I wasn’t going to talk about the current fuss around PRISM, but the speed with which conjecture, rumour and some (good) newspaper investigative work have turned into ‘fact’ and ‘truth’ online makes this worth addressing.
The conjecture may be correct. The NSA, the FBI, TLA and ETLA might be plugged right into the data centres of the internet’s giants, slurping down your messages, searches and calls. If they are, that’s potentially serious. But we don’t actually know that they are, yet. Until then, reporters, bloggers, analysts and pundits are speculating and considering implications. That’s a good and useful thing to do. But they really need to stop suggesting that they’re reporting facts.
Whether PRISM turns out to be as wide-ranging as suggested or not, a lot of confusion is being caused by misinformed, malicious or badly phrased speculation. There is rarely smoke without fire, but real damage is being done here. As David Meyer notes in a piece for GigaOM this morning,
“All of this is likely to prove very problematic indeed for U.S. cloud firms trying to push further into the European market.
Imagine you’re a European government wanting to move your IT systems into the cloud. For some, nationalism and protectionism already come into play at this point – witness the French (of course) and the two national clouds that they have under development.
Now imagine you’re a U.S. firm trying to drum up business in that context. You can say you have an EU data center and you’re even willing to set up a mini-cloud in the country, just to put everyone’s mind at rest. You can say it and you can mean it, but can you really be surprised when you get laughed at because everyone now sees U.S. internet companies as being in league with the NSA? Even if you’re Amazon, which isn’t part of PRISM, you have a problem.” (my emphasis)
Most countries around the world have a legal means to access data stored on servers operating on their soil. The degree of judicial oversight – or evidence – required varies widely from one country to the next, but it is widely accepted that law enforcement agencies should be able to gain access to data under certain circumstances. It was also widely believed that this doesn’t actually happen terribly often.
Alleged information on PRISM obtained by The Guardian would suggest that this programme is able to go much further;
“Companies are legally obliged to comply with requests for users’ communications under US law, but the PRISM program allows the intelligence services direct access to the companies’ servers.”
The piece continues,
“The PRISM program allows the NSA, the world’s largest surveillance organisation, to obtain targeted communications without having to request them from the service providers and without having to obtain individual court orders.
With this program, the NSA is able to reach directly into the servers of the participating companies and obtain both stored communications as well as perform real-time collection on targeted users.”
Over in the States, the Washington Post makes even more extreme claims;
“The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets, according to a top-secret document obtained by The Washington Post.” (my emphasis)
Companies such as Google and Apple, originally accused of active cooperation, were quick to issue carefully worded denials, explicitly challenging the “direct access to… servers” claim. The New York Times, at least, is being careful;
“The New York Times has not confirmed the authenticity of the documents, and several of the Internet companies issued statements strongly denying knowledge of or participation in the program.” (my emphasis)
Elsewhere, headlines, ‘news’ and editorials leap gleefully into the melee, proclaiming that government agencies are ‘lying,’ warning that data is being read by the NSA and FBI, accusing tech firms of collusion, and worse.
I don’t know the extent to which the powers attributed to PRISM are real. I also don’t know how often — if ever — they’ve actually been used. Nor do most of the others commenting so knowledgeably on this story. Just bear that in mind, as you read what they write.