that mean that something else is going on? Is the NSA doing this without letting the companies know? It’s certainly unclear at this point, but it’s going to come out eventually.

Filed Under: , , , , ,
Companies: facebook, google

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Washington Post Quietly Backtrcks On Claim That Tech Companies Knowingly Gave NSA Data, As Denials Get Stronger”

Subscribe: RSS Leave a comment
47 Comments
Anonymous Coward says:

How would a program this large have gone on for so long without ANYBODY in any of these companies noticing something was up. It just doesn’t seem feasible from a logical perspective that the US government was able to access and store all this data on a continual basis without ever screwing up and setting off some alarm bells.

anonymouse says:

Re: Re:

Seriously….a Small black box copying the data streams from Google servers or Facebook servers or even twitter is all that is needed, damn the sites would not even know they were being bled dry of all the details of their members.

That being said i am sure the NSA could easily get the internet businesses to install a few black boxes to grab data anywhere it is entered. I would not be surprised if every message sent via gmail was redirected to the nsa servers for backup and analysis.
And with having everyone involved sign a document declaring they would be charged with major crimes if they mentioned it to anyone i understand them standing up and claiming no such thing exists.

Androgynous Cowherd says:

What about...

…their ISPs and whoever they outsource the storage of their offsite backups to? Have they received any broad orders to allow traffic sniffing or to supply copies of data?

If it’s their ISPs, anyone using HTTPS Everywhere and https with google, facebook, and the like is not exposed through their use of those sites — unless the ISPs are running MITM attacks on HTTPS traffic, which would be a very big deal in its own right.

If it’s their backups, well, the government’s seeing pretty much everything, though maybe as it was a week or so ago.

Anonymous Coward says:

Re: What about...

I honestly don’t think that the NSA is doing a MITM attack live. Look at what is already out there with Mark Klein’s account of a passive splitter. It’s far less intrusive to download flows, and do crypto analysis on them then to try and insert yourself in the middle.

As far as Google, Facebook, etc, they have already stated that proper government subpoenas would be obeyed, and it’s well known that all information is archived. So by following these shitty laws that have been enacted, they can legally get the information without much trouble.

Anonymous Coward says:

Re: What about...

Couple of points, here:

Firstly, you’re assuming that the NSA hasn’t somehow compromised the SSL certificates for the various sites. If they somehow got hold of the private keys for the certificates, they’d be able to decrypt the traffic without needing to run MITM. Given the NSA’s brief, trying to covertly grab copies of major sites’ private SSL keys would seem like a logical and (relatively) easy step.

Secondly, if you look at the leaked powerpoint slides, you’ll notice that they talk about communications flowing “into and through” the US. To me, this suggests that they’re tapping the major network hubs, rather than the endpoint ISPs. Tapping into Google’s ISP would only get them traffic heading “into” Google; tapping all the dark fiber hubs would give them everything “into” and “through”. That’s a truly absurd amount of data to mine, but any implementation of PRISM would require sifting absurd amounts of data.

So, my guess is that they’re tapping the super-fast, massive routers in the backbone, rather than tapping into individual ISPs. It’s a huge amount of data, but it would be relatively easy to filter that data based on source/destination IP. If they’ve also compromised the SSL certificates, and I’m willing to bet that they have, they could then read everything sent to or from the compromised sites regardless of whether or not it used HTTPS. Done right, the companies they were tapping wouldn’t even know about it.

Anonymous Coward says:

Re: Re: What about...

Here’s the thing, they don’t even talk about costs. In order to do this surveillance, you are talking about top notch technology. I’m a network engineer, so I would say you would probably need a Cisco CRS-3 with 100Gbps modules, the modules themselves are about $70k, let alone the cost of the CRS-3, the servers to carry the load to separate traffic, and the amount of man hours spent to analyze and actually know how to set up the system.
http://www.costcentral.com/proddetail/Cisco_CRS_3_1_Port_100_Gigabit_Ethernet_Interface_Module/1X100GBE/11806624/
Divide that up to the amount of DCs that Mark Klein stated and we are talking probably billions of dollars, to catch the one in a billion transaction that occurs every second of which we can almost guarantee there will be stuffed missed.

Anonymous Anonymous Coward says:

Re: What about...

Does the government even use ISP’s? It seems to me they could reserve some IP addresses and connect directly themselves. Never having done this myself, I may be missing some equipment or ‘permissions’, but those are easily dealt with.

Imagine the ‘governments ISP’ being part of the cache and outing ***** Departments commo traffic, and that getting hacked to Wikileaks, or their replacement.

That is a possible unintended consequence that I foresee. These databases getting hacked, and all our stuff either just out there or, maybe worse, quietly and nefariously used (and I don’t mean by Google or any other legitimate company, however scummy some of them may be).

The government will learn, along with the rest of us, if you want it kept private, don’t put a network card, CD or DVD writer, or USP port, or Floppy drive, or Blue-tooth or whatever else I have forgotten in the computer.

