Image: NSA

The Guardian newspaper revealed exclusively on Wednesday that the U.S. National Security Agency (NSA) has and continues to vacuum up millions of Verizon customer details, including information on phone calls both within the U.S. and between the U.S. and other countries.

Under the order, Verizon is ordered on an "ongoing, daily basis" to hand the NSA information on all of the call data in its systems.

On Thursday, ZDNet obtained a copy of a note sent by Verizon chief counsel Randy Milch to employees. In the note, he did not confirm or deny the story, but in describing it as an "alleged" court order, he stressed that the text "forbids Verizon from revealing the order’s existence."

"If Verizon were to receive such an order, we would be required to comply," just as any other company would be forced to.

Milch added that the company "continually takes steps to safeguard its customers' privacy," but warned that the "law authorizes the federal courts to order a company to provide information in certain circumstances."

A Verizon spokesperson declined to comment when ZDNet contacted the company by phone on Thursday.

This is a developing story, and will be updated with notes below, when appropriate.

What is the deal here? Is the U.S. government spying on U.S. residents?

A "top secret" order by a U.S. secret court — known as the Foreign Intelligence Surveillance Court (FISC), which was set up in the Foreign Intelligence Surveillance Act (FISA) in 1978 following the Watergate scandal — forced Verizon to send the U.S. National Security Agency the records relating to tens of millions, if not all, of its customers' phone calls and text messages.

FISA has been amended numerous times since then, including the Patriot Act in 2001, following the September 11 terrorist attacks in New York City, and in 2008, with the FISA Amendments Act, following the NSA's widespread unwarranted wiretapping campaign.

This order, published by The Guardian, applies to all calls created by Verizon between the U.S. and abroad, or within the U.S., including local calls. Only Verizon calls that are located outside the U.S. and connected with a non-U.S. number are excluded from the order.

There is no doubt that this is a massive domestic spying campaign by the U.S. government — it's clear from the document — through its intelligence services. But unlike previous cases involving the NSA and AT&T, this time around it has been warranted by the aforementioned secret court.

Why has this order been issued?

That isn't clear. The FISC order itself does not state why. For good reason: If the document is leaked, at least it doesn't dish out any more secret intelligence than is necessary.

The White House said, via a Reuters wire, that the "ability to gather information has been critical tool in preventing terrorist threats." Officials also said there is a "need to balance security with civil liberties."

There may be something going on that we don't know about. An imminent terrorist threat, potentially something on a scale that requires everyone's civil liberties to be halted or diminished to save lives? It's speculative. That said, the U.K. government is actively pushing through this kind of surveillance into law — rather than using Patriot Act-like laws that it currently doesn't possess (see below).

What does the order actually say?

It says a number of things, most of which are described in this FAQ. Verizon is forced to hand over "on an ongoing daily basis", an electronic copy of "tangible things." This is a provision given to the FISC under Section 215 of the Patriot Act, otherwise known as 50 U.S.C. § 1861, which is commonly known as the "business records" section.

Verizon is also gagged from disclosing "to any other person that the FBI or NSA has sought or obtained tangible things" under the order. The order only permits Verizon to seek legal advice or assistance "with respect to the production of [tangible] things."

This is why Verizon is neither confirming nor denying the order, and is not commenting on the record. It simply isn't allowed to.

The cellular giant is not allowed to appeal. Such appeals are rare, anyway. The first appeal was in 2002, more than two decades after the introduction of the FISC.

What is Section 215 of the Patriot Act?

Section 215 of the Patriot Act relates to "business records." It also removes the normal requirement to meet the legal standard of what is known as "probable cause," according to the American Civil Liberties Union (ACLU) in a fact sheet [PDF].

Read this Microsoft admits Patriot Act can access EU-based cloud data Microsoft's U.K. head admitted today that no cloud data is safe from the Patriot Act, and the company can be forced to hand EU-stored data over to U.S. authorities. Read More

Section 215 supersedes any legally binding privacy guarantees between businesses and their clients or customers, such as a privacy policy or a contract. If a company is served with a court order under Section 215, they are not allowed to contest the order, or even disclose the order to a lawyer — unless legal counsel is used to help hand over the "things" that the U.S. government wants.

Such things are anything "tangible." This includes business, financial, and even medical records, as well as papers, documents, and books — or anything you can physically hold.

But "tangible" is a broad term that has been interpreted by the U.S. government, which now allows it to include company databases, computers, hard drives, and, in some cases, cloud-stored files.

How long has this been going on for? Is the Verizon order indicative of an ongoing practice?

According to the Associated Press, the Senate Intelligence committee chairperson Senator Dianne Feinstein (D-CA) said the "top secret" court order for telephone records of millions of U.S. customers of Verizon is a three-month renewal of an "ongoing practice."

