Risk
8/23/2013
01:38 PM
NSA Paid Tech Companies Millions For Prism

Leaked documents show taxpayer cost of involving Google, Microsoft and other tech companies in Prism digital dragnet.

Who paid the cost of giving the National Security Agency direct access to the systems of nine technology companies, including Facebook, Google, Microsoft and Yahoo?

The answer arrived Friday: U.S. taxpayers.

Furthermore, the bill wasn't cheap. The U.S. Foreign Intelligence Surveillance Act (FISA) Court, which is charged with monitoring the NSA's surveillance programs, ruled in 2011 that the agency violated section 702 of FISA as well as the Fourth Amendment. Accordingly, the court ordered the programs to cease within 30 days unless specific "upstream collection" practice problems were fixed.

"Upstream collection is when the NSA gets a copy of Internet traffic as it flows through major telecommunications hubs and searches through for 'selectors,' like an email address or a keyword," Parker Higgins, an activist at Electronic Frontier Foundation, said in a blog post.


That FISA Court ruling triggered a period of successive 30-day extensions, each of which required corresponding changes from the technology companies that were legally compelled to give the NSA access to their systems. Those extensions and the surveillance program certifications they included came at quite a cost, according to a December 2012 NSA newsletter marked "top secret," which was published Friday by the Guardian and presumably provided by former NSA employee-turned-whistleblower Edward Snowden.

"Last year's problems resulted in multiple extensions to the certifications' expiration dates which cost millions of dollars for Prism providers to implement each successive extension -- costs covered by Special Source Operations," read the NSA newsletter.

Yahoo confirmed to the Guardian that it had been reimbursed for costs related to responding to data requests from the U.S. government. "Federal law requires the U.S. government to reimburse providers for costs incurred to respond to compulsory legal process imposed by the government," said a Yahoo official. "We have requested reimbursement consistent with this law."

Special Source Operations -- described by Snowden as the NSA's "crown jewel" -- administers the agency's surveillance programs that involve service providers, telecommunications companies and corporate partnership arrangements with technology firms that give the agency direct access to the data they handle.

But according to three rulings declassified this week by director of National Intelligence James Clapper -- as ordered by President Obama -- the FISA Court in 2011 ruled that the agency had broken the FISA law and violated the Fourth Amendment thousands of times due to its data interception practices. That document disclosure was made in response to a Freedom of Information Act request from EFF.

In one of those declassified documents, FISA Court judge John Bates wrote in an 86-page opinion that the "volume and nature of the information [NSA] has been collecting is fundamentally different from what the court had been led to believe." Furthermore, he said that the NSA's so-called minimization procedures for intercepting multi-communication transaction (MCT) data "tend to maximize, rather than minimize, the retention of non-target information, including information of or concerning United States persons," thus violating the Fourth Amendment.

Accordingly, rather than renewing the requested annual legal certifications the agency is required to obtain from the FISA Court for its FISA surveillance programs, he instructed the NSA to fix specific problems or cease its related surveillance efforts.

In a cover letter published with the declassified court rulings, Clapper characterized those problems as involving "highly technical reasons concerning the matter in which the collection occurred," rather than involving questions of civil liberties. In particular, the problem appeared to center on the capture of MCT data, which might bundle multiple messages in a single communication.

"In large-scale enterprises as technologically sophisticated and operationally complex as the 702 program, mistakes and errors can and will happen," said Clapper. He said that after the court ruling, the agency proactively deleted all upstream communications it had intercepted in violation of FISA.

Clapper emphasized, however, that the agency reports all such errors both to the FISA Court and Congress. That included reporting earlier "unintended misrepresentations in the way the collections were described to the FISA Court" that resulted in part from "gaps in technical understanding" between different groups at NSA. In the wake of those discoveries and reporting the problems to the FISA Court and Congress, Clapper said that part of the solution entailed making not just technical changes, but also related structural, managerial and training changes at NSA.

Comments
David F. Carr, User Rank: Apprentice
8/26/2013 | 1:57:58 PM
re: NSA Paid Tech Companies Millions For Prism
Do we know the cost basis of the provider charges? Was it labor or more like telecom/storage charges? Was there some formula for determining a fair charge?
Drew Conry-Murray, User Rank: Ninja
8/23/2013 | 10:19:59 PM
re: NSA Paid Tech Companies Millions For Prism
I wonder if any of these companies got paid twice--first to help the NSA build its systems, and then the compensation for the extra costs of enabling NSA access to data.