The Washington Post has published four additional slides from the NSA PowerPoint demonstration leaked by IT contractor Edward Snowden, which outline more information about the PRISM program. The slides, which are annotated by the Post, seem to directly contradict claims from a number of Internet tech companies that they did not have government hardware installed on-premises and used to gather data on suspects.
According to the just-released slides, the FBI, which apparently handles much of the actual data-gathering before handing the data over to the NSA, will used pre-approved search term, known as “selectors,” to search companies’ data stores.
THe FBI uses government equipment on private company property to retrieve matching information from a participating company, such as Microsoft or Yahoo and pass it without further review to the NSA.
If true, this would fly in the face of denials from all of named PRISM participants, which include—beyond Microsoft and Yahoo—Google, Facebook, PalTalk, YouTube, Skype, AOL and Apple. Since the initial leaking of the PRISM documents by former Booz Allen Hamilton contractor Snowden in early June to the Post and the UK Guardian news organizations, these companies have categorically denied that any such installed equipment is in place.
It is not clear where the Post came up with the conclusion of this annotation, since on-premise assets are not explicitly noted in the original content of the slides.
Instead, the implicated companies have all described a scenario that are variations of the same theme: when a proper Foreign Intelligence Surveillance Act (FISA) court request for information is received, the requested data is handed off to government officials either via portable media or a special FTP server that intelligence services can log into and download the data.
The new slides published this weekend would seem to challenge that notion. Not only is equipment being installed on-site at these companies, the slides also assert that there are no individual search warrants or requests going out to the companies … PRISM participants are working under a blanket FISA order that allows the gathering of information.
Since spying on U.S. citizens deliberately is illegal, the PRISM slides also outline ways in which U.S. intelligence services try to prevent the inclusion of Americans’ data in the net of surveillance and monitoring operations. From the beginning of the selection process to several stages were U.S. citizen data is supposed to shake out, the NSA and FBI put some effort into targeting only foreign nationals in the PRISM program.
How much good that effort does remains to be seen. At the beginning of the process, a supervisor in the NSA must review the selectors for a new target. “The supervisor must endorse the analyst’s ‘reasonable belief,’ defined as 51 percent confidence, that the specified target is a foreign national who is overseas at the time of collection,” the Post reported.
51 percent is just a hair better than flipping a coin.
Even if the intelligence services are successful in filtering out information on American citizen’s, that will be cold comfort to non-U.S. citizens using any of these online services. particularly in light of the reporting of government assets installed on-site within these companies’ firewalls.
If true, this information could prove devastating to cloud-based services offered by Google, Microsoft or Apple. Non-U.S. users could conceivably start abandoning such services in droves.
Given the level of anger currently rising in the halls of power in the EU, European users may not have a choice in leaving U.S.-based cloud services. According to the Guardian today, “German chancellor, Angela Merkel, and French president, François Hollande, described the disclosures of massive US spying and snooping in Europe as unacceptable, with the Germans suggesting there had to be mutual trust if the trade talks were to go ahead in Washington on Monday.”
While some of this shock and dismay may be a public show for gain some leverage in the aforementioned trade talks, there could be some real and lasting damage to cloud-based services based here in the U.S.
Germany, for instance, already has strict data privacy laws for corporations that prevent the storage of corporate data of any kind out in the public cloud. How long would it be for other EU nations to adopt similar policies? Or extend those prohibitions to consumer users?
There are lots of details to sort out, not the least of which are the veracity of claims from the government and the named PRISM technology companies. As PRISM continues to unfold in the light of day, a lot of cloud customers are going to be asking some hard questions … and maybe not liking the answers they hear.
Image courtesy of Wikipedia.