On the heels of yesterday's revelation that the NSA is bulk collecting call logs from Verizon Business customers, the Washington Post is reporting tonight on another initiative, code named PRISM. According to the report, it gives the FBI and NSA access to "audio, video, photographs, e-mails, documents and connection logs" from the central servers of Microsoft, Yahoo, Google, Facebook, PalTalk, AOL (parent company of Engadget), Skype, YouTube and Apple. Another program called BLARNEY sniffs up metadata as it streams past "choke points" on the internet, continuing the theme of bulk scooping of data most would think is private. The Post's knowledge of these programs comes from PowerPoint slides (like the one shown above) provided by a "career intelligence officer" driven to expose how deep it goes.
So what can the project allegedly see? Analysts based at Fort Meade use search terms to determine at least 51 percent confidence in a subject's "foreignness" before pulling data, which can include that of people found in a suspect's inbox. On Facebook, they can utilize the service's built in search and surveillance capabilities, monitor audio, video, chat and file transfers or access activity on Google's mail, storage, photo and search services. So... are you still logged in?
Update 4: Now we've come full circle, as the original Washington Post article has been expanded to include the various company's responses and denials (listed after the break). Another element that has changed is the mention of another classified report that suggests these companies may not be knowingly participating, and the NSA's access may not be as direct as originally claimed. Claiming the difference may be the result of "imprecision" by the NSA author, the arrangement is now described as "collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations."
Update (June 7th): Google has now issued a longer statement, signed by CEO Larry Page and Chief Legal Officer David Drummond, which reiterates its earlier comments and also calls for a "more transparent approach" from both other companies and governments alike.
Update 2 (June 7th): Facebook CEO Mark Zuckerberg has denied involvement on his personal page, stating "Facebook is not and has never been part of any program to give the US or any other government direct access to our servers...We hadn't even heard of PRISM before yesterday." Like the others, he claimed Facebook only provides information "if it is required by law" and mirrored Page's call for more transparency regarding government programs.
Update: We've contacted several of the companies listed, and so far have heard directly from Facebook and Google. Both companies statements are available in full below, where Google reiterated its stance that it does not have or provide "back door" access to anyone, while Facebook Chief Security Officer Joel Sullivan states "We do not provide any government organization with direct access to Facebook servers." Apple has made a similar statement to CNBC denying any knowledge of or participation in such a program.We will add any other response or updates as we receive them.
Update 2: Microsoft has also responded, similarly claiming that it only provides customer data under specific requests such as subpoenas, and if there is any broader program then it does not participate in it.
Update 3: The latest to chime in is Director of National Intelligence James Clapper, stating "The Guardian and The Washington Post articles refer to collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act. They contain numerous inaccuracies." His response goes on to point out that such actions cannot be used to "intentionally" target American citizens. Finally, he calls the disclosure of information about the program "reprehensible," and a risk to the security of Americans.
Joel Sullivan, Chief Security Officer, Facebook:
Protecting the privacy of our users and their data is a top priority for Facebook. We do not provide any government organization with direct access to Facebook servers. When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law.
Google cares deeply about the security of our users' data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government 'back door' into our systems, but Google does not have a 'back door' for the government to access private user data.
We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don't participate in it.
DNI Statement on Activities Authorized Under Section 702 of FISA
The Guardian and The Washington Post articles refer to collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act. They contain numerous inaccuracies.
Section 702 is a provision of FISA that is designed to facilitate the acquisition of foreign intelligence information concerning non-U.S. persons located outside the United States. It cannot be used to intentionally target any U.S. citizen, any other U.S. person, or anyone located within the United States.
Activities authorized by Section 702 are subject to oversight by the Foreign Intelligence Surveillance Court, the Executive Branch, and Congress. They involve extensive procedures, specifically approved by the court, to ensure that only non-U.S. persons outside the U.S. are targeted, and that minimize the acquisition, retention and dissemination of incidentally acquired information about U.S. persons.
Section 702 was recently reauthorized by Congress after extensive hearings and debate.
