Since the Guardian and The Washington Post revealed the existence of the NSA's PRISM program last week, there's been a confusing debate about what exactly the program is and how it works. While the Obama administration has tacitly acknowledged the program's existence, tech companies have angrily denied that they had given the NSA "direct" or "unfettered" access to their servers. So what's going on? Let's try to separate the facts from the hype.
What do we know for sure about PRISM?
We know that PRISM is a system the NSA uses to gain access to the private communications of users of nine popular Internet services. We know that access is governed by Section 702 of the Foreign Intelligence Surveillance Act, a provision enacted in 2008. Director of National Intelligence James Clapper tacitly admitted PRISM's existence in a blog post last Thursday. A classified PowerPoint presentation leaked by Edward Snowden states that PRISM enables "collection directly from the servers" of Microsoft, Yahoo, Google, Facebook and other online companies.
What do the Internet companies who allegedly participate in this program have to say about it?
In a Friday post titled "What the ...?" Google CEO Larry Page stated that "any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false."
In a weekend follow-up, Google chief architect Yonatan Zunger wrote that "the only way in which Google reveals information about users are when we receive lawful, specific orders about individuals." He said that "it would have been challenging — not impossible, but definitely a major surprise — if something like this could have been done without my ever hearing of it." He said that even if he couldn't talk about such a program publicly, he would have quit Google rather than participate. "We didn't fight the Cold War just so we could rebuild the Stasi ourselves," he concluded.
"The notion that Yahoo! gives any federal agency vast or unfettered access to our users’ records is categorically false," wrote Yahoo's Ron Bell on Saturday. "Of the hundreds of millions of users we serve, an infinitesimal percentage will ever be the subject of a government data collection directive."
Facebook CEO Mark Zuckerberg called media reports about PRISM "outrageous," stating that "Facebook is not and has never been part of any program to give the U.S. or any other government direct access to our servers."
"We only ever comply with orders for requests about specific accounts or identifiers," Microsoft said in a statement last Thursday. "If the government has a broader voluntary national security program to gather customer data, we don't participate in it."
“We have never heard of PRISM,” said Steve Dowling, a spokesman for Apple. “We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order.”
Are the companies lying? Or using legalistic language to hide their participation?
It's hard to be sure, but the number of companies that have issued denials, and the vehemence of some of their statements, suggests that they may be sincere.
Initially, many people were suspicious of the fact that a number of companies only denied giving the NSA "direct access" to their servers, suggesting that the companies might be giving the agency access to the contents of their servers through some intermediary.
But the more recent statements, especially Zunger's and Bell's, seem to leave little wiggle room. Google's Zunger says that Google only responds to "specific orders about individuals." Yahoo's Bell says that only an "infinitesimal percentage" of Yahoo's customers will have their information turned over to the feds. That's in tension with initial reports about how PRISM operates. And Zunger's crack about the Stasi is very different from the careful, legalistic statements the firms released in the initial hours after news of PRISM broke.
If PRISM doesn't give the NSA unfettered access to our online information, what does it do?
Reporting by the New York Times and CNet offers some clues about how PRISM works.
The Times says that major tech companies have systems that "involve access to data under individual FISA requests. And in some cases, the data is transmitted to the government electronically, using a company’s servers."
Data is "shared after company lawyers have reviewed the FISA request according to company practice. It is not sent automatically or in bulk," the Times reports. The scheme is "a more secure and efficient way to hand over the data."
A source told CNet's Declan McCullagh that PRISM is "a very formalized legal process that companies are obliged to do." A source — perhaps the same one — says that "you can't say everyone in Pakistan who searched for 'X' ... It still has to be particularized."
Doesn't that contradict what the slides released by Snowden say?
Not necessarily. Here's the key slide from the PRISM presentation:
This slide draws a distinction between NSA surveillance programs that collect communications "as data flows past" on fiber optic cables and PRISM, which collects communications "directly from the servers" of U.S. Internet companies.
Some have interpreted this to mean that the NSA has "direct access" in a technical sense: automatic, unfettered access to the servers' contents. But in context, "direct" is more likely to mean that the NSA is receiving data sent to it deliberately by the tech companies, as opposed to intercepting communications as they're transmitted to some other destination. That's not inconsistent with tech company lawyers scrutinizing each request before complying with it.
Does that mean there's nothing to worry about?
While the NSA may not have unfettered access to tech companies' servers, there are still serious questions about the breadth of the information the government is collecting, and whether that information is subject to appropriate judicial oversight. FISA orders are not search warrants under the Fourth Amendment, and the FISA Amendments Act doesn't require the government to show probable cause to believe that the target of surveillance has committed a crime.
Defenders of the NSA's activities argue the Fourth Amendment doesn't apply because FISA orders only target non-Americans. Instead of showing probable cause to a judge, Section 702 of FISA allows senior Obama administration officials to "authorize" the "targeting of persons reasonably believed to be located outside the United States." The surveillance may not "intentionally target" an American, but the NSA can obtain the private communications of Americans as part of a request that officially "targets" a foreigner.
The Supreme Court has yet to rule on the constitutionality of these provisions. In February, the Supreme Court threw out a legal challenge to the law because the plaintiffs couldn't prove that they had personally been the target of surveillance. It's not clear whether any of the recent revelations will give FISA opponents enough evidence to convince a court to rule on the program's merits.
FISA only allows targeting of foreigners. That means the government can't use FISA orders to read Americans' e-mails, right?
The "targeting" rule may not protect Americans as much as it might seem. Last week's revelation that the government used an obscure provision of the Patriot Act to obtain records of every phone call on Verizon's network with a single court order suggests that the government is willing to adopt permissive interpretations of the law.
According to the Times, "FISA orders can range from inquiries about specific people to a broad sweep for intelligence, like logs of certain search terms." In one case, an NSA agent "installed government-developed software on the company’s server and remained at the site for several weeks to download data to an agency laptop." In other cases, the government has sought "real-time transmission of data, which companies send digitally."
So a FISA order might "target" a suspected terrorist, but also request access to the private data from all of the target's associates — some of whom might happen to live in the United States.
In its initial report on PRISM, The Washington Post said that NSA analysts use search queries "designed to produce at least 51 percent confidence in a target’s 'foreignness.'" Training materials advise new analysts that "it’s nothing to worry about" if they accidentally collect U.S. content.
And even if the NSA is only collecting foreigners' communications, that doesn't rule out abusive surveillance. For example, the environmental nonprofit organization Greenpeace has been targeted for surveillance by the NSA in the past. The organization is based outside the United States, but it has many U.S. members who might not appreciate having their government spy on its activities.