Last week, the Guardian and Washington Post published several slides from a leaked PowerPoint presentation in their stories about the NSA’s domestic surveillance policies and its PRISM program. Separate from phone carriers, nine internet companies were named in the stories as participants in the PRISM program, and the reporting claimed that the companies provided the NSA with “direct access” to their servers. Many of those companies have since tried to set the record straight and, after corrections to some of the initial reports about the PRISM system, have published statistics on the requests for such data.

Google appealed directly to the Department of Justice, asking the agency to allow the company to disclose details about how it handles national security requests for its users’ data.

Assertions in the press that our compliance with these [Foreign Intelligence Surveillance Act (FISA)] requests gives the U.S. government unfettered access to our users’ data are simply untrue. However, government nondisclosure obligations regarding the number of FISA national security requests that Google receives, as well as the number of accounts covered by those requests, fuel that speculation.

We therefore ask you to help make it possible for Google to publish in our Transparency Report aggregate numbers of national security requests, including FISA disclosures—in terms of both the number we receive and their scope. Google’s numbers would clearly show that our compliance with these requests falls far short of the claims being made. Google has nothing to hide.

While the government ultimately approved release of these statistics, Google and Twitter both declined to publish any of their numbers, citing their disagreement with the government’s restriction on separating the statistics for FISA-related requests from the other categories.

From The Verge:

Google is unsatisfied with the deal that Microsoft and Facebook have made with the US government with regard to publishing how many requests for user information they both receive. Facebook and Microsoft released reports tonight detailing how many requests they got from US government agencies in the second half of 2012 — including FISA requests. The deal, however, comes with strings that Google apparently doesn’t want to be tied to.

There were restrictions put on Facebook and Microsoft’s disclosures that make them fairly useless if you’re interested in determining how many FISA requests have come in. As Microsoft says, it can only include the number of FISA requests it receives so long as it is “aggregated with law enforcement requests from all other U.S. local, state and federal law enforcement agencies; [and] only if the totals are presented in bands of 1,000.” The same rules appear to apply to Facebook, as well.

A Google spokesperson also told The Verge:

We have always believed that it’s important to differentiate between different types of government requests. We already publish criminal requests separately from National Security Letters. Lumping the two categories together would be a step back for users. Our request to the government is clear: to be able to publish aggregate numbers of national security requests, including FISA disclosures, separately.

Twitter followed in agreement with Google, by way of a tweet from its legal director.

Facebook and Microsoft both released statistics Friday.

From SKY News, Facebook’s numbers:

Facebook’s Ted Ullyot said the social networking site received between 9,000 and 10,000 requests from various “government entities” in the last six months of 2012, involving 18,000 to 19,000 of its users’ accounts.

The requests covered issues ranging from missing children to terrorist threats, Mr Ullyot added.

Microsoft said that for the same period it received between 6,000 and 7,000 “criminal and national security warrants, subpoenas and orders” affecting between 31,000 and 32,000 consumer accounts from local, state and federal governmental agencies.

From Softpedia, Microsoft’s numbers:

The Windows maker has been given the go-ahead to publish additional data on national security orders, revealing that it received between 6,000 and 7,000 criminal and national security warrants, subpoenas and orders affecting between 31,000 and 32,000 consumer accounts during the last six months of 2012.

“This afternoon, the FBI and DOJ have given us permission to publish some additional data, and we are publishing it straight away. However, we continue to believe that what we are permitted to publish continues to fall short of what is needed to help the community understand and debate these issues,” Microsoft explained in a statement.

“We are permitted to publish data on national security orders received (including, if any, FISA Orders and FISA Directives), but only if aggregated with law enforcement requests from all other U.S. local, state and federal law enforcement agencies; only for the six-month period of July 1, 2012 thru December 31, 2012; only if the totals are presented in bands of 1,000; and all Microsoft consumer services had to be reported together,” it added.

No follow-up statements have been released yet by the other four companies – Yahoo, Apple, PalTalk and AOL – since the government announced that it would allow the companies to publish their statistics on data requests, with limitations.

Additional information, however, has emerged about one of the companies redacted in a public FISA court opinion, in which the company tried to fight the government’s request. The New York Times now reports that the company was Yahoo.

As did the other companies featured on the PRISM slide, Yahoo initially denied any involvement in the PRISM program when the story first broke.

“Yahoo! takes users’ privacy very seriously. We do not provide the government with direct access to our servers, systems, or network.”

Given that some of the initial claims reported about the PRISM system and the companies’ participation were misleading and confusing, it’s understandable that most of the companies denied the claim. To start, PRISM is a term internal to the government and not something with which the companies would have been familiar. Secondly, the companies do not provide “direct access” to their servers in the sense that was implied in the initial reporting. Rather, they provide access when compelled to do so by law, and they employ a process for doing so in which “direct access” or “directly from the servers” means something quite different from what the news reports implied.

To help put some of the companies’ statements above into context, you’ll need to understand a few of the points that were misleading in the original reporting about the PRISM system. (I make these points in the context of data from the internet companies, not phone providers.)

  • “Direct access to the servers” does not mean directly tapping into all of the companies’ user records.  Companies produce user data for the government when compelled to do so by court order.  To facilitate the process of transferring those records and maximize efficiency, standard procedures that permit direct transfer of that data from a server are typically employed – most commonly, File Transfer Protocol (FTP).  This is an extremely common process for any organization or company that has any need to interface with the machine(s) of another.  If you aren’t technical and don’t know what FTP is, Wikipedia is sufficient.
  • PRISM is the internal government system that handles foreign-intelligence data collected under the Foreign Intelligence Surveillance Act. See the Director of National Intelligence fact sheet on what PRISM is (and isn’t). While the word “program” is often used to describe the broader set of policies under which such a program operates, PRISM is not a computer program. While its name was not commonly known externally, it is not a system that has been entirely withheld from public knowledge – it was conceived in 2007 and 2008 and falls under the review of the judiciary, Congress, and the executive branch.
  • The process of minimization is applied to the records that are collected. Minimization procedures are supposed to filter out any data of specific US citizens that is captured in those records. There are of course controversial points in this, because minimization occurs after the data is already collected, and the search terms “are designed to produce at least 51 percent confidence in a target’s ‘foreignness’.” Which leads many to ask: Is 51 percent an acceptable rate?

In doing some of my own research, I stumbled on this Vanity Fair post that also explains quite a few other points that needed clarification from the original PRISM claims.  If you can suspend suspicion for a moment that any explanations that differ from the original reporting on PRISM must be justifying the NSA’s policies, and instead simply process the basic facts, it’s a helpful post.  (You’ll want to ignore the political swipe at the end of it as well…I did).