posted by Thom Holwerda on Sat 8th Jun 2013 14:57 UTC
And yes, the PRISM scandal is far, far from over. More and more information keeps leaking out, and the more gets out, the worse it gets. The companies involved have sent out official statements - often by mouth of their CEOs - and what's interesting is that not only are these official statements eerily similar to each other, using the same terms clearly designed by lawyers, they also directly contradict new reports from The New York Times. So, who is lying?

Let's compare the official statements from the companies involved. First, Google CEO Larry Page:

First, we have not joined any program that would give the U.S. government - or any other government - direct access to our servers. Indeed, the U.S. government does not have direct access or a 'back door' to the information stored in our data centers. We had not heard of a program called PRISM until yesterday.

Facebook's Mark Zuckerberg:

Facebook is not and has never been part of any program to give the US or any other government direct access to our servers. We have never received a blanket request or court order from any government agency asking for information or metadata in bulk, like the one Verizon reportedly received. And if we did, we would fight it aggressively. We hadn't even heard of PRISM before yesterday.

An Apple spokesperson told Reuters:

We have never heard of PRISM. We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order.

PalTalk told The Washington Post:

We have not heard of PRISM. Paltalk exercises extreme care to protect and secure users’ data, only responding to court orders as required to by law. Paltalk does not provide any government agency with direct access to its servers.

Then there's AOL:

We do not have any knowledge of the Prism program. We do not disclose user information to government agencies without a court order, subpoena or formal legal process, nor do we provide any government agency with access to our servers.

And here's Yahoo:

Yahoo! takes users' privacy very seriously. We do not provide the government with direct access to our servers, systems, or network. We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers.

Notice a few things? Yes, these statements all contain the same key words and phrasings, and if you truly believe all these companies would come up with this independently I have a palace to sell you. This looks like a coordinated marketing campaign, with a focus on three elements: we have not heard of PRISM, we only respond to court orders, no direct government access to our servers. Those three elements return in all official statements.

Now let's compare this to the most recent development, which comes courtesy of The New York Times. According to the latest report in the NYT, the US government contacted Silicon Valley's technology companies to demand easier ways to access the user data these companies hold. Except for Twitter, all of them complied.

But other companies were more compliant, according to people briefed on the negotiations. They opened discussions with national security officials about developing technical methods to more efficiently and securely share the personal data of foreign users in response to lawful government requests. And in some cases, they changed their computer systems to do so.

The companies involved are legally obliged to comply with these court orders under FISA, and they include Google, Microsoft, Yahoo, Facebook, AOL, Apple, and Paltalk. The talks and negotiations around this matter are all classified, and it's illegal for the people involved to discuss them - which explains why the companies involved deny they have any knowledge of PRISM. These talks are still ongoing, and now also include Intel and possibly other companies.

It gets much worse, though. According to the NYT report, at least two companies (but perhaps more) went above and beyond their obligations under the law, and altered their computer systems to make the process more efficient.

In at least two cases, at Google and Facebook, one of the plans discussed was to build separate, secure portals, like a digital version of the secure physical rooms that have long existed for classified information, in some instances on company servers. Through these online rooms, the government would request data, companies would deposit it and the government would retrieve it, people briefed on the discussions said.

This means that the coordinated PR statements from Apple, Google, Facebook, and so on, are technically correct: they do not provide the government with direct access to their servers, and they only hand out data whenever it's part of a FISA order - and those orders are, in turn, classified and may not be discussed.

Interestingly enough, a more detailed account of what happens by the NYT seems to contradict all of this:

In one recent instance, the National Security Agency sent an agent to a tech company's headquarters to monitor a suspect in a cyberattack, a lawyer representing the company said. The agent installed government-developed software on the company's server and remained at the site for several weeks to download data to an agency laptop.

When you put all this together, it's clear that only one major player had the balls to resist demands from the US government for easier access to user data, and that's Twitter. Everybody else did what they could to make it easier for the US government, which makes their statements, while technically true, incredibly scummy and slithery. The outrage from people like Zuckerberg and Page, hence, is fake, dishonest, and douchy. These guys, as well as the other companies' spokespeople, know full well what's going on, and they know full well they're using technicalities to skirt around the issue.

This is what you get when you let companies rule the show. They don't care about you, and they don't care about your privacy. I've been saying this for years, but I'll repeat it once more: do not trust companies. Ever.
