Company PRISM Reports Reveal Extent of NSA Requests

Last week, the Guardian and Washington Post published several slides from a leaked PowerPoint presentation in their stories about the NSA’s domestic surveillance policies and its PRISM program.  Separate from phone carriers, nine internet companies were named in the stories as participants in the PRISM program, and the stories claimed that the companies provided the NSA with “direct access” to their servers.  Many of those companies have since tried to set the record straight and, after corrections to some of the initial reports about the PRISM system, have published statistics on the requests for such data.

Google appealed directly to the Department of Justice, asking the agency to allow the company to disclose details about how it handles national security requests for its users’ data.

Assertions in the press that our compliance with these [Foreign Intelligence Surveillance Act (FISA)] requests gives the U.S. government unfettered access to our users’ data are simply untrue. However, government nondisclosure obligations regarding the number of FISA national security requests that Google receives, as well as the number of accounts covered by those requests, fuel that speculation. We therefore ask you to help make it possible for Google to publish in our Transparency Report aggregate numbers of national security requests, including FISA disclosures—in terms of both the number we receive and their scope. Google’s numbers would clearly show that our compliance with these requests falls far short of the claims being made. Google has nothing to hide.

While the government ultimately approved release of these statistics, Google and Twitter both declined to publish any of their numbers, citing their disagreement with the government’s restriction on separating the statistics for FISA-related requests from the other categories.

From The Verge:

Google is unsatisfied with the deal that Microsoft and Facebook have made with the US government with regard to publishing how many requests for user information they both receive. Facebook and Microsoft released reports tonight detailing how many requests they got from US government agencies in the second half of 2012 — including FISA requests. The deal, however, comes with strings that Google apparently doesn’t want to be tied to. There were restrictions put on Facebook and Microsoft’s disclosures that make them fairly useless if you’re interested in determining how many FISA requests have come in. As Microsoft says, it can only include the number of FISA requests it receives so long as it is “aggregated with law enforcement requests from all other U.S. local, state and federal law enforcement agencies; [and] only if the totals are presented in bands of 1,000.” The same rules appear to apply to Facebook, as well.

A Google spokesperson also told The Verge:

We have always believed that it’s important to differentiate between different types of government requests. We already publish criminal requests separately from National Security Letters. Lumping the two categories together would be a step back for users. Our request to the government is clear: to be able to publish aggregate numbers of national security requests, including FISA disclosures, separately.

Twitter followed in agreement with Google, by way of a tweet from its legal director.

Facebook and Microsoft both released statistics Friday.

From Sky News, Facebook’s numbers:

Facebook’s Ted Ullyot said the social networking site received between 9,000 and 10,000 requests from various “government entities” in the last six months of 2012, involving 18,000 to 19,000 of its users’ accounts. The requests covered issues ranging from missing children to terrorist threats, Mr Ullyot added. Microsoft said that for the same period it received between 6,000 and 7,000 “criminal and national security warrants, subpoenas and orders” affecting between 31,000 and 32,000 consumer accounts from local, state and federal governmental agencies.

From Softpedia, Microsoft’s numbers:

The Windows maker has been given the go-ahead to publish additional data on national security orders, revealing that it received between 6,000 and 7,000 criminal and national security warrants, subpoenas and orders affecting between 31,000 and 32,000 consumer accounts during the last six months of 2012. “This afternoon, the FBI and DOJ have given us permission to publish some additional data, and we are publishing it straight away. However, we continue to believe that what we are permitted to publish continues to fall short of what is needed to help the community understand and debate these issues,” Microsoft explained in a statement. “We are permitted to publish data on national security orders received (including, if any, FISA Orders and FISA Directives), but only if aggregated with law enforcement requests from all other U.S. local, state and federal law enforcement agencies; only for the six-month period of July 1, 2012 thru December 31, 2012; only if the totals are presented in bands of 1,000; and all Microsoft consumer services had to be reported together,” it added.

No follow-up statements have been released yet by the other four companies – Yahoo, Apple, PalTalk and AOL – since the government announced that it would allow the companies to publish their statistics on data requests, with limitations.

Additional information, however, has emerged about one of the companies redacted in a public FISA court opinion, in which the company tried to fight the government’s request.  The New York Times now reports that the company was Yahoo.

As did the other companies featured on the PRISM slide, Yahoo initially denied any involvement in the PRISM program when the story first broke.

“Yahoo! takes users’ privacy very seriously. We do not provide the government with direct access to our servers, systems, or network.”

Given that some of the initial claims reported about the PRISM system and the companies’ participation were misleading and confusing, it’s understandable that most of the companies denied the claim.  To start, PRISM is a term internal to the government and not something with which the companies would have been familiar.  Secondly, the companies do not provide “direct access” to their servers in the sense that was implied in the initial reporting.  Rather, they provide access when compelled to do so by law, and they employ a process for doing so in which “direct access” or “directly from the servers” means something much different from what the news reports implied.

To help put some of the companies’ statements above into context, you’ll need to understand a few of the points that were misleading in the original reporting about the PRISM system. (I make these points in the context of data from the internet companies, not phone providers.)

In doing some of my own research, I stumbled on this Vanity Fair post that also explains quite a few other points that needed clarification from the original PRISM claims.  If you can suspend suspicion for a moment that any explanations that differ from the original reporting on PRISM must be justifying the NSA’s policies, and instead simply process the basic facts, it’s a helpful post.  (You’ll want to ignore the political swipe at the end of it as well…I did).
