NSA collection of e-mail and other communication data and corporate denials of same

It’s been 1 scandal after another for the Obama administration over the past 6-8 months and there remain several serious, unanswered questions about literally every one of them. The bombshell-du-jour centers around the collection by the National Security Agency (NSA) of phone call metadata of all of Verizon Wireless’ customers, suspected of any illegal activity or not. Now, just to be sure we’re all on the same page, “metadata” refers to information that describes a phone call that was made but does not include the content of the call. So, in other words, the information regarding that phone call you made to your Mom last week on Verizon Wireless that the NSA collected would include her phone number, your phone number, the time of day you called, the length of the call, and physical locations of both parties. (Or, at the least, what cell tower you were attached to for the call when made.) It doesn’t include – they claim – an audio recording of the call.

All of this was made possible under the Patriot Act where a secret court was empowered to issue secret orders mandating that communications providers turn over such data without any advisement made to the participants of the call. When the Bush Administration was granted this power under the Patriot Act, widespread alarm was raised in the media and elsewhere about it because of the opportunity for abuse of that power. The public was assured that this power would only be applied to US citizens if they were engaged in a phone call with an international destination or with someone under current investigation for terrorist activity. Assurances were made that US citizens would not be subject to random or widespread data collection under the Patriot Act. Not, mind you, that the Act explicitly prohibited such activity on the part of the government, just that the government would never do such a thing. And, to all knowledge available, the Bush administration never did. The Obama administration, on the other hand, has.

On the virtual heels of that little announcement comes the discovery that the NSA has also been collecting virtually every e-mail being sent by Americans regardless of whether they’re under an investigation or not. The program, called PRISM, supposedly connected the NSA’s systems with those of 9 major Internet service providers to allow the government to scan through and record e-mails, pictures, and other documents.

The U.S. director of national intelligence confirmed the existence of a secret program in which the government has tapped into the central servers of nine leading Internet companies to search for data potentially linked to terrorism, espionage or nuclear proliferation.

Under the 6-year-old program, code-named PRISM, the FBI and National Security Agency have searched for emails, videos, photographs and other documents.

The program’s participants, the Washington Post reported, include most of the dominant global players of Silicon Valley: Microsoft Corp, Yahoo Inc, Google Inc, Facebook Inc, PalTalk, AOL Inc, Skype, YouTube and Apple Inc.

This is a very different circumstance from the phone metadata I referenced above. In PRISM, the content of the communication is explicitly included in what’s being collected and scanned. So, in the example case of your call to your Mom that I mentioned above, the NSA wasn’t recording your conversation for future use and review. Under PRISM, the e-mail you sent to your Mom most assuredly is. Those tech companies mentioned in the story did everything they could to get out there and deny involvement.

Last night’s chilling Washington Post report on the National Security Agency’s Internet surveillance program, known as PRISM, said the NSA was collecting information by “directly tapping into the central servers” of nine big U.S. tech companies. It also said that the cooperation of those companies is “essential to PRISM operations.”

But several of the big companies in question have pushed back on reports of their involvement. “We do not provide any government organization with direct access to Facebook servers,” the social network’s chief security officer told The Post.

Google released a similar statement denying participation in PRISM earlier today. “We have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday.” The statement, which you can read in full on the company’s blog, goes on to say that “we provide user data to governments only in accordance with the law.”

Yahoo also released a statement saying it does not “provide the government with direct access” to its servers. And Microsoft said: “We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis….If the government has a broader voluntary national security program to gather customer data we don’t participate in it.”

See? Denied involvement… or did they? I’m an information technology professional and have been for years. I took immediate note of the terminology used in the WaPo report and that used in the “denials” of Google, Facebook, Yahoo, and the like. The WaPo report states that PRISM collects the information by “directly tapping into the central servers” of the companies in question. Note Facebook’s response that they “do not provide any government organization with direct access” to their servers. Google: they haven’t “joined” any effort that “would give the U.S. government—or any other government—direct access to our servers.” Yahoo: they do not “provide the government with direct access” to their servers. That’s very specific and it means something very specific in my industry. “Direct access” to a server means that you are in direct, one-on-one communication with that asset. If, however, you are in direct communication with a clone of that asset – in our industry language that would be a “replicated server” – then you are not being granted direct access.

Replication is a process by which data stored on 1 server is copied in near-real-time to another one. It’s used for failover purposes, mostly. But what it essentially does is take a single data stream and copy it so as to send that data onward to another location. Note that splitting a beam of light in 2 is one of the functions of a prism. So, can the companies say, truthfully, that they are not providing direct access to their central servers if what they’re doing is providing direct access to a replication server? Sure. Technically, it’s completely accurate. Does it also serve the function WaPo described? Absolutely.

I understand completely the legalese involved that says sending e-mail over what amounts to a public system technically removes the expectation of privacy. I think, however, that this violates the spirit of privacy laws in favor of splitting hairs, legally. I said years ago that the act was too prone to abuse and even if we believed that the administration it was passed under was completely trustworthy, coming administrations would not be. That view has been borne out. This administration has proven itself to be anything but trustworthy and the ability of the federal government to simply set aside the rights of American citizens so that agencies can do whatever makes their job easier should be seriously curtailed. I only hope there’s still time left to do so.