How did mainstream media get the NSA PRISM story so hopelessly wrong?

Summary: Last week's bombshell stories by The Guardian and The Washington Post accused some of the biggest names in tech of willingly working with the NSA to give up your data. It now appears that those stories misread the technical details and got the story wrong.

Last week, The Guardian and The Washington Post got their hands on a big story about the National Security Agency and its alleged connection to a handful of giant tech companies.

The bombshell stories in both publications carried the by-lines of experienced reporters. The Guardian’s Glenn Greenwald, a well-known political commentator who also holds a law degree, has been covering national security issues for nearly a decade, and the Post’s Barton Gellman is a Pulitzer Prize winner who has a distinguished record covering privacy and security issues.

But neither publication assigned an independent expert to vet the claims of their source, 29-year-old Edward Snowden, who had until recently worked at the NSA as a contractor for Booz Allen Hamilton. Snowden provided both publications with classified documents he had spirited out of the NSA. He also made claims that turn out to have been exaggerated.

That absence of an independent tech check means both publications got the story wrong, as subsequent reporting by other journalists with experience in these topics has confirmed. These are not trivial details, nor is this a matter of semantics. We're not quibbling over words. If you don’t understand the technical workings of these surveillance programs, you can’t understand whether they’re working as intended, you can’t identify where the government has overstepped its bounds, and you can't intelligently debate the proper response. The fact that the government has maintained rigid secrecy compounds the problem.

Make no mistake about it: This is an important story. The documents that Snowden leaked provide important details about the scope of NSA surveillance. Some had been rumored but never seen before, such as The Guardian’s publication of a top secret Foreign Intelligence Surveillance Court order obtained by the FBI compelling Verizon Business Network Services to turn over data about calls on its network.

The basic facts in that story aren’t news. We’ve known since at least 2006 that the U.S. security establishment is collecting details of phone calls and mining that data to identify calling patterns consistent with terrorist activity. Leslie Cauley of USA Today reported in May 2006 that the NSA was “secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth.”

Seeing one of those top secret orders in 2013 accomplishes two things: First, it indicates that the program has probably been ongoing. Second, it allows ordinary citizens for the first time to see the language of the order, which explicitly forbids recipients to “disclose to any other person that the FBI or NSA has sought or obtained tangible things under this order.”

The other set of documents is a PowerPoint presentation that describes the PRISM program. In their respective stories introducing PRISM, both the Guardian and the Post stated as fact that the NSA could directly access data on the servers of eight companies whose names you certainly know, and a ninth, PalTalk, which was little-known until its appearance in this slide deck.

The Post published its story a few minutes before the Guardian, and both hewed to the same story line, which was damning to the Internet providers named in the story.

The Guardian said:

The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants, according to a top secret document.

[...]

Companies are legally obliged to comply with requests for users' communications under US law, but the Prism program allows the intelligence services direct access to the companies' servers. The NSA document notes the operations have "assistance of communications providers in the US."

When the law was enacted, defenders of the FAA argued that a significant check on abuse would be the NSA's inability to obtain electronic communications without the consent of the telecom and internet companies that control the data. But the Prism program renders that consent unnecessary, as it allows the agency to directly and unilaterally seize the communications off the companies' servers. [emphasis added]

The Post made similar allegations in its initial story, with no qualifying statements:

The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies …

The technology companies, which participate knowingly in PRISM operations, include most of the dominant global players of Silicon Valley. They are listed on a roster that bears their logos in order of entry into the program: “Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.” PalTalk, although much smaller, has hosted significant traffic during the Arab Spring and in the ongoing Syrian civil war.

Dropbox, the cloud storage and synchronization service, is described as “coming soon.” …

From inside a company's data stream the NSA is capable of pulling out anything it likes. [emphasis added]

Those allegations have turned out to be wildly inaccurate.

All of the companies involved have explicitly and unequivocally denied the allegations. And now the two news outlets have also begun back-pedaling.

