PRISM allows the NSA to collect material directly from the servers of major providers, including the contents of emails, file transfers, live video or voice chats, VoIP (such as Skype), videoconferencing, social media interactions, search history, etc. In November the Guardian published a large (41 slides) PowerPoint presentation that described PRISM program capabilities in detail and was apparently used to train intelligence personnel on the program.
The presentation states that these companies assisted with the operation of PRISM, but all of the companies denied knowing about the program at all. Google said, “Google does not have a back door for the government to access private user data” while Apple said it had “never heard of” PRISM. Senior executives of the tech companies insisted that if it was happening, it was being done without their knowledge.
But an article by Spencer Ackerman published in Wednesday’s Guardian argues that the companies did know all along.*
The senior lawyer for the National Security Agency stated unequivocally on Wednesday that US technology companies were fully aware of the surveillance agency’s widespread collection of data, contradicting months of angry denials from the firms.
Rajesh De, the NSA’s General Counsel, said all communications content and associated metadata harvested by the NSA under a 2008 surveillance law occurred with the knowledge of the companies – both for the internet collection program known as Prism and for the so-called ‘upstream’ collection of communications moving across the internet.
The FISA Amendments Act passed in 2008, Title VII, section 702, allows the NSA’s foreign surveillance programs such as PRISM (and some earlier data collection activities previously authorized under the President’s 2001 Surveillance Program) to collect internet, phone, email, and other communications content when one party to the communication is reasonably believed to be a non-American outside the United States. The NSA stores PRISM data for five years, and communications taken directly from the internet for two years. Snowden’s leaked documents showed that the NSA has unmonitored blanket access to tech companies’ customer information. The secret FISA court (FISC) that oversees US surveillance activities renews authorizations annually for NSA targeted surveillance under Section 702. It isn’t clear what legal processes the government serves on a company to compel access to content and metadata under the PRISM program or upstream collection. Section 702 prohibits intentional targeting of Americans or US persons, known as “reverse targeting,” but the in the process of collection, large amounts of Americans’ phone calls and emails are swept up.
Section 702 also permits NSA analysts to search through the collected communications for identifying information about Americans, an amendment to so-called ‘minimisation’ rules revealed by the Guardian in August and termed the ‘backdoor search loophole’ by [Senate Intelligence Committee member Ron] Wyden.
De argued that once the Fisa court permits the collection annually, analysts ought to be free to comb through it, and stated that there were sufficient privacy safeguards for Americans after collection and querying had occurred. ‘That information is at the government’s disposal to review in the first instance,’ De said.
Other Snowden documents the Washington Post published revealed that the NSA also siphons data in transit between the Google and Yahoo data centers, including from fiber optic cables between servers at various locations around the world, an activity reportedly conducted under Executive Order 12333. While an individual user may have an encrypted connection to a website, the internal data flows are not encrypted and allow the NSA to gather millions of records each month, including both metadata and such content as video, audio, and text.
* Late update: Mike Masnick at Techdirt says, “Not so fast, buddy!” After kudos to Spencer Ackerman’s customary outstanding reporting, Masnick says,
Everything stated above [quoting Ackerman's 'they're lying' claim] is technically true, but misleading. The problem is that what the companies denied is not what [Rajesh] De is talking about. What they denied is what both the Washington Post and the Guardian initially implied: that the NSA had ‘direct access’ to the servers of the nine companies named under PRISM, with the clear implication of the stories being that direct access was to basically all servers. All of the companies denied that level of access (which was and remains true).
What they denied was the original reporting which suggested, incorrectly, that PRISM was a much broader program, that involved direct access to these companies systems, allowing them to suck out just about anything. That was never true, and that was what they were denying.
Ackerman’s Guardian article now contains this update:
This article was amended on 20 March 2014 to remove statements in the original that the testimony by Rajesh De contradicted denials by technology companies about their knowledge of NSA data collection. It was also updated to clarify that the companies challenged the secrecy surrounding Section 702 orders. Other minor clarifications were also made.
Image by National Security Agency, Federal government of the United States (original image | source) [Public domain], via Wikimedia Commons.