"Nobody is listening to your telephone calls," President Obama said on Friday, defending a broad government surveillance program that was leaked to the press in the preceding week.
Obama defended the program, code-named "PRISM," at an event on the West coast that was initially supposed to be devoted to the health care law.
According to the New York Times, the president sought to reassure the public that the information collected from nine of the biggest internet companies about phone calls and internet traffic helps to prevent terrorist attacks and is controlled by rigorous judicial and Congressional oversight.
News about the secret surveillance program was broken on Wednesday by the Guardian, which revealed that the National Security Agency (NSA) is collecting telephone records of millions of Verizon's US customers under a top-secret order issued on April 25 by the secret Foreign Intelligence Surveillance Court (FISA) to the Federal Bureau of Investigation (FBI).
The order, obtained by the Guardian, directs Verizon to hand over information on all telephone calls in its systems, both within the US and between the US and other countries, on an "ongoing, daily basis."
The court order contains a gag provision that prohibits Verizon from disclosing to the public either the FBI's request for customer records or the court order itself.
It covers a nearly three-month period ending July 19 (although Senator Dianne Feinstein on Thursday said that the order has been renewed every three months for the last seven years) and requires the numbers of both parties on a call to be handed over, as well as location data, call duration, unique identifiers, and the time of all calls.
The order doesn't cover call content.
As the Guardian reports, the document is the first demonstration that the current US administration is collecting, indiscriminately and in bulk, communications records of millions of US citizens, whether or not they're suspected of wrongdoing.
Why is this such a big deal?
The slides explicitly state that collection is being done "directly" from the servers of these US service providers:The American Civil Liberties Union (ACLU) answers that question in a posting of the court order that it's annotated with comments.
A few examples from the ACLU's annotations:
- The court order likely refers to an earlier, longer opinion on the legality of using Section 215 of the Patriot Act to track all Americans’ phone calls that was never made public but should have been.
- The FBI and the military are focusing on purely domestic calls, "sweeping up the phone records of countless innocent Americans," the ACLU says.
- Even if the NSA doesn't record call content, it's collecting metadata that can be as sensitive as content: e.g., information about whom you’re calling, who calls you, how long you talk, and maybe even where you’re talking from. This allows the government to build a profile that can reveal political and religious affiliations, medical conditions, infidelities, and more.
But PRISM is larger than Verizon.
For its part, the Washington Post also obtained a top-secret document that showed that the NSA and the FBI are "tapping directly into the central servers" of the nine largest internet companies to extract audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets.
The Guardian on Friday reported that it has obtained documents that further show that the United Kingdom's electronic eavesdropping and security agency, Government Communications Headquarters (GCHQ), has been piggybacking on PRISM, secretly gathering intelligence.
According to The Guardian, PRISM allows GCHQ to bypass the formal legal process required in the UK to obtain content such as emails, photos and videos from internet companies based outside the country's borders.
US director of national intelligence James R. Clapper on Thursday confirmed in a statement that coverage from both newspapers pertains to collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act (FISA).
Clapper claimed that the two newspapers' coverage contains "numerous inaccuracies" but failed to elaborate.
The Washington Post obtained a set of 41 partially redacted briefing slides that describe the operation, intended for senior analysts in the NSA's Signals Intelligence Directorate.
The list of companies allegedly providing access to the NSA includes:
- Google (Gmail, YouTube, etc)
- Microsoft (Hotmail, Skype, etc.)
Yet spokespeople at these companies have denied allowing the US government direct access to their servers, The Guardian reports.
Here's what spokespeople had to say, courtesy of the Guardian:
- Apple: "We have never heard of PRISM. We do not provide any government agency with direct access to our servers and any agency requesting customer data must get a court order."
- Facebook: "When Facebook is asked for data or information about specific individuals, we carefully scrutinise any such request for compliance with all applicable laws, and provide information only to the extent required by law."
- Google: "Google cares deeply about the security of our users' data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government 'backdoor' into our systems, but Google does not have a 'back door' for the government to access private user data."
- Microsoft: "We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don't participate in it."
- Yahoo: "Yahoo! takes users' privacy very seriously. We do not provide the government with direct access to our servers, systems, or network."
- Regarding executives speaking off the record, the Guardian writes: "Executives said they had never even heard of PRISM until contacted by the Guardian."
While that's a bit of what we do know about PRISM, there's plenty we don't know.
One of the main things we don't know, of course, is the identity of the whistleblower who leaked details of the program.
Whoever it is has risked getting him-, her- or themselves in deep trouble with this administration, which has proved zealous in pursuing whistleblowers.
Obama denounced this particular leak by saying it only helps terrorists when the media publicizes surveillance operations:
"If every step that we're taking to try to prevent a terrorist act is on the front page of the newspapers or on television, then presumably the people who are trying to do us harm are going to be able to get around our preventive measures."
The Atlantic pulled together some of the other remaining question marks in this article.
Just a small sample of the unknowns:
- The slides show that PRISM supposedly supplies one-seventh of the intelligence that goes into Obama's daily briefings, yet only cost $20 million. How can it be so cheap?
- Why are Twitter and Amazon missing from the list? Does Twitter's fierce protection of user data have anything to do with it?
- Apple didn't join the list until October 2012, five years after Microsoft. Why?
- Are the tech companies lying about the access to their servers, forbidden from acknowledging the program or their participation, or is it being done surreptitiously, via an API or an intermediary, such as a government vendor?
CNN's Michael Pearson has put together an FAQ about how US data collection affects each of us.
But after we learn how it affects us, many of us will want to know how to protect ourselves from government spying on our email, online searches, Skype calls and other electronic communications.
To that end, PC World on Friday put out this list of tips on protecting your PC from PRISM.
These aren't guaranteed to make your PC surveillance-proof, mind you, but they're a start, at the very least. Just remember that, given enough resources, an attacker can ferret out most anything about us.
Some of PC World's tips:
- Avoid using popular Web services. Rather than Google search, for example, try a lesser known search engine such as DuckDuckGo, which promises not to track or store your search history.
- Ditch your smartphone. If you go with a dumb phone, you're likely still trackable, but it can capture a whole lot less information about you.
- Encrypt your hard drive, files and email.
- Subscribe to a VPN.
Of course, these protective measures beg the question: If you're a serious criminal, wouldn't you already be using secure communications anyway, covering your tracks with strong encryption and using throwaway phones?