The Washington Post has published a massive investigative report revealing a secret state-run program called PRISM, which allows the National Security Agency to legally extract "audio and video chats, photographs, emails, documents, and connection logs that enable analysts to track foreign targets" from the servers of nine U.S. internet companies. According to the document obtained by The Post, the official roster includes Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple. (Here's everything we know about PRISM so far.)
The Post has since backtracked on its original stance that the companies "participated knowingly" in the program, and has added this hedging paragraph:
It is possible that the conflict between the PRISM slides and the company spokesmen is the result of imprecision on the part of the NSA author. In another classified report obtained by The Post, the arrangement is described as allowing 'collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,' rather than directly to company servers. [Washington Post]
Here are statements from the firms that have so far denied involvement with the program. Remember: Skype is owned by Microsoft, and YouTube is owned by Google. AOL has yet to respond, but we'll update this list when or if it does:
We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don't participate in it. [Microsoft]
Yahoo! takes users privacy very seriously. We do not provide the government with direct access to our servers, systems, or network. [TechCrunch]
Google cares deeply about the security of our users' data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government 'back door' into our systems, but Google does not have a backdoor for the government to access private user data. [TechCrunch]
We do not provide any government organization with direct access to Facebook servers. When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law. [All Things D]
No comment. [VentureBeat]
We have never heard of PRISM. We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order. [All Things D]
We've seen reports that Dropbox might be asked to participate in a government program called PRISM. We are not part of any such program and remain committed to protecting our users' privacy. [TechCrunch]
So what's going on? A few early possibilities:
1. The Washington Post is wrong. At this point, that doesn't look likely.
2. The companies are being less than forthright. They could be phrasing their denials in such a way that they're technically telling the truth. "Comparing denials from tech companies, a clear pattern emerges," writes Andrea Peterson at ThinkProgress:
Apple denied ever hearing of the program and notes they "do not provide any government agency with direct access to our servers and any agency requesting customer data must get a court order;" Facebook claimed they "do not provide any government organization with direct access to Facebook servers;" Google said it "does not have a 'back door' for the government to access private user data"; And Yahoo said they "do not provide the government with direct access to our servers, systems, or network." Most also note that they only release user information as the law compels them to. [ThinkProgress]
3. PRISM is simply a very, very closely guarded secret. It could be that the NSA's arrangements with the companies "are kept so tightly compartmentalized that very few people know about it," writes TheWeek.com's Marc Ambinder. "Those who do probably have security clearances and are bound by law not to reveal the arrangement." Security expert Robert David Graham puts it another way:
Internal code names are often not shared with the counterparty. Just because NSA calls it PRISM doesn't mean Apple/Google knows that name.— Robert David Graham (@ErrataRob) June 6, 2013
THE WEEK'S AUDIOPHILE PODCASTS: LISTEN SMARTER
- Why you shouldn't eat dog. Not even once.
- Why Israel can no longer let the Palestinian Authority be responsible for security in the West Bank
- How U.S. special forces are preparing for the worst-case scenario in North Korea
- Why you should really take a nap this afternoon, according to science
- Grammar quiz: Do you know the passive voice?
- Here's the schedule very successful people follow every day
- How social conservatives became a minority in need of protection
- What would a U.S.-Russia war look like?
- The real story behind Deliver Us From Evil
- The 11 worst fast food restaurants in America
Subscribe to the Week