PRISM data transfers done conservatively

Byron Acohido | USA TODAY

SEATTLE – The disclosure of details about how marquee U.S. tech companies co-operated with PRISM, the clandestine national security program to ferret out terrorists, shows how methodically and conservatively the program is being carried out.

Google, Microsoft, Yahoo, Facebook, Apple, AOL and Paltalk erected what the New York Times describes as "locked mailboxes" in which to place data on suspicious persons requested by the government under the Foreign Intelligence Surveillance Act, or FISA. The Times' description, published Saturday, used unnamed sources.

The tech companies have said they obeyed the law of the land while participating in the PRISM program. The specific data requests, as well as the data transfers, were blessed by a federal judge and vetted by corporate attorneys.

And use of a highly secure digital storage location to make the data hand off is a tried-and-true methodology used on Wall Street for more than 20 years.

When putting together merger and acquisition deals, the principals involved typically agree to place proprietary business information that has been encrypted into a secure "data room," where the timing of who has access to specific data is strictly controlled, says Gant Redmon, a privacy expert and general counsel at Co3 Systems.

"Data rooms have become the most secure way to assure strong end-to-end encryption, authorization and accountability of access," Redmon says. "When you're doing due diligence involving massive amounts of critical information, and you want to make sure the information doesn't fall into the wrong hands, that's what data rooms are used for."

The fact that tech companies have said they obeyed the law of the land while participating in the PRISM program may be beside the point, as this story develops.

Joel Reidenberg, a law professor at Fordham Law School, notes that France, Spain, Germany and other European national governments have long been adamant about being involved in controlling any U.S. law enforcement efforts to access to any data about any European individual.

"The exposure of this data grab on all foreign traffic is likely to inflame US vs. Europe data privacy wars," says Reidenberg

At play in the U.S. and Europe are new rules that could hinder how Google, Facebook and even Microsoft tracks consumers' Internet behaviors to sell ads. European don't like to be tracked, as the case of Max Schrems, the Austrian law student who has bedeviled Facebook, shows.

Meanwhile, as a media manhunt unfolded this morning in Hong Kong for Edward Snowden – the man claiming responsibility for a series of sensational leaks about U.S. spying programs – the debate over whether U.S. surveillance, under the Patriot Act, has gone too far is heating up.

Senators Mark Udall and Ron Wyden, members of the U.S. Senate Select Committee on Intelligence, took aim at the systematic collection of phone data, calling for more public disclosure of details of how that' surveillance program is run.

"Now that the fact of bulk collection has been declassified, we believe that more information about the scale of the collection, and specifically whether it involves the records of 'millions of Americans' should be declassified as well," Wyden and Udall said in a statement issued Friday. "The American people must be given the opportunity to evaluate the facts about this program and its broad scope for themselves, so that this debate can begin in earnest."

In the digital age, it is technically feasible to quickly assemble a rich dossier of anyone's phone calls or Internet usage. But the debate is just getting underway about how much public transparency there needs to be about the methodology and execution of phone and Internet surveillance.

"The public disclosure of the PRISM program is sure to ignite a heated debate as to whether or not the current process for FISA requests, while legal, has pushed information gathering too far for the appetite of an increasingly skeptical American public," says Michael Sutton, VP of Security Research at Zscaler

Privacy expert Redmon makes the point that that use of a secure data room to carry out data transfers approved by a judge and reviewed by corporate counsels represents a pretty high security standard. Doing so quietly, while in pursuit of terrorists, is probably justifiable.

"People are confusing the methodology, thinking, 'here's an open door,'" Redmon observes. "A data room is a secure place to put data. It doesn't mean they are putting everything in the data room."

Redmon makes the comparison to police getting a search warrant for a suspected criminal. "In criminal proceedings, the accused isn't given a heads up," Redmon says. "People don't get a phone call before a raid on their house."

Chris Bronk, a fellow in information technology policy at Rice's Baker Institute for Public Policy, says, at the moment, transparency is lacking. "I don't have an understanding of how the NSA distinguishes between me as an American citizen and a foreign actor. I can't say whether these are acceptable programs or not. We don't have enough good information in the public domain yet to make a decision, one way or the other, as an educated populace."