Sunday, June 9, 2013

PRISM: Does the NSA Really Get Direct Access to Your Data?

Confusion surrounding the secret NSA surveillance program PRISM continues. Can the NSA really access Internet companies' user data directly, like the initial reports about PRISM suggested?

On Friday, both Google's Larry Page and Facebook's Mark Zuckerberg strongly denied that, using almost identical wording.

"Facebook is not and has never been part of any program to give the U.S. or any other government direct access to our servers," Zuckerberg wrote. Page, in his statement, wrote that Google has not "joined any program that would give the U.S. government — or any other government — direct access to our servers."

Despite their claims, two different stories published late Friday by The New York Times and The Wall Street Journal seemed to suggest that both companies have been collaborating with the government.

Whether companies have given direct access or indirect access, though, is still unclear.

According to the Times' sources, both Google and Facebook have discussed setting up separate portals where the companies deposit data when they receive requests from the U.S. government. U.S. officials who spoke to the Journal said the NSA receives copies of Google's data through a separate system set up following a court order, and that Facebook was one of the companies that implemented this separate server system.

In short, there are no back doors, but perhaps there are side doors — although these might very well be standard procedures in cases of wiretap requests.

As reported by CNET on Saturday, these systems might not actually give direct access to the NSA.

"It's not as described in the histrionics in the Washington Post or The Guardian," a former government official who has knowledge of the program told CNET. "None of it's true. It's a very formalized legal process that companies are obliged to do."

The official explained that when the companies receive Section 702 orders, they basically follow the same procedure they follow with regular wiretap orders. Section 702 orders, as explained before, are part of the Foreign Intelligence Surveillance Act, or FISA, created by the FISA Amendments Act (FAA) of 2008. This is used to acquire information such as metadata or content created by foreign targets.

Companies implement these orders "just as though they would implement a wiretap — there's no direct access to servers," CNET's source said. And these orders, the source explains, are not dragnet orders: "You can't say everyone in Pakistan who searched for 'X'... It still has to be particularized."

For Ashkan Soltani, an independent privacy researcher and technologist, this is "a process for submitting [Section] 702 requests and getting responses in a machine-readable form."

The 41-page PRISM Powerpoint presentation "could be seen as a business development deck indicating all the various providers that they currently have 'relationships with,'" he told Mashable.

The system is "basically a data-ingestion API," he said.

Soltani speculated that, based on what we know now, PRISM is a "streamlined way" to submit Section 702 orders to the companies for them to review the requests, and that it gives the NSA the ability to handle and process the response "in an automated fashion," much as an app like TripIt automatically parses information from your flight reservations.

Marc Ambinder, a reporter who has written extensively about secrecy and national security, wrote in The Week that "PRISM is a kick-ass GUI [graphic user interface] that allows an analyst to look at, collate, monitor, and cross-check different data types provided to the NSA from Internet companies located inside the United States."

Asked whether Google had ever received a Section 702 order, and if so how it had responded, Google spokesman Chris Gaither told Mashable that "due to U.S. legal constraints, we're not allowed to discuss any legal requests issued under the national security laws, including provisions in the Foreign Intelligence Surveillance Act (FISA)."

Meanwhile, The Guardian on Saturday afternoon published another slide from the 41-page PRISM presentation. In the slide, under "PRISM," a paragraph explains that the system does its "collection directly from the servers" of the nine Internet companies previously reported.

Perhaps, as Washington Post reporter Timothy B. Lee wrote on Twitter, the author of that slide deck just wasn't using "direct access" correctly. That's a view that Soltani also shares.

"I don't think [the NSA] is doing DPI [Deep Packet Inspection] at the 'servers of the providers,'" he said in an online chat with Mashable. "That's really hard. [...] If they can do it for $20 million I think we should hire the NSA to do hosting for most of the companies in the valley."

Image courtesy of YouTube, Google
