As if news of the National Security Agency collecting phone records on millions of Americans wasn’t enough, a new report reveals that the NSA and FBI are directly tapped into central servers at nine U.S. internet firms, in order to provide constant monitoring of audio, video, photos, emails and documents as well as connection logs.
The companies whose servers are being mined are reportedly Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple. The classified program, dubbed PRISM, has been in operation since 2007 and has been a leading source of intelligence fed to the president in his daily intelligence briefings, according to the Washington Post, which broke the story at the same time as the Guardian today.
The Post notes that PalTalk hosted significant traffic during the Arab Spring and during the ongoing Syrian civil war.
Microsoft was the first to cave into the requests in 2007, though Apple resisted for five years before joining the club last year.
Dropbox is on the government’s wishlist for other servers in its sights. Presentation slides describing the program indicate that surveillance of Dropbox is “coming soon,” according to the Post, which says the companies have been given immunity from lawsuits through a directive signed by the attorney general and the director of national intelligence.
But according to the Guardian the companies are unaware the program exists and are not cooperating. Several who responded to a Guardian request for comment denied knowledge of the program.
“Several senior tech executives insisted that they had no knowledge of PRISM or of any similar scheme,” the Guardian writes. “They said they would never have been involved in such a programme. ‘If they are doing this, they are doing it without our knowledge,’ one executive told the paper. The Guardian did not identify the source’s company.
Google’s vague response came in a denial that the company has provided a backdoor to the feds — a response that isn’t an outright denial about the program.
“Google cares deeply about the security of our users’ data,” a company spokesman told the Guardian. “We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a ‘back door’ for the government to access private user data.”
The two news outlets learned of the program through a 41-slide PowerPoint presentation that was leaked to them. The top secret slides were apparently used to train intelligence operatives on the program.
According to the Post, the system is not a dragnet, per se, since the program doesn’t vacuum everything indiscriminately. But it allows NSA analysts at Ft. Meade to sit at their desks and fish the data stream for key terms.
The program is supposed to focus on data pertaining to foreigners. But search terms the analysts use to pull data are only designed to be at least 51 percent accurate in determining a target’s “foreignness.” This means a lot of U.S. content is bound to get caught in the net. But training materials obtained by the Post aren’t too concerned about accidental collections of U.S. content, calling it “nothing to worry about” and telling analysts to simply report those accidental collections in a quarterly report.
The program is a cousin to another bulk-collection program code-named BLARNEY, which collects internet “metadata” — address packets, device signatures and other information — that roars along the internet’s backbone.
BLARNEY, which the presentation slides illustrate with a shamrock and a leprechaun’s hat, is “an ongoing collection program that leverages IC [intelligence community] and commercial partnerships to gain access and exploit foreign intelligence obtained from global networks.”
The news comes in the wake of another report published yesterday by the Guardian revealing that the NSA and FBI have been collecting phone records for millions of Verizon customers with a court order. The phone records collection only pertained to metadata and did not involve the content of phone calls, but the new report about tapping internet companies would collect content as well as metadata.
[Editor’s Note: This story was based on an article originally published by the Washington Post indicating that the government had direct access to the servers of internet companies. The Post later revised its story after the companies acknowledged they provided the government with data requested under court order but did not give the government direct access to their servers.