The nine tech companies implicated in the PRISM data-collecting operation yesterday have refuted the allegations by stating that they provide no "direct access" to their servers — but according to The New York Times, the wording is just an artful dodge around the way the systems do in fact work. The Times reports that the government approached companies like Google, Apple, Microsoft, and Facebook about building what were essentially digital secure rooms: separate portals into which the companies would drop data that the government could later access.
Google and Facebook discussed building the portals
According to the Times' sources, most of the tech companies involved resisted implementing this kind of service at first, though many acquiesced to varying degrees (Twitter declined to participate). Both Google and Facebook are named as having discussed plans to build the separate "secure portals" — and according to the report Facebook did in fact build such a system, despite CEO Mark Zuckerberg's outraged post today. The talks about building systems have reportedly continued this year, with the chairman of the Joint Chiefs of Staff, Martin E. Dempsey, travelling to Silicon Valley to meet with executives at various companies.
The denials were consistent for a reason
The PR statements today now seem to be a case of several entities threading a needle just so. The statements from Apple, Google's Larry Page, and others contained a noticeable consistency in their language. Most claimed that they had never heard of PRISM, that they did not offer direct access to their servers, and that they complied with individual court orders for information. Given these new revelations, those statements could very easily be technically correct. The companies wouldn't need to be informed of the "PRISM" moniker to build these systems — and the Times reports that those who had knowledge of the systems wouldn't be legally allowed to discuss them in any case. A separate data storehouse isn't "direct access" or a "back door," and handing off data through said data storehouses would be covered under access that is granted by specific requests under the Foreign Intelligence Surveillance Act (FISA).
A careful dance of language
This careful dance of language may have also been the result of sloppy work on the part of the creator of the leaked PRISM slides as well. As Forbes points out, the Washington Post has since amended its PRISM report, noting that in additional documents it acquired "the arrangement is described as allowing 'collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,' rather than directly to company servers." In this case, the installed equipment appears to refer to the secure portals the Times describes.
The Times reports that there were over 1,800 FISA orders last year, and in one such case the NSA dispatched an agent to the headquarters of an unnamed tech company to monitor a cyberattack. There the agent installed government-created software on the company's server and downloaded information to a laptop over a period of several weeks. The NSA can also reportedly receive real-time data from companies when requested.
We've reached out to the companies involved and will let you know their responses. Thus far Microsoft and Twitter have declined to comment on the latest report.
Update: Yahoo has issued a new statement, and unlike the one it released yesterday there is no mention of direct access to the company's servers.
Yahoo! complies with U.S. law and in accordance with those laws, the government can request data about a specific individual. In order to preserve our users privacy, Yahoo! scrutinizes each request and only responds as absolutely required, and then does so in the narrowest and strictest interpretation. Yahoo! wishes to reassure its users that their data is held in the utmost confidence on Yahoo!'s servers and is only disclosed in the rare case that a specific request is made that complies with U.S. law.