CNET logo Why You Can Trust CNET

Our expert, award-winning staff selects the products we cover and rigorously researches and tests our top picks. If you buy through our links, we may get a commission. Reviews ethics statement

No evidence of NSA's 'direct access' to tech companies

Sources challenge reports alleging National Security Agency is "tapping directly into the central servers." Instead, they say, the spy agency is obtaining orders under process created by Congress.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
7 min read
Declan McCullagh

Update, June 8 at 2:45 p.m. PT: In response to outcry over PRISM, the U.S. director of national intelligence has released some details. Among other things, he says the government "does not unilaterally obtain information from the servers of U.S. electronic communication service providers" and that PRISM-related activities are conducted "under court supervision." More here.

The National Security Agency has not obtained direct access to the systems of Apple, Google, Facebook, and other major Internet companies, CNET has learned.

Recent reports in The Washington Post and The Guardian claimed a classified program called PRISM grants "intelligence services direct access to the companies' servers" and that "from inside a company's data stream the NSA is capable of pulling out anything it likes."

Those reports are incorrect and appear to be based on a misreading of a leaked Powerpoint document, according to a former government official who is intimately familiar with this process of data acquisition and spoke today on condition of anonymity.

"It's not as described in the histrionics in The Washington Post or The Guardian," the person said. "None of it's true. It's a very formalized legal process that companies are obliged to do."

That former official's account -- that the process was created by Congress six years ago and includes judicial oversight -- was independently confirmed by another person with direct knowledge of how this data collection happens at multiple companies. The leaked presentation slides say the program began in September 2007, only weeks after the foreign surveillance law was amended.

The legal process, the person said, is akin to how law enforcement requests information in criminal investigations: the government delivers an order to obtain account details about someone who's specifically identified as a non-U.S. individual, with a specific finding that they're involved in an activity related to international terrorism. Both the contents of communications and metadata, such as information about who's talking to whom, can be requested.

The Washington Post has backtracked from its initial report on PRISM. At first, the paper claimed the Silicon Valley firms "participate knowingly in PRISM operations." But then -- without explanation -- the newspaper quietly removed that language last night. It also abandoned its original claim to have confirmed that the NSA is "tapping directly into the central servers" of the companies.

In a separate article published today, The New York Times cited anonymous sources that cast additional doubt on the initial reports. Each of the tech companies, the Times said, "drew a bright line between giving the government wholesale access to its servers to collect user data and giving them specific data in response to individual court orders."

Google CEO Larry Page and Facebook CEO Mark Zuckerberg today gave blanket denials about participating in any such program. Page -- whose company is currently fighting the legality of secret court orders in two different federal courts -- said "press reports that suggest that Google is providing open-ended access to our users' data are false, period." Zuckerberg categorically denied as "outrageous" press reports claiming his company gave any "government direct access to our servers."

The reason the newspapers' allegations of "direct access" by the NSA to tech companies' systems were so explosive is that they appeared to confirm Americans' worst fears about government and corporate overreach, and came only a day after the Guardian disclosed a separate surveillance scheme that vacuums up Verizon customers' phone records. The Wall Street Journal subsequently reported that AT&T and Sprint were swept in as well.

Washington officials quickly confirmed that the leaked Verizon order was real. Dianne Feinstein, the California Democrat who heads the Senate Intelligence Committee, acknowledged that it was a surveillance program that "has been in place for the past seven years." And Sen. Ron Wyden (D-Oregon) said the program is the "one that I have been concerned about for years."

By contrast, James Clapper, the director of national intelligence, released a statement last night saying the Guardian and Post articles about PRISM "contain numerous inaccuracies." Clapper's statement didn't elaborate, however, saying only that the articles referred "to collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act."

President Obama addressed the NSA's program during brief remarks in San Jose, Calif., this morning. But Obama's remarks merely offered a high-level summary of the Section 702 process: "With respect to the Internet and e-mails, this does not apply to U.S. citizens, and it does not apply to people living in the United States."

When the government delivers Section 702 orders, according to a former official, companies "implement them just as though they would implement a wiretap -- there's no direct access to servers." The order has to be for account information or an intercept directed at a specific foreign person, and "you can't say everyone in Pakistan who searched for 'X'... It still has to be particularized."

