

There has been an uproar over the past 36 hours after two news organizations reported that nine of the country's biggest technology companies are partnering with the government in a massive spying program in which the FBI and National Security Agency have been given "direct access" to the companies' "central servers" and allowed to monitor any user at any time.

This direct access, the initial reports implied, allows the government to follow the communications of any of the companies' hundreds of millions of users in real time, with no legal oversight.

One of the stories quoted a career intelligence officer as saying that this surveillance program was so powerful that, “They quite literally can watch your ideas form as you type.”



The impression these stories created was that Google, Facebook, Apple, Yahoo, Microsoft, and other companies had voluntarily opened their servers to government spies and allowed the intelligence agencies to do whatever they wanted.

Importantly, every company in the stories immediately denied that they had given the government "direct access" to their servers.

The companies confirmed, as they have many times in the past, that they provide specific information to government investigators in response to specific requests — when they are required to do so by law. But they emphatically denied that they they had opened their servers to the government. Most of the companies also said that they had never heard of the spying program, PRISM, that they were supposedly partnered with.

Such is the general fear of privacy violations by the big tech companies that, upon hearing these denials, many people accused the companies of lying. Others parsed their denials, looking for ways to square the carefully worded language with the assertions in the news stories. Still others focused their skepticism on the document upon which the assertion that the NSA had direct access to the companies' servers was based, which struck many people as misleading.

And now, finally, thanks to a New York Times article by Claire Cain Miller, we have some more details on what is actually going on between the government and the tech companies.

These details explain where the "direct access to servers" assertion came from. And at the same time, the details vindicate the tech companies' vehement denials.

Importantly, the details also make clear that the government does NOT have the ability to snoop on any Facebook, Google, etc. user in real time with no legal oversight.

To understand how the government and the tech companies are actually working together, you first need to understand how any basic data request works.

To wit:

The government requests a bunch of data from a company (telephone company, Internet company, etc.). The company's lawyers review the request, pushing back if they think it's unlawful or overly broad. If/when the lawyers determine that the request is legal, they decide how to give the data to the government.

This transfer of information can happen in one of three basic ways:

1) Paper, which is manually delivered.

2) Electronic files like PDFs or spreadsheets, which are sent electronically.

3) Electronic files that are stored on a server, to which access is provided.

Importantly, all three of these methods of information transfer are used in the civilian world, too. And in recent years, with the rise of "cloud storage," the third method has become convenient and popular. (Think Dropbox — the company that allows you to save files to the cloud and give your friends access to them.)

Even narrow requests for electronic communications (email, instant messages, file transfers, etc.) tend to produce massive amounts of data. So delivering this data electronically is vastly more convenient than printing it out on paper — for both the company fulfilling the request AND the government investigators. And "delivering" it by storing it on a server and giving the government access instead of sending the files via email or FTP is even more convenient. (The data is going to live on a "server" somewhere anyway. It doesn't really matter where the server is.)

According to Claire Cain Miller's article, what is going on between the government and the technology companies is basically discussions about how the companies will provide the specific information the government requests.

Importantly, the transfer of this information appears to follow the normal procedure:

The government requests specific information.

The companies' lawyers review the request.

The companies lawyers approve the information transfer.

The companies make the information available to the government electronically.

According to Miller, in deciding how to facilitate the fulfillment of these requests, some of the companies have had discussions with the government about creating a storage server that the government has access to — a "dropbox" of sorts.

Importantly, any information placed on this server would still be reviewed by the companies' lawyers. And the information placed on these servers is not, say, "all the information generated by all Facebook users every day" (Facebook has explicitly said this.) Rather, it is likely much narrower requests for information about specific users, all of which have to be legal under the Foreign Intelligence Surveillance Act (FISA).

Given the nature of the communications that take place on Facebook, Google, etc., it's easy to imagine that sometimes the government will request real-time access to the activity streams of specific users. This would be analogous to requesting a tap on someone's phone line. And the companies have presumably had discussions with the government about how best to provide this information.

So that's what appears to be going on between the government and the tech companies.

The companies are fulfilling their legal obligations to provide data to the government in response to legal requests. They are also discussing with the government how best to fulfill these requests while also protecting the privacy of their users.

The companies are "cooperating" with the government, but only in the sense that a person asked to do something by a police officer is "cooperating" with the police officer.

What the companies are NOT doing is:

Giving the government direct access to their central servers so the government can spy on any user at any time with no oversight.

"Partnering" with the government in a global spying program.

Given the recent revelations about how much data the government is collecting under its intelligence programs, it certainly makes sense to discuss the whether current laws are striking the right balance between privacy and security.

But that's a very different discussion than whether the big tech companies have sold out billions of users by voluntarily participating in a global spying program.