Get ready for a whole heap of news coming on the National Security Agency's PRISM program, because it looks like Verizon may have just been the tip
of the iceberg. A new report from The Washington Post
is saying that a number of other high profile companies all allowing the government direct access to their data, including Google, Apple, Microsoft, Facebook, and Yahoo. Although, all of those companies have already come out to deny the allegations.
If you missed the earlier news, it turns out that back in 2007 under President Bush, the National Security Agency (NSA) set up a highly classified program code-named PRISM. The program started slowly, but has grown exponentially under President Obama since then. The claim of the Washington Post report is that a number of tech companies are allowing the US government to tap “directly into [their] central servers... extracting audio, video, photographs, e-mails, documents and connection logs
" that can then be used to track people. Nine companies are listed in briefing slides as being part of the program's data collection, but at least three are already pushing back against the report.
The briefing slides show companies in order of when they joined the program, starting with Microsoft on September 11, 2007, and continuing with Yahoo, Google, Facebook, PalTalk (a service that was big during the Arab Spring), YouTube, Skype, AOL, and lastly Apple. The report says that back in 2008, Congress gave the Justice Department authority to compel a reluctant company “to comply” with the program, but Apple was still able to resist being pulled in until October of last year, mostly because no one wanted the news of this program to become public.
Of course, most of the companies named have all come out in various degrees to deny involvement, including Google, Apple, Facebook, Microsoft, Yahoo, and even Dropbox, which was named as a company that was "coming soon" to the program and not currently involved.
said it doesn't know about the program and isn't participating at all, and that it does not provide any government agency with a "back door" to company servers and user data. Google went on to tell The Next Web
that it does not allow government agencies access to its servers, and has tried to be very clear that it doesn't allow the government API access and is not involved in this program or any similar program, adding in a statement:
Google cares deeply about the security of our users’ data.
We disclose user data to government in accordance with the law, and we review all such requests carefully.
From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a ‘back door’ for the government to access private user data.
has been quoted as telling CNBC
We have never heard of PRISM. We do not provide any government agency with direct access to our servers.
We do not provide any government organization with direct access to Facebook servers. When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law.
Microsoft has said to in a statement:
We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don’t participate in it.
Yahoo hasn't commented directly about PRISM, but said in a statement:
Yahoo! takes users’ privacy very seriously. We do not provide the government with direct access to our servers, systems, or network.
And, a Dropbox
spokesman released a statement to The Verge
We've seen reports that Dropbox might be asked to participate in a government program called PRISM. We are not part of any such program and remain committed to protecting our users' privacy.
Whether or not these companies do or do not give data to the government, it is fairly clear that PRISM does exist, and The Washington Post report explains more about what the program is and some on how it works. Supposedly, the NSA is capable of getting just about any data that it wants, but it does have certain criteria that must be met for the data collected.
The aim of the NSA is not to spy on American citizens, but to gather and analyze foreign communications and foreign signals intelligence. It is this that sets apart PRISM from the Verizon call logging we heard about earlier, which is specifically targeting Americans. With PRISM, the NSA has a set of criteria used to determine that the program is at least 51% confident of an individual's "foreignness" before pulling any data from that person's logs on various services. Unfortunately, this is only for the top-level data that is pulled in, and there is a ton of "incidental" data, meaning data on anyone in a suspect's inbox, that is also collected and this often contains data on Americans.
While the program only has a $20 million budget, it has apparently grown to an enormous level, and is said to be the largest contributor to the President's Daily Brief. Apparently, PRISM was referenced "in 1,477 articles last year" and now accounts for "nearly 1 in 7 intelligence reports", which is pretty crazy since the NSA counts the number of communications it sifts through in the trillions. And, while Facebook denies that it allows "direct access" to government agencies, the slides gathered by The Washington Post say that Facebook and Skype have become huge resources for PRISM, and once "the subject is believed to be engaged in terrorism, espionage or nuclear proliferation, an analyst obtains full access to Facebook’s 'extensive search and surveillance capabilities against the variety of online social networking services.'"
Of course, none of this actually answers the question as to what data has been gathered. We don't know how sensitive the information gathered has been, or who has been involved in the data collection.
More undoubtedly to come
It feels silly to try putting a "conclusion" on an article like this, because this is undoubtedly just the beginning of the news that we're going to hear about PRISM, the companies involved, and what kind of data is being processed by the NSA and the FBI. From what we have learned, it sounds like the program is real, and quite large, but the question remains as to what the involvement is from various companies, and what data is being accessed. Unfortunately, right now, we're stuck in the spot where The Washington Post is claiming one thing, and almost every company named in the report has denied involvement. We may find out more in time, but we can't say for sure right now what's going on. But, we will certainly stay on top of this story and bring you the latest as it comes in.
*Update* The Director of National Intelligence has come out saying that the report from The Washington Post, and the report by The Guardian "contain numerous inaccuracies
". He has confirmed that there is data collection happening, but insists that the public's civil liberties are being protected.