Don't Fall For Misleading Story Being Spread By NSA Suggesting Tech Companies Lied About PRISM

from the bogus dept

This article was amended on 20 March 2014 to remove statements in the original that the testimony by Rajesh De contradicted denials by technology companies about their knowledge of NSA data collection. It was also updated to clarify that the companies challenged the secrecy surrounding Section 702 orders.

Asked during a Wednesday hearing of the US government’s institutional privacy watchdog if collection under the law, known as Section 702 or the Fisa Amendments Act, occurred with the “full knowledge and assistance of any company from which information is obtained,” De replied: “Yes.” When the Guardian and the Washington Post broke the Prism story in June, thanks to documents leaked by whistleblower Edward Snowden, nearly all the companies listed as participating in the program – Yahoo, Apple, Google, Microsoft, Facebook, Paltalk, AOL – claimed they did not know about a surveillance practice described as giving NSA vast access to their customers’ data. Some, like Apple, said they had “never heard” the term Prism.

I'm seeing a bunch of folks passing around a story by Spencer Ackerman at The Guardian, claiming that tech companies lied about their "denials" of PRISM. The story is incredibly misleading. Ackerman is one of the best reporters out there on the intelligence community, and I can't recall ever seeing a story that I think he got wrong, but this is one. But the storyline is so juicy, lots of folks, including the usual suspects, are quick to pile on without bothering to actually look at the details, insisting that this is somehow evidence of the tech companies lying.

So, let's look at what actually happened. The report is based on statements by Rajesh De, the NSA general counsel, who was testifying before the US's Privacy and Civil Liberties Oversight Board (PCLOB). Here's the part that's catching everyone's attention:

Everything stated above is technically true, but misleading. The problem is that what the companies denied is not what De is talking about. What they denied is what both the Washington Post and the Guardian initially implied: that the NSA had "direct access" to the servers of the nine companies named under PRISM, with the clear implication of the stories being that direct access was to basically all servers. All of the companies denied that level of access (which was and remains true). They also (as Ackerman does mention) denied knowing what PRISM was. Within a day or so, it became quite clear that "PRISM" was merely orders under Section 702 of the FISA Amendments Act -- which is what eventually led a bunch of those same companies to sue the government, saying they wanted to reveal the details of the Section 702 orders that they got, including how many orders they received and how many user accounts were impacted by those orders. The very reason they filed that lawsuit was in an attempt to show that PRISM/Section 702 orders were never about full access to everything, but rather more targeted requests approved of by the FISA court (it's fair to point out that the NSA's definition of "targeted" is more broad than you and I would like, but that's a separate issue).

In January, that lawsuit was settled, with the DOJ giving companies (for the first time) the ability to reveal (in quite a limited way) how many FISA orders they received and how many "customer selectors targeted." And, in fact, a bunch of companies have done so. Here, for example, we wrote about Yahoo and Google's reporting of those requests. For example, from January to June of 2013, Google received between 0 and 999 FISA orders, including 9000-9999 user accounts targeted. During the same period, Yahoo received between 0 and 999 such orders, targeting between 30,000 and 30,999 accounts. Much of that is PRISM -- and no one has ever denied that. It's unfortunately obfuscated, because the "FISA orders" lump together the Section 702 "PRISM" orders with separate Section 107 orders, and (worse) because the companies can't really reveal users, just. That obfuscation is a big problem, but is entirely unrelated to the original reporting on PRISM and the companies' response.

So, yes, of course companies were aware of the Section 702 orders they get. That's the only possible way they can comply with Section 702 orders. And, certainly, the only way they could report on how many such orders they got. What they denied was the original reporting which suggested, incorrectly, that PRISM was a much broader program that involved direct access to these companies' systems, allowing the NSA to suck out just about anything. That was never true, and that was what they were denying. The lawsuit and the transparency reports were all about (attempting to) clear up that confusion, showing that these companies simply comply with Section 702 orders, rather than grant broad access to all accounts, as the original reports implied. And, in fact, the release of those transparency reports provided at least a little transparency (tragically muddied by the DOJ's requirements). There are separate issues about ways that the NSA got access to these companies' information, such as hacking into datacenter connections, but that's unrelated to PRISM.

Ackerman has been following all of this, so I'm both confused and surprised as to why he'd fall for De's attempt to suggest that the companies were lying. Even more bizarre is his claim that De's comments were "contradicting the tech companies about the firms' knowledge of Prism." But that's not true. De is saying the companies knew about Section 702 orders, which of course they did. Otherwise, why would they have been fighting to reveal the details -- and why else would they have? I find it hard to believe that Ackerman doesn't know about the very transparency reports from the companies that show that the companies were (of course) aware of the Section 702 orders he says in the article they denied. They never denied such orders.

If anything, this feels a lot more like the NSA (as the NSA does) using careful language choices to attack-by-false-implication the tech companies who have recently been fighting hard to encrypt more data to make it harder for the NSA to crack into their systems (not under PRISM, but under Executive Order 12333). In the end, De's claim is a non-story, turned into a misleading story.

Filed Under: nsa, pclob, prism, rajesh de, section 702, spencer ackerman, surveillance, transparency