
Company PRISM Reports Reveal Extent of NSA Requests


Last week, the Guardian and Washington Post published several slides from a leaked PowerPoint presentation in their stories about the NSA’s domestic surveillance policies and its PRISM program. Separate from phone carriers, nine internet companies were named in the stories as participants in the PRISM program, and the reporting claimed that companies provided the NSA with “direct access” to their servers. Many of those companies have since tried to set the record straight and, after corrections to some of the initial reports about the PRISM system, have published statistics on the requests for such data.

Google appealed directly to the Department of Justice, asking the agency to allow the company to disclose details about how it handles national security requests for its users’ data.

Assertions in the press that our compliance with these [Foreign Intelligence Surveillance Act (FISA)] requests gives the U.S. government unfettered access to our users’ data are simply untrue. However, government nondisclosure obligations regarding the number of FISA national security requests that Google receives, as well as the number of accounts covered by those requests, fuel that speculation.

We therefore ask you to help make it possible for Google to publish in our Transparency Report aggregate numbers of national security requests, including FISA disclosures—in terms of both the number we receive and their scope. Google’s numbers would clearly show that our compliance with these requests falls far short of the claims being made. Google has nothing to hide.

While the government ultimately approved release of these statistics, Google and Twitter both declined to publish any of their numbers, citing their disagreement with the government’s restriction on separating the statistics for FISA related requests from the other categories.

From The Verge:

Google is unsatisfied with the deal that Microsoft and Facebook have made with the US government with regard to publishing how many requests for user information they both receive. Facebook and Microsoft released reports tonight detailing how many requests they got from US government agencies in the second half of 2012 — including FISA requests. The deal, however, comes with strings that Google apparently doesn’t want to be tied to.

There were restrictions put on Facebook and Microsoft’s disclosures that make them fairly useless if you’re interested in determining how many FISA requests have come in. As Microsoft says, it can only include the number of FISA requests it receives so long as it is “aggregated with law enforcement requests from all other U.S. local, state and federal law enforcement agencies; [and] only if the totals are presented in bands of 1,000.” The same rules appear to apply to Facebook, as well.

A Google spokesperson also told The Verge:

We have always believed that it’s important to differentiate between different types of government requests. We already publish criminal requests separately from National Security Letters. Lumping the two categories together would be a step back for users. Our request to the government is clear: to be able to publish aggregate numbers of national security requests, including FISA disclosures, separately.

Twitter followed in agreement with Google, by way of a tweet from its legal director.

Facebook and Microsoft both released statistics Friday.

From SKY News, Facebook’s numbers:

Facebook’s Ted Ullyot said the social networking site received between 9,000 and 10,000 requests from various “government entities” in the last six months of 2012, involving 18,000 to 19,000 of its users’ accounts.

The requests covered issues ranging from missing children to terrorist threats, Mr Ullyot added.

Microsoft said that for the same period it received between 6,000 and 7,000 “criminal and national security warrants, subpoenas and orders” affecting between 31,000 and 32,000 consumer accounts from local, state and federal governmental agencies.

From Softpedia, Microsoft’s numbers:

The Windows maker has been given the go-ahead to publish additional data on national security orders, revealing that it received between 6,000 and 7,000 criminal and national security warrants, subpoenas and orders affecting between 31,000 and 32,000 consumer accounts during the last six months of 2012.

“This afternoon, the FBI and DOJ have given us permission to publish some additional data, and we are publishing it straight away. However, we continue to believe that what we are permitted to publish continues to fall short of what is needed to help the community understand and debate these issues,” Microsoft explained in a statement.

“We are permitted to publish data on national security orders received (including, if any, FISA Orders and FISA Directives), but only if aggregated with law enforcement requests from all other U.S. local, state and federal law enforcement agencies; only for the six-month period of July 1, 2012 thru December 31, 2012; only if the totals are presented in bands of 1,000; and all Microsoft consumer services had to be reported together,” it added.

No follow-up statements have been released yet by the other four companies – Yahoo, Apple, PalTalk and AOL – since the government announced that it would allow the companies to publish their statistics on data requests, with limitations.

Additional information, however, has emerged about one of the companies redacted in a public FISA court opinion, in which the company tried to fight the government’s request. The New York Times now reports that the company was Yahoo.

As did the other companies featured on the PRISM slide, Yahoo initially denied any involvement in the PRISM program when the story first broke.

“Yahoo! takes users’ privacy very seriously. We do not provide the government with direct access to our servers, systems, or network.”

Given that some of the initial claims reported about the PRISM system and the companies’ participation were misleading and confusing, it’s understandable that most of the companies denied the claim. To start, PRISM is a term internal to the government and not something with which the companies would have been familiar. Secondly, the companies do not provide “direct access” to their servers in the context that was implied in the initial reporting. Rather, they provide access when compelled to do so by law, and they employ a process for doing so in which “direct access” or “directly from the servers” is a context that is much different from that in the news reports.

To help put some of the companies’ statements above into context, you’ll need to understand a few of those points that were misleading in the original reporting about the PRISM system. (I make these points in the context of data from the internet companies, not phone providers).