Surveillance law's Section 702
The origin of Section 702 can be traced back to President Bush's controversial warrantless surveillance starting in 2001. After the Foreign Intelligence Surveillance Court limited the program's scope, Congress enacted the FISA Amendments Act, which established a new procedure for foreign surveillance.

That Section 702 procedure works like this: The Justice Department must demonstrate that its surveillance will not intentionally target anyone present in the United States or any American who's overseas. And the surveillance process must comply with the Fourth Amendment.

Section 702 also requires that the government obtain the secret Foreign Intelligence Surveillance Court's approval of "targeting" and "minimization" procedures, and that the court review the agencies' certification describing how proposed surveillance techniques will comply with the law. Judges must consider whether the targeting procedures are "reasonably designed" to exclude Americans and purely domestic surveillance.

Any company that receives a Section 702 order to assist in surveillance may challenge its legality before the Foreign Intelligence Surveillance Court. One unnamed company did just that, albeit under a slightly different earlier version of the law. The Foreign Intelligence Surveillance Court of Review ruled against the company in 2009 (PDF), concluding there are "several layers of serviceable safeguards to protect individuals against unwarranted harms and to minimize incidental intrusions."

Amnesty International and journalists launched a separate legal challenge to Section 702 (which is sometimes called 1881a, for its location in the law books). They argued their confidential communications with foreign correspondents would be intercepted under Section 702 in violation of the Fourth Amendment. But in February 2013, the U.S. Supreme Court rejected their challenge by a 5-4 vote, with Justice Samuel Alito writing that their allegations were too "speculative" and the Section 702 process is subject to ongoing "oversight" and "review."

How much oversight and review the Foreign Intelligence Surveillance Court actually provides is less than clear. U.S. District Judge Roger Vinson granted the administration an order allowing Verizon's records to be vacuumed up under the Patriot Act in a way the law's drafters never intended. The Electronic Privacy Information Center today said Vinson's order was illegal.

A person who has worked at multiple Silicon Valley companies and helped them comply with Section 702 orders told CNET the requests to companies use wiretapping interfaces set up as part of a 1994 law called CALEA if available:

Someone shows up with a legal document that says "thou shall." There's no discretion. Then you implement it according to the order... There are CALEA-covered entities that would use a CALEA interface. The ones that aren't currently covered by CALEA, they still have an obligation to produce materials under the wiretap or FISA statute.

One benefit, from the government's perspective, is that CALEA standardizes the process of complying with wiretap requests -- but it currently applies only to telephone companies and broadband providers. Apple, Google, Yahoo, and Facebook aren't currently regulated.

The intelligence agency's desire to have a standardized interface for Section 702 orders might explain why the FBI has been so insistent that CALEA be extended to encompass Silicon Valley companies too.

PRISM: Unclassified Web tool, not spy program
Page and Zuckerberg aren't the only Silicon Valley notables to cast doubt on claims of NSA's "direct access" to servers.

Mike Yang, Google's deputy general counsel until less than a year ago, said the allegations of the company's involvement were not credible. Yang, now at Pinterest, previously oversaw the Google products that the NSA would have been most interested in and said on Twitter yesterday: "I don't believe it."

Yonatan Zunger, the chief architect of Google+, wrote in a Google+ post today that: "I can tell you that the only way in which Google reveals information about users are when we receive lawful, specific orders about individuals -- things like search warrants."

Marc Ambinder, author of "Deep State: Inside The Government Secrecy Industry," wrote this evening that PRISM is an unclassified "data processing tool" used by many NSA components. It's not, he said, the name of a secret surveillance program.

PRISM is also the name of a data processing tool used for other intelligence purposes, meaning it may be the same utility. It stands for "Planning Tool for Resource Integration, Synchronization, and Management," and it's long been in common military use. An Air Force-commissioned report that predates the FISA Amendments, for instance, describes PRISM (PDF) as "Web-based collection management software." It's not unusual to see PRISM experience required in job postings at government contractors as well.

Stewart Baker, the NSA's general counsel in the 1990s and now an attorney at Steptoe and Johnson, said he was not familiar with PRISM or similar government activity, but the leaked Powerpoint presentation sounds "flaky," as do the initial reports.

"The Powerpoint is suffused with a kind of hype that makes it sound more like a marketing pitch than a briefing -- we don't know what its provenance is and we don't know the full context," Baker said. He added, referring to the Post's coverage: "It looks rushed and it looks wrong."