The Internet, the country, and indeed the whole world is abuzz with the news of PRISM, the no-longer-secret program of the U.S. National Security Agency (NSA) through which the United States federal government is accessing and mining all sorts of user data from the major ISPs and possibly cell phone companies. Data which is potentially about just about anybody and everybody, even you. The list of companies and ISPs alleged to be involved with PRISM, by which we mean allowing the government to data mine their users’ data, is impressive (read as “scary”) indeed, although most of them are quick to deny it. However, we have evidence (see screenshots below) that even though they are denying it, Apple, Microsoft, Yahoo, Facebook, PalTalk, YouTube, Skype, and AOL are all involved. Verizon is also giving the Feds access to their user data. But as 1984 as this all is, we really only have one question: why is anybody surprised?
The program was first outed by Glenn Greenwald, a reporter with the British newspaper the Guardian.
While the mountains of information and evidence have been piling up online since the story first broke, here are the basic facts as we presently understand them to be, explained in plain English:
The NSA has a program called PRISM, through which they are data mining massive amounts of user data through the major ISPs and other Internet user-based companies. They also are accessing similar data from cell phone companies such as Verizon, although it may not be through PRISM. PRISM was very secret and hush-hush, until the Guardian broke the story. Now Anonymous has also piled on, releasing 13 related documents.
According to released documents, the list of companies that are working with the Feds as part of PRISM includes Apple, Microsoft, Yahoo, Facebook, PalTalk, YouTube, Skype and AOL (we’ll get to Verizon in a minute).
Now, these companies are hotly denying having even heard of PRISM, let alone being part of it. A statement from Apple says:
We have never heard of PRISM. We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order.
And Google states that:
Google cares deeply about the security of our users’ data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a back door for the government to access private user data.
However, here are slides that are purportedly from the Feds’ own presentation about PRISM, and which the Guardian says that it has authenticated as genuine. Note in the first slide that the list in the aqua box on the left is headed “Current Providers” (note also the information that they are data mining).
The second slide shows in a prettier way the current providers, along with the date that they signed on to PRISM.
So, are these companies lying when they say that they are not part of it?
The department issuing each statement is probably not outright lying. This is for several reasons, including that in huge companies one department often doesn’t know what another department is doing. Sometimes this is by design (a so-called firewall, allowing for plausible deniability), sometimes it is by serendipity. There is no reason that a PR department would necessarily know what the legal department was doing with the Feds, especially if it’s participating in a secret program, and in large part companies like to keep it that way.
Also, if you read the wording closely in each statement, you will see that there are those wiggle (or as we call them, weasel) words. Meaning they are just ambiguous enough to imply one thing, while actually meaning nearly another.
Here are some more statements from the implicated companies:
Yahoo! takes users’ privacy very seriously. We do not provide the government with direct access to our servers, systems, or network.
See that term “direct access”? That could mean almost anything, including that they bundle all the data up and push it to a government server, if they are defining ‘direct access’ to mean “the Feds can log in to our servers.”
We do not provide any government organization with direct access to Facebook servers. When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law.
And Dropbox, which is rumoured to be about to join PRISM, said that “We’ve seen reports that Dropbox might be asked to participate in a government program called PRISM. We are not part of any such program and remain committed to protecting our users’ privacy.”
As to those rumours about Dropbox joining PRISM, we once again have to warn you about the privacy dangers of cloud-based storage.
The director of National Intelligence, James Clapper, responded last night that PRISM only targets Internet users outside of the United States, saying that “It cannot be used to intentionally target any U.S. citizen, any other U.S. person, or anyone located within the United States.”
Now, this could be comforting, but don’t let it be. First, note the wiggle term “intentionally”.
And now look at this slide:
Now, what about Verizon? Verizon is the subject of a recent Federal court order which requires Verizon to divulge all information regarding any communications (i.e. calls and texts) between the U.S. and abroad, and “wholly within the United States, including local telephone calls.”
There is no evidence that this is within the PRISM program itself (although the data is going to the NSA), but the story broke at about the same time, and so is being lumped together with the PRISM story in the press and on the Internet.
Here is the relevant portion of the court order (taken directly from the order):
IT IS HEREBY ORDERED that, the Custodian of Records shall produce to the National Security Agency (NSA) upon service of this Order, and continue production on an ongoing daily basis thereafter for the duration of this Order, unless otherwise ordered by the Court, an electronic copy of the following tangible things: all call detail records or “telephony metadata” created by Verizon for communications (i) between the United States and abroad; or (ii) wholly within the United States, including local telephone calls. This Order does not require Verizon to produce telephony metadata for communications wholly originating and terminating in foreign countries. Telephony metadata includes comprehensive communications routing information, including but not limited to session identifying information (e.g., originating and terminating telephone number, International Mobile Subscriber Identity (IMSI) number, International Mobile station Equipment Identity (IMEI) number, etc.), trunk identifier, telephone calling card numbers, and time and duration of call. Telephony metadata does not include the substantive content of any communication, as defined by 18 U.S.C. § 2510(8), or the name, address, or financial information of a subscriber or customer.
So here’s the bottom line: anything you do online or on your cell phone is fair game. Take heed.