  • “Direct access to the servers” does not mean directly tapping into all of the companies’ user records.  Companies produce user data for the government when compelled to do so by court order.  To facilitate the process of transferring those records and maximize efficiency, standard procedures that permit direct transfer of that data from a server are typically employed – most commonly, File Transfer Protocol (FTP).  This is an extremely common process for any organization or company that has any need to interface with the machine(s) of another.  If you aren’t technical and don’t know what FTP is, Wikipedia is sufficient.
  • PRISM is the internal government system that handles foreign-intelligence data collected under the Foreign Intelligence Surveillance Act.  See the Director of National Intelligence fact sheet on what PRISM is (and isn’t).  While the word “program” is often used to describe the broader set of policies under which such a program operates, PRISM is not a computer program.  While its name was not commonly known externally, it is not a system that has been entirely withheld from public knowledge – it was conceived in 2007 and 2008 and falls under the review of judiciary, Congress, and the executive branch.
  • The process of minimization is applied to the records that are collected. Minimization procedures are supposed to filter out any data of specific US citizens that is captured in those records. There are of course controversial points in this, because minimization occurs after the data is already collected, and the search terms “are designed to produce at least 51 percent confidence in a target’s ‘foreignness’.” Which leads many to ask: Is 51 percent an acceptable rate?

In doing some of my own research, I stumbled on this Vanity Fair post that also explains quite a few other points that needed clarification from the original PRISM claims.  If you can suspend suspicion for a moment that any explanations that differ from the original reporting on PRISM must be justifying the NSA’s policies, and instead simply process the basic facts, it’s a helpful post.  (You’ll want to ignore the political swipe at the end of it as well…I did).


Comments

These are publicly traded companies and the failure to disclose this information prior to the NSA leaks should be reason enough for an SEC investigation. If stock prices go down there needs to be share holder law suits.

We therefore ask you to help make it possible for Google to publish in our Transparency Report … Their “transparency report?” Hahahahahaha!

Here’s all you need to know about Google: In 2012, Google executive chairman Eric Schmidt recruited, coached, and strategized technology for the Obama campaign. Businessweek says Schmidt is now “investing millions to fund a consulting firm for businesses staffed by Obama’s former data analytics team.”

In other words, Google feeds OFA at will, but is scrupulous about what it gives the NSA!

I can’t tell you what I do or who I do it for, but I have some background here:

How this often works is someone violates the terms of use for the company’s network (that thing you said you read and clicked through) and the company turns the perp in to the FBI- and that is what is being referenced. Kiddie porn is a good example of this- and these companies work very closely with law enforcement to catch those sleazeballs.

So far as carte blanche access to servers…I’m dubious. While the NSA is very good at what they do, they are not good enough to avoid tripping the standard security protocols- also there are enough free thinking individuals who work at these companies, that you would hear about it.

What I think is more probable for domestic spying is tapping the fiber at various points in places that are not well protected or easily obfuscated and listening in- not unlike the guy climbing the telephone pole.

While fiber is hard to tap- that would be the point of weakness in my view. Also they can tap that w/out being on US soil and catch a lot of US data. Remember- your data can be in any server farm in the world.

If all this was true, then they wouldn’t need yottabytes of storage, maybe a few petabytes would be more than sufficient, but the storage equivalent of what a thousand internets just to store the data of a few thousand criminals? That doesn’t pass the laugh test. They have to be lying, just like when they lied to congress about storing “phone records”. There is no explanation for it other than Snowden is telling the truth and the NSA has gone rogue.

    Keep in mind, this post refers only to the data they’re collecting from internet companies. It doesn’t include the phone records – those are the ones with the blanket FISA orders for all customers, and that would be a lot of the data that factors into that storage you’re questioning.

      imfine in reply to Mandy Nagy. | June 16, 2013 at 10:57 pm

      I have done data warehousing for most of my professional career including telephone companies. I know for a fact that storing metadata for the entire world’s phone records would not take a yottabyte, I doubt an entire year would take a petabyte. This doesn’t get us anywhere near the storage capacity they have requisitioned. That’s how we know they are lying.

        Andy in reply to imfine. | June 17, 2013 at 12:51 am

        Agree. Americans need to rethink how much of their lives they willingly put on the grid, how many purchases they make with plastic, use of social networking and even club cards for grocery stores.

        Social programming vis a vis that data is just around the corner, and in many cases is already here.

        The sheeples will go along willingly and will ambitiously sell their liberty to save 3 cents a gallon on every 10th tank of gas.

“If all this was true, then they wouldn’t need yottabytes of storage” They have never said they do. That is a number arrived at via rectal extraction by people making guesses and then extrapolating. It is all speculation. First an assumption was made that the building would be used purely for storage. Then an attempt was made to show how much storage would fit in there. Then you get yottabytes. Of course, that data center might not be dedicated at all to storage. Or it may not be dedicated to storage of anything that goes on in the US at all. The NSA is focused outward. They monitor communications globally. They are not focused on domestic communications, that is the responsibility of the FBI.

Who is to say that data center in Utah won’t be used by many different government agencies as a secure data center for government systems protected by NSA from intrusion? The computers in there might not even belong to NSA.

A lot of this hype is borne out of people building on urban legend and conventional wisdom that have no idea what they are talking about. Much of it comes from a Mr. William Binney who has an axe to grind.

Of those user accounts that had information requested, how many of them were US citizens? MSN and Facebook serve people globally. Terrorist organizations around the world are increasingly turning to social media to recruit and stay networked. Did anyone say those accounts were US citizens? No. People just jump to that conclusion.

Know how Twitter handles it? They simply turn over every single tweet people ever make to the US government, even the ones you have deleted. Government has them all. Every single one. You make a public tweet, it is PUBLIC, baby.

BannedbytheGuardian | June 17, 2013 at 1:55 am

With the ‘revelations’ that NSA was tapping all the delegates at the 09 G20 especially Medvedev – the upcoming G8 is going to be wry.

Putin is gonna be ready for some dry quips. He is already saying David Cameron loves cannibals.