NSA Reportedly Mines Servers of U.S. Internet Firms for Data
By Bill Chappell
For six years, the National Security Agency has been able to pluck data — including e-mails, videos, pictures, and connection logs — from the main servers of Microsoft, Google, Apple, and other leading U.S. tech companies, according to reports by The Washington Post and The Guardian.
News of the alleged data-mining that allows the U.S. agency to closely track web users' activity comes a day after revelations that the NSA collects the Verizon phone records of millions of Americans.
The newly disclosed U.S. program, which The Post says is "highly classified," is named PRISM. It is described in a government Powerpoint presentation whose 41 slides bear the "Top Secret" label. Both The Guardian and The Post say the file they reviewed, dated April 2013, is used to brief intelligence analysts on PRISM.
The program has grown rapidly since it was begun in 2007, The Post reports, with the NSA using PRISM "as its leading source of raw material, accounting for nearly 1 in 7 intelligence reports."
Update at 10:30 p.m. ET. Leaks 'Reprehensible'
James Clapper, the director of National Intelligence, has released a statement, which, in part, says: "The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans."
The statement notes that the two newspaper reports "contain numerous inaccuracies," adding that the "only non-U.S. persons outside the U.S. are targeted." It says the procedures used ensure that the "acquisition, retention and dissemination of incidentally acquired information about U.S. persons" are minimized.
Update at 8:35 p.m. ET. Companies Deny Involvement:
Tech firms named in the two reports that emerged this evening are denying that they provided the NSA with direct access to their servers. We initially added some denials at 8 p.m. ET; we're now adding more, from Microsoft and Yahoo.
Apple says, "We have never heard of PRISM. We do not provide any government agency with direct access to our servers," CNBC reports in a tweet.
Facebook tells The Next Web, "We do not provide any government organization with direct access to Facebook servers. When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law."
Microsoft says, "We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don't participate in it," according to The Verge.
The Verge also cites a tweet from Financial Times reporter Tim Bradshaw, who quotes part of Yahoo's statement: "Yahoo! takes users' privacy very seriously. We do not provide the government with direct access to our servers..."
We'll also pass along The Washington Post's brief description of how the process allegedly takes place.
"Formally, in exchange for immunity from lawsuits, companies like Yahoo and AOL are obliged to accept a 'directive' from the attorney general and the director of national intelligence to open their servers to the FBI's Data Intercept Technology Unit," The Post says.
Our original post continues:
None of the companies who allegedly provide that data commented on PRISM, with The Guardian reporting that those responding to a "request for comment on Thursday denied any knowledge of any such program."
Government officials also refused to comment, according to The Post.
A chart in the slideshow reportedly identifies the high-profile companies that provide data for PRISM, along with the dates they began giving U.S. agencies the information. Notably, Twitter is not on the list, which includes most of the biggest players in web communications, search, and social media:
- Microsoft - 2007
- Yahoo - 2008
- Google - 2009
- Facebook - 2009
- PalTalk - 2009
- YouTube - 2010
- Skype - 2011
- AOL - 2011
- Apple - 2012
Both newspapers printed a statement from Google in which the search giant maintains it has no "back door" for government agencies to access private data:
"Google cares deeply about the security of our users' data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government 'back door' into our systems, but Google does not have a 'back door' for the government to access private user data."
In addition to the NSA, the FBI also reportedly participates in the program, with The Guardian calling the agency "an intermediary between other agencies and the tech companies."
The presentation's introductory slide cites the usefulness to intelligence analysts that stems from the United States' role as a "backbone" in the world's telecommunications systems.
"A target's phone call, e-mail or chat will take the cheapest path, not the physically most direct path," the slide states. It adds, "Your target's communications could easily be flowing into and through the U.S."
Another slide identifies PRISM by its full name, PRISM/US-984XN.
As Scott reported earlier today, data-mining by intelligence agencies is at the heart of America's ongoing debate over how to balance personal privacy with public security.
Discussing the earlier revelations about the Verizon phone records, constitutional law professor Kent Greenfield of Boston College tells Scott that he sees it as "surveillance creep."
"We are becoming more and more used to having our data surveilled for public and private activities," Greenfield said. "It's hard for any individual to know if their data is swept up in it."