Tech firms' responses to latest NSA disclosures cloud the truth, experts say

The NSA paid millions to compensate companies' surveillance costs, new documents claim

Technology companies may be hiding behind legal jargon to avoid being more forthcoming in their responses to new documents on government surveillance that were disclosed Friday, some experts say.

Internet and software companies including Microsoft, Yahoo, Google and Facebook "are legally compelled to lie," said security expert Bruce Schneier, citing national security letters that companies are prohibited from disclosing.

Some similar statements were made in interviews with the IDG News Service following a report published Friday in The Guardian alleging that the National Security Agency paid millions of dollars to companies such as Google and Facebook to cover costs involved in surveillance.

The tech companies incurred these costs in fulfilling tighter certification requirements after a 2011 court ruling said the government's data collection was unconstitutional, according to documents obtained by The Guardian.

That ruling, which was handed down by the Foreign Intelligence Surveillance Court and was made public on Wednesday, said that the way the NSA collected data violated the Fourth Amendment because the agency did not effectively design its collection efforts to target only foreigners of interest to national security.

The NSA was "misusing its authority" by collecting the digital communications of U.S. citizens for years, the ruling said.

The documents revealed Friday describe the problems that the agency experienced after that ruling and the resulting efforts required to bring companies into compliance, according to The Guardian. The list of involved companies includes Google, Yahoo, Microsoft and Facebook, its report said.

The documents were passed on to The Guardian by former NSA contractor Edward Snowden, the man behind the original leaks of various government surveillance programs such as Prism. The documents provide the first evidence of a financial relationship between technology companies and the NSA, the Guardian report said.

The FISA court is required to sign annual certifications that provide the legal framework for surveillance operations, the report said. After the 2011 ruling, those certifications were only being renewed on a temporary basis as the NSA worked to fix its data collection methods that the court deemed unconstitutional.

This adjustment process entailed huge costs, according to a 2012 NSA newsletter entry, excerpts of which were published by The Guardian. "Last year's problems resulted in multiple extensions to the certifications' expiration dates which cost millions of dollars for Prism providers to implement each successive extension," the newsletter said.

The Guardian did not give an exact figure for the costs.

The latest disclosure raises serious questions around the use of taxpayer money to finance government surveillance, the Guardian said. But another issue is the growing discrepancy between the information contained in leaked government documents and technology companies' responses to it.

Snowden's original leaks revealing Prism described a program aimed at the mass collection of data owned by U.S. citizens through direct access to company servers. Google and other tech companies have denied cooperating with the NSA to allow the mass collection of data.

They gave similar denials on Friday in response to questions from the IDG News Service.

"Facebook has never received any compensation in connection with responding to a government data request," a Facebook spokeswoman said.

"We think the continued misreporting on this matter by The Guardian and others is troubling," she added in an email.

Google said it has "not joined Prism or any government surveillance programs."

"We do not provide any government with access to our systems and we provide user data to governments only in accordance with the law," a spokeswoman said.

Both Yahoo and Microsoft offered more legalistic, complicated responses. Their responses make it clear that the companies' deals for government compensation are more complicated than something they can simply confirm or deny.

"Microsoft only complies with court orders because it is legally ordered to, not because it is reimbursed for the work," a spokesman said. "We could have a more informed discussion of these issues if providers could share additional information, including aggregate statistics on the number of any national security orders they may receive," he said.

Microsoft asked for permission in June to aggregate statistics about the number of requests for data it receives under the U.S. Foreign Intelligence Surveillance Act.

Currently, companies can reveal the number of FISA requests they receive only if they lump them together with all other requests from U.S. law enforcement agencies.

Yahoo said it had nothing to add beyond the statement that the company supplied to The Guardian, which said "federal law requires the U.S. government to reimburse providers for costs incurred to respond to compulsory legal process imposed by the government."

"We have requested reimbursement consistent with this law," the company said.

Semantics are at play in companies' responses, experts said.

Friday's leaked documents "say that these companies cooperate with bulk NSA data collection," said Schneier. "The companies deny it, but their denials are precisely worded with a lot of wiggle room," he said.

Also, if companies are compelled by a National Security Letter to comply, they are prohibited from talking about their compliance, Schneier said.

In its response Friday, Google said it continues to await the government's decision on the company's petition to publish more national security request data, "which will show that our compliance with American national security laws falls far short of the wild claims still being made in the press today."

Roger Kay, an IT analyst and founder at Endpoint Technologies Associates, said he was not surprised by the documents that were revealed Friday. Though the companies don't say whether they provided information to the government, the legalistic language in some of their responses suggests they did, he said.

Also, companies' responses to the growing number of leaks, whether they are flat-out denials, chock full of complicated legalese, or just plain vague, are probably damaging some users' trust in the companies, Kay argued.

But for Internet users with short attention spans, disclosures like the ones revealed Friday may just blow over, he added.

Still, many questions remain about the type of data collection that was paid for in the millions of dollars in compliance costs that companies reportedly incurred.

It's not clear how the NSA gathers data from companies, Kay said. "Is it like a direct stethoscope into the main artery, or a broader snapshot?"

Getting answers to those kinds of questions may also boil down to semantics. "Perhaps different people mean different things by 'direct access,'" said Seth Schoen, senior staff technologist at the Electronic Frontier Foundation.

In another new development, The Guardian and The New York Times announced on Friday that they would work as partners to give the U.S. paper access to other documents leaked by Snowden. Both papers will be working together to publish more stories tied to the documents.

Zach Miners covers social networking, search and general technology news for IDG News Service. Follow Zach on Twitter at @zachminers. Zach's e-mail address is zach_miners@idg.com

What’s wrong? The new clean desk test
Join the discussion
Be the first to comment on this article. Our Commenting Policies