Minutes after the Washington Post published a report detailing how the U.S. government tapped into the servers of nine companies to spy on communications, the denials began.
Apple Inc. (AAPL), Google Inc. (GOOG) and Microsoft Corp. (MSFT) led the charge, saying they don’t give the government access to servers where the data is kept. Some said yesterday they don’t hand over user information without a court order. Others said that they hadn’t even heard of the U.S. program, code-named PRISM.
Even without companies’ consent, academics and computer-security specialists say, there’s a broad range of ways the government can harness the systems of the largest technology providers to snoop on e-mail, photos and video chats coursing through the Web.
“It’s likely that the denials from these companies are literally true, but they don’t tell the whole story,” said Matthew Blaze, associate professor of computer and information science at the University of Pennsylvania.
The administration of President Barack Obama confirmed the existence of classified programs to collect data on U.S. residents’ telephone calls and foreign nationals’ Internet activity on June 6, a day after the U.K.’s Guardian newspaper reported on a secret court order compelling Verizon Communications Inc. (VZ) to provide the National Security Agency with data on customers’ phone use. The Washington Post article was also published on June 6.
Obama has defended the practice, saying the government’s efforts are “modest encroachments” on privacy legally authorized by Congress and important to thwarting terrorist attacks.
AOL Inc., Apple and Paltalk.com all released statements saying they’ve never heard of the PRISM program and don’t give the government direct access to servers without a court order.
“We have not joined any program that would give the U.S. government -- or any other government -- direct access to our servers,” Mountain View, California-based Google said in a blog posting. “Indeed, the U.S. government does not have direct access or a ‘back door’ to the information stored in our data centers.”
Facebook Inc (FB)., Yahoo! Inc. and Microsoft said they only hand over data to the government when required by law to do so.
“When companies like Yahoo or Apple say they do not provide ‘direct access,’ it is hard to know what they mean by ‘direct,’” said David Wagner, a computer-science professor at the University of California, Berkeley. “Maybe they just mean that they believe there are protocols to limit access, but who knows how effective or stringent those protocols are, or who administers those protocols -- is the NSA overseeing themselves?”
Even without companies knowingly participating, there are a number of ways the government could gather data.
Some scenarios are straightforward, including the NSA assembling a massive database that cross-references public information on social media accounts with government records from tax filings and driver’s licenses, according to Avi Rubin, professor of computer science at Johns Hopkins University.
“A lot of the pages on Facebook and LinkedIn and Google Plus are open and public,” he explained. “A likely theory is that the NSA is just comparing that data to other open data like people’s driver’s licenses -- that would actually be a difficult undertaking requiring a lot of computing power, which the NSA would be completely capable of doing.”
The NSA could also use readily available computer software and hardware to intercept electronic communications without the knowledge of Internet companies, Carl Herberger, a vice president for the network-security company Radware Ltd. (RDWR), said in an interview.
The technology, which Radware sells, can intercept communications or make copies of communications, as well as break encrypted messages, Herberger said.
“There’s no need to necessarily notify any of these Internet companies,” Herberger said. “Today, almost everything that’s being done on the Internet has the capacity to be archived and reviewed.”
Herberger said he had no direct knowledge of the PRISM program and that his company doesn’t sell the intercept technology to the U.S. government.
Mining data associated with people’s communications is hardly new for the government, said Michael Reiter, a professor of computer science at the University of North Carolina at Chapel Hill. The Patriot Act, which was passed in response to the terrorist acts of Sept. 11, 2001, authorized secret U.S. surveillance of phone calls and e-mails.
Still, a government hack of corporate servers to obtain that type of information is unlikely, Reiter said.
“It’s certainly more difficult to do that and far riskier to do that than it is to just go get the court order,” he said. “It doesn’t make sense to me that the government would try to do it.”
Direct NSA access to the servers of Google, Facebook or other companies would likely require a secured space in their data centers known as a SCIF, for Sensitive Compartmented Information Facility. When AT&T Inc. provided the NSA access to customer phone calls as part of a secret Bush administration phone-tapping program, technicians reported seeing a secure room being constructed to protect the NSA’s equipment, according to court documents.
At Facebook, owner of the largest social-networking service, no such SCIF exists, according to a person familiar with the company’s data centers who asked not to be identified because the person wasn’t authorized to speak on the matter.
Another point of entry for the government might be working with Internet-service providers that manage hardware and cables over which data flows, according to Aaron Massey, associate director of ThePrivacyPlace.org.
The NSA or another government agency could tap into the raw data feed running through these networks, with the cooperation of telecommunications providers.
In this way, it’s “possible for the companies not to be involved at all,” he explained. At the same time, this method makes it dramatically harder since the government “would have to decipher their data format,” he said.
To contact the reporters on this story: Danielle Kucera in San Francisco at firstname.lastname@example.org; Olga Kharif in Portland at email@example.com; Chris Strohm in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Tom Giles at email@example.com