What can be collected under the order?

Communications data, dubbed "metadata," can be collected under the order. The actual contents of the calls are not available to the U.S. government — that would require a different warrant that enables wiretapping. That uses a different section of the law.

The sort of data collected includes "call data," such as the caller's and the recipient's phone number. Also, routing data, such as the IMEI unique device identifier and the IMSI number used to identify calls on cell networks, will be recorded. The time, date, and duration of the call is also recorded.

It's also possible for the NSA to collect location data of Verizon customers, following a 2005 court ruling that determined that cell site location is also considered as being "metadata."

This effectively means that foreign nationals and non-U.S. residents are being specifically targeted for widespread warranted domestic surveillance.

Is this order in breach of Fourth Amendment rights to "unreasonable" searches?

This one is tricky. Arguably, yes, but also perhaps not. The Fourth Amendment protects U.S. residents from the U.S. government — not private companies — conducting "unreasonable" searches.

However, the FISC has ruled before that similar NSA surveillance violated the Fourth Amendment. According to Senator Ron Wyden (D-OR), the court ruled that the intelligence it collected was "unreasonable" under the law.

Despite being held in secret, the FISC is accountable, albeit to a small number of select politicians on the Senate Intelligence Committee. No records are kept, and the ones that are will be treated with the highest security classification possible.

Can the U.S. government use the order to listen in on calls, or read my text messages?

Communications data does not include the contents of phone calls or text messages , such as emails or the recordings of phone conversations; rather, it instead includes all of the details about everything that's sent and received online.

Names, addresses, and financial data are also not collected. With inter-agency cooperation, it would not be difficult for the NSA or the FBI to work out who is who.

Are consumers affected, or businesses, or both?

A person familiar with the matter, who declined to be named, told ZDNet on Thursday that business and enterprise customers are the most affected. Consumers are also affected, because the division of Verizon, known as Verizon Business Network Services, serves residential and business customers, as well as local, state, and federal government entities.

What can the NSA do with this collected "metadata"?

The U.S. government doesn't believe metadata, the collected information, is private or sensitive in nature. The U.K. government used a similar analogy, which explained that while the contents of such communications are the "letter," the metadata is the "envelope."

The NSA could do almost anything it likes with the data it receives. It can work out who you're contacting, when you're likely to contact them, links with other people, and a "social networking analysis" that determines who may know other people via a mutual friend. The government agency can also determine where you've been.

Above all else, it can be used to spot what the NSA would consider "suspicious" activity. Considering it's already used the law to scrap the legal standard of what is considered "probable cause," it could probably widen the scope of what it would consider "suspicious" in the first place.

A specific Verizon division is named in the order. What is Verizon Business Network Services?

When Verizon acquired MCI Network Services in May 2007, the company was spun into the telecoms giant's business unit. It was renamed Verizon Business Network Services. It provides local and long-distance voice and messaging services, as well as Internet and data access.

For business clients, Verizon offers virtual private network (VPN) services and firewall technology. According to Bloomberg, the division also provides "network infrastructure, including network design, implementation, and customer management solutions; and data, dial, asynchronous transfer mode, digital subscriber line, and dedicated and bundled services, as well as security products."

If Verizon has been slapped with a "top secret" order, have others also?

AT&T, Sprint, and T-Mobile may have been hit with the same order, or one with almost exactly the same wording. It's possible and likely, but we cannot confirm that. It's safer to assume that if the U.S. government has forced Verizon to hand over the data of more than 98 million wireless customers and around 21 million residential and commercial lines — if not more — then other cellular firms may have been, as well.

What does "top secret" actually mean?

The document markings at the top of the document say: "TOP SECRET//SI//NOFOR," which likely means very little to the vast majority of readers.

Breaking this down, it means that the document is of the highest level of security clearance in the U.S., and also fellow allied countries, such as the U.K.

The term "SI" relates to sensitive compartmented information relating to communications intercepts, such as wiretapping.

"NOFORN" essentially means "no foreign nationals" are allowed to view the document, such as allied nations with which the U.S. government shares intelligence.

For this reason, The Guardian, based in London, U.K., may evade U.S. sanctions or prosecution as a result. It's certainly safer for a U.K.-based publication than a U.S.-based one.

Isn't this "communications data" collection similar to what the U.K. government is currently trying to push into law?

Very much so. The U.K. government is struggling to get this into a debate stage, let alone law and signed by Royal Assent, due to opposition in the Cabinet of the Conservative-led coalition government .

The government wants its intelligence agencies to be able to tap into, in near-real time, the communications data of any given person in the U.K. at any time. This involves forcing the Internet providers in the country to install "black boxes" to enable the server-side data collection.