Why Are Big Tech Companies Denying Involvement in the NSA's Internet Data Mining Program?


credit: manfrys / Foter.com / CC BY-SA

Last night's chilling Washington Post report on the National Security Agency's Internet surveillance program, known as PRISM, said the NSA was collecting information by "directly tapping into the central servers" of nine big U.S. tech companies. It also said that the cooperation of those companies is "essential to PRISM operations."

But several of big companies in question have pushed back on reports of their involvement. "We do not provide any government organization with direct access to Facebook servers," the social network's chief security officer told The Post.

Google released a similar statement denying participation in PRISM earlier today. "We have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a "back door" to the information stored in our data centers. We had not heard of a program called PRISM until yesterday." The statement, which you can read in full on the company's blog, goes on to say that "we provide user data to governments only in accordance with the law."

Yahoo also released a statement saying it does not "provide the government with direct access" to its servers. And Microsoft said: "We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis….If the government has a broader voluntary national security program to gather customer data we don't participate in it."

What's going on here? Why are these companies all denying involvement? The Post offers this possible explanation: "It is possible that the conflict between the PRISM slides and the company spokesmen is the result of imprecision on the part of the NSA author. In another classified report obtained by The Post, the arrangement is described as allowing 'collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,' rather than directly to company servers."

Obviously there's no way to know for sure right now, but I can think of several possibilities. 

The statements the companies have released so far are technically accurate—but the companies are involved anyway. Look at how similar and how carefully worded the responses are. Google, Facebook, and Yahoo all insist they do no provide the government with "direct access" to its servers. So maybe, as The Post suggests, there's sort of middleman (which wouldn't necessarily have to be a person)? Or some sort of mediation? Along these lines, it's worth considering that the companies might be using carefully chosen language because they have either agreed to not reveal the program's existence, or they are legally prohibited from doing so. Note that Microsoft's denial leans heavily on the insistence that it does not voluntarily provide customer information to the government. And Google's statement finishes by saying that "this episode confirms what we have long believed—there needs to be a more transparent approach" and a statement that the company "has worked hard, within the confines of the current laws, to be open about the data requests we receive." That could be a way of saying that the search company wants to reveal more than it has so far. 

The tech companies are involved in an NSA data gathering program, but only a very small number of people in each company knows about the involvement. Participation in a program like the one the PRISM reports describe would probably not be common knowledge within these companies, several of which have thousands of employees. The companies might be denying involvement at this stage because only a very small number of staffers actually know what's going on.

The tech companies are not telling the truth. Just as with the first possibility, it may be that if these are not telling the truth, it is because they have agreed not to, or are restricted (or believe they are restricted) from telling the truth in some way.

The NSA is accessing tech company servers without the knowledge of those companies. This would be somewhat out of character with what we know about the NSA's recent snooping history. We know from a leak earlier this week that the agency currently works with Verizon to collect data on phone records. Reporting from the Bush era indicated the agency worked with several other other telcos as well. As the Post notes, the agency is "accustomed to corporate partnerships that help it divert data traffic or sidestep barriers."

It's possible, of course, that there's some other explanation I haven't noted here. And obviously there are any number of details that might not have been revealed, or could have been overlooked so far that might help clear things up. This is, after all, still a very new story, and there's almost certainly lots more to learn. What we can be more sure of, however, is that even if there are details yet to be uncovered, the gist of the PRISM story is right: Last night, the administration offered a statement that implicitly confirmed the program's existence. We'll have to wait and see to find out if the tech companies reportedly involved ever do the same.