Josh Constine at TechCrunch says that the Guardian, or their source, Edward Snowden, is exaggerating the access that the NSA has to the systems of Microsoft, Yahoo, Google, Skype and other internet companies. Constine says that there is a separate, segregated system and requests still have to be made one by one.
The NSA may have wanted full firehoses of data from Google, Facebook and other tech giants, but the companies attempted to protect innocent users from monitoring via compliance systems that created segregated data before securely handing it over as required by law, according to individuals familiar with the systems used by the tech companies targeted by PRISM.
The widely criticized corroboration with the NSA therefore may have benefited citizens rather than being to their detriment.
My sources confirm that the NSA did not have direct access or any special instant access to data or servers at the PRISM targets, but instead had to send requests to the companies for the data. These requests must be complied with by law, but only if the government narrowly defines what it’s looking for. The government may have initially requested a firehose of data, and was happy to take this full data dump from the tech companies and sort it itself. Had the tech giants simply accepted these requests at the minimum level required by law, many innocent citizens’ data could have been monitored.
By working to create “a locked mailbox and give the government the key” which the New York Times reported, rather than allowing widespread monitoring, the firehose is restricted to a trickle of specific requests. When the NSA has specific people they want data about, they make a specific, legal request for that data that the tech companies are required to comply with. Google or Facebook then puts the specific requested data into the locked mailbox where the government can access it. This keeps requested data about suspected terrorists or other people who are threats to national security segregated from that of innocent users.
By cooperating, companies can better ensure that each request is valid, and narrow enough in its scope. If the request is too broad, the tech companies can send it back and ask for a narrower pull. The method also ensures the data is securely transferred from the companies to the government, as opposed to being more forcibly pulled by the NSA in ways that could have left it open for exploit by third-parties.
If this is true, that makes it considerably more palatable — but it’s hardly a panacea. Bear in mind that the government can use National Security Letters without a warrant to request such information. Also bear in mind that we know that NSLs have been used more often for non-terrorism investigations than for terrorism ones. The same is true of “sneak and peek” warrants. So I’d still like to know a lot more about the criteria used by both the government and the companies and the safeguards in place. Are warrants required? If not, the 4th Amendment is violated.
So if this is true, it reduces the danger posed by the NSA program but doesn’t eliminate it. And it does nothing about the privacy concerns for the Verizon metadata program (also followed by AT&T and Sprint).