The Post replaced the original version of its story with a heavily edited version the day after its initial publication, backing off on the accusation that the companies “participate knowingly” in any surveillance. (The Post has not disclosed those changes to its readers.)

In a follow-up story a few days later, the Post walked the story back even further:

One top-secret document obtained by The Post described it as “Collection directly from the servers of these U.S. Service Providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.”

Intelligence community sources said that this description, although inaccurate from a technical perspective, matches the experience of analysts at the NSA. From their workstations anywhere in the world, government employees cleared for PRISM access may “task” the system and receive results from an Internet company without further interaction with the company’s staff.

[…]

According to a more precise description contained in a classified NSA inspector general’s report, also obtained by The Post, PRISM allows “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers. The companies cannot see the queries that are sent from the NSA to the systems installed on their premises, according to sources familiar with the PRISM process. [emphasis added]

The Guardian’s story hasn’t changed since publication, but Greenwald is now backing off the explosive allegations. In an interview on MSNBC this week, Greenwald took a swipe at the Post’s reporting and defended his own:

We've published four stories so far. The only one about which there has been any question raised is the one that the … Washington Post also published, which is the PRISM story. Our story was written differently than the way the Post wrote theirs, which is why they’ve had to walk back theirs.

Now listen to how the story has changed. Originally, the Guardian story said the NSA was able to access any data it wanted from any of those servers, “directly and unilaterally.” Now, Greenwald is not so confident in that conclusion:

Our story was the following: We have … a document from the NSA that very clearly claims that they are collecting directly from the servers of these Internet giants. That's the exact language that this document used. We went to those Internet companies before publishing and asked them and they denied it. We put into the story very prominently that they denied it.

Our story is that there is a discrepancy between the relationship that the private sector and the government has in terms of what the NSA claims and what the technology companies claim. What is definitely true, and follow-up reporting by the New York Times has proven this, is that there have been all kinds of negotiations about back door access, they have agreements in all sorts of ways to share data with the government. I don't think anybody knows at this point exactly what the nature of those arrangements are.

The reason we published our story and presented it as this discrepancy is because whatever the tech companies and the government are doing should be done in public. We should know what agreements they've reached. We should know what the government has asked for and what they're negotiating with now in terms of access. What we do know for sure is that the government has a program that targets the communication over these companies that huge numbers of people around the world use to communicate with one another. And we think there should be accountability and transparency for whatever those exact agreements are. [emphasis added]

Got that? It’s no longer an established fact, as originally presented, that the NSA can "directly and unilaterally seize the communications off the companies' servers," as The Guardian put it, or “pull out anything it likes,” as the Post claimed originally.

In a story whose details match those that Wired reported earlier this week, the Post described a much more straightforward process that Google says it uses to respond to court orders:

When faced with a court order, the tech giant said, it uses surprisingly simple and low-tech methods, including the delivery of information by hand or by using relatively common techniques to transfer files from one computer to another.

“When required to comply with these requests, we deliver that information to the U.S. government — generally through secure FTP transfers and in person,” Google said in a statement.

That could include putting data onto a memory disk or external hard drive, or printing out the requested information for a federal official, Google said. FTP, or file transfer protocol, is a popular method for exchanging information between servers with an extra layer of security.

[…]

Officials and former staffers at the tech companies said it would be difficult for the government to place equipment on their servers or directly access them in secret. Too many engineers would know, they say.

Indeed, that is a thoroughly believable description of a process that is all too common in the post-9/11 world.

The original stories make it sound as though the tech companies involved are eagerly turning over unrestricted access to data about their customers. The vehemence of the denials makes it clear that no such eagerness exists.

We know that the FBI can go to any tech company in the U.S. and demand information. We don’t know how often they do that, or how much data the companies deliver in response, or whether the requests are overly broad. Google has asked the U.S. for permission to disclose those numbers, saying that the actual figure would make it clear that the “direct access” allegations are wrong:

Assertions in the press that our compliance with these requests gives the U.S. government unfettered access to our users’ data are simply untrue. However, government nondisclosure obligations regarding the number of FISA national security requests that Google receives, as well as the number of accounts covered by those requests, fuel that speculation.

