Risk
6/7/2013
11:07 AM

NSA PRISM Creates Stir, But Appears Legal

Massive information-sharing program involves Google, Facebook and other technology heavyweights, top secret document details. But NSA looks to have acted inside the law.

Has the National Security Agency been illegally spying on Americans?

The Guardian newspaper in Britain Thursday published a top-secret document, dated April 2013, outlining an information-sharing program -- code-named PRISM -- that counts seven of the country's biggest technology giants as participants, including Apple, Facebook and Google.

Run by the NSA, the program reportedly provides the agency with access to real-time information as well as stored data from the businesses' systems. According to a chart included in the NSA document, the agency has direct access to servers, and is able to access email, voice and video chat, videos, photos, stored data, VoIP, file transfers, video conference, login activity, social network details as well as "special requests." The current providers of such data are listed as Microsoft, Google, Yahoo, Facebook, PalTalk, YouTube, Skype, AOL and Apple. But the document said that the program is continuing to expand, naming Dropbox as an upcoming provider of data.

Those revelations came in the wake of a report released earlier this week that detailed a secret U.S. court order that compelled Verizon to share all of its customers' call records, as well as details relating to subscribers' emails, Web searches and credit card activity. Similar programs count AT&T and Sprint as information providers, The Wall Street Journal reported Friday.

Responding to the outing of the PRISM program, James R. Clapper, the U.S. director of National Intelligence, issued a statement "on recent unauthorized disclosures of classified information" Thursday, saying that "the article omits key information regarding how a classified intelligence collection program is used to prevent terrorist attacks and the numerous safeguards that protect privacy and civil liberties."

Clapper continued, "I believe it is important for the American people to understand the limits of this targeted counterterrorism program and the principles that govern its use." To that end, he said that he'd directed that some information relating to the "business records" accessed by the program "be declassified and immediately released to the public."

Friday, the Guardian reported that the NSA's British equivalent, known as the Government Communications Headquarters (GCHQ), has enjoyed access to PRISM since 2010, and last year generated 197 intelligence reports using the program.

PRISM began in 2007. The first participant was Microsoft, followed by Yahoo (2008); Google, Facebook and PalTalk (2009); YouTube (2010); Skype and AOL (2011); and Apple (2012), reported the Guardian.

In response to questions about their PRISM participation, all of the technology companies named in the PRISM document issued curiously similar statements that largely included legal and technical hedges, saying they complied with court orders, but never gave the government "direct access" or a "back door" into their systems.

A statement issued by Google reads, "Google cares deeply about the security of our users' data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government 'back door' into our systems, but Google does not have a 'back door' for the government to access private user data."

While some businesses, including Apple, said they'd never heard of PRISM, none of the businesses denied being part of such a program. Then again, they may be subject to a gag order.

"My read on PRISM: named [companies] provide an API to specific content and 'target activity' under FISA. Think of it as push notification for NSA," tweeted security researcher Ashkan Soltani. "This isn't 'direct access' nor is it a 'backdoor' which is why the talking points are all similar. It's a targeted API."

But is PRISM legal? The short answer appears to be -- no matter how unpalatable a massive domestic Internet surveillance program might sound -- yes.

"From what I've seen so far, it sounds like the program is the way the government is implementing the FISA Amendments Act of 2008 and the Protect America Act of 2007, which were enacted in response to the 2005 disclosure of the Bush Administration's warrantless wiretapping program," said George Washington University professor Orin Kerr, a former Department of Justice computer crime prosecutor, in a blog post.

Even so, the scale of the domestic surveillance programs, launched by President George W. Bush and reauthorized by President Barack Obama, has drawn criticism from a number of civil rights and privacy groups. "Many lawmakers, like Senators Wyden and Udall, warned that the Executive Branch's interpretations of the Patriot Act and the FISA Amendments Act were dangerously broad," said Center for Democracy and Technology (CDT) senior counsel Greg Nojeim, in a statement. "Now we know just how right they were, and just how badly Congress needs to reform those laws."

