X
Tech

How did mainstream media get the NSA PRISM story so hopelessly wrong?

Last week's bombshell stories by The Guardian and The Washington Post accused some of the biggest names in tech of willingly working with the NSA to give up your data. It now appears that those stories misread the technical details and got the story wrong.
Written by Ed Bott, Senior Contributing Editor

Last week, The Guardian and The Washington Post got their hands on a big story about the National Security Agency and its alleged connection to a handful of giant tech companies.

The bombshell stories in both publications carried the by-lines of experienced reporters. The Guardian’s Glenn Greenwald, a well-known political commentator who also holds a law degree, has been covering national security issues for nearly a decade, and the Post’s Barton Gellman is a Pulitzer Prize winner who has a distinguished record covering privacy and security issues.

But neither publication assigned an independent expert to vet the claims of their source, 29-year-old Edward Snowden, who had until recently worked at the NSA as a contractor for Booz Allen Hamilton. Snowden provided both publications with classified documents he had spirited out of the NSA. He also made claims that turn out to have been exaggerated.

That absence of an independent tech check means both publications got the story wrong, as subsequent reporting by other journalists with experience in these topics has confirmed. These are not trivial details, nor is this a matter of semantics. We're not quibbling over words. If you don’t understand the technical workings of these surveillance programs, you can’t understand whether they’re working as intended, you can’t identify where the government has overstepped its bounds, and you can't intelligently debate the proper response. The fact that the government has maintained rigid secrecy compounds the problem.

Make no mistake about it: This is an important story. The documents that Snowden leaked provide important details about the scope of NSA surveillance. Some had been rumored but never seen before, such as The Guardian’s publication of a top secret Foreign Intelligence Surveillance Court order obtained by the FBI compelling Verizon Business Network Services to turn over data about calls on its network.

The basic facts in that story aren’t news. We’ve known since at least 2006 that the U.S. security establishment is collecting details of phone calls and mining that data to identify calling patterns consistent with terrorist activity. Leslie Cauley of USA Today reported in May 2006 that the NSA was “secretly collecting the phone call records of tens of millions of Americans, using data provided by AT&T, Verizon and BellSouth.”

Seeing one of those top secret orders in 2013 accomplishes two things: First, it indicates that the program has probably been ongoing. Second, it allows ordinary citizens for the first time to see the language of the order, which explicitly forbids recipients to “disclose to any other person that the FBI or NSA has sought or obtained tangible things under this order.”

The other set of documents is a PowerPoint presentation that describes the PRISM program. In their respective stories introducing PRISM, both the Guardian and the Post stated as fact that the NSA could directly access data on the servers of eight companies whose names you certainly know, and a ninth, PalTalk, which was little-known until its appearance in this slide deck.

nsa-prism-companies-data-collection

The Post published its story a few minutes before the Guardian, and both hewed to the same story line, which was damning to the Internet providers named in the story.

The Guardian said:

The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants, according to a top secret document.

[...]

Companies are legally obliged to comply with requests for users' communications under US law, but the Prism program allows the intelligence services direct access to the companies' servers. The NSA document notes the operations have "assistance of communications providers in the US."

When the law was enacted, defenders of the FAA argued that a significant check on abuse would be the NSA's inability to obtain electronic communications without the consent of the telecom and internet companies that control the data. But the Prism program renders that consent unnecessary, as it allows the agency to directly and unilaterally seize the communications off the companies' servers. [emphasis added]

The Post made similar allegations in its initial story, with no qualifying statements:

The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies …

The technology companies, which participate knowingly in PRISM operations, include most of the dominant global players of Silicon Valley. They are listed on a roster that bears their logos in order of entry into the program: “Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.” PalTalk, although much smaller, has hosted significant traffic during the Arab Spring and in the ongoing Syrian civil war.

Dropbox, the cloud storage and synchronization service, is described as “coming soon.” …

From inside a company's data stream the NSA is capable of pulling out anything it likes. [emphasis added]

Those allegations have turned out to be wildly inaccurate.