We therefore ask you to help make it possible for Google to publish in our Transparency Report aggregate numbers of national security requests, including FISA disclosures — in terms of both the number we receive and their scope. Google’s numbers would clearly show that our compliance with these requests falls far short of the claims being made. Google has nothing to hide.

Microsoft and Facebook have joined in that request.

Based on other reports, it’s likely that the NSA has been systematically gathering and mining data by tapping into switches at Tier-1 providers on the Internet backbone. It’s been supplementing that data collection with more targeted data requests from Internet providers like Microsoft, Yahoo, and Google.

But it can’t just grab whatever it wants from those services. The government needs to present a warrant in the case of American citizens suspected of domestic crimes (if you’re not a U.S. citizen and you’re not in the United States, sorry, you’re not protected by our Fourth Amendment). For investigations related to possible terrorist activities, the FBI can use a Foreign Intelligence Surveillance Court (FISC) order or a national security letter, which doesn't require a warrant. The company served with that document either challenges the order or delivers the requested documents and data.

And as a report in the New York Times today makes clear, those companies do push back. The Times describes Yahoo's attempts to refuse a warrantless request for data, which was turned down by the Foreign Intelligence Surveillance Court, as well as similar actions from other companies named in the PRISM presentation. 

The judges disagreed. That left Yahoo two choices: Hand over the data or break the law.

So Yahoo became part of the National Security Agency’s secret Internet surveillance program, Prism, according to leaked N.S.A. documents, as did seven other Internet companies.

[...]

Google filed a challenge this year against 19 National Security Letters in the same federal court, and in May, Judge Illston ruled against the company. Google was not identified in the case, but its involvement was confirmed by a person briefed on the case.

In 2011, Twitter successfully challenged a silence order on a National Security Letter related to WikiLeaks members.

The system described in the PRISM presentation appears to be an automated way to process those FBI and NSA requests. It's clearly not an open doorway into any of those companies' servers, as The Guardian and the Post originally alleged.

Update June 15: An AP story published today confirms many of the details in this post: "Prism ... is a relatively small part of a much more expansive and intrusive eavesdropping effort. ... a streamlined, electronic process [for handling data requests], which required less time from the companies and provided the government data in a more standard format." The entire article is a must-read. 

The nine companies listed in the PRISM slide deck are there because they offer widely used communication services, most of them free.

It’s logical that Microsoft and Yahoo would be first on the list. At the time of the 9/11 attacks and for years after, they were the two most popular providers of free webmail services. In fact, both services were directly tied to the 9/11 attacks, as CBS News reported in 2009:

In the days following the Sept. 11 terrorist attacks, alleged al Qaeda operations mastermind Khalid Sheikh Mohammed intended to use his free Hotmail account to direct a U.S.-based operative to carry out an attack, according to a guilty plea agreement filed by Ali Saleh Kahlah al-Marri in federal court.

[…]

Al-Marri sent e-mails to Khalid Sheikh Mohammed's Hotmail account… Al-Marri initially tried to use a Yahoo e-mail account to contact Mohammed, but it failed to go through. So he switched to Hotmail as well. When al-Marri arrived in the United States, he created five new e-mail accounts to communicate with Mohammed…

In late 2007 and early 2008, when the PRISM presentation claims that the program began adding data collected from Microsoft and Yahoo, those two companies were still the kings of free email. Google’s Gmail had been an invitation-only service until February 2007, and it would be another two years before it was a major competitor of Microsoft and Yahoo. Coincidentally, that’s when it appears on the PRISM timeline slide.

The botched reporting by the Guardian and the Post means that millions of readers directed their anger at a handful of big companies that were unfairly accused of selling out their customers to the national security apparatus. The reality is that if NSA surveillance is indeed overstepping its bounds, those companies are victims, not willing participants.

