Just a day after respected UK newspaper The Guardian
reported that a leaked secret US court order
showed that the National Security Agency (NSA) was harvesting millions of phone records and "telephony metadata" from Verizon customers, a new report from The Guardian
and the Washington Post
has charged that the NSA is further using a secret program called PRISM to harvest usage data
from the internal servers
of most of America's major tech companies -- including Apple, Google, Microsoft and many others.
The reports are based on a leaked 41-slide security presentation
, and the slideshow was provided by a "career intelligence officer" who was horrified by the capability of the program and wanted to expose the "gross intrusion on privacy." The program, allegedly highly classified, has been in operation since the last year of the Bush administration (but was supposedly renewed by the Obama administration) and is considered a vital part of the US's intelligence-gathering operations. A later report from Reuters quotes an anonymous but "senior US official" as saying that the program is only used to target people outside the United States
, as required by NSA mandates. According to the report, the program was secretly reauthorized by Congress after "extensive hearings and debate."
The Washington Post
report says that the PRISM program goes "above and beyond" existing laws that require tech companies to comply with court orders and government requests for data on users, and gives the NSA direct access to the internal servers of US tech companies including Facebook, Microsoft, Yahoo, Google, AOL, Apple, PalTalk, Microsoft-owned Skype and Google subsidiary YouTube. The tech companies in question have all denied that they are providing the government any "back door" or direct access to their servers.
Google, in its statement, said bluntly that despite previous reports that it had forged a "back door" for the government, it had never provided any such access to user data. Microsoft, allegedly the first tech company to join the secret program, said it does not voluntarily participate in any government data collection and "only complies with requests for specific accounts or identifiers. Apple spokesman Steve Dowling said that the company has "never heard of PRISM" and that the iPhone maker does not "provide any government agency with direct access to our servers -- and any government agency requesting customer data must get a court order." According to the Post
, Apple fought being included in the PRISM program for five years before finally joining. Notable by its absence on the government list of major tech partners was Twitter and Dropbox, though the latter is said to be in the process of joining the program.
Facebook Chief Security Officer Joe Sullivan said in a statement that the social network "carefully scrutinizes" any request for compliance with all applicable laws, and "provides information only to the extent required by that law." Yahoo added that it "takes users' privacy very seriously" and that it does not "provide the government with direct access to our servers, systems or network." It must be noted, however, that the US operates an entire legal secret legal system apart from the public one under the Foreign Intelligence Surveillance Act (FISA).
It was the FISA courts that granted the Bush administration the authority to create programs like PRISM, and in 2007 allowed the government to redefine a restrictive word "facilities" (as in the program was allowed to probe the records facilities) to apply to "massive data sets" such as the records collected by the PRISM program -- thus allowing the government to examine the data without any evidence of a direct connection to terrorism or espionage. The FISA courts, under four new orders that remain classified, have agreed to "periodically" certify that the government had reasonable procedures in place to prevent accidental collection of data on "US persons" without a warrant.
The leaked slideshow contradicts the denials from both the tech companies and the government, saying the NSA collects a large amount of data on Americans through the PRISM program -- but that data collected is not necessarily examined. Only if a specific target is being investigated does the program "intercept" (which is defined as having a human being examine records) complete inbox and outbox records, along with anyone connected to the account.
Director of National Intelligence James R. Clapper said there were "numerous inaccuracies" in the Post
reports about the PRISM program, but didn't specify any examples. He said that "information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats" and that "the unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans."
The revelation that the government has been collecting electronic data on Americans and others is not particularly surprising to most people, but PRISM represents a (some would say logical) extension of the efforts of early programs such as the Echelon satellite transmission monitoring program of the 60s or "the program," a Bush administration-led effort to intercept email communications using AT&T's infrastructure following the 9/11 terrorist attacks. The US government is said to have a data center in Utah
capable of handling a yottabyte (one trillion terrabytes) of data.
One US Senator, Diane Feinstein (D-CA), dismissed
the previously-revealed NSA collection of Verizon phone records by saying "it's called defending America," and stressing that the program had privacy safeguards. A colleague, Senator Saxby Chambliss (R-GA), backed Feinstein's assertions that the program only tracked "metadata" and not the content of calls unless a subject was targeted.
According to the leaked NSA slideshow's presenter notes, "98 percent" of the information gathered in PRISM comes from Microsoft, Google and Yahoo. The document as well as government officials interviewed by the Post
made it clear that the names of the private partners were one of the PRISM program's most sensitive secrets, fearing that companies would withdraw from the program if their identities were exposed. The newspaper notes that the presentation itself refers to the PRISM program as being "the most prolific contributor" to the President's Daily Briefing, citing 1,477 items last year. The report says that the NSA is "increasingly relying" on PRISM as its leading source of raw material, with data from it showing up in nearly one out of every seven intelligence reports.
The Obama administration, for its part, reiterates that its intelligence-gathering programs -- a number of which were criticized by Obama before taking office -- has "extensive procedures, specifically approved by the court, to ensure that only non-US persons outside of the US are targeted, and that minimize the acquisition, retention and dissemination of incidentally-acquired information about US persons." Allegedly, analysts using a web portal at NSA headquarters in Fort Meade MD only key in "selectors" (search terms) that are designed to "produce at least 51 percent confidence in a target's 'foreignness.'" Accidental collection of US content is said to be reported only every quarter.
The private tech firms that are said to be participants in the PRISM program are obliged to accept a "directive" from the Attorney General and the Director of National Intelligence to open their servers to the FBI's Data Intercept Technology Unit, according to the Post
, in exchange for immunity from lawsuits. According to the report, Congress gave the Justice Department authority for a secret FISA order to compel reluctant companies to comply in 2008. The paper says that NSA analysts can collect extensive information on a subject "with a few clicks and an affirmation that the suspect is believed to be engaged in terrorism, espionage or nuclear proliferation," giving agents (who, according to the slideshow presentation, are seeing "exponential growth" in Facebook and Skype "tasking") far more extensive access to the activities of the subject than is available even to marketers.
Skype users, according to supplementary materials related to the program obtained by the Post
, can be monitored for audio if one end of the call goes to a conventional telephone or cell phone, and for any combination of "audio, video, chat and file transfers" when users connect computer-to-computer. Similar monitoring can be obtained for any of Google's services, including GMail, voice or video chat, Google Drive files, Picasa photo libraries and other such services from the search engine giant.
The unnamed source of the slideshow and related materials told the paper that the capabilities of the program, along with "firsthand experience" filled them with "horror" and drove them to expose the program. "They quite literally can watch your ideas form as you type," the source told the paper.