Parsing Prism denials: How could everyone possibly be telling the truth?
UPDATE, Saturday June 8, 2pm Pacific time: Since this report was originally published Friday afternoon, new developments have added texture to the Prism saga. We have updated the story below with links to relevant material. Bottom line: The world still doesn't know exactly how Prism works, if the technology companies implicated in the program are issuing earnest denials, or if media outlets originally misinterpreted NSA documents. But piece by piece, relevant information is falling into place.
A day after The Washington Post and Guardian published bombshell revelations that America’s biggest tech companies are allowing the U.S. government to monitor customer data contained in their servers, the facts remain fuzzy and somewhat fluid—and the statements of the parties involved don’t add up.
All the tech companies have issued denials, saying they haven't given the government “direct” access or a “back door” to their servers under a surveillance program called Prism, as the Post and Guardian stories claim.
Google’s Larry Page repeated his company’s denials in a blog post Friday: “First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a 'back door' to the information stored in our data centers."
UPDATE: Late Friday, the New York Times published an article explaining how Google and Facebook, both implicated in Prism surveillance efforts, negotiated with the government to build "separate, secure portals" to hand off user data requested by the NSA. The Times article never mentions Prism by name, but its overall thesis supports Big Tech's denial that it's been actively providing the NSA with blanket access to real-time user data. [End update.]
The National Security Administration is saying the news stories are “full of inaccuracies,” but isn’t saying what the inaccuracies are. Nor, however, is the NSA denying claims made in the stories—in other words, it hasn't said it's not working with Google, Facebook, Apple and all the other companies who've denied Prism cooperation. If anything, the NSA is stressing that the Prism program was never meant to spy on Americans.
UPDATE: Late Friday night, CNET posted an article stating that original reporting by The Washington Post and Guardian is incorrect, citing an anonymous former government official who said the now infamous Prism PowerPoint deck was misread. To quote directly from CNET: "It's not as described in the histrionics in The Washington Post or The Guardian," the person said. "None of it's true. It's a very formalized legal process that companies are obliged to do." [End update.]
So how do we square this disconnect? On one side, we have Big Tech saying it's not working with government spooks. On the other side, we have an NSA slide that lists exactly which big tech companies are working with Prism, even noting their start dates.
For its part, The Washington Post, which first broke the story Thursday, is making a slight modification today. This might explain some of the disconnect between its story and the staunch denials of the tech companies:
"It is possible that the conflict between the Prism slides and the company spokesmen is the result of imprecision on the part of the NSA author. In another classified report obtained by The Post, the arrangement is described as allowing ‘collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,’ rather than directly to company servers.”
Is it possible that everyone’s telling the truth? Possibly, yes. But only if you allow for a wide breadth of interpretation and license in how you parse the words from everyone involved.
"If you read the denials coming from the tech companies, they are carefully worded and really amount to non-denials," EFF staff attorney Nate Cardozo told TechHive Thursday afternoon. "They all are saying that they didn't provide direct access to the servers, but what they are probably doing is providing access to the data via an API, which would be indirect."
Such an application programming interface (API) would have given the NSA a web-based window to certain data elements within the servers of the tech companies.
When I described the API method of availing the data in the servers to USC law professor and privacy expert Jack Lerner, he said it sounded very "direct" to him. However, Lerner says there are other ways the tech companies may have provided “indirect” access to the NSA.
“They could have meant ‘indirect’ to say ‘You can look at our data, but you can’t use our interface to do it, you’ll have to build your own.'” Lerner says.
And here's another way the conflicting stories might square: The tech companies may have hinged their denials on the locations where the NSA was tapping into the data from their servers. For example, the NSA may have been tapping in via a path somewhere in the Internet backbone that connects to the servers. “It’s conceivable that the NSA could have tapped into a major cable or fiber optic line through which the data was passing,” Lerner says. The update from The Post today seems to support this possibility.
UPDATE: On Saturday, The Guardian released a fifth slide from the NSA PowerPoint deck indicating that Prism data collection is separate from the upstream data collection Lerner describes. See slide below, and go here for the full Guardian story. [End update.]
Robert Graham, CEO of Atlanta-based cybersecurity firm Errata Security, says that the NSA could have installed taps in many different places within the tech companies, or in the telecommunications network connecting the servers. "The NSA is probably tapping into the undersea fiber optic lines connecting to other countries," Graham says.
Such line tapping is certainly nothing new to network administrators, Graham says. And the gear being used by the NSA is probably not much different than the gear used by the tech companies for their own network monitoring. “Companies use ‘sniffers’ all the time for intrusion detection,” he says. “They may install one to diagnose network problems, or they might install a sniffer to detect hackers.”
Graham also points out the possibility that the tech companies could be providing access to the NSA while never being aware of the specific Prism brand name. “It has a lot to do with the names they use,” Graham says. “Google only knows what they're doing for them [the NSA], but they may be totally unaware of the names the NSA uses.”
USC’s Lerner says there may be yet another, more legally motivated, explanation of the tech companies’ denials. “There may be a place in the law that requires them not to discuss it, so they would just be complying with the law," Lerner says. "For example, major service providers receive thousands of National Security Letters every year that they can’t can’t discuss.”
In the midst of the spinning and he-said she-said coming from all sides, it’s easy to lose sight of the real implications of the Prism program. That is, that real data privacy doesn't exist.
“I see this and see people saying 'there is no privacy anymore' and it reminds me of the end of 1984 where Winston has completely given up and has completely internalized the totalitarian nature of the regime," Lerner says. "We're in a very scary place.”
Top photo: Fort George G. Meade Public Affairs Office