Based on the leaked PRISM materials, however, the takeaway from the program doesn't appear to differ significantly from previously used law enforcement data-gathering techniques. "There's less difference between this 'collection-first' program and the usual law enforcement data search than first meets the eye," said attorney Stewart A. Baker, who served as NSA general counsel from 1992 to 1994. "In the standard law enforcement search, the government establishes the relevance of its inquiry and is then allowed to collect the data. In the new collection-first model, the government collects the data and then must establish the relevance of each inquiry before it's allowed to conduct a search."

"If you trust the government to follow the rules, both models end up in much the same place," Baker said.

Comments
zunguri,
User Rank: Apprentice
6/7/2013 | 5:41:50 PM
re: NSA PRISM Creates Stir, But Appears Legal
This is what the Patriot Act has brought us.
humberger972,
User Rank: Apprentice
6/7/2013 | 5:36:03 PM
re: NSA PRISM Creates Stir, But Appears Legal
It is legal for Congress to take bribes now -- because they changed the law. It is now illegal to report illegal activities in food processing sites now - because the industry paid a lot of money to Congress and wrote the law - i.e., whistle blowing that benefits the public is now illegal. Several industries have put in laws that name them or their industry directly to make them exempt from laws the rest of us follow, all perfectly "legal". If they pass a law that it is ok for the government to hold US citizens without trial forever, and make it illegal to talk about it or challenge it in court, then it is perfectly legal -- but it is still wrong.
Jed Davis,
User Rank: Apprentice
6/7/2013 | 5:35:39 PM
re: NSA PRISM Creates Stir, But Appears Legal
Here's my vote. Probable cause. Anything else is a direct goose step toward totalitarianism.
Jed Davis,
User Rank: Apprentice
6/7/2013 | 5:33:02 PM
re: NSA PRISM Creates Stir, But Appears Legal
"If you trust the government to follow the rules, both models end up in much the same place," Baker said. Yep, IF......
Lorna Garey,
User Rank: Ninja
6/7/2013 | 5:25:14 PM
re: NSA PRISM Creates Stir, But Appears Legal
Many of the media outlets yelling about this are the same ones asking why the FBI didn't stop the Tsarnaev brothers before the Boston bombings. The phrase "damned if you do, damned if you don't" comes to mind. A discussion is needed over how much monitoring Americans will accept in return for disruption of terrorist plots.
ANON1238069211759,
User Rank: Apprentice
6/7/2013 | 5:11:22 PM
re: NSA PRISM Creates Stir, But Appears Legal
It is only "legal" because the people who created the secret laws, courts and warrants say they are legal. Of course everything is labeled top secret so no one can look at them anyways. It is only "legal" because no one has stopped or can stop them.

No one will be tried, no one will be convicted because they were all following the "law". Only the Supreme Court can say it is illegal and they can only do that once someone has been tried and convicted using these nefarious methods.

This is not a Republican vs Democrat issue. This is an American vs the Government issue. An Us vs Them issue. This affects us all. When the FBI, NSA and IRS can arrogantly target individual Americans, we are right back to King George III.
JoeBlowZCUI,
User Rank: Apprentice
6/7/2013 | 3:45:46 PM
re: NSA PRISM Creates Stir, But Appears Legal
Legality is, to a large extent, irrelevant.

This is a level of government surveillance unseen in the history of humanity. A vast majority of the cell phone-using population of the United States are monitored. A vast majority of the earth's internet users are being monitored.

To be melodramatic to make a point: this is the kind of thing that would justify burning down Congress. Americans should be in the streets. And every globally concerned citizen should be writing to their government representatives, imploring them to complain to the Americans for this highly immoral and secretive global surveillance.

I believe this behavior should be considered a crime against humanity. It is a violation of basic human decency, and is obscene. Many heads should roll.