To Silicon Valley, Prism Doesn't Square
If you’re going to create an Internet super spy system, you might as well give it an intimidating name. A number of years ago, we had Total Information Awareness; now we get Prism. Stay tuned for the Eye of Sauron, arriving in 2016 with extra HTML 7 spook awesomeness.
In this case, the Prism name does seem apt. We don’t know for sure how the government’s technology works, but security experts have long explained that hardcore Internet snooping begins at the fiber lines hitting the U.S. shores. Basically, the overseas Web traffic arrives and then a beam splitter—aka a prism—cleaves off data packets for the National Security Agency’s perusal. There are specialized computing appliances that can sift through the packets, and companies such as Cisco make networking equipment that provides the government with the ability to “lawfully intercept” data.
What’s still perplexing engineers throughout Silicon Valley, though, is the contention that companies such as Google, Facebook, and Apple are helping the NSA in its quest. (The Washington Post, which broke the Prism story, seems to be walking back some of its initial reports of corporate cooperation with Prism.) The technology companies have just about universally denied hearing of a project called Prism and they have refuted the idea that they’ve provided the government with direct access to the servers in their data centers. (Cisco, by the way, was not among the companies mentioned as a supposed Prism participant.)
Facebook, for example, has three data centers and lets reporters visit them fairly regularly. If the NSA had tapped directly into its system, then there should be what’s known as a SCIF, or Sensitive Compartmented Information Facility, inside the data centers. This is a protected place where the NSA would place a specialized snooping computer appliance—a la the computing closets that became famous in the AT&T wiretapping case a few years back. If such a closet exists at Facebook, we haven’t seen it. (Facebook did not immediately respond to a request for comment on SCIFs.)
Facebook, Google, and other such tech companies are full of twentysomethings who aren’t aren’t exactly known for coloring inside the lines or taking orders from The Man. The idea that a secret tap leading from their servers to the NSA’s massive headquarters in Fort Meade, Md., wouldn’t have been leaked by an offended employee seems implausible.
The NSA slide deck going around also talks about Dropbox “coming soon,” meaning that the ability to snoop on Dropbox files was about to be added to Prism. This is a weird one because Dropbox stores its customers’ files on Amazon.com’s cloud computing service, yet Amazon appears nowhere in the Prism documents. In responding to an e-mail asking if Amazon.com is taking part in Prism, company spokeswoman Mary Osako replied: “Not cooperating.” Dropbox spokeswoman Hilary McQuaide says, “We’ve seen reports that Dropbox might be asked to participate in a government program called Prism. We are not part of any such program and remain committed to protecting our users’ privacy.”
There’s no reason to think Facebook, Apple, and Google aren’t telling the truth. They do provide government intelligence agencies with customer data in accordance with the law—not some direct connection that gives complete access to their servers, but data tailored to parameters provided by the NSA.
So far, government officials have said that Prism spies only on foreigners. And this is feasible. The NSA, for example, can set up its systems to look at traffic coming in from overseas and to ignore, for example, Google accounts tied to a person based in the U.S.
If the NSA’s surveillance targets are U.S. citizens or residents, that request has to be approved by a judge. If they are not, the NSA doesn’t need permission: Data exchanged between foreigners not residing in the U.S. is fair game for intelligence activities. President Barack Obama said as much when he defended Prism as a program that does not apply to American citizens or foreigners within our shores.
If netizens in Sweden or Mongolia didn’t realize that their communications on Skype or Facebook was fair game for NSA snoopers, they do now.
The real question foreigners using those companies’ platforms may want to ask is: “Are there any conditions under which you won’t give U.S. spies my data?” It’s possible the answer is “no.” And whatever limitations the companies do place on their participation with programs such as Prism, the NSA can still get the data as it moves through those fiber optic cables. Facebook requires the use of SSL decryption for all of its users. SSL is extremely difficult to crack, even for world-class code-breakers like the NSA. That means the NSA probably can’t see much when they grab Facebook data. Yahoo! does not require users to use SSL; the company offers it as a privacy option.
If you’re a bad guy doing bad things—or maybe even if you’re not one—you can pretty much bet the NSA would prefer you not opt for the SSL.