The NSA may have wanted full firehoses of data from Google, Facebook and other tech giants, but the companies attempted to protect innocent users from monitoring via compliance systems that created segregated data before securely handing it over as required by law, according to individuals familiar with the systems used by the tech companies targeted by PRISM.
How PRISM Requests And Receives Private Data
My sources confirm that the NSA did not have direct access or any special instant access to data or servers at the PRISM targets, but instead had to send requests to the companies for the data. These requests must be complied with by law, but only if the government narrowly defines what it’s looking for. The government may have initially requested a firehose of data, and was happy to take this full data dump from the tech companies and sort it itself. Had the tech giants simply accepted these requests at the minimum level required by law, many innocent citizens’ data could have been monitored.
By working to create “a locked mailbox and give the government the key” which the New York Times reported, rather than allowing widespread monitoring, the firehose is restricted to a trickle of specific requests. When the NSA has specific people they want to data about, they make a specific, legal request for that data that the tech companies are required to comply with. Google or Facebook then puts the specific requested data into the locked mailbox where the government can access it. This keeps requested data about suspected terrorists or other people who are threats to national security segregated from that of innocent users.
By cooperating, companies can better ensure that each request is valid, and narrow enough in its scope. If the request is too broad, the tech companies can send it back and ask for a narrower pull. The method also ensure the data is securely transferred from the companies to the government, opposed to being more forcibly pulled by the NSA in ways that could have left it open for exploit by third-parties.
[Update 1am PST 6/8/2013: This information matches the follow-up statement issued by Google's Chief Legal Officer David Drummond,: We cannot say this more clearly—the government does not have access to Google servers—not directly, or via a back door, or a so-called drop box...Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process.]
PRISM’s Scope May Be Smaller Than Feared
Over the last day, tech executives including Larry Page and Mark Zuckerberg outlined that they did not give bulk or blanket access to user data. However, they may not have been able to discuss the exact volume of the legal demands for data they’ve received. That left the exact scope of how many people had data pulled by NSA open for wide interpretation, and many including myself, in some cases assumed the worst — that while not at the volume of the massive request for data on all Verizon users that’s been reported, huge numbers of people may have been spied on.
However, in the last year, there were only 1,865 FISA requests for data. Some believe those requests could include data pulls as broad as anyone who searched a specific term. Legal experts I’ve consulted, though, believe the requests must be more narrow than that for the tech companies to have not pushed back. That means the the number of people monitored by PRISM may have been in the thousands or tens of thousands, rather than in the tens or even hundreds of millions.
Previously I accused Page, Zuckerberg, and other tech executives and companies of trying to hide the scope of their cooperation with the NSA. Their carefully worded denials of offering direct access or back doors to their data seemed to minimize how they were involved with the NSA. I still think they should be more specific on how requests are handled, and could have been despite FISA restrictions on what they could say. However, after speaking with sources, I’ve come to believe the blame rests more on the government for muzzling these companies in the way they explain to their users the complex privacy issues associated with compliance with government requests for personal information on their users.
Both the secure, segregated responses to demands for data, and the limited scope of the monitoring could help ease the fears of the public. It still may be an assault on liberty, but possibly smaller than suspected. And with any luck, the whole PRISM issue will push the government towards greater transparency.