Then turn it on only when necessary, and then only in a cave deep in the mountains, way outside of Cellphone range, wrapped in a tent of 30 layer heavy duty aluminum foil, with noise canceling equipment NOT tuned to the diesel generator, with all entrances and air ducts covered by covert teams of ex-special forces commandos from private contractors that don’t recognize the rule of law and have probable deniablilty, with your anti-intrusion waves emanating from the mountaintop…

:end thought stream

Anonymous Coward says:

It’s certainly unclear at this point, but it’s going to come out eventually.

Much of this information has been out for years, as this story from 2007 shows.

And just like when the floodgates were thrown wide back then, I doubt little will be done about it this time either because, like most other problems we face today, too many people will blame one party or another. Not enough people are willing to concede that BOTH parties are broken and corrupt at this point.

aldestrawk says:

Re: Re:

The NSA wears two hats: 1) to collect signal intelligence on foreign governments and individuals and 2) protecting the communications of US government, business, and citizens as well as general computer security stuff. For example, a secure linux version was developed by the NSA. Ostensibly, Google’s arrangement with the NSA was to help investigate the Aurora attack and help secure Google’s servers against further security breaches. Although, you never know if the NSA is keeping it’s other hat in their back pocket.

Anonymous Coward says:

Re: Re:

The CEO of Google, Eric Schmidt[sp?] gave Obama a butt load (or should I say a google load) of money during his campaign and received a nice cushy job with the government in exchange.
He became some top dog adviser on Science and Technology.

Pretty transparent to me when you look at things at face value.

Tom Williams says:

I call bullshit on Zuckerberg

because I have personally witnessed a state parole department employee logging into a custom facebook page where they could view private information from parolees accounts. The employee also searched for, identified, and inspected facebook accounts that were tied to parolees but which the parolees had hidden from them and which they had no prior knowledge of. I was told that Facebook has several ways of linking the unknown and often private accounts together (ip address, cookies, etc.) and that the parole department had full ability to search and access accounts based on that. The only restrictions placed on the parole department employees was that there was an audit trail and that they were forbidden to look at accounts other than those known, found, or suspected to be tied to their parolees. If state parole departments have this ability then I’m quite sure that state police departments and federal government agencies have it and perhaps more.

aldestrawk says:

Re: I call bullshit on Zuckerberg

That is interesting, but I don’t believe it extends, in general, to other law enforcement activities. Some parolees, no doubt, have agreed, as part of their parole, to have their social media accounts monitored. Neither IP address or cookies alone will identify an alternate account as belonging to the parolee, so they had better be pretty damn sure their not accessing the account of someone else. I would like to know the grimy details of how hidden account access takes place. Another troubling aspect is that friends of the parolee have lost some privacy here. This could be considered similar to the case where law enforcement has the right to search a car if one of the passengers, even a hitch hiker, is a parolee.

WP "held back quite a bit from this story"!!!!!!! says:

Re: the next web got it wrong

In this video interview with the Wash Post reporter, he says the Post self-censored “quite a bit” (i.e., a whole lot) of this story. The phrase “Tip of the Iceberg” was emphasized as well. The WP reporter also calls bullshit on the tech company spin, evasion, bob & weave, weasel dance, etc…

Anonymous Coward says:

If Congress had any balls...

…they would subpoena all of them. NSA staff, White House staff, tech company CEOs, CTOs, engineers, NOC operators, anybody and everybody with a plausible hand in this.

If any decline to appear: send armed federal marshalls after them and drag them into Congress, in chains.

The hearing should be fully open to the public. It should last as long as is necessary. (Congress isn’t really doing anything else useful, anyway.)

If any decline to answer questions, they should be found in contempt of Congress and locked in a cell until they answer or die.

The American people deserve to know, down to the last detail, exactly what’s going on here, who’s responsible, and whether what we used to call “our laws” have been broken.

Anonymous Coward says:

Give Full Access to the Public

The NSA should be required to turn over all data and control of PRISM to the public so that we will be able to see exactly what they did. It appears beyond a reasonable suspicion that they have broken the law. All information surrounding it should be used as evidence. The public should also be given access to all phone, email and internet usage records of congress, the executive branch and the courts in order to determine their involvement and to determine if laws were broken and rights were infringed upon.

Unless of course you do not believe in truth and freedom.

FM Hilton (profile) says:

Another batch of denials?

Sure, FB is not allowing the government to look at user information, nor is Google. They deny having given them access to user records.

They don’t have to. All the Government has to do is go on the net themselves, log into Google or FB and there is the data.

Then they can screen capture all of the relevant information and there you go!

Handy dandy way to deny plausibility.

Hey, if it works for potential or present employers, it should work for the NSA, right?

OldMugwump (profile) says:

Who are you going to believe?

I’m tempted to say “Who are you going to believe – Page and Zuckerberg or Obama and the NSA?”.

