The FBI May Have Your Emails

The other shoe drops:

The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants, according to a top secret document obtained by the Guardian. The NSA access is part of a previously undisclosed program called PRISM, which allows them to collect material including search history, the content of emails, file transfers and live chats, the document says.

The program essentially provides the agency with a search bar into Americans’ lives [WaPo]:

To collect on a suspected spy or foreign terrorist means, at minimum, that everyone in the suspect’s inbox or outbox is swept in. Intelligence analysts are typically taught to chain through contacts two “hops” out from their target, which increases “incidental collection” exponentially. The same math explains the aphorism, from the John Guare play, that no one is more than “six degrees of separation” from Kevin Bacon.

The tech companies participating “include most of the dominant global players of Silicon Valley,” such as Apple, Microsoft, Yahoo, Google, YouTube, Facebook, and Skype. Ambers theorizes how this exchange works:

It is not clear how the NSA interfaces with the companies. It cannot use standard law enforcement transmission channels to do so, since most use data protocols that are not compatible with that hardware. Several of the companies mentioned in the Post report deny granting access to the NSA, although it is possible that they are lying, or that the NSA’s arrangements with the company are kept so tightly compartmentalized that very few people know about it. Those who do probably have security clearances and are bound by law not to reveal the arrangement.

This arrangement allows the U.S. companies to “stay out of the intelligence business,” one of the officials said. That is, the government bears the responsibility for determining what’s relevant, and the company can plausibly deny that it subjected any particular customer to unlawful government surveillance. Previously, Congressional authors of the FAA said that such a “get out of jail free” card was insisted on by corporations after a wave of lawsuits revealed the extent of their cooperation with the government.

Several of those tech companies immediately denied letting the government into their servers. Andrea Peterson explains what this might actually mean:

Comparing denials from tech companies, a clear pattern emerges: Apple denied ever hearing of the program and notes they “do not provide any government agency with direct access to our servers and any agency requesting customer data must get a court order;” Facebook claimed they “do not provide any government organisation with direct access to Facebook servers;” Google said it “does not have a ‘back door’ for the government to access private user data”; and Yahoo said they “do not provide the government with direct access to our servers, systems, or network.” Most also note that they only release user information as the law compels them to.

But the PRISM program’s reported access to data and the now repeatedly confirmed widespread access to phone records and other types of digital data appears to be almost exactly what the 2008 Protect America Act (PAA) allows Foreign Intelligence Surveillance Act (FISA) courts to compel tech companies to do — as many warned around the time of its passage. If tech companies are not providing direct access to their servers but are cooperating with the PRISM program, that leaves at least one other option: Companies are providing intelligence agencies with copies of their data.

Timothy B. Lee flashes back to when Congress passed the Protect America Act, on Sept. 11 2007:

Civil liberties groups warned that the PAA’s vague requirements and lack of oversight would give the government a green light to seek indiscriminate access to the private communications of Americans. They predicted that the government would claim that they needed unfettered access to domestic communications to be sure they had gotten all relevant information about suspected terrorists.

It now appears that this is exactly what the government did. Today’s report suggests that the moment the PAA was the law of the land, the NSA started using it to obtain unfettered access to the servers of the nation’s leading online services. To comply with the requirement that the government not target Americans, PRISM searches are reportedly “designed to produce at least 51 percent confidence in a target’s ‘foreignness’” — the lowest conceivable standard. PRISM training materials reportedly instruct users that if searches happen to turn up the private information of Americans, “it’s nothing to worry about.”

Tim Worstall defends the program:

[T]his sort of behaviour is not something that we should be shouting about government doing. It’s something that we should be shouting about government not doing. The crucial point is here, from the DNI:

Section 702 is a provision of FISA that is designed to facilitate the acquisition of foreign intelligence information concerning non-U.S. persons located outside the United States. It cannot be used to intentionally target any U.S. citizen, any other U.S. person, or anyone located within the United States.

As I say that’s the important part of it all. The information, the data, may be in the US as a result of the global spread of the internet and the physical location of servers. But the information cannot be about either a US citizen or someone who is in the US. And, if we’re prepared to be honest about matters, we do actually want the government to be keeping an eye on foreigners in foreign lands. Which is what they’re doing.

Amy Davidson is unsatisfied with that explanation:

[T]his is all supposedly meant to stop terrorism by foreigners. When the N.S.A. looks through the private files of people who are one or two degrees of separation from the person who has caught its eye, though, it hasn’t just gone beyond that mission but has betrayed it. The Post article described analysts using “selectors” that are “designed to produce at least 51 percent confidence in a target’s ‘foreignness.’ ” If they turn out to have targeted “U.S. content”—beyond all the incidental information on Americans that’s swept up—they are supposed to submit it to yet another database, “but it’s nothing to worry about.” Actually, it is.

James R. Clapper, Director of National Intelligence, has released a terse statement on the leak:

Information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats. The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans.