Update: With little fanfare, the Guardian has now added a note (at the bottom) saying that it has adjusted the story because of the initial misleading claims:
This article was amended on 20 March 2014 to remove statements in the original that the testimony by Rajesh De contradicted denials by technology companies about their knowledge of NSA data collection. It was also updated to clarify that the companies challenged the secrecy surrounding Section 702 orders.
I wonder how many people who have been repeating the initial misleading claims will go back and see that change? Original story below:
I'm seeing a bunch of folks passing around a story by Spencer Ackerman at The Guardian, claiming that tech companies lied about their "denials" of PRISM
. The story is incredibly misleading. Ackerman is one of the best reporters out there on the intelligence community, and I can't recall ever seeing a story that I think he got wrong, but this is one. But the storyline is so juicy, lots of folks, including the usual suspects
are quick to pile on without bothering to actually look at the details, insisting that this is somehow evidence of the tech companies lying.
So, let's look at what actually happened. The report is based on statements by Rajesh De, the NSA general counsel, who was testifying before the US's Privacy and Civil Liberties Oversight Board (PCLOB). Here's the part that's catching everyone's attention:
Asked during at a Wednesday hearing of the US government’s institutional privacy watchdog if collection under the law, known as Section 702 or the Fisa Amendments Act, occurred with the “full knowledge and assistance of any company from which information is obtained,” De replied: “Yes.”
When the Guardian and the Washington Post broke the Prism story in June, thanks to documents leaked by whistleblower Edward Snowden, nearly all the companies listed as participating in the program – Yahoo, Apple, Google, Microsoft, Facebook, Paltalk, AOL – claimed they did not know about a surveillance practice described as giving NSA vast access to their customers’ data. Some, like Apple, said they had “never heard” the term Prism.
Everything stated above is technically true, but misleading. The problem is that what the companies denied is not what De is talking about. What they denied is what both the Washington Post and the Guardian initially implied: that the NSA had "direct access" to the servers of the nine companies named under PRISM, with the clear implication of the stories being that direct access was to basically all servers. All of the companies denied that level of access (which was and remains true). They also (as Ackerman does mention) denied knowing what PRISM was. Within a day or so, it became quite clear that "PRISM" was merely orders under Section 702 of the FISA Amendments Act -- which is what eventually lead a bunch of those same companies to sue the government
, saying they wanted to reveal the details of the Section 702 orders that they got, including how many orders they received and how many user accounts were impacted by those orders. The very reason they filed that lawsuit was in an attempt to prove
that PRISM/Section 702 orders were never about full access to everything, but rather more targeted requests approved of by the FISA court (it's fair to point out that the NSA's definition of "targeted" is more broad than you and I would like, but that's a separate issue).
In January, that lawsuit was settled
, with the DOJ giving companies (for the first time) the ability to reveal (in quite a limited way) how many FISA orders they received and how many "customer selectors targeted." And, in fact, a bunch of companies have done so. Here, for example, we wrote about Yahoo and Google's reporting
of those requests. For example, from January to June of 2013, Google received between 0 and 999 FISA orders, including 9000-9999 user accounts targeted. During the same period, Yahoo received between 0 and 999 such orders, targeting between 30,000 and 30,999 accounts. Much of that is PRISM -- and no one has ever denied that. It's unfortunately obfuscated
, because the "FISA orders" lump together the Section 702 "PRISM" orders with separate Section 107 orders, and (worse) because the companies can't really reveal users impacted
, just customer selectors targeted
. That obfuscation is a big problem, but is entirely unrelated from the original reporting on PRISM and the companies' response.
So, yes, of course companies were aware of the Section 702 orders they get. That's the only possible way they can comply with Section 702 orders. And, certainly, the only way they could report on how many such orders they got. What they denied
was the original reporting which suggested, incorrectly, that PRISM was a much broader program, that involved direct access to these companies systems, allowing them to suck out just about anything. That was never true, and that was what they were denying. The lawsuit and the transparency reports were all about (attempting to) clear up that confusion, showing that these companies simply comply with Section 702 orders, rather than grant broad access to all accounts, as the original reports implied. And, in fact, the release of those transparency reports provided at least a little transparency (tragically muddied by the DOJ's requirements). There are separate issues about other
ways that the NSA got access to these companies information, such as hacking into datacenters connections
, but that's unrelated to PRISM.
Ackerman has been following all of this, so I'm both confused and surprised for why he'd fall for De's attempt to suggest that the companies were lying. Even more bizarre is his claim that De's comments were "contradicting the tech companies about the firms' knowledge of Prism." But that's not true. De is saying the companies knew about Section 702 orders, which of course they did. Otherwise, why would they have been fighting to reveal the details -- and why else would they have posted the details to their transparency reports
? I find it hard to believe that Ackerman doesn't know about the very transparency reports from the companies that show that the companies were (of course) aware of the Section 702 orders he says in the article they denied. They never denied such orders.
If anything, this feels a lot more like the NSA (as the NSA does) using careful language choices to attack-by-false-implication the tech companies who have recently been fighting hard to encrypt more data to make it harder for the NSA to crack into their systems (not under PRISM, but under Executive Order 12333). In the end, De's claim is a non-story, turned into a misleading story.