After the news broke yesterday about a secret government surveillance program called PRISM, the companies named in the news reports — led by Google, Apple, and Facebook — responded with denials. In effect, they were saying two things: We do not give the government direct access to our servers. And we’ve never heard of PRISM. Some added a third point: We want more sunlight on this issue, too.
Forgive me if I don’t think that’s saying much.
First, the context: Yesterday the Washington Post published a slide deck reportedly intended for an audience of top National Security Agency advisors, detailing the PRISM program. The slides named seven different companies, plus two subsidiaries of two of those companies, as targets for this data collection, which included user photos, videos, audio files, and more. In the aftermath of the news, public officials, including the director of national intelligence James R. Clapper, denounced the news reports — not by denying them, but by saying their publication was a security risk, thus indirectly confirming the existence of the PRISM program.
These denials of the report all seem oddly similar, with Facebook chiming in most recently to say it also hasn’t heard of PRISM.
Let’s look at each of the three denial points in turn.
They aren’t accessing our servers directly
This claim hinges on one word, “directly.” Just because the government isn’t accessing these companies’ servers “directly” doesn’t mean the data is completely inaccessible. If that was the case, we’d have nothing to worry about. But, as these companies have explained themselves, there is a transfer of data that occurs when compelled by law.
First, a company could nicely package the data up and give it to the government, on a DVD or, who knows, a Dropbox folder somewhere. That’s pretty simple, but if there’s a request to have a live feed of the data, I think Marc Ambinder at The Atlantic has a good explanation for how this might happen.
To summarize his tweets, the company could take the data in question — such as, for example, “All Yahoo, Gmail, iCloud accounts for specific individuals in Pakistan” — and move that information to an external server. The government could access these accounts and all their data through that server and have the live feed it desires. Technically, the government would not be directly accessing the company’s servers, and it would not be making a “bulk” request for data.
We have never heard of PRISM
While the server access is a question of semantics, this claim is obviously disingenuous. Just because these companies haven’t heard of PRISM doesn’t mean it doesn’t exist, nor does it mean they aren’t participating in it.
Imagine the following conversation:
NSA: Hey, Apple, please give us all the information requested below.
Apple: For real? I mean, if the law says we have to then we will, but why?
NSA: Well, we’re asking you, Google, Facebook, Yahoo, and a bunch of other tech companies for the same thing. By the way, it’s a program called PRISM. Oh, and you can’t say anything about it! Here’s a gag-order with no safe word!
Apple: Cool, cool.
This is not likely the case. If the FBI and NSA don’t identify their requests as “PRISM requests,” then the companies would never have heard of PRISM.
Facebook, however, made the extra point that it has not received any blanket requests for all customer data. (That the government is making these types of requests was revealed on Wednesday, with the publication of a court order asking Verizon to give the government “all call data” around calls originating in the U.S. and terminating in another country, or any calls wholly within the United States.) Of course, the PRISM program doesn’t seem to dictate that all requests be blanket requests. They could be specific requests that just happen to have a very wide scope.
We want more transparency
We appreciate that these companies want transparency. They, like us, are probably bruised to be included in a data collection program like this. But it’s important to realize that these statements don’t prove or disprove their involvement in a wider program like PRISM.
If we want real transparency, then these companies should start fighting the gag orders and include FISA orders in their transparency reports. So far, the only company that has done that, to our knowledge, is Google.