Late on Friday, the NY Times released the most detailed explanation to date of the PRISM
system that was revealed on Thursday, claiming that nine of the biggest tech and internet companies were working with the NSA to give them "direct access" to servers. The explanation explains how both the original story was substantially true, as were the "denials," though the denials were (as predicted) a bit of doublespeak. Today, the Guardian revealed another slide
from the presentation it has, which clarifies some more details.
Basically, it appears those companies all agreed to make it easier
for the NSA to access data that was required to be handed over under an approved FISA Court warrant, and they appear to do this by setting up their own servers where they put that information (and just that information). From the NY Times report:
But instead of adding a back door to their servers, the companies were essentially asked to erect a locked mailbox and give the government the key, people briefed on the negotiations said. Facebook, for instance, built such a system for requesting and sharing the information, they said.
The data shared in these ways, the people said, is shared after company lawyers have reviewed the FISA request according to company practice. It is not sent automatically or in bulk, and the government does not have full access to company servers. Instead, they said, it is a more secure and efficient way to hand over the data.
This is significantly less worrisome than the original Washington Post report, which suggested full real-time access to all servers. That's not quite what has happened, according to this report. This involves cases where the companies really do need to hand over this information. We can disagree with whether or not the FISA Court should issue these warrants, but at some point there may be information that the companies do need to hand over to the government. As for the Guardian, they published the following slide:
As you can see, it notes multiple programs where they can get data. The programs on top are the ones such as the NSA servers installed at telcos to collect all traffic running through them, which have been revealed before. The program on the bottom is PRISM, which clearly states: "collection directly from the servers of these U.S. Service Providers," followed by the already known list. That certainly confirms the "direct access" claim from the original WaPo report, but it could also be true in conjunction with the NY Times report, if you look at it as the companies setting up special servers where they place information they're ordered to hand over via FISA court orders. The "denials" from the companies are also substantially true, as they mean that the NSA isn't getting direct access to all
their servers, but rather the ones set up for handing over this information.
The real question should be about what information
the FISA Court is approving warrants over:
FISA orders can range from inquiries about specific people to a broad sweep for intelligence, like logs of certain search terms, lawyers who work with the orders said. There were 1,856 such requests last year, an increase of 6 percent from the year before.
In one recent instance, the National Security Agency sent an agent to a tech company’s headquarters to monitor a suspect in a cyberattack, a lawyer representing the company said. The agent installed government-developed software on the company’s server and remained at the site for several weeks to download data to an agency laptop.
In other instances, the lawyer said, the agency seeks real-time transmission of data, which companies send digitally.
Note just how broad some of those searches may be. Staying around for weeks to download logs? We're not talking about narrowly focused searches here.
Of course, what's now also come out is that, despite Google and Microsoft releasing
about government requests for data, they don't include
FISA requests because of the gag orders on them. It's only recently that both Google and Microsoft were able to include "range" numbers for how many national security letter requests they get. One hopes they're pushing to be transparent on FISA requests as well.
The article makes it clear that Twitter was alone among the companies in refusing to join this program. That does not
mean that Twitter does not hand over data to the government when receiving a legitimate FISA order. I'm sure it does. But it does mean that they have not set up a special system to make it easy for the government to just log in and get the data requested. Some people have suggested that the government has little need for Twitter to join the program since nearly all Twitter information is public, but that's not true. There is still plenty of important information that might be hidden, including IP addresses, email addresses, location information and direct messages that the NSA would likely want. Besides, YouTube is a part of the program, and most of its data is similarly "public."
This is not, by the way, the first time that we've seen Twitter stand up and fight for a user's rights against a government request for data. Over two years ago, we pointed out that Twitter, alone among tech companies, fought back
when a court ordered it to hand over user info. Twitter sought, and eventually got, permission to tell the user, and allow that user to try to fight back. It later came out that, as part of that same investigation, the government also had requested information from Google and Sonic.net
, with Sonic.net fighting back and losing. It never became clear whether Google fought back.
Separately, however, Chris Soghoian has noted that an "unnamed company" fought back and lost
against a FISA court order... and that, according to the PowerPoint presentation, Google "joined" PRISM just a few months later. It is possible that Google fought joining the program, and then only did so after losing in court. That said, Google's most recent denial
insists that "the government does not have access to Google servers—not directly, or via a back door, or a so-called drop box." Perhaps they don't consider a special server set up for lawfully required information a "drop box," but others certainly might.
In the end, it appears that the initial Washington Post report was
overblown in that it suggested direct access to all
servers, rather than specific servers, set up to provide information that was required. That said, it is still true that the FISA Court appears to issue a fair number of secret orders for information from a variety of technology companies, some of them quite broad, and that many of the biggest tech companies have set up systems to make it easier to give the NSA/FBI and others access to that info -- though, they are often required by law to provide that information. The real outrage remains that all of this is happening in complete secrecy, where there is little real
oversight to stop this from being abused. As we noted just a few weeks ago, the FISA Court has become a rubber stamp
, rejecting no requests at all in the past two years.
Given the revelations of the past week, the public (and our representatives) need to demand much more transparency and oversight concerning these surveillance programs.