NSA

Why Are Big Tech Companies Denying Involvement in the NSA's Internet Data Mining Program?

|

credit: manfrys / Foter.com / CC BY-SA

Last night's chilling Washington Post report on the National Security Agency's Internet surveillance program, known as PRISM, said the NSA was collecting information by "directly tapping into the central servers" of nine big U.S. tech companies. It also said that the cooperation of those companies is "essential to PRISM operations."

But several of big companies in question have pushed back on reports of their involvement. "We do not provide any government organization with direct access to Facebook servers," the social network's chief security officer told The Post.

Google released a similar statement denying participation in PRISM earlier today. "We have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a "back door" to the information stored in our data centers. We had not heard of a program called PRISM until yesterday." The statement, which you can read in full on the company's blog, goes on to say that "we provide user data to governments only in accordance with the law."

Yahoo also released a statement saying it does not "provide the government with direct access" to its servers. And Microsoft said: "We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis….If the government has a broader voluntary national security program to gather customer data we don't participate in it."

What's going on here? Why are these companies all denying involvement? The Post offers this possible explanation: "It is possible that the conflict between the PRISM slides and the company spokesmen is the result of imprecision on the part of the NSA author. In another classified report obtained by The Post, the arrangement is described as allowing 'collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,' rather than directly to company servers."

Obviously there's no way to know for sure right now, but I can think of several possibilities. 

The statements the companies have released so far are technically accurate—but the companies are involved anyway. Look at how similar and how carefully worded the responses are. Google, Facebook, and Yahoo all insist they do no provide the government with "direct access" to its servers. So maybe, as The Post suggests, there's sort of middleman (which wouldn't necessarily have to be a person)? Or some sort of mediation? Along these lines, it's worth considering that the companies might be using carefully chosen language because they have either agreed to not reveal the program's existence, or they are legally prohibited from doing so. Note that Microsoft's denial leans heavily on the insistence that it does not voluntarily provide customer information to the government. And Google's statement finishes by saying that "this episode confirms what we have long believed—there needs to be a more transparent approach" and a statement that the company "has worked hard, within the confines of the current laws, to be open about the data requests we receive." That could be a way of saying that the search company wants to reveal more than it has so far. 

The tech companies are involved in an NSA data gathering program, but only a very small number of people in each company knows about the involvement. Participation in a program like the one the PRISM reports describe would probably not be common knowledge within these companies, several of which have thousands of employees. The companies might be denying involvement at this stage because only a very small number of staffers actually know what's going on.

The tech companies are not telling the truth. Just as with the first possibility, it may be that if these are not telling the truth, it is because they have agreed not to, or are restricted (or believe they are restricted) from telling the truth in some way.

The NSA is accessing tech company servers without the knowledge of those companies. This would be somewhat out of character with what we know about the NSA's recent snooping history. We know from a leak earlier this week that the agency currently works with Verizon to collect data on phone records. Reporting from the Bush era indicated the agency worked with several other other telcos as well. As the Post notes, the agency is "accustomed to corporate partnerships that help it divert data traffic or sidestep barriers."

It's possible, of course, that there's some other explanation I haven't noted here. And obviously there are any number of details that might not have been revealed, or could have been overlooked so far that might help clear things up. This is, after all, still a very new story, and there's almost certainly lots more to learn. What we can be more sure of, however, is that even if there are details yet to be uncovered, the gist of the PRISM story is right: Last night, the administration offered a statement that implicitly confirmed the program's existence. We'll have to wait and see to find out if the tech companies reportedly involved ever do the same. 

NEXT: Legal Challenge May Decide Gay Marriage Issue in New Mexico

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. You know that their statements had to have been approved by the government… Which is while the words are so weaslely

    1. I think #3 is probably true: the secret orders contain language requiring secrecy. They may even go so far as to tell the companies what they can and must say.

      However, I think the phrasing suggests that #1 is the case: the NSA doesn’t have “direct access to the servers”, but it only needs to capture all the data channels going in and out. Of course, that means that they have all the information on the servers, since they capture all information sent to or from the servers.

      Finally, it should be noted that – because of a Supreme Court decision – the “tap and trace” data (who you called, when, and where) is NOT private and NO warrant is required to disclose them to government agencies (not just the NSA).