Topics: Security, Apple, Google, Government US, Microsoft

Talkback

173 comments
  • and the myth will never go away

    PRISM will live on in the conspiracist's mind. That "$20M" was the smoking gun all along that should have told us that it couldn't be much of a secret police state.
    larry@...
    • You bought into the distraction technique

      $20 million (per year), which is no small amount of money, is just the smoking gun. Most of the funding for projects like these are off books.
      Astringent
      • Right...

        So we're supposed to believe everything else in the presentation, but the funding number is a ruse?
        larry@...
    • Exactly. Chump change.

      $20 million is what the federal government paid last year to cater the 34th Annual NSA Ice Cream Social.

      I made that up.
      Jessie Canty
  • Thanks for the update, but it's ancient news - Echelon activity since WW2

    has been doing exactly what is claimed in the initial reports for over 60 years -- that is the collection of all communications from inside the US to places outside the US, i.e. all communications crossing the US border. I mentioned this in the other articles on this PRISM mix up, and had next to no responses on it, despite the Echelon program being a big media thing in the 1990s. I'm surprised no one in the media hasn't mentioned it at all.
    Deadly Ernest
  • Europe

    As European citizens, we (logically) do not have a say in the US elections, nor did we have any influence when previous laws were installed that made this kind of surveillance legal and possible

    As it said in the article: 'if you’re not a U.S. citizen and you’re not in the United States, sorry, you’re not protected by our Fourth Amendment', is there anything unreasonable about our outrage?

    I travel to the middle east as well as the US on a regular basis and can tell you from first hand experience, that the treatment I get for having a couple of Arabic language VISA's in my passport is enough to scrutinize me and treat me as a criminal, every single time

    It has now come to the point where I have decided to no longer travel to the US, and that is not even considering the whole NSA and PRISM scandal

    I grew up with the idea that Americans were our friends, our allies, almost an extension of our own culture, and I believe I can speak for many of us that we cannot any longer see it this way

    This whole affair will and already has hurt US/Europe relations, the trust is gone, an important aspect in this scandal that is all too often forgotten
    fyamrya
    • So this makes it all ok?

      Let's all just be complacent and let them do whatever they want,...right, that's what's happening anyway, sheep like you are why this country is going to hell!
      winddrift03
      • Nothing to see here

        Ed wants us to go back to sleep.
        Astringent
        • Thanks, I thought

          I was having a déjà vu.
          DancesWithTrolls
        • Clearly you missed the point of this story

          Sheesh. You think I'm somehow saying all of this is OK?
          Ed Bott
          • Pretty much.

            Don't mind the man from Hawaii. He's just a young kid who doesn't know what he's talking about. Let's just listen to the guy from the White House. And companies considering doing a PR spin so that they don't look like they openly dumped their data for the government to pick up. Yes, the tin foil can be applied heavily after this and no matter who says what, they are going to be deemed part of the system that we are supposed to rebel against.
            nucrash
          • I actually think you missed the point

            First of all, Constitutions normally apply based on location, not on nationality, except where explicitly stated otherwise. An American in Germany thus is under protection of the GERMAN constitution, not of the US Constitution. If he tries to use his second amendment rights, he'll at best get a stiff fine and at worst a few nights of free room and board courtesy of the German taxpayer.

            Conversely, foreigners within the US have rights under the US Constitution, except for those strictly reserved for citizens, such as voting and standing for election for certain public offices.

            Second: The NSA is operating facilities WITHIN Europe and has been accessing data from there. In Europe, European data protection laws are OF COURSE valid and in force. Spying against Germany from within Germany is OF COURSE illegal under German law, and no statement from FISA courts will change anything about that, because FISA courts have no authority to decide on compliance with German law. Just this week, two Russian agents were convicted to pretty long prison terms. If the NSA wants to continue to operate from within Europe, they should maybe rethink their tactics.

            Lastly, the icing on the cake is the dropmire case. Tapping into diplomatic communication is a big no-no under the Vienna Conventions on Diplomatic and Consular Relations. Doing that against the EU reveals every claim that this was for mutual state security as ridiculous. The EU is not responsible for security issues except in a coordinative function. Actual operations are carried out by member states. Spying against the EU can only have two functions: Political leverage or economic espionage.

