Thousands of firms reportedly swap data with U.S. agencies

Thousands of companies are providing intelligence organizations with data such as vulnerabilities and equipment specifications, sources tell Bloomberg.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Steven Musil
2 min read
Declan McCullagh

In a twist on recent revelations about classified U.S. intelligence gathering, thousands of companies are reportedly supplying national security agencies with sensitive information in exchange for classified intelligence.

U.S. Internet and telecommunications companies are providing government agencies with information such as vulnerabilities and equipment specifications rather than customers' private communications, sources tell Bloomberg.

Software makers, Internet security providers, and telecommunications providers, among others, have agreements with the National Security Agency, as well as the CIA, FBI, and U.S. military to provide information that could be used not only to defend the nation's infrastructure but to infiltrate its adversaries' networks, Bloomberg reported, saying:

Microsoft Corp., the world's largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists or military foes. Redmond, Washington-based Microsoft and other software or Internet security companies have been aware that this type of early alert allowed the U.S. to exploit vulnerabilities in software sold to foreign governments, according to two U.S. officials.

In some cases, companies like Microsoft might tip off the government to bug in its software before publicly releasing a fix, a process a Microsoft spokesperson said was designed to be give government agencies "an early start" on assessing and mitigating the risk.

In other cases, Bloomberg reported that telecommunications companies provide access to offshore data and facilities, access that would normally require a judge's order in the U.S.

However, the report notes that the cooperation is legal and that no oversight under the Foreign Intelligence Surveillance Act is necessary.

Initial reports last week in the Guardian and Washington Post said U.S. Internet companies allegedly cooperated with an NSA's program called PRISM program. Since then, however, the reports have been shown to be incorrect and Post and the Guardian have backed away from their original claims.

In addition, it turned out that the so-called PRISM program is not the name of a spy program after all: It's the name of an internal NSA software tool that's used to collate data collected through a legal process created by Congress in 2008 and last renewed in December 2012. That "702" process, overseen by the Foreign Intelligence Surveillance Court, the Justice Department, and Congress, requires companies to comply with orders for information on non-U.S. citizens in investigations related to "prevention of terrorism, hostile cyberactivities, or nuclear proliferation."