All of the companies involved have explicitly and unequivocally denied the allegations. And now the two news outlets have also begun back-pedaling.

The Post replaced the original version of its story with a heavily edited version the day after its initial publication, backing off on the accusation that the companies “participate knowngly” in any surveillance. (The Post has not disclosed those changes to its readers.)

In a follow-up story a few days later, the Post walked the story back even further:

One top-secret document obtained by The Post described it as “Collection directly from the servers of these U.S. Service Providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.”

Intelligence community sources said that this description, although inaccurate from a technical perspective, matches the experience of analysts at the NSA. From their workstations anywhere in the world, government employees cleared for PRISM access may “task” the system and receive results from an Internet company without further interaction with the company’s staff.

[…]

According to a more precise description contained in a classified NSA inspector general’s report, also obtained by The Post, PRISM allows “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers. The companies cannot see the queries that are sent from the NSA to the systems installed on their premises, according to sources familiar with the PRISM process. [emphasis added]

The Guardian’s story hasn’t changed since publication, but Greenwald is now backing off the explosive allegations. In an interview on MSNBC this week, Greenwald took a swipe at the Post’s reporting and defended his own:

We've published four stories so far. The only one about which there has been any question raised is the one that the … Washington Post also published, which is the PRISM story. Our story was written differently than the way the Post wrote theirs, which is why they’ve had to walk back theirs.

Now listen to how the story has changed. Originally, the Guardian story said the NSA was able to access any data it wanted from any of those servers, “directly and unilaterally.” Now, Greenwald is not so confident in that conclusion:

Our story was the following: We have … a document from the NSA that very clearly claims that they are collecting directly from the servers of these Internet giants. That's the exact language that this document used. We went to those Internet companies before publishing and asked them and they denied it. We put into the story very prominently that they denied it.

Our story is that there is a discrepancy between the relationship that the private sector and the government has in terms of what the NSA claims and what the technology companies claim. What is definitely true, and follow-up reporting by the New York Times has proven this, is that there have been all kinds of negotiations about back door access, they have agreements in all sorts of ways to share data with the government. I don't think anybody knows at this point exactly what the nature of those arrangements are.

The reason we published our story and presented it as this discrepancy is because whatever the tech companies and the government are doing should be done in public. We should know what agreements they've reached. We should know what the government has asked for and what they're negotiating with now in terms of access. What we do know for sure is that the government has a program that targets the communication over these companies that huge numbers of people around the world use to communicate with one another. And we think there should be accountability and transparency for whatever those exact agreements are. [emphasis added]

Got that? It’s no longer an established fact, as originally presented, that the NSA can "directly and unilaterally seize the communications off the companies' servers," as The Guardian put it, or “pull out anything it likes,” as the Post claimed originally.

In a story whose details match those that Wired reported earlier this week, the Post described a much more straightforward process that Google says it uses to respond to court orders:

When faced with a court order, the tech giant said, it uses surprisingly simple and low-tech methods, including the delivery of information by hand or by using relatively common techniques to transfer files from one computer to another.

“When required to comply with these requests, we deliver that information to the U.S. government — generally through secure FTP transfers and in person,” Google said in a statement.

That could include putting data onto a memory disk or external hard drive, or printing out the requested information for a federal official, Google said. FTP, or file transfer protocol, is a popular method for exchanging information between servers with an extra layer of security.

[…]

Officials and former staffers at the tech companies said it would be difficult for the government to place equipment on their servers or directly access them in secret. Too many engineers would know, they say.

Indeed, that is a thoroughly believable description of a process that is all too common in the post-9/11 world.

The original stories make it sound as though the tech companies involved are eagerly turning over unrestricted access to data about their customers. The vehemence of the denials makes it clear that no such eagerness exists.

We know that the FBI can go to any tech company in the U.S. and demand information. We don’t know how often they do that, or how much data the companies deliver in response, or whether the requests are overly broad. Google has asked the U.S. for permission to disclose those numbers, saying that the actual figure would make it clear that the “direct access” allegations are wrong:

Assertions in the press that our compliance with these requests gives the U.S. government unfettered access to our users’ data are simply untrue. However, government nondisclosure obligations regarding the number of FISA national security requests that Google receives, as well as the number of accounts covered by those requests, fuel that speculation.