            The blind deference to FISA courts only underscores little understanding of international relations and the limits of jurisdiction of individual nations.
            hydroxide
      • AT&T, Room 641A

        Ed, if I recall correctly, is the guy who loves Windows 8, thinks that the smartphone ("metro") interface is modern and innovative, and destined to revolutionize the way we use computers. LOL! (search YouTube for "BumpTop" for real innovation - bought by Google and killed!)

        When it comes to stroking the ego of corporate executives, we can rely on $$Ed$$

        Interestingly, no mention from Ed that AT&T allowed the NSA to directly tap into its cables for many years - Room 641A!. In 2006, when the AT&T story broke, we were told that other firms were cooperating in a similar manner.

        But Ed says: no way, corporations love and care about us - how could you think otherwise?

        God, I'm sorry, Ed - please pass on my profuse apologies to Microsoft, Google, Facebook, Apple, and all the other spies - God, there I go again! :( I meant "SuPplIErS".

        -

        (Could ZDNet STICK TO COMPUTERS and keep out of politics)
        Mike00000
    • Isn't it against international law to carry more than one passport?

      Certainly, I understand the frustration when carrying an Arabic Language passport in this day and age - especially when crossing U.S. borders. But isn't this more about human nature?

      The whole point though is that, for all its faults, the USA is still in very high demand as a place to move to - especially when compared to Europe, which has higher unemployment than in the USA.
      M Wagner
      • No, it's not against the law to own and carry multiple passports IF

        you own them legally. It's only against the law to have someone else's passport. Many people have dual citizenship or multi-citizenship with a legal passport from each country they're a citizen of. Also, most people that have a government issued passport for government work, like a diplomatic passport, usually have a personal passport as well. The only other International legal aspect is when you leave a country you show them the same one as you entered on.
        Deadly Ernest
        • Some countries?

          Well, I know for the USA, I maintain dual citizenship, (which a judge told me a few months ago) I did not know. But I can only have one passport, a USA passport. They mark a line through the original passport which had a valid 10 year visa and gave me a new USA passport. The other countries accept the USA passport. But for the countries that require special visas, you have to obtain those visas before entering them and they would be stamped in your current passport. I would like to know which countries allow you have multiple passports? Can you name me any such country?
          kmdennis@...
      • Dual citizenship allowed

        America allows dual citizenship so yes, more than 1 passport is allowed in some cases.
        kdjkdj@...
      • Passports and VISA's are different

        He said he had Arabic VISA's in his PASSPORT. That is different than having more than one passport. In a lot of countries, including the U.S., foreigners must have VISA's to enter. Those VISA's are attached to your passport. VISA's give the person permission to enter the country it was issued by and to conduct whatever activities are authorized by the VISA. In the US we have several types of VISA's from Travel VISA's (vacation), Work VISA's, and Student VISA's (international students - high school or college).
        Nightfighter82@...
    • So sorry for your inconvenience

      While you grew up on the idea that Americans were your friends (which I assume you feel is no longer the case), I grew up thinking that a bunch of fundamentalist radicals wouldn't fly airplanes into American buildings killing almost three thousand civilians.

      I love Europe, always have and always will. And America has some people who are clearly nuts, to be sure. But I am not sure of which culture you are referring to. Do you think the whole of Europe is allowing radicals to just do whatever they want and there is no intelligence gathering? The UK? France? Germany? That is shockingly naive.
      MsJoanne
      • Who's naive?

        Of course countries in Europe gather intelligence, that's not the issue.

        But collecting data about European citizens with no legal basis and then shrugging it off with: "sorry, you're not an American" - that's the culture we're outraged about.

        Or, to put it another way: if, say, Deutsche Telekom - T-mobile -, was to collect all that data and pass it on to any European government, you think there wouldn't be an outrage in the US? Who is being naive?

        You see, you have your fourth amendment, but believe it or not, over here in Europe we have similar laws, too.
        42Ph