But this is an odd one. Altho the government obviously lies all the time, and tech CEOs usually don’t, what motive does the POTUS have for admitting that spying is going on, if it isn’t?

All I can think of is this – Obama really thinks the techs are cooperating, but they’re not. The NSA has infiltrated moles inside Yahoo, Google, etc. The moles are (illegally) supplying NSA with access. The NSA tells the executive branch that the techs are cooperating (per the leaked slides – tho it’s not true), in order to cover up the source of the intelligence.

If so – the leaked slides are falsely claiming to the “users” of the intelligence that the data comes from the techs – when in fact it comes from moles without the tech’s management’s knowledge.

Imagine you’re an infrastructure manager with Apple or Google – would you hire some bright young thing with A++ recommendations from their previous employer – the NSA? Sure you would…

If this is it, it’s a far bigger scandal than anything revealed so far.

weneedhelp - not signed in says:

BS artists

“First, we have not joined any program that would give the U.S. government” No mention of being compelled.

“Second, we provide user data to governments only in accordance with the law.” See above.

“Our legal team reviews each and every request” – And provided me with this “denial” speech.

“Any suggestion that Google is disclosing information about our users? Internet activity on such a scale is completely false. ” – We only gave them the records of 45 million. (Sticks out tongue)

Violated (profile) says:

Damage

All I read about this is damage control. Such claims of having the NSA root though all their data can be economically very damaging for the tech companies involved.

The US Administration likes to have a plan for every eventually so here they are running their mandated damage avoidance plan in a scheme that is extremely carefully worded to remain legally truthful without revealing anything about the real truth.

You may notice that nowhere in their denial do they demand that the FBI/NSA should explain themselves. So just imagine the worst option possible and remain extremely skeptical.

aikiwolfie (profile) says:

Who cares?

Personally I’m less worried about being spied on than I am of the knowledge that our governments don’t seem to be able to comprehend security.

Highly sensitive US military networks are apparently vulnerable to anybody with a few scrip-kiddie tools and in the UK our government can’t even keep social security records on laptops safe.

I mean my god the NSA just grabbed everybody’s data in a drag net to catch one or two people. Does anybody think Fox Mulder is going to be sitting there reading every single e-mail and web search? Uncaring emotionless computers will do all the grunt work.

Nobody cares you watch lesbian granny porn and pay for the privilege.

Now Google and other similar companies already track everything you do on-line. And they can’t even claim it’s in the interests of national security.

Suzanne Lainson (profile) says:

Re: Who cares?

Nobody cares you watch lesbian granny porn and pay for the privilege.

Same here. I’m not overly concerned about being caught in a dragnet because of what I do online or offline. Not only do I not do anything worth spying upon, I’m not worth the time and effort to catch me doing something.

What DOES concern me is replacing one type of concentration of power with another one. The goals of Google, Facebook, and Amazon seem to be to run as much of the world through their servers as possible. I don’t necessary view their power grabs as inherently better than NSA’s power grab. So I don’t buy the “Don’t trust the US government, but do trust us” pitch that seems to come from some business folks.

Basically what I see are a variety of institutions, both public and private, wanting to know everything about everyone — because the technology allows it. However, government operations can’t really do much with what most of us do day-to-day, while big companies CAN do something with (either sell us something or sell our data to someone). Therefore, the minutiae of my daily life is much more likely to come to the attention of companies like Google, Facebook, and Amazon than US security operations.

As I have been saying on Techdirt for quite awhile now, I anticipate that at some point the US government will privatize all security operations and whenever there is a political flap, it will let private companies take the heat. The private companies are already collecting the data and it would be easy enough for them to flag whatever any customer (in this case the US government) wants them to flag. Want to develop profiles of gun owners who will likely become mass murderers? Done. Want to profile airline passengers? Done.

Citizens are already been flagged by credit companies, insurance companies, real estate companies, etc. The government will likely buy that data for its own uses, too.

Maybe at some point there will more transparency on the part of both government and private companies, fully disclosing what they are collecting, what they are doing with that data, and who has access to it.

Suzanne Lainson (profile) says:

Re: Re: Who cares?

I’m getting caught up on my reading and just saw this.

Are coders worth it?: “We like to think that because we can code, we have unprecedented leverage over the world. We decide what 15 million people will see when they follow a link. Our laptops literally get hot from the electric action we command.”

I perceive that attitude a lot as I read the articles about what’s wrong with DC and how the tech companies know better. Yes, there’s a ton wrong with DC. But I don’t want one group of “we know best” to be replaced with another group of “we know best.”

The Silicon Valley/Davos/TED environment is more elitist, I believe, than the participants realize. And of course, the same thinking happened among previous generations. It’s not new, which is the point. It’s the same thinking among whoever controls the wealth and power at any given moment.

Whoever is hot shit at the moment thinks they know best. Then eventually they get displaced by something. But before they get displaced, they try to hang on to what they have in the same ways as each power generation tries to hang on.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...