America, here's hoping you've had enough time to come to terms with the National Security Agency scooping up all of your metadata pertaining to all of the phone calls you've been making with Verizon, because here comes the next fun news about the government's far-reaching panopticon of total information surveillance, courtesy of Barton Gellman and Laura Poitras of The Washington Post:
The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio, video, photographs, e-mails, documents and connection logs that enable analysts to track a person’s movements and contacts over time.
The highly classified program, code-named PRISM, has not been disclosed publicly before. Its establishment in 2007 and six years of exponential growth took place beneath the surface of a roiling debate over the boundaries of surveillance and privacy. Even late last year, when critics of the foreign intelligence statute argued for changes, the only members of Congress who know about PRISM were bound by oaths of office to hold their tongues.
The Washington Post obtained "briefing slides" from an "internal presentation on the Silicon Valley operation, intended for senior analysts in the NSA’s Signals Intelligence Directorate," from a "career intelligence officer" who cited "firsthand experience with these systems, and horror at their capabilities," as the reason for the disclosure. These materials described PRISM as "the most prolific contributor to the President's Daily Brief" and the NSA's "leading source of raw material, accounting for nearly 1 in 7 intelligence reports." The Post goes on to report that while PRISM allows the NSA to collect "anything it likes" from the available data, it is in practice not utilized as a "dragnet" per se:
Analysts who use the system from a Web portal at Fort Meade key in “selectors,” or search terms, that are designed to produce at least 51 percent confidence in a target’s “foreignness.” That is not a very stringent test. Training materials obtained by the Post instruct new analysts to submit accidentally collected U.S. content for a quarterly report, “but it’s nothing to worry about.”
One may nevertheless worry about this thing that is "nothing to worry about."
Gellman and Poitras include a detailed history of the PRISM program, along with an explanation of how the system works and the extent to which the technology companies involved offer "resistance" to the data mining, so go read the whole thing.
The Guardian, which broke the story Wednesday about the NSA's relationship with Verizon, follows upon the Washington Post Thursday evening with a report "verifiy[ing] the authenticity" of the slides presentation. The Guardian reports that "several senior tech executives" have "insisted that they had no knowledge of PRISM or of any similar scheme." According to one: "If they are doing this, they are doing it without our knowledge."
Some of the world's largest internet brands are claimed to be part of the information-sharing program since its introduction in 2007. Microsoft -– which is currently running an advertising campaign with the slogan "Your privacy is our priority" -– was the first, with collection beginning in December 2007.
It was followed by Yahoo in 2008; Google, Facebook and PalTalk in 2009; YouTube in 2010; Skype and AOL in 2011; and finally Apple, which joined the program in 2012. The program is continuing to expand, with other providers due to come online.
Many of the tech companies have, predictably, offered denials. An Apple spokesperson told CNBC's Eamon Javers, "We have never heard of PRISM," adding, "We do not provide any government agency with direct access to our servers."
Javers reported a similar (by which I mean the exact same) denial from Facebook: "We do not provide any government organization with direct access to Facebook servers."
Facebook continues: "When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law."
Google's denial was given to both The Guardian and The Washington Post: "Google cares deeply about the security of our users' data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government 'back door' into our systems, but Google does not have a back door for the government to access private user data."
Valleywag editor Sam Biddle counters thusly:
Yo, everyone: if a tech PR flack replies to your emailing saying they don't know about PRISM, that doesn't mean shit.
— Sam Biddle (@samfbiddle) June 6, 2013
When the White House was asked to respond to Wednesday's disclosure, pertaining to the seizure of telecom metadata, officials defended "the practice as a critical tool for preventing terrorist attacks." That is presumably the explanation that will be given in support of this data mining program, in which many well-known technology companies "knowingly participate." The Post said participants include “Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, [and] Apple.” (The Huffington Post is owned by AOL.)
In a 2008 position paper, then-candidate Barack Obama wrote: “There is no reason we cannot fight terrorism while maintaining our civil liberties. ... As president, Barack Obama would revisit the Patriot Act to ensure that there is real and robust oversight of tools like National Security Letters, sneak-and-peek searches, and the use of the material witness provision.”
Three years ago, the editors of The New York Times -- recalling that promise after Obama's White House seeking to obtain the broadest possible application of these national security letters, which allowed the FBI to obtain "electronic communication transactional records" from Internet service providers upon request and without judicial oversight -- were inspired to ask, "Where is the 'robust oversight' that voters were promised?" As it turns out, the "oversight" was far more "robust" than the Times' editors imagined, though obviously not in the way they intended.
Meanwhile, I think my colleague Craig Kanalley put it best when he said, "Is the Internet over? It was a good run, right?"
ADDENDUM: A 2007 Washington Post article (reposted here at The Seattle Times website) describes the experiences that a former AT&T technician, Mark Klein, had with the National Security Agency (emphasis mine):
In summer 2002, Klein was working in an office responsible for Internet equipment when an NSA representative arrived to interview a management-level technician for a special, secret job.
The job entailed building a "secret room" in another AT&T office 10 blocks away, he said. By coincidence, in October 2003, Klein was transferred to that office. He asked a technician about the secret room on the sixth floor, and the technician told him it was connected to the Internet room a floor above. The technician handed him wiring diagrams.
"That was my 'aha' moment," Klein said. "They're sending the entire Internet to the secret room."
The diagram showed splitters glass prisms that split signals from each network into two identical copies. One copy fed into the secret room. The other proceeded to its destination, he said.
"This splitter was sweeping up everything, vacuum-cleaner-style," he said. "The NSA is getting everything. These are major pipes that carry not just AT&T's customers, but everybody's."
One of Klein's documents listed links to 16 entities, including Global Crossing, a large provider of voice and data services in the United States and abroad; UUNet, a large Internet provider now owned by Verizon; Level 3 Communications, which provides local, long-distance and data transmission in the United States and overseas; and more familiar names, such as Sprint and Qwest. It also included data exchanges MAE-West and PAIX, or Palo Alto Internet Exchange, facilities where telecom carriers hand off Internet traffic to each other.
"I flipped out," he said. "They're copying the whole Internet. There's no selection going on here. Maybe they select out later, but at the point of handoff to the government, they get everything."
UPDATE: 10:06 p.m. -- We have comments from the American Civil Liberties Union:
ACLU Washington Legislative Office Director Laura Murphy: “The secrecy surrounding the government’s extraordinary surveillance powers has stymied our system of checks and balances. Congress must initiate an investigation to fully uncover the scope of these powers and their constraints, and it must enact reforms that protect Americans’ right to privacy and that enable effective public oversight of our government. There is a time and a place for government secrecy, but true democracy demands that the governed be informed of the rules of play so as to hold elected officials to account.”
ACLU Deputy Legal Director Jameel Jaffer: “The stories published over the last two days make clear that the NSA – part of the military – now has direct access to every corner of Americans’ digital lives. Unchecked government surveillance presents a grave threat to democratic freedoms. These revelations are a reminder that Congress has given the executive branch far too much power to invade individual privacy, that existing civil liberties safeguards are grossly inadequate, and that powers exercised entirely in secret, without public accountability of any kind, will certainly be abused.”
READ THE WHOLE THING:
U.S. intelligence mining data from nine U.S. Internet companies in broad secret program [Washington Post]
NSA taps in to internet giants' systems to mine user data, secret files reveal [Guardian]
AT&T gave feds access to all Web, phone traffic, ex-tech says (Hat tip: @dannysullivan)
[Would you like to follow me on Twitter? Because why not?]
How will Trump’s administration impact you? Learn more