NSA PRISM Creates Stir, But Appears Legal

Massive information-sharing program involves Google, Facebook and other technology heavyweights, top secret document details. But NSA looks to have acted inside the law.

Mathew J. Schwartz, Contributor

June 7, 2013


Has the National Security Agency been illegally spying on Americans?

The Guardian newspaper in Britain Thursday published a top-secret document, dated April 2013, outlining an information-sharing program -- code-named PRISM -- that counts seven of the country's biggest technology giants as participants, including Apple, Facebook and Google.

Run by the NSA, the program reportedly provides the agency with access to real-time information as well as stored data from the businesses' systems. According to a chart included in the NSA document, the agency has direct access to servers, and is able to access email, voice and video chat, videos, photos, stored data, VoIP, file transfers, video conference, login activity, social network details as well as "special requests." The current providers of such data are listed as Microsoft, Google, Yahoo, Facebook, PalTalk, YouTube, Skype, AOL and Apple. But the document said that the program is continuing to expand, naming Dropbox as an upcoming provider of data.

Those revelations came in the wake of a report released earlier this week that detailed a secret U.S. court order that compelled Verizon to share all of its customers' call records, as well as details relating to subscribers' emails, Web searches and credit card activity. Similar programs count AT&T and Sprint as information providers, The Wall Street Journal reported Friday.


Responding to the outing of the PRISM program, James R. Clapper, the U.S. director of National Intelligence, issued a statement "on recent unauthorized disclosures of classified information" Thursday, saying that "the article omits key information regarding how a classified intelligence collection program is used to prevent terrorist attacks and the numerous safeguards that protect privacy and civil liberties."

Clapper continued, "I believe it is important for the American people to understand the limits of this targeted counterterrorism program and the principles that govern its use." To that end, he said that he'd directed that some information relating to the "business records" accessed by the program "be declassified and immediately released to the public."

Friday, the Guardian reported that the NSA's British equivalent, known as the Government Communications Headquarters (GCHQ), has enjoyed access to PRISM since 2010, and last year generated 197 intelligence reports using the program.

PRISM began in 2007. The first participant was Microsoft, followed by Yahoo (2008); Google, Facebook and PalTalk (2009); YouTube (2010); Skype and AOL (2011); and Apple (2012), reported the Guardian.

In response to questions about their PRISM participation, all of the technology companies named in the PRISM document issued curiously similar statements that largely included legal and technical hedges, saying they complied with court orders, but never gave the government "direct access" or a "back door" into their systems.

A statement issued by Google reads, "Google cares deeply about the security of our users' data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government 'back door' into our systems, but Google does not have a 'back door' for the government to access private user data."

While some businesses, including Apple, said they'd never heard of PRISM, none of the businesses denied being part of such a program. Then again, they may be subject to a gag order.

"My read on PRISM: named [companies] provide an API to specific content and 'target activity' under FISA. Think of it as push notification for NSA," tweeted security researcher Ashkan Soltani. "This isn't 'direct access' nor is it a 'backdoor' which is why the talking points are all similar. It's a targeted API."

But is PRISM legal? The short answer appears to be -- no matter how unpalatable a massive domestic Internet surveillance program might sound -- yes.

"From what I've seen so far, it sounds like the program is the way the government is implementing the FISA Amendments Act of 2008 and the Protect America Act of 2007, which were enacted in response to the 2005 disclosure of the Bush Administration's warrantless wiretapping program," said George Washington University professor Orin Kerr, a former Department of Justice computer crime prosecutor, in a blog post.

Even so, the scale of the domestic surveillance programs, launched by President George W. Bush and reauthorized by President Barack Obama, has drawn criticism from a number of civil rights and privacy groups. "Many lawmakers, like Senators Wyden and Udall, warned that the Executive Branch's interpretations of the Patriot Act and the FISA Amendments Act were dangerously broad," said Center for Democracy and Technology (CDT) senior counsel Greg Nojeim, in a statement. "Now we know just how right they were, and just how badly Congress needs to reform those laws."

Based on the leaked PRISM materials, however, the takeaway from the program doesn't appear to differ significantly from previously used law enforcement data-gathering techniques. "There's less difference between this 'collection-first' program and the usual law enforcement data search than first meets the eye," said attorney Stewart A. Baker, who served as NSA general counsel from 1992 to 1994. "In the standard law enforcement search, the government establishes the relevance of its inquiry and is then allowed to collect the data. In the new collection-first model, the government collects the data and then must establish the relevance of each inquiry before it's allowed to conduct a search."

"If you trust the government to follow the rules, both models end up in much the same place," Baker said.

About the Author

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
