The U.S. government is reportedly mining data from at least nine leading Internet companies through a secret program code-named PRISM that is aimed at sifting through foreign communications traffic to track potential terrorists.
On the heels of a report earlier this week revealing the U.S. is collecting phone records from Verizon (NYSE:VZ), the news is likely to raise the heat in a renewed debate about the government’s surveillance authority.
According to a top-secret document obtained by The Washington Post, the National Security Agency and the FBI are able to tap directly into the central servers of technology companies to extract audio and video chats, photographs, emails, documents and connection logs. The report said PRISM is focused on foreign targets, not American ones.
The document lists the following U.S. service providers: Microsoft (NASDAQ:MSFT), Yahoo (NASDAQ:YHOO), Google (NASDAQ:GOOG), Facebook (NASDAQ:FB), PalTalk, AOL (NYSE:AOL), Skype, YouTube and Apple (NASDAQ:AAPL).
Most of the companies named in the report denied providing “direct” access to the U.S. government or said they were unaware of such a program.
“For those companies where aggregating data is a vehicle for profit, their need to balance the desires of users, investors and the U.S. government is getting more complicated,” said Christopher Bronk, a fellow in information technology policy at Rice University’s Baker Institute.
PRISM was launched under President George W. Bush in 2007, but has since been significantly expanded by President Obama, serving as the National Security Agency’s leading source of raw material by accounting for nearly one in seven intelligence reports, the Post reported.
During televised remarks on Friday, Obama defended the surveillance programs, saying his administration kept Congress informed, received approval from federal judges and attempted to bolster safeguards. He also stressed that PRISM is targeted at non-U.S. citizens.
"My assessment and my team's assessment was that [these programs] help us prevent terrorist attacks," Obama said. "You can't have 100% security and also 100% privacy and zero inconvenience. We’re going to have to make some choices as a society.”
Jameel Jaffer, deputy legal director at the ACLU, said in a statement that the recent press stories "make clear that the NSA -- part of the military -- now has direct access to every corner of Americans’ digital lives. Unchecked government surveillance presents a grave threat to democratic freedoms."
Director of National Intelligence James Clapper said in a statement that “information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats.”
Clapper, who took issue with "numerous" unidentified "inaccuracies" in the report, said “the unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans.”
Bronk, the academic at Rice, speculated about the ripple-effects of the recent disclosures.
"Is this the beginning of the repeal of the Patriot Act?" said Bronk.
Tech Firms Deny Giving 'Direct' Access
The Internet companies named in the report often rely on consumers freely sharing information without fear of it being shared more widely.
“Google does not have a ‘back door’ for the government to access private user data,” said a spokesperson from the tech giant, which also owns YouTube. “Google cares deeply about the security of our users’ data. We disclose user data to government in accordance with the law, and we review all such requests carefully.”
The Post story said Microsoft, which owns Skype, was the first company to sign up to PRISM.
“We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis,” a Microsoft spokesperson said, adding that it only complies to requests about “specific” accounts or identifiers. “If the government has a broader voluntary national security program to gather customer data we don't participate in it."
Joe Sullivan, chief security officer at Facebook, said the social network does not “provide any government organization with direct access to Facebook servers.” Sullivan said the company believes protecting the privacy of users and their data is a “top priority” and its executives “carefully scrutinize” requests for information.
Notes obtained by the Post say “98% of PRISM production is based on Yahoo, Google and Microsoft; we need to make sure we don’t harm these sources.”
Stocks Shrug Off Report
Apple didn’t respond to a request for comment, but a spokesman told Dow Jones that the electronics giant “has never heard” of PRISM. “We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order."
According to the Post, the far smaller PalTalk hosted traffic of “substantial intelligence interest” during the Arab Spring and in the ongoing civil war in Syria.
PalTalk said it has not "heard of PRISM" and that it "exercises extreme care to protect and secure users' data, only responding to court orders as required by law." PalTalk said it does not provide "any government agency with direct access to its servers."
"Yahoo! takes users' privacy very seriously. We do not provide the government with direct access to our servers, systems, or networks," a Yahoo spokesperson said in an emailed statement.
AOL didn’t respond to a request for comment.
It’s possible the conflict between the comments from the Internet companies and the PRISM presentation slides cited by the Post is caused by semantics. The paper said in another classified report the arrangement is described as allowing “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations.”
Shares of the tech companies appeared to be unfazed by the report, with most trading moderately higher or lower Friday morning.
“If every cloud-based or social network-based company that started in the U.S. is automatically considered to be working for U.S. intelligence, that will be a deterrent for foreign buy-in both from the user side and from the investment side," said Bronk.