“What the …?”

That’s the headline on a blog post by Google CEO Larry Page and legal chief David Drummond today, denying involvement in a government program called PRISM that allegedly gave the U.S. government broad access to tech company servers for purposes of U.S. intelligence gathering. They wrote, in part …

“First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday.

“Second, we provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process. Press reports that suggest that Google is providing open-ended access to our users’ data are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.”

Facebook CEO Mark Zuckerberg addressed the issue in a post a short time ago on the social network, calling the press reports about Facebook’s involvement “outrageous.”

“Facebook is not and has never been part of any program to give the US or any other government direct access to our servers. We have never received a blanket request or court order from any government agency asking for information or metadata in bulk, like the one Verizon reportedly received. And if we did, we would fight it aggressively. We hadn’t even heard of PRISM before yesterday.”

Microsoft, which was reportedly the first to join the program, also stood by its statement from yesterday:

“We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don’t participate in it.”

President Obama today addressed questions about the program, saying that it collects information about communications — commonly known as metadata — but still requires court approval to go further. “Nobody is listening to your telephone calls,” without approval from a federal judge, he said.

This commentary by ACLU officials on the Reuters news service explains how metadata is still a rich vein of information.

Obama also said the program focuses on foreign communications passing through U.S. service providers, and doesn’t target U.S. citizens or people who live in the country. The program is subject to Congressional and judicial oversight, he said, noting that it has been repeatedly approved by members of both parties in Congress.

At this point it’s tough to square the denials with the reports by the Washington Post and the Guardian that uncovered the program.

[Update: The New York Times has more on this topic, detailing talks between government officials and many of the tech companies. From the piece …

In at least two cases, at Google and Facebook, one of the plans discussed was to build separate, secure portals, like a digital version of the secure physical rooms that have long existed for classified information, in some instances on company servers. Through these online rooms, the government would request data, companies would deposit it and the government would retrieve it, people briefed on the discussions said. …

The data shared in these ways, the people said, is shared after company lawyers have reviewed the FISA request according to company practice. It is not sent automatically or in bulk, and the government does not have full access to company servers. Instead, they said, it is a more secure and efficient way to hand over the data.]

The Post cited confidential documents showing that the NSA and FBI “are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets.”

The documents described the process as, “Collection directly from the servers of these U.S. Service Providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.”

One possibility is that the people issuing the statements at these companies have been kept in the dark by key executives involved in the program, to give them plausible deniability. But the public statements by Page and Zuckerberg work against that theory. Certainly the CEOs would know about a program such as this … wouldn’t they?

ABC News has more on the topic, quoting experts who say the companies’ statements may be carefully worded to, for example, deny “back door” access but not other forms of data sharing. But that would be a highly risky move for the companies, and the latest statements from Google and Facebook come off as categorical denials.

In any event, there’s no question that it’s unsettling.

“I think all of us are experiencing this huge holy crap moment,” said Christopher Budd of security firm Trend Micro, a GeekWire contributor who worked for a decade on Microsoft’s Security Response team. “It’s like there was nothing there, nothing there, and then overnight this giant intelligence gathering apparatus appeared in our front yard.”

Once the shock passes, he said, the public view of the situation will probably depend on two things: 1) The level of protections in place, and the degree of transparency from here on out; and 2) whether or not this previously secret program has actually been effective.
