The conflict between the PRISM document and the company statements could be the result of imprecision by the author of the NSA documents. Another classified report obtained by The Post described the arrangement as allowing “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than direct access to company servers.
Technology and security experts offered other explanations, with some arguing that the firms had carefully crafted their denials to leave open the possibility that they had participated in PRISM in some way. Several noted the similarity in the language of the company statements.
Nearly all of the companies cited in the NSA documents said the government does not have “direct access” to their servers. But that leaves open the possibility that the government has indirect access to their technology, security experts said.
In response to such comments, Yahoo elaborated on its earlier stance in a statement Friday.
“We also want to reassure you that we do not provide the government with access — direct or indirect — to our servers,” a Yahoo spokesperson wrote in an e-mail.
Facebook said that it carefully scrutinizes information requests by the federal authorities and would “provide information only to the extent required by law,” language that was echoed by Google, Microsoft and Apple. That could include the PRISM program, which was likely authorized under the FISA Amendments Act, passed by Congress in 2008.
Apple stated that “we have never heard of PRISM,” and several other firms made nearly identical statements. Yet the analysts said the fact that companies haven’t heard the name PRISM does not mean much. The NSA may have used a different code name in its interactions with participating companies.
In addition, if the NSA asked for data from a company, it is likely only a few officials would know of the request — and those employees would be barred from disclosing that information.
Other technology experts said the government could be scooping up the data after it leaves a company’s servers and travels across Internet networks.
When traveling across those pipes, the data is often encrypted, and a company could fulfill a government request by handing over the encryption keys to that data, said Peter Eckersley, the technology projects director at the privacy advocacy group Electronic Frontier Foundation.
“The companies’ denials are all deniable denials because each one of them contains loopholes of various cleverness that don’t address how they might have a transform mechanism for large amounts of user data to the NSA,” he said.
But the existence of PRISM appeared to baffle senior executives at the companies.
Google chief executive Larry Page wrote a blog post Friday titled “What the . . .?” He wrote that the world’s biggest search engine and e-mail provider has “not joined any program that would give the U.S. government — or any other government — direct access to our servers . . . or a ‘back door’ to the information stored in our data centers.”
He added: “We understand that the U.S. and other governments need to take action to protect their citizens’ safety — including sometimes by using surveillance. But the level of secrecy around the current legal procedures undermines the freedoms we all cherish.”
Facebook chief executive Mark Zuckerberg on Friday called reports of the company’s participation in PRISM “outrageous.” (Washington Post Chairman Donald Graham is a member of Facebook’s board).
“I want to respond personally to the outrageous press reports about PRISM,” Zuckerberg wrote on his Facebook page. “We have never received a blanket request or court order from any government agency asking for information or metadata in bulk,” he added.
The strong response by Silicon Valley firms highlighted their often contentious relationships with federal officials. Much is at stake for U.S. Internet firms who are counting on future growth from overseas markets.
“We still don’t know exactly how data is being collected, and the details will matter a lot,” said Alan Davidson, a visiting scholar at MIT’s Sloan School of Management and former head of Google public policy for the Americas.
Davidson added that Google was keenly aware of the importance of privacy to its users. When it received court-ordered requests from the authorities for data, the company often fought back and successfully reduced what it would hand over, he said.
“Trust is essential to the brand, and broad government access raises serious trust issues globally,” Davidson said.
Timothy Lee contributed to this report.