      1. This is likely not true.

        The government doesn’t want to “capture all the data channels going in and out” because it is worthless to them. These companies encrypt all of their connections to the consumer, which means slurping the pipe between them and the user just gets them a bunch of gobbeldygook that they need to then decrypt- which is easy on for an individual, but not so much for billions of sessions.

        More likely these companies have each provided a “drop box” or similar server where data will be left for the gov to pickup. NOW the question is: are these companies dropping off entire swaths of data (like exports of their data stores) or just targeted information. We can be reasonably certain it is the latter, since an “everything” data dump would be so huge as to be prohibitively expensive.

        So I think what you have is a bunch of drop boxes mandated by the government with the companies implementing tech/processes to leave data on them. Now the real question is what initiates the provisioning of that data. NSLs? Court Orders?

        1. They don’t necessarily have to “slurp the pipe.” On each packet is a source and destination IP address. They can filter and decrypt certain subnets. And it’s pretty easy to decrypt if you have the destination’s (Google or Facebook’s) private key somehow. Makes you wonder if the government has actually infiltrated these companies.

        2. I was thinking they may just be dumping logs somewhere. One thing they could do is have a special log daemon for the company that dumps interesting logs off to the NSA, as well.

          Logs, and traces on particular people? If you’ve got logs, you can ramp it up to “people who had contact with x also should be included”

        3. No, it’s not certain targeted information. It’s every email and every phone call. Don’t be gullible.

  2. That’s a nice business you’ve got there. Be a shame if something happened to it. Now here’s what you’re going to say…

    1. Sums it up.

  3. Why Are Big Tech Companies Denying Involvement in the NSA’s Internet Data Mining Program?

    Because they are under orders to deny it?

    1. “Because they are under orders to deny it?”

      Now why use words like that?
      I mean no one is “ordering” you to do anything. We’re here to suggest how we can get a long without any difficulties between us, that’s all.

    2. Because they don’t want their customers to leave, and they don’t want the government to shut them down?

  4. Perhaps the best analysis to date is from Lauren Weinstein, who has been running a privacy mailing list since it was on the old ARPANET.
    http://lauren.vortex.com/archive/001040.html

    1. Isn’t that sort of like asking to be monitored, by signing up for a “privacy mailing list”?

  5. You know who else “leaned on” companies to get them to do the government’s bidding…

  6. Possibility 5: the companies are subject to prosecution and fines under the secret term of their participation contracts if they confirm involvement or issue any statement other than denial.

    1. Or what Aresen said.

  7. The tech companies are involved in an NSA data gathering program, but only a very small number of people in each company knows about the involvement. Participation in a program like the one the PRISM reports describe would probably not be common knowledge within these companies, several of which have thousands of employees. The companies might be denying involvement at this stage because only a very small number of staffers actually know what’s going on.

    This would be one in the same as “not telling the truth”.

    If I call a guy named Ned who works in Google’s AdSense department selling ad space, no he’s not going to know. But the people responsible for communicating with the media, or crafting or vetting the statements before they’re communicated with the media absolutely positively know, period, the end, no more discussion on that matter.

    1. I don’t know, I think PR could easily be intentionally in the dark over something like this. Of course, executives are making statements and I don’t think they are, but last night when it was just denials coming from flacks I didn’t give it much thought.

      1. PR doesn’t speak without top management approving or knowing what’s being said.

        You end with two choices: The top management actually is unaware of corroberation between his IT honchos and the government. If I were in top management and I found this to be true, someone would be fired loudly and publicly.

        Top management do know and let the PR hacks speak without correcting their communication, which = lying.

        I vote A.

        1. Last night I voted lying. Today I’m voting carefully worded weasel statements.

          1. Yeah, it took the lawyers a few hours to approve the wording.

        2. If they’re public companies, making public statements on material matters is kind of a big deal. I too would be very surprised if any official statement was going out from Google et al, without an army of senior executives and outside counsel going over it.

          1. I’m surprised they didn’t just refuse to comment.

  8. The NSA is accessing tech company servers without the knowledge of those companies.

    Not bloody likely.

    The private sector IT space is actually more capable and knowledgeable than the public sector IT space. I guaran-fucking-tee you that if the government were “directly accessing” my servers without telling me, I would know and shut it down.

