Read all the tech giants' denials regarding the NSA's PRISM program and you'll start to notice a pattern:
Google CEO Larry Page:
We have not joined any program that would give the US government—or any other government—direct access to our servers.
Facebook is not and has never been part of any program to give the US or any other government direct access to our servers.
Facebook Chief Security Officer Joe Sullivan:
Protecting the privacy of our users and their data is a top priority for Facebook. We do not provide any government organization with direct access to Facebook servers.
Yahoo:
We do not provide the government with direct access to our servers, systems, or network.
Paltalk:
Paltalk does not provide any government agency with direct access to its servers.
Apple:
We do not provide any government agency with direct access to our servers
The Washington Post's initial report about PRISM, a massive NSA digital surveillance operation, alleged that it gave tech companies "direct access" to the servers of America's largest tech companies. This particular detail, it seems, is one that these companies feel they can respond to — indeed, the Washington Post has seemingly hedged its story a bit.
But a lack of "direct access" does not preclude the type of sweeping surveillance described in the leaks. Marc Ambinder explains how that might work:
On the “no direct access” —ISPs push to a separate server the subset of accounts that the FISC order covers; NSA monitors them in real time
Marc Ambinder
@marcambinder
On the “no direct accessâ€
—ISPs push to a separate server the subset of accounts that the FISC order covers; NSA monitors them in real time
Let’s say court order says “all Yahoo accounts in Pakistan” Yahoo would push those accounts to the server; NSA could watch them in real time
Marc Ambinder
@marcambinder
Let’s say court order says “all Yahoo accounts in Pakistan†Yahoo would push those accounts to the server; NSA could watch them in real time
They’d try & figure who & where the incoming emails were coming from. US persons data minimized automatically if possible (often it’s not).
Marc Ambinder
@marcambinder
They’d try & figure who & where the incoming emails were coming from. US persons data minimized automatically if possible (often it’s not).
It's a significant difference in some ways, but not in ways that matter to the average user. In terms of privacy, it's a technicality.
Another claim that keeps coming up is that these companies, or executives, haven't "heard of" PRISM. The WaPo story suggests that they had knowledge of the program, which these companies feel able to deny:
Mark Zuckerberg:
We have never received a blanket request or court order from any government agency asking for information or metadata in bulk, like the one Verizon reportedly received. And if we did, we would fight it aggressively. We hadn't even heard of PRISM before yesterday.
Google CEO Larry Page:
We had not heard of a program called PRISM until yesterday
Apple:
We have never heard of PRISM.
Dropbox:
We've seen reports that Dropbox might be asked to participate in a government program called PRISM.
Paltalk:
We have not heard of PRISM.
Aol:
We do not have any knowledge of the Prism program
But this also doesn't mean much. PRISM is alleged to be the NSA's name for a program that involves a lot of different companies, but there's no reason the companies involved would have necessarily heard about it under that designation. It's not unlike how Apple might have an internal codename for a product that, to its customers and even partners, is known as something completely different, or not known by any single name. Why would the NSA feel the need to tell these companies that the National Security Letters they keep receiving are part of a larger program, and that that program has a title?
Also worth noting is the overall similarity between what are supposed to be the two most candid responses — the ones posted by Facebook's Mark Zuckerberg and Google's Larry Page after both of their companies issued official responses. Here's Zuckerberg's:
I want to respond personally to the outrageous press reports about PRISM:
Facebook is not and has never been part of any program to give the US or any other government direct access to our servers. We have never received a blanket request or court order from any government agency asking for information or metadata in bulk, like the one Verizon reportedly received. And if we did, we would fight it aggressively. We hadn't even heard of PRISM before yesterday.
When governments ask Facebook for data, we review each request carefully to make sure they always follow the correct processes and all applicable laws, and then only provide the information if is required by law. We will continue fighting aggressively to keep your information safe and secure.
We strongly encourage all governments to be much more transparent about all programs aimed at keeping the public safe. It's the only way to protect everyone's civil liberties and create the safe and free society we all want over the long term.
And here's Page's:
Dear Google users—
You may be aware of press reports alleging that Internet companies have joined a secret U.S. government program called PRISM to give the National Security Agency direct access to our servers. As Google's CEO and Chief Legal Officer, we wanted you to have the facts.
First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a "back door" to the information stored in our data centers. We had not heard of a program called PRISM until yesterday.
Second, we provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don't follow the correct process. Press reports that suggest that Google is providing open-ended access to our users' data are false, period. Until this week's reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users' call records. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users' Internet activity on such a scale is completely false.
Finally, this episode confirms what we have long believed—there needs to be a more transparent approach. Google has worked hard, within the confines of the current laws, to be open about the data requests we receive. We post this information on our Transparency Report whenever possible. We were the first company to do this. And, of course, we understand that the U.S. and other governments need to take action to protect their citizens' safety—including sometimes by using surveillance. But the level of secrecy around the current legal procedures undermines the freedoms we all cherish.
Great minds think alike! And so do good lawyers.