Saturday, June 08, 2013

PRISM: Should we believe the internet companies' denials?

The Guardian has revealed that the American National Security Agency is collecting data from internet providers and other companies. Yet Microsoft, Yahoo, Google, Facebook and Apple have all denied being party to such an arrangement.

Writing on The Daily Beast, Megan McArdle says there are five possible explanations:
  1. The companies are lying;
  2. Only a few people in the company know about this, and they aren't issuing the statements;
  3. The Post and the Guardian are wrong and have been duped;
  4. PRISM was operating without the knowledge of the companies;
  5. The companies know, and those statements are very carefully worded.
Which does she favour?
All of these are in some way unbelievable. #1 is asking for a class action suit that destroys your company. #3 involves some very suspicious national security reporters at two different outlets simultaneously getting duped. And #2 strikes me as extremely unlikely. I can imagine one rogue employee doing this without telling his employers. I cannot imagine the exact same thing happening at nine of the biggest internet companies. 
The most likely possibilities seem to be #4 or #5: the NSA is filtering this stuff at some point outside the companies, or the companies have issued some very, very carefully worded statements.


Zoe O'Connell said...

#2 is unfortunately a possibility. Even in the UK, it's entirely possible for staff to be legally required to take some action but not discuss details, including with management.

Phil Beesley said...

Large organisations have offices that handle data security requests. In the UK, requests typically relate to FOI, RIPA and CCTV. The office has a manager who is obviously part of "management". Wider management does not involve itself with day to day requests, but it sets bounds for organisational behaviour.

I favour #5 as an explanation. The database technology used by Google, Facebook etc means that information about an individual is not held in one place. The disparate data only makes sense to Google, Facebook etc by using the companies' tools. It is implausible that spooks have re-engineered the entire infrastructure. It is credible that agencies have access to tools used by the companies internally to investigate abuse complaints (ie no direct access to servers).

Microsoft claim: "In addition we only ever comply with orders for requests about specific accounts or identifiers." Which is tosh, given that Microsoft has instigated legal action against abusers of its services.

I'm interested to read what professional spook followers have to say, comparing host snooping with telephone interception (signals intelligence).