While the nation’s intelligence agencies experience a moment of uncomfortable transparency, the role private industry played in the brewing U.S. surveillance programs remains opaque. It’s still unclear what companies like Google and Microsoft knew about the National Security Agency (NSA) and FBI’s program that tapped into their servers to troll through emails, video, and other items, much less what data they turned over to the NSA.
The Obama administration has acknowledged and defended the existence of two anti-terrorist programs revealed by media this week that involve accessing Americans’ phone records and emails and other online activities of non-U.S. citizens overseas. Civil liberties critics have expressed outrage at the potential overreach, while many members of Congress have sought to defend the use of such tactics in protecting citizens against terrorist threats.
The Washington Post and the Guardian reported Thursday night that the NSA had crafted a massive data-mining operation, code-named PRISM, designed to scrutinize information collected by nine of the United States’ biggest tech companies. Later that night, Director of National Intelligence James Clapper released a statement acknowledging the existence of the program, but suggesting there were errors in the report.
The government’s alleged partners have been less forthcoming. Several of the corporations purported to be feeding information into PRISM have issued public statements that look and sound like denials, but fail to answer any of the big questions about the case. For example, a few companies denied ever providing the government with “direct access” to its servers.
“Yahoo! takes users’ privacy very seriously,” said a Yahoo spokesperson in a typical statement. “We do not provide the government with direct access to our servers, systems or network.”
But that doesn’t tell us much. Denying that the NSA has “direct access” is akin to saying, “We don’t give the NSA a tube into our main servers and allow them to rifle around as they see fit,” said Electronic Frontier Foundation attorney Mark Rumold. But that does not mean the agency has no way of accessing any of the information on those servers.
A “direct access” denial from Apple seemed to tacitly admit as much by suggesting another avenue through which the NSA could have acquired information: Court orders.
“We have never heard of PRISM,” an Apple spokesperson told CNBC. “We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order.”
Needless to say, whether or not Apple has ever heard the specific code name “PRISM” is irrelevant. Of more import is the observation that government agencies can use court orders to acquire private customer data. This is, in fact, how the NSA obtained the phone records of all Verizon customers in the United States.
Thus far, none of the implicated tech companies have confirmed or denied providing information to the NSA in response to a Foreign Intelligence Surveillance Court (FISC) order. That may be because the law bars any companies that receive a FISC order from publicly disclosing that information–but also because it might frighten a few customers over the safety of their personal communications.
“Even if they wanted to say, yes, we practiced in the program, but we did it because we received a valid court order … they can’t do that,” said Rumold. As a result, clarity will likely only come with official government disclosure; or, failing that, more leaks to the press.
Verizon said as much in a memo from its Chief Counsel Randy Milch to employees on Thursday after news of the program was revealed.
We have no comment on the accuracy of The Guardian newspaper story or the documents referenced, but a few items in these stories are important. The alleged court order that The Guardian published on its website contains language that:
- compels Verizon to respond;
- forbids Verizon from revealing the order’s existence; and
- excludes from production the “content of any communication … or the name, address, or financial information of a subscriber or customer.”
Verizon continually takes steps to safeguard its customers’ privacy. Nevertheless, the law authorizes the federal courts to order a company to provide information in certain circumstances, and if Verizon were to receive such an order, we would be required to comply.