We therefore ask you to help make it possible for Google to publish in our Transparency Report aggregate numbers of national security requests, including FISA disclosures — in terms of both the number we receive and their scope. Google’s numbers would clearly show that our compliance with these requests falls far short of the claims being made. Google has nothing to hide.

Microsoft and Facebook have joined in that request.

Based on other reports, it’s likely that the NSA has been systematically gathering and mining data by tapping into switches at Tier-1 providers on the Internet backbone. It’s been supplementing that data collection with more targeted data requests from Internet providers like Microsoft, Yahoo, and Google.

But it can’t just grab whatever it wants from those services. The government needs to present a warrant in the case of American citizens suspected of domestic crimes (if you’re not a U.S. citizen and you’re not in the United States, sorry, you’re not protected by our Fourth Amendment). For investigations related to possible terrorist activities, the FBI can use a Foreign Intelligence Surveillance Court (FISC) order or a national security letter, which doesn't require a warrant. The company served with that document either challenges the order or delivers the requested documents and data.

And as a report in the New York Times today makes clear, those companies do push back. The Times describes Yahoo's attempts to refuse a warrantless request for data, which was turned down by the Foreign Intelligence Surveillance Court, as well as similar actions from other companies named in the PRISM presentation. 

The judges disagreed. That left Yahoo two choices: Hand over the data or break the law.

So Yahoo became part of the National Security Agency’s secret Internet surveillance program, Prism, according to leaked N.S.A. documents, as did seven other Internet companies.

[...]       

Google filed a challenge this year against 19 National Security Letters in the same federal court, and in May, Judge Illston ruled against the company. Google was not identified in the case, but its involvement was confirmed by a person briefed on the case.

In 2011, Twitter successfully challenged a silence order on a National Security Letter related to WikiLeaks members.

The system described in the PRISM presentation appears to be an automated way to process those FBI and NSA requests. It's clearly not an open doorway into any of those companies' servers, as The Guardian and the Post originally alleged.

Update June 15: An AP story published today confirms many of the details in this post: "Prism ... is a relatively small part of a much more expansive and intrusive eavesdropping effort. ... a streamlined, electronic process [for handling data requests], which required less time from the companies and provided the government data in a more standard format." The entire article is a must-read. 

The nine companies listed in the PRISM slide deck are there because they offer widely used communication services, most of them free.

It’s logical that Microsoft and Yahoo would be first on the list. At the time of the 9/11 attacks and for years after, they were the two most popular providers of free webmail services. In fact, both services were directly tied to the 9/11 attacks, as CBS News reported in 2009:

In the days following the Sept. 11 terrorist attacks, alleged al Qaeda operations mastermind Khalid Sheikh Mohammed intended to use his free Hotmail account to direct a U.S.-based operative to carry out an attack, according to a guilty plea agreement filed by Ali Saleh Kahlah al-Marri in federal court.

[…]

Al-Marri sent e-mails to Khalid Sheikh Mohammed's Hotmail account… Al-Marri initially tried to use a Yahoo e-mail account to contact Mohammed, but it failed to go through. So he switched to Hotmail as well. When al-Marri arrived in the United States, he created five new e-mail accounts to communicate with Mohammed…

In late 2007 and early 2008, when the PRISM presentation claims that the program began adding data collected from Microsoft and Yahoo, those two companies were still the kings of free email. Google’s Gmail had been an invitation-only service until February 2007, and it would be another two years before it was a major competitor of Microsoft and Yahoo. Coincidentally, that’s when it appears on the PRISM timeline slide.

The botched reporting by the Guardian and the Post means that millions of readers directed their anger at a handful of big companies that were unfairly accused of selling out their customers to the national security apparatus. The reality is that if NSA surveillance is indeed overstepping its bounds, those companies are victims, not willing participants.

Editorial standards