    If you’re curious about the disparity of knowledge between the private and public sector expertise, there was a book written about the Conficker virus in which a consortium of industry experts got together to discuss a pan-industry strategy to fight the spread of the virus.

    I have not personally read the book, but someone who did described a passage in the book where the leading industry experts had noticed that the government experts were remarkably quiet and provided little input during the meetings. Over time, they came to realize that everything being discussed was so far over their head, they couldn’t contribute anything meaningful to the meetings.

    I believe the book was called Worm by Mark Bowden.

    1. ^^^This.

      I work for a company that has a variety of IT services, and one of the services we provide is to assist businesses with determining where and when and who accessed their servers illegally, and how to close that hole to prevent further problems in the future.

      There are a variety of companies that provide these services. The bigger tech companies already have on staff IT people who can perform this service on their own, and it would be hard to believe a company like Google isn’t one of them.

      There is no WAY these companies aren’t aware if someone is accessing their servers. That’s just not how these businesses work. If they didn’t, they would be quickly out of business.

      1. One of the root problems in the media portrayal of network security (or cyber-security as they frustratingly insist on calling it) is that there is no government standard or central control. Therefore, it is perceived, we are nationally vulnerable to an attack because there’s no central gatekeeper.

        The reality is everyone takes their network security very seriously and its decentralized nature actually makes it stronger.

        Anyone who thinks that modern IT departments don’t sit around thinking of security is woefully ignorant of how this industry works.

        In fact, I always feel we spend too much time thinking about obscure, highly technical security holes, and not enough time thinking about human security.

        What the media never tells you is that when ‘x’ company was ‘hacked’, they weren’t hacked at all. A stranger walked in (either physically or virtually) and asked them for the password, and the hapless dipshit at the front desk gave it to them.

        In fact, now I’m angry. We need to create a new phrase for this phenomenon. I propose we don’t call it ‘getting hacked’, I propose we call it ‘getting dumbassed’.

        Guy 1: Man, what happened to the network last week?

        Guy 1: Oh, a stranger I’ve never met sent me an email asking me for the administrator password, and I gave it to them.

        Guy 2: Dude… you got dumbassed!

        1. Swap guy 1 with guy 2 and.. .you get the idea.

          1. It’s already called “social engineering” in hacker circles. And it’s the first weapon in their arsenal. Why fuck around with brute force hacking when you can just pull a post-it from under someone’s keyboard?

            1. I know, but the media doesn’t understand that term. We used that term back in the 80s. But it hasn’t translated. We need something more punchy. I stand by my suggestion.

              1. You got socked? The so of social and the cked of hacked?

        2. Yep. When we provide server breach remediation 9 times out of 10 the “breach” is simply some dumbass who left his laptop at the airport.

          Very rarely is it due to a server vulnerability.

          1. I always felt that if you could eliminate:

            Marketing/Sales
            Administration/Management

            from all corporate entities, everything IT would run like a top.

            Me back in the 90s: Jesus fuck, what in shit’s name did you do to this laptop? Not only is the screen completely cracked in seven places, but the corner of the base is gone, and eleven keys are missing?

            Sales guy: Huh, didn’t notice that.

            1. Yeah, I have a special loathing for meetings that involve marketing.

              Marketing:”So we want to talk about increasing the synergy between our networks in order to utilize the highest degree of cross-platform opportunities.”

              Me:”You just want me to make you another powerpoint presentation. Just fucking tell me to do it. Why are we having this meeting?”

          2. Paul, Tman,

            Do either of you know what ever became of the SecureID warning from a few years ago? I was reading something like RSA got hacked and lost some data, which may or may not have included tokens + the companies and users associated with them. I read of the brouhaha at the time, then poof! nothing. Just wondering if anything further happened or they dodged a bullet.

        3. “Guy 2: Dude… you got dumbassed!”

          This seems to be a subset of social engineering.

          1. Has a better ring than “You got socially engineered” and it’s more accurate than “You got hacked!”

        4. It’s called phishing.

          1. Kind of. To me, and old IT dinosaur who was using the term “social engineering” I think… as far back as 1986? Anyhoo, ‘phishing’ to me is more of a subset of social engineering.

