NSA has backdoor access to Internet companies' databases
Apple, Microsoft, Yahoo, Facebook, and other large tech companies let the National Security Agency search through confidential customer data, according to the Washington Post.
Declan McCullaghFormer Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Update, June 7, 2013:The National Security Agency has not obtained direct access to the companies' systems, contrary to earlier claims, CNET is reporting.
A top-secret surveillance program gives the National Security Agency surreptitious access to customer information held by Microsoft, Yahoo, Apple, Google, Facebook, and other Internet companies, according to a pair of new reports.
The program, code-named PRISM, reportedly allows NSA analysts to peruse exabytes of confidential user data held by Silicon Valley firms by typing in search terms. PRISM reports have been used in 1,477 items in President Obama's daily briefing last year, according to an internal presentation to the NSA's Signals Intelligence Directorate obtained by the Washington Post and the Guardian newspapers.
This afternoon's disclosure of PRISM follows another report yesterday that revealed the existence of another top-secret NSA program that vacuums up records of millions of phone calls made inside the United States.
Other services that are reportedly part of PRISM include PalTalk, Skype, and AOL. Dropbox is listed in the presentation as "coming soon."
Some of the companies named in the pair of news reports responded this afternoon with statements indicating they did not provide direct server access, or PRISM was not as described. Apple said: "We have never heard of PRISM. We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order."
Joe Sullivan, Facebook's chief security officer, said: "We do not provide any government organization with direct access to Facebook servers. When Facebook is asked for data or information about specific individuals, we carefully scrutinise any such request for compliance with all applicable laws, and provide information only to the extent required by law." A Google spokesman said: "We disclose user data to government in accordance with the law, and we review all such requests carefully."
Microsoft's statement is probably the most detailed:
We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don't participate in it.
The carefully-worded statements leave open the possibility, however, that the NSA would be given indirect access to company servers that would still permit queries for user information to be submitted. NBC News confirmed from two sources this afternoon that a data collection program called PRISM exists.
Separately, the Wall Street Journal reported this evening that the NSA's monitoring includes AT&T and Sprint -- not only Verizon -- and extends to credit card companies. The story also said the spy agency "obtains access to data from Internet service providers on Internet use such as e-mail or Web site visits," citing former government officials, without elaborating.
The spy agency's apparent direct access -- the FBI is used as an intermediary, but NSA analysts perform the searches -- appears to be the result of Section 215 of the Patriot Act, which authorizes secret court orders that force U.S. companies to turn over business records. That sweeps in metadata and also the content of confidential communications, including e-mail, video and voice chat, videos, and photos, the leaked presentation says.
The Washington Post said it received the classified PowerPoint slides about PRISM and other supporting documents from a "career intelligence officer" who wanted to "expose what he believes to be a gross intrusion on privacy." The documents are recent, with dates as recent as April 2013.
PRISM access appears intended to be used primarily for NSA agents to monitor the activities non-U.S. citizens (the majority of Facebook and Gmail users, for instance, live in other countries). But without oversight and other checks, such a powerful capability could be abused.
The PRISM slides suggest the program started one month after Congress approved a controversial wiretapping law in August 2007 that opened the networks of telecommunications companies to the NSA. A CNET FAQ at the time said: "The new law effectively expands the National Security Agency's power to eavesdrop on phone calls, e-mail messages and other Internet traffic with limited court oversight. Telecommunications companies can be required to comply with government demands, and if they do so they are immune from all lawsuits."
The U.S. national intelligence chief responds
National intelligence director James Clapper released two statements this evening addressing both sets of disclosures. Talking about the Internet companies, he said there are "extensive procedures, specifically approved by the court, to ensure that only non-U.S. persons outside the U.S. are targeted, and that minimize the acquisition, retention and dissemination of incidentally acquired information about U.S. persons."
Clapper also addressed the revelations about Verizon and the other phone companies. "All information that is acquired under this program is subject to strict, court-imposed restrictions on review and handling," he said.
Yesterday's disclosure of the Verizon surveillance offers hints of how the phone companies may be forced to comply. That secret order, issued by the Foreign Intelligence Surveillance Court, relies on Section 215 of the Patriot Act, 50 USC 1861, better known as the "business records" portion. It allows the government to obtain any "tangible thing," including "books, records, papers, documents, and other items," a broad term that includes dumps from private-sector computer databases with limited judicial oversight.
The Justice Department's secret interpretation of Section 215 was what alarmed Sens. Ron Wyden (D-Oregon) and Mark Udall (D-Colorado) when the Patriot Act was up for renewal two years ago. Both senators served on the intelligence committee and were briefed on the NSA's activities.
FBI Director Robert Mueller hinted during a 2011 congressional hearing that there was a secret legal memorandum prepared by the Justice Department's Office of Legal Counsel that authorized a broader use of Section 215 than is publicly known.
Wyden, who was present at that hearing, told Mueller that he was "increasingly troubled" that intelligence agencies are "relying on a secret interpretation" of the Patriot Act. "I believe that the American people would be absolutely stunned," Wyden said, if they knew what was actually going on.
Here's more from the Post's report:
Analysts who use the system from a Web portal at Fort Meade key in "selectors," or search terms, that are designed to produce at least 51 percent confidence in a target's "foreignness." That is not a very stringent test. Training materials obtained by the Post instruct new analysts to submit accidentally collected U.S. content for a quarterly report, "but it's nothing to worry about." ...
Like market researchers, but with far more privileged access, collection managers in the NSA's Special Source Operations group, which oversees the PRISM program, are drawn to the wealth of information about their subjects in online accounts. For much the same reason, civil libertarians and some ordinary users may be troubled by the menu available to analysts who hold the required clearances to "task" the PRISM system.
There has been "continued exponential growth in tasking to Facebook and Skype," according to the 41 PRISM slides. With a few clicks and an affirmation that the subject is believed to be engaged in terrorism, espionage or nuclear proliferation, an analyst obtains full access to Facebook's "extensive search and surveillance capabilities against the variety of online social networking services."