8/23/2013 01:38 PM
NSA Paid Tech Companies Millions For Prism

Leaked documents show taxpayer cost of involving Google, Microsoft and other tech companies in Prism digital dragnet.

Who paid the cost of giving the National Security Agency direct access to the systems of nine technology companies, including Facebook, Google, Microsoft and Yahoo?

The answer arrived Friday: U.S. taxpayers.

Furthermore, the bill wasn't cheap. The U.S. Foreign Intelligence Surveillance Act (FISA) Court, which oversees the NSA's surveillance programs, ruled in 2011 that the agency had violated Section 702 of FISA as well as the Fourth Amendment. Accordingly, the court ordered the affected collection to cease within 30 days unless specific problems with the agency's "upstream collection" practices were fixed.

"Upstream collection is when the NSA gets a copy of Internet traffic as it flows through major telecommunications hubs and searches through for 'selectors,' like an email address or a keyword," Parker Higgins, an activist at Electronic Frontier Foundation, said in a blog post.


That FISA Court ruling triggered a period of successive 30-day extensions, each of which required corresponding changes from the technology companies that were legally compelled to give the NSA access to their systems. Those extensions and the surveillance program certifications they included came at quite a cost, according to a December 2012 NSA newsletter marked "top secret," which was published Friday by the Guardian and presumably provided by former NSA employee-turned-whistleblower Edward Snowden.

"Last year's problems resulted in multiple extensions to the certifications' expiration dates which cost millions of dollars for Prism providers to implement each successive extension -- costs covered by Special Source Operations," read the NSA newsletter.

Yahoo confirmed to the Guardian that it had been reimbursed for costs related to responding to data requests from the U.S. government. "Federal law requires the U.S. government to reimburse providers for costs incurred to respond to compulsory legal process imposed by the government," said a Yahoo official. "We have requested reimbursement consistent with this law."

Special Source Operations -- described by Snowden as the NSA's "crown jewel" -- administers the agency's surveillance programs that involve service providers, telecommunications companies and corporate partnership arrangements with technology firms that give the agency direct access to the data they handle.

But according to three rulings declassified this week by Director of National Intelligence James Clapper -- as ordered by President Obama -- the FISA Court found in 2011 that the agency had violated FISA and the Fourth Amendment thousands of times through its data interception practices. That disclosure was made in response to a Freedom of Information Act request from EFF.

In one of those declassified documents, FISA Court judge John Bates wrote in an 86-page opinion that the "volume and nature of the information [NSA] has been collecting is fundamentally different from what the court had been led to believe." Furthermore, he said that the NSA's so-called minimization procedures for intercepting multi-communication transaction (MCT) data "tend to maximize, rather than minimize, the retention of non-target information, including information of or concerning United States persons," thus violating the Fourth Amendment.

Accordingly, rather than renewing the annual certifications the NSA must obtain from the FISA Court for its Section 702 surveillance programs, he instructed the agency to fix the specific problems identified or cease the related collection.

In a cover letter published with the declassified court rulings, Clapper characterized those problems as involving "highly technical reasons concerning the matter in which the collection occurred," rather than involving questions of civil liberties. In particular, the problem appeared to center on the capture of MCT data, which might bundle multiple messages in a single communication.

"In large-scale enterprises as technologically sophisticated and operationally complex as the 702 program, mistakes and errors can and will happen," said Clapper. He said that after the court ruling, the agency proactively deleted all upstream communications it had intercepted in violation of FISA.

Clapper emphasized, however, that the agency reports all such errors both to the FISA Court and Congress. That included reporting earlier "unintended misrepresentations in the way the collections were described to the FISA Court" that resulted in part from "gaps in technical understanding" between different groups at NSA. In the wake of those discoveries and reporting the problems to the FISA Court and Congress, Clapper said that part of the solution entailed making not just technical changes, but also related structural, managerial and training changes at NSA.

Comments

David F. Carr, 8/26/2013 1:57:58 PM
re: NSA Paid Tech Companies Millions For Prism
Do we know the cost basis of the provider charges? Was it labor or more like telecom/storage charges? Was there some formula for determining a fair charge?

Drew Conry-Murray, 8/23/2013 10:19:59 PM
re: NSA Paid Tech Companies Millions For Prism
I wonder if any of these companies got paid twice -- first to help the NSA build its systems, and then the compensation for the extra costs of enabling NSA access to data.