Risk
8/23/2013
01:38 PM
NSA Paid Tech Companies Millions For Prism

Leaked documents show taxpayer cost of involving Google, Microsoft and other tech companies in Prism digital dragnet.

Who paid the cost of giving the National Security Agency direct access to the systems of nine technology companies, including Facebook, Google, Microsoft and Yahoo?

The answer arrived Friday: U.S. taxpayers.

Furthermore, the bill wasn't cheap. The U.S. Foreign Intelligence Surveillance Act (FISA) Court, which is charged with overseeing the NSA's surveillance programs, ruled in 2011 that the agency had violated section 702 of FISA as well as the Fourth Amendment. Accordingly, the court ordered the programs to cease within 30 days unless specific problems with the agency's "upstream collection" practices were fixed.

"Upstream collection is when the NSA gets a copy of Internet traffic as it flows through major telecommunications hubs and searches through for 'selectors,' like an email address or a keyword," Parker Higgins, an activist at Electronic Frontier Foundation, said in a blog post.

That FISA Court ruling triggered a period of successive 30-day extensions, each of which required corresponding changes from the technology companies that were legally compelled to give the NSA access to their systems. Those extensions and the surveillance program certifications they included came at quite a cost, according to a December 2012 NSA newsletter marked "top secret," which was published Friday by the Guardian and presumably provided by former NSA employee-turned-whistleblower Edward Snowden.

"Last year's problems resulted in multiple extensions to the certifications' expiration dates which cost millions of dollars for Prism providers to implement each successive extension -- costs covered by Special Source Operations," read the NSA newsletter.

Yahoo confirmed to the Guardian that it had been reimbursed for costs related to responding to data requests from the U.S. government. "Federal law requires the U.S. government to reimburse providers for costs incurred to respond to compulsory legal process imposed by the government," said a Yahoo official. "We have requested reimbursement consistent with this law."

Special Source Operations -- described by Snowden as the NSA's "crown jewel" -- administers the agency's surveillance programs that involve service providers, telecommunications companies and corporate partnership arrangements with technology firms that give the agency direct access to the data they handle.

But according to three rulings declassified this week by Director of National Intelligence James Clapper -- as ordered by President Obama -- the FISA Court in 2011 ruled that the agency had broken the FISA law and violated the Fourth Amendment thousands of times due to its data interception practices. That document disclosure was made in response to a Freedom of Information Act request from EFF.

In one of those declassified documents, FISA Court judge John Bates wrote in an 86-page opinion that the "volume and nature of the information [NSA] has been collecting is fundamentally different from what the court had been led to believe." Furthermore, he said that the NSA's so-called minimization procedures for intercepting multi-communication transaction (MCT) data "tend to maximize, rather than minimize, the retention of non-target information, including information of or concerning United States persons," thus violating the Fourth Amendment.

Accordingly, rather than renewing the requested annual legal certifications the agency is required to obtain from the FISA Court for its FISA surveillance programs, he instructed the NSA to fix specific problems or cease its related surveillance efforts.

In a cover letter published with the declassified court rulings, Clapper characterized those problems as involving "highly technical reasons concerning the matter in which the collection occurred," rather than involving questions of civil liberties. In particular, the problem appeared to center on the capture of MCT data, which might bundle multiple messages in a single communication.

"In large-scale enterprises as technologically sophisticated and operationally complex as the 702 program, mistakes and errors can and will happen," said Clapper. He said that after the court ruling, the agency proactively deleted all upstream communications it had intercepted in violation of FISA.

Clapper emphasized, however, that the agency reports all such errors both to the FISA Court and Congress. That included reporting earlier "unintended misrepresentations in the way the collections were described to the FISA Court" that resulted in part from "gaps in technical understanding" between different groups at NSA. In the wake of those discoveries and reporting the problems to the FISA Court and Congress, Clapper said that part of the solution entailed making not just technical changes, but also related structural, managerial and training changes at NSA.

Comments
David F. Carr,
User Rank: Apprentice
8/26/2013 | 1:57:58 PM
re: NSA Paid Tech Companies Millions For Prism
Do we know the cost basis of the provider charges? Was it labor or more like telecom/storage charges? Was there some formula for determining a fair charge?
Drew Conry-Murray,
User Rank: Ninja
8/23/2013 | 10:19:59 PM
re: NSA Paid Tech Companies Millions For Prism
I wonder if any of these companies got paid twice--first to help the NSA build its systems, and then the compensation for the extra costs of enabling NSA access to data.