Unless you have been living under a rock for the past 24 hours, then you have probably read countless reports regarding the US governments chilling, NSA PRISM program. The PRISM program was first made public after the UK’s Guardian newspaper managed to gain access to a copy of a top-secret court order that forced US telecoms provider Verizon, to handover the telephone records, metadata, of millions of its US customers for all its systems both within the US and between the US and other countries. The court order affects all US citizens regardless of whether or not they have been named as a threat to national security and does not require a warrant.
The order directs Verizon to “continue production on an ongoing daily basis thereafter for the duration of this order”. It specifies that the records to be produced include “session identifying information”, such as “originating and terminating number”, the duration of each call, telephone calling card numbers, trunk identifiers, International Mobile Subscriber Identity (IMSI) number, and “comprehensive communication routing information”.
The reason that a warrant is not required is down to the information being classified as metadata (or transactional information) therefore bypassing the need for a warrant.
The order was signed by Judge Roger Vinson – United States Foreign Intelligence Surveillance Court (FISC) to the FBI on 25th April 2013 and was not to be made public until 12th April 2038. The law on which the order explicitly relies is the so-called “business records” provision of the Patriot Act, 50 USC section 1861. That is the provision which Senators Wyden and Udall have repeatedly cited when warning the public of what they believe is the Obama administration’s extreme interpretation of the law to engage in excessive domestic surveillance.
However, this is not the first time that this kind of mass surveillance has been carried out on US citizens. Back in May 2006, USA Today broke the news that the NSA were secretly amassing a massive database on millions of Americans using data provided by AT&T, Verizon and BellSouth.
“It’s the largest database ever assembled in the world,” said one person, who, like the others who agreed to talk about the NSA’s activities, declined to be identified by name or affiliation. The agency’s goal is “to create a database of every call ever made” within the nation’s borders, this person added.
Since news broke regarding the recent secret court order between the NSA and Verizon, news also started emerge via the Guardian, about other facets of the PRISM program whereby it is alleged that many of the tech giants including, Apple, Microsoft, Facebook and Google to name a few, have also granted backdoor access to the NSA, allowing them to freely access the emails, data transfers, live chats (Skype etc) and search history of their customers. Below are a couple of the many slides that accompanied the leaked court order that the Guardian received when first breaking the news.
As you can see from the second image above, the kind of data that is made available to the NSA from these companies is scary to say the least. Information includes:
- Chat – Video and Voice
- Stored Data
- File Transfers
- Video Conferencing
- Notifications of target activity – logins etc
- Online Social Networking details
- Special Requests
Earlier this evening Google’s CEO Larry Page made an official statement regarding the accusations made against Google regarding their involvement with the NSA and PRISM, including what data they do sometimes handover to government agencies which they are required to by law under exceptional circumstances. The statement was made on Larry Page’s Google+ profile
Dear Google users—
You may be aware of press reports alleging that Internet companies have joined a secret U.S. government program called PRISM to give the National Security Agency direct access to our servers. As Google’s CEO and Chief Legal Officer, we wanted you to have the facts.
First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday.
Second, we provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process. Press reports that suggest that Google is providing open-ended access to our users’ data are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.
Finally, this episode confirms what we have long believed—there needs to be a more transparent approach. Google has worked hard, within the confines of the current laws, to be open about the data requests we receive. We post this information on our Transparency Report whenever possible. We were the first company to do this. And, of course, we understand that the U.S. and other governments need to take action to protect their citizens’ safety—including sometimes by using surveillance. But the level of secrecy around the current legal procedures undermines the freedoms we all cherish.
Posted by Larry Page, CEO and David Drummond, Chief Legal Officer
Once news broke today that many of the biggest tech giants were also in collusion with this somewhat nefarious programme, the main five companies were quick to dismiss the accusations. Interestingly though, only Apple initially made mention of the programme by name, with the other companies merely reinforcing the fact that they all take their customers privacy seriously, and that any information given to the government is only done so when accompanied by a court order. Kurt Opsahl of the EFF, made an interesting statement to Ars Technica following some of the denials made by the tech giants with regards their alleged involvement with the PRISM program, saying:
“Whether they know the code name PRISM, they probably don’t,” he told Ars. “[Code names are] not routinely shared outside the agency. Saying they’ve never heard of PRISM doesn’t mean much. Generally what we’ve seen when there have been revelations is something like: ‘we can’t comment on matters of national security.’ The tech companies’ responses are unusual in that they’re not saying ‘we can’t comment.’ They’re designed to give the impression that they’re not participating in this.”
Below are some of the initial denial statements from the five main tech giants:
From Apple: “We have never heard of PRISM. We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order.”
From Facebook: “Protecting the privacy of our users and their data is a top priority for Facebook. We do not provide any government organization with direct access to Facebook servers. When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law.”
From Yahoo: “Yahoo! takes users’ privacy very seriously. We do not provide the government with direct access to our servers, systems, or network.”
From Microsoft: “We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don’t participate in it.”
From Google: (statement made before Larry Page’s statement on Google+ earlier this evening) “Google cares deeply about the security of our users’ data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a back door for the government to access private user data.”
Here is a link to the original leaked document that the Guardian newspaper made public. I have also reconstructed the PDF below to make it easier for people to copy text from, as the original PDF has some transcribing errors when changed into plain text. I have corrected this as best I can.
[Update] James Clapper, the Director of US National Intelligence has released a statement saying that it did not try to target US citizens, but instead only targeted non-US persons outside the US
The Guardian and The Washington Post articles refer to collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act. They contain numerous inaccuracies.
Section 702 is a provision of FISA that is designed to facilitate the acquisition of foreign intelligence information concerning non-U.S. persons located outside the United States. It cannot be used to intentionally target any U.S. citizen, any other U.S. person, or anyone located within the United States.
Activities authorized by Section 702 are subject to oversight by the Foreign Intelligence Surveillance Court, the Executive Branch, and Congress. They involve extensive procedures, specifically approved by the court, to ensure that only non-U.S. persons outside the U.S. are targeted, and that minimize the acquisition, retention and dissemination of incidentally acquired information about U.S. persons.
Section 702 was recently reauthorized by Congress after extensive hearings and debate.
Information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats.
The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans.