Don't Fall For Misleading Story Being Spread By NSA Suggesting Tech Companies Lied About PRISM
from the bogus dept
Update: With little fanfare, the Guardian has now added a note (at the bottom) saying that it has adjusted the story because of the initial misleading claims:

This article was amended on 20 March 2014 to remove statements in the original that the testimony by Rajesh De contradicted denials by technology companies about their knowledge of NSA data collection. It was also updated to clarify that the companies challenged the secrecy surrounding Section 702 orders.

I wonder how many people who have been repeating the initial misleading claims will go back and see that change? Original story below:
I'm seeing a bunch of folks passing around a story by Spencer Ackerman at The Guardian, claiming that tech companies lied in their "denials" of PRISM. The story is incredibly misleading. Ackerman is one of the best reporters out there on the intelligence community, and I can't recall ever seeing a story that I think he got wrong, but this is one. But the storyline is so juicy that lots of folks, including the usual suspects, are quick to pile on without bothering to actually look at the details, insisting that this is somehow evidence of the tech companies lying.
So, let's look at what actually happened. The report is based on statements by Rajesh De, the NSA general counsel, who was testifying before the US's Privacy and Civil Liberties Oversight Board (PCLOB). Here's the part that's catching everyone's attention:

Asked during a Wednesday hearing of the US government's institutional privacy watchdog if collection under the law, known as Section 702 or the Fisa Amendments Act, occurred with the "full knowledge and assistance of any company from which information is obtained," De replied: "Yes."

When the Guardian and the Washington Post broke the Prism story in June, thanks to documents leaked by whistleblower Edward Snowden, nearly all the companies listed as participating in the program – Yahoo, Apple, Google, Microsoft, Facebook, Paltalk, AOL – claimed they did not know about a surveillance practice described as giving NSA vast access to their customers' data. Some, like Apple, said they had "never heard" the term Prism.

Everything stated above is technically true, but misleading. The problem is that what the companies denied is not what De is talking about. What they denied is what both the Washington Post and the Guardian initially implied: that the NSA had "direct access" to the servers of the nine companies named under PRISM, with the clear implication of the stories being that this direct access covered basically all servers. All of the companies denied that level of access (which was and remains true). They also (as Ackerman does mention) denied knowing what PRISM was. Within a day or so, it became quite clear that "PRISM" was merely orders under Section 702 of the FISA Amendments Act -- which is what eventually led a bunch of those same companies to sue the government, saying they wanted to reveal the details of the Section 702 orders they got, including how many orders they received and how many user accounts were impacted by those orders. The very reason they filed that lawsuit was to prove that PRISM/Section 702 orders were never about full access to everything, but rather more targeted requests approved by the FISA court (it's fair to point out that the NSA's definition of "targeted" is broader than you and I would like, but that's a separate issue).
In January, that lawsuit was settled, with the DOJ giving companies (for the first time) the ability to reveal (in quite a limited way) how many FISA orders they received and how many "customer selectors" were targeted. And, in fact, a bunch of companies have done so. Here, for example, we wrote about Yahoo's and Google's reporting of those requests. From January to June of 2013, Google received between 0 and 999 FISA orders, with 9,000 to 9,999 user accounts targeted. During the same period, Yahoo received between 0 and 999 such orders, targeting between 30,000 and 30,999 accounts. Much of that is PRISM -- and no one has ever denied that. It's unfortunately obfuscated, because the "FISA orders" figure lumps together the Section 702 "PRISM" orders with separate Section 107 orders, and (worse) because the companies can't really reveal the number of users impacted, just the number of customer selectors targeted. That obfuscation is a big problem, but it is entirely unrelated to the original reporting on PRISM and the companies' response.
So, yes, of course companies were aware of the Section 702 orders they get. That's the only possible way they can comply with Section 702 orders. And, certainly, the only way they could report on how many such orders they got. What they denied was the original reporting, which suggested, incorrectly, that PRISM was a much broader program that involved direct access to these companies' systems, allowing the NSA to suck out just about anything. That was never true, and that was what they were denying. The lawsuit and the transparency reports were all about (attempting to) clear up that confusion, showing that these companies simply comply with Section 702 orders, rather than grant broad access to all accounts, as the original reports implied. And, in fact, the release of those transparency reports provided at least a little transparency (tragically muddied by the DOJ's requirements). There are separate issues about other ways that the NSA got access to these companies' information, such as hacking into the connections between their datacenters, but that's unrelated to PRISM.
Ackerman has been following all of this, so I'm both confused and surprised as to why he'd fall for De's attempt to suggest that the companies were lying. Even more bizarre is his claim that De's comments were "contradicting the tech companies about the firms' knowledge of Prism." But that's not true. De is saying the companies knew about Section 702 orders, which of course they did. Otherwise, why would they have been fighting to reveal the details -- and why else would they have posted the details in their transparency reports? I find it hard to believe that Ackerman doesn't know about the very transparency reports from the companies that show the companies were (of course) aware of the Section 702 orders he says in the article they denied. They never denied such orders.
If anything, this feels a lot more like the NSA (as the NSA does) using careful language choices to attack-by-false-implication the tech companies who have recently been fighting hard to encrypt more data to make it harder for the NSA to crack into their systems (not under PRISM, but under Executive Order 12333). In the end, De's claim is a non-story, turned into a misleading story.
Filed Under: nsa, pclob, prism, rajesh de, section 702, spencer ackerman, surveillance, transparency
Reader Comments
Re: Re:
Because, terrorists!!!!11
Yeah.. By definition. It's the collection not under the law that they don't know about.
Here we go with the parsing game again. Define "company". Company legal staff, company officers, company sales & marketing, company finance, company PR possibly didn't know about collection *not* under the law, or didn't know what they knew, or didn't know what they didn't know. Embedded moles and infiltration at senior levels. There are spies in all strategically important companies, not the ones the CEOs know about - the ones they don't know about do the real dirty work.
Blackmail perhaps...
His compliance with NSA desires to fudge the news by misinformation, keeps the NSA's photoshopped pictures of Spencer and 3 nine year old asian hookers out of his mailbox I'd assume.
Pretty sure you'd do the same. :)
Re: Re:
1) General: Get Tails (which is open source). It's user-friendly for the beginner, and simple to set up either as a live boot or with VirtualBox, which is open source (there are plenty of guides to setting this up for the beginner available via Google -- it's usually just a few steps). It has built-in capabilities for Claws Mail (see below) for email with GPG and Pidgin with OTR (again, see below) for chat, along with other things.
2) Email: K-9 Mail on your mobile device with its GPG plugin and Claws Mail with the GPG plugin for your PC. Make sure to use GPG and enable it in your options. No encryption will work if your recipient does not also use GPG (at least not effectively).
3) Chat: Adium with the OTR plugin on OS X, Pidgin with the OTR plugin on Windows or Linux. For mobile (if you're on Android), you can use ChatSecure (previously known as Gibberbot), which incorporates OTR encryption and other privacy-scrubbing mechanisms.
4) If you're on Android, get Orbot and use that to run ChatSecure (as above) via Tor (Tails uses Tor for everything; Tails and Tor both have plentiful documentation out there).
5) For web browsing with Orbot/Tor get Orweb -- and try to use SSL pages. This is imperfect, but with Tor you have some small extra measure of theoretical privacy.
6) Voice: There's an experimental voice plugin for ChatSecure. Look into Jitsi. You might want to consider RedPhone if it's still supported, but I consider its use of phone-connected-to-account a bit suspect.
7) SMS: TextSecure is awesome.