Information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats.
The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans.
James R. Clapper, Director of National Intelligence
DNI Statement on Recent Unauthorized Disclosures of Classified Information
The highest priority of the Intelligence Community is to work within the constraints of law to collect, analyze and understand information related to potential threats to our national security.
The unauthorized disclosure of a top secret U.S. court document threatens potentially long-lasting and irreversible harm to our ability to identify and respond to the many threats facing our nation.
The article omits key information regarding how a classified intelligence collection program is used to prevent terrorist attacks and the numerous safeguards that protect privacy and civil liberties.
I believe it is important for the American people to understand the limits of this targeted counterterrorism program and the principles that govern its use. In order to provide a more thorough understanding of the program, I have directed that certain information related to the "business records" provision of the Foreign Intelligence Surveillance Act be declassified and immediately released to the public.
The following important facts explain the purpose and limitations of the program:
- The judicial order that was disclosed in the press is used to support a sensitive intelligence collection operation, on which members of Congress have been fully and repeatedly briefed. The classified program has been authorized by all three branches of the Government.
- Although this program has been properly classified, the leak of one order, without any context, has created a misleading impression of how it operates. Accordingly, we have determined to declassify certain limited information about this program.
- The program does not allow the Government to listen in on anyone's phone calls. The information acquired does not include the content of any communications or the identity of any subscriber. The only type of information acquired under the Court's order is telephony metadata, such as telephone numbers dialed and length of calls.
- The collection is broad in scope because more narrow collection would limit our ability to screen for and identify terrorism-related communications. Acquiring this information allows us to make connections related to terrorist activities over time. The FISA Court specifically approved this method of collection as lawful, subject to stringent restrictions.
- The information acquired has been part of an overall strategy to protect the nation from terrorist threats to the United States, as it may assist counterterrorism personnel to discover whether known or suspected terrorists have been in contact with other persons who may be engaged in terrorist activities.
- There is a robust legal regime in place governing all activities conducted pursuant to the Foreign Intelligence Surveillance Act, which ensures that those activities comply with the Constitution and laws and appropriately protect privacy and civil liberties. The program at issue here is conducted under authority granted by Congress and is authorized by the Foreign Intelligence Surveillance Court (FISC). By statute, the Court is empowered to determine the legality of the program.
- By order of the FISC, the Government is prohibited from indiscriminately sifting through the telephony metadata acquired under the program. All information that is acquired under this program is subject to strict, court-imposed restrictions on review and handling. The court only allows the data to be queried when there is a reasonable suspicion, based on specific facts, that the particular basis for the query is associated with a foreign terrorist organization. Only specially cleared counterterrorism personnel specifically trained in the Court-approved procedures may even access the records.
- All information that is acquired under this order is subject to strict restrictions on handling and is overseen by the Department of Justice and the FISA Court. Only a very small fraction of the records are ever reviewed because the vast majority of the data is not responsive to any terrorism-related query.
- The Court reviews the program approximately every 90 days. DOJ conducts rigorous oversight of the handling of the data received to ensure the applicable restrictions are followed. In addition, DOJ and ODNI regularly review the program implementation to ensure it continues to comply with the law.
- The Patriot Act was signed into law in October 2001 and included authority to compel production of business records and other tangible things relevant to an authorized national security investigation with the approval of the FISC. This provision has subsequently been reauthorized over the course of two Administrations – in 2006 and in 2011. It has been an important investigative tool that has been used over the course of two Administrations, with the authorization and oversight of the FISC and the Congress.
Discussing programs like this publicly will have an impact on the behavior of our adversaries and make it more difficult for us to understand their intentions. Surveillance programs like this one are consistently subject to safeguards that are designed to strike the appropriate balance between national security interests and civil liberties and privacy concerns. I believe it is important to address the misleading impression left by the article and to reassure the American people that the Intelligence Community is committed to respecting the civil liberties and privacy of all American citizens.
James R. Clapper, Director of National Intelligence