        5. In fairness, Paul. I don’t think that either the public or private sectors are homogeneous in terms of capability.

          There are more than a few very popular “business” online service providers who have taken VC money, launched services and don’t demonstrate any appreciate of even the basis of good(or even passable) information security practices.

          In general, though I do think the private sector does a better job on average.

  9. What do Feinstein, Rogers, and Shriek have in common? They are all statist pieces of shit. In to the furnace with these cocksuckers.

    1. All three are eternally sworn to the statist ideal of “a boot stamping on a human face, forever”…?

  10. Another possibility is that tech companies (like other private enterprises) are more responsive to and care more about their customers’ interests than any government agency ever will.

    Send a letter to the manager at your local neighborhood McDonalds complaining about the service and send another letter to your local DMV complaining about the service, and I guarantee the response you get from McDonalds will be a lot better than the one you get from the DMV.

    This may just be another example of the same principle. Tech companies profits depend on serving their customers interests, and it’s a distinct possibility–possibility, mind you–that Google, et. al. don’t want to alienate their customers and made it clear they would fight something like that. We know how it was important to the Obama Administration, apparently, to keep this all secret.

    It’s the regulated telcos that look like they’d be the weak link, here.

    1. Telcos and ISPs might be the more useful “back door” to have, anyway, if the government truly wants to capture everything.

      However, my vote is that the companies are technically telling the truth, but not disclosing everything.

    2. It’s the regulated telcos that look like they’d be the weak link, here.

      That’s why the solution is to get everyone else regulated.

      1. As I said above, catching the telco doesn’t help as much as people think.

        When your computer sends most personal (i.e. interesting) stuff to google, it is encrypted. The government can intercept it but have to decrypt in order to use it. That is doable on an individual basis. But billions of connections is prohibitive. They want to get the data where it is stored, unencrypted.

        1. But billions of connections is prohibitive. They want to get the data where it is stored, unencrypted.

          Right click facebook pics – save as.

        2. Monitor port from internal switches leading to NSA closet at hosting providers? What if the dates on the graph aren’t when the company signed on, but when they got sufficient ports on internal switches to monitor most of what they wanted?

      2. It does seem to be Obama’s standard proposal for everything, doesn’t it?

        Obvious! Google and Yahoo need some regulatin’!

        Us free people thinkin’ we can just call and talk to whomever we want, and there’s no reason for the government to ever get involved?

        We’re no different from Google and Yahoo either. We’re no different from the investment banks. We’re no different from the healthcare industry. Anything and everything is better with a little ObamaRegulation, and more is better.

        Everybody that doesn’t think so is a stupid Tea Party redneck, who probably needs the IRS to pay some special attention to ’em. Do a little regulatin’!

        But you people just go ahead with your phone conversations. It’s just the Obama watchin’ He’s just doin’ a little regulatin’.

  11. I doubt it’s the “small number of people at the company know” excuse, because the people doing the public denials are pretty high up.

    1. That seems to be a big difference between private industry and government, too:

      When somebody screws up in a company, the CEO is usually quick to step up and take responsibility–sometimes even when it wasn’t really his fault.

      When a government entity like the IRS screws up, they always seem to blame it on the people at the bottom or the periphery, somewhere, claiming that the guy at the top of the pyramid can’t possibly be responsible.

      It was coming out of the Cincinnati office! I just run this organization; I don’t actually know what’s going on!

      If the CEO of a private company said something like that, the stock would immediately take a hit, and within ten minutes, the Board of Directors would be on the horn to the executive search firm.

      1. The first rule of the private industry is that as you climb the ladder, you delegate tasks, not responsibility. This is not true in government.

  12. US POlitics, best politics money can buy lol.

    http://www.AnonStuff.tk

  13. Another, related possibility. The NSA operates pretty much like a Bond villain. People are scared of the NSA. You can go to court to fight with the IRS. The NSA? Not so much.

    It is an extremely secretive organization, and it has no accountability to anything or anyone but the Executive and his whims, and that’s not clear, either.

    Now what they do probably has to be done in secret. But that leaves the problem of accountability. I don’t know whether these can ever be reconciled.

  14. Why Are Big Tech Companies Denying Involvement in the NSA’s Internet Data Mining Program?

    Because Obama is so dreamy! I mean, what he’s requiring us to do couldn’t be bad, now. Couldn’t it be?

Please to post comments

Comments are closed.