For the last several years, the National Security Agency has been reportedly spying on the searches, emails, and file transfers of Americans using a program called Prism—which tapped directly into the servers used by Apple, Google, Microsoft, and others.
The program was revealed Thursday in separate stories from the Washington Post and The Guardian, which earlier revealed that the NSA had worked with Verizon to monitor the metadata of millions of phone calls made by Americans.
The news stories brought to light a top-secret 41-page PowerPoint document detailing the Prism surveillance program and the tech companies involved. The program has grown rapidly larger over the last several years and is still growing, according to The Guardian’s report.
The list of companies that the paper alleges participated in the Prism program reads like a Who’s Who of Silicon Valley: in 2007, the document alleges, Microsoft was the first to participate. Yahoo joined in 2008. Others followed in quick succession: Google in 2009, then AOL, Apple, Facebook, PalTalk, Skype, and YouTube in October 2012.
Infographic: Which tech companies are looking out for your privacy?
Some of the tech companies named in the Guardian and Washington Post stories are denying the allegations. Google denied involvement with the Prism program in the Guardian report.
“We disclose user data to government in accordance with the law, and we review all such requests carefully,” a Google spokesperson wrote in a note to us Thursday afternoon. “From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a ‘back door’ for the government to access private user data.”
Facebook and Apple have also stated that they did not provide the government with direct access to their servers.
Update: The Guardian later on Thursday published a story that reported that “senior executives from the internet companies expressed surprise and shock and insisted that no direct access to servers had been offered to any government agency.”
The Electronic Freedom Foundation (EFF) says the tech companies are playing word games. “If you read the denials coming from the tech companies, they are carefully worded and really amount to non-denials,” EFF staff attorney Nate Cardozo told us Thursday afternoon. “They all are saying that they didn’t provide direct access to the servers, but what they are probably doing is providing access to the data via an API, which would be indirect.”
“Somebody somewhere in these companies knew that this was going on,” Cardozo says.
Data that could be examined
The amount of data the NSA can access includes email, video and voice chat, videos, photos, voice-over-IP (Skype, for example) chats, file transfers, social networking details, and more, the paper reported.
Perhaps the most important aspect of the report, however, is the fact that the NSA reportedly tapped into the servers of the providers themselves—with or without their knowledge, if the Washington Post and Guardian reports are true.
The Guardian also reported that no court orders were needed, and that the agency could dip into the servers of Google and others both to monitor real-time communication as well as to pull out archived data.
“The presentation claims Prism was introduced to overcome what the NSA regarded as shortcomings of FISA warrants in tracking suspected foreign terrorists,” the report said.
The surveillance activities used in the Prism program may be based on provisions in the FISA Amendments Act of 2008, which authorizes the government to monitor electronic communications if one of the communicating parties is believed to be outside the U.S. Critics say the law allows for the warrantless surveillance of electronic communications such as email and phone calls, of not only foreigners but U.S. citizens. An ACLU lawsuit challenging the law’s constitutionality was dismissed 5-4 by the Supreme Court last February.
“If the Washington Post story checks out, what they [the NSA and FBI] did is illegal,” EFF’s Cardozo says. “The FISA Amendments Act was not meant to authorize anything of this scope.”
The Guardian’s report also noted that the U.S. has a “home-field advantage” due to housing much of the internet’s architecture. But the presentation claimed that “FISA constraints restricted our home-field advantage” because the law required individual warrants and confirmations that both the sender and receiver of a communication were outside the U.S.”