“When required to comply with these requests, we deliver that information to the U.S. government — generally through secure FTP transfers and in person,” Google said in a statement.
That could include putting data onto a memory disk or external hard drive, or printing out the requested information for a federal official, Google said. FTP, or file transfer protocol, is a popular method for exchanging information between servers with an extra layer of security.
The company’s disclosure of how it handles National Security Agency requests might skirt its obligations to keep data requests secret, experts said. So far in public, the company has fiercely maintained that it has never heard of a secret NSA Internet surveillance program called PRISM, first revealed last week by The Washington Post and the Guardian newspapers.
Those outlets reported on an NSA document that showed the agency has been tapping directly into the servers of nine major U.S. Internet companies in order to track foreign terrorism suspects.
Immediately after PRISM was publicly reported, Google, Facebook, Yahoo, Microsoft and others denied giving the government “direct access” to their servers.
Since then, The Post has reported that executives at some of the participating Silicon Valley companies, who spoke on the condition of anonymity, have acknowledged the program’s existence. According to a NSA inspector general’s report obtained by The Post, PRISM allowed “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations” rather than directly to company servers.
Cybersecurity experts said the news reports put Google and other tech companies in a difficult position because they might not be able to discuss dealings with the NSA.
“I think that the tech companies want to assure the American people that they are playing a role blocking excessive demands for their information,” said Susan Freiwald, a professor of cyber-law and information privacy at the University of San Francisco.
Google, Facebook, Microsoft and Yahoo this week called for the Justice Department to remove gag orders that prevent them from discussing orders under the Foreign Intelligence Surveillance Act. They fear that the secrecy of their involvement in government surveillance requests leads the public to imagine the worst, said Freiwald.
Revelations about Google’s participation are particularly bruising for a firm that has been touted for protecting users’ data.
On Wednesday, Google elaborated on what it is not allowing the government to do.
It says it does not allow the NSA to collect information through a secure portal nor does it put information into a “drop box” for government agents to access. It said it has a team of employees who review every FISA order.
“The US government does not have the ability to pull that data directly from our servers or network,” the Google statement said.
Some technology law experts scoffed at Google’s claims of delivering information by hand. While the government seems to employ various ways of obtaining data, it appears to seek a large amount of information in a format that is searchable, which suggests that its collection from Google, Facebook and others is vast, these experts said.
Officials and former staffers at the tech companies said it would be difficult for the government to place equipment on their servers or directly access them in secret. Too many engineers would know, they say.
“There is obviously a big disconnect between how the NSA is marketing this capability internally and how different companies respond,” said Alan Davidson, a former director of public policy at Google. “Less secrecy would help everyone.”