Sophos Cloud Optix
“Nobody is listening to your telephone calls,” President Obama said on Friday, defending a broad government surveillance program that was leaked to the press in the preceding week.
Obama defended the program, code-named “PRISM,” at an event on the West coast that was initially supposed to be devoted to the health care law.
According to the New York Times, the president sought to reassure the public that the information collected from nine of the biggest internet companies about phone calls and internet traffic helps to prevent terrorist attacks and is controlled by rigorous judicial and Congressional oversight.
News about the secret surveillance program was broken on Wednesday by the Guardian, which revealed that the National Security Agency (NSA) is collecting telephone records of millions of Verizon’s US customers under a top-secret order issued on April 25 by the secret Foreign Intelligence Surveillance Court (FISA) to the Federal Bureau of Investigation (FBI).
The order, obtained by the Guardian, directs Verizon to hand over information on all telephone calls in its systems, both within the US and between the US and other countries, on an “ongoing, daily basis.”
The court order contains a gag provision that prohibits Verizon from disclosing to the public either the FBI’s request for customer records or the court order itself.
It covers a nearly three-month period ending July 19 (although Senator Dianne Feinstein on Thursday said that the order has been renewed every three months for the last seven years) and requires the numbers of both parties on a call to be handed over, as well as location data, call duration, unique identifiers, and the time of all calls.
The order doesn’t cover call content.
As the Guardian reports, the document is the first demonstration that the current US administration is collecting, indiscriminately and in bulk, communications records of millions of US citizens, whether or not they’re suspected of wrongdoing.
Why is this such a big deal?
The slides explicitly state that collection is being done “directly” from the servers of these US service providers:The American Civil Liberties Union (ACLU) answers that question in a posting of the court order that it’s annotated with comments.
A few examples from the ACLU’s annotations:
- The court order likely refers to an earlier, longer opinion on the legality of using Section 215 of the Patriot Act to track all Americans’ phone calls that was never made public but should have been.
- The FBI and the military are focusing on purely domestic calls, “sweeping up the phone records of countless innocent Americans,” the ACLU says.
- Even if the NSA doesn’t record call content, it’s collecting metadata that can be as sensitive as content: e.g., information about whom you’re calling, who calls you, how long you talk, and maybe even where you’re talking from. This allows the government to build a profile that can reveal political and religious affiliations, medical conditions, infidelities, and more.
But PRISM is larger than Verizon.
For its part, the Washington Post also obtained a top-secret document that showed that the NSA and the FBI are “tapping directly into the central servers” of the nine largest internet companies to extract audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets.
The Guardian on Friday reported that it has obtained documents that further show that the United Kingdom’s electronic eavesdropping and security agency, Government Communications Headquarters (GCHQ), has been piggybacking on PRISM, secretly gathering intelligence.
According to The Guardian, PRISM allows GCHQ to bypass the formal legal process required in the UK to obtain content such as emails, photos and videos from internet companies based outside the country’s borders.
US director of national intelligence James R. Clapper on Thursday confirmed in a statement that coverage from both newspapers pertains to collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act (FISA).
Clapper claimed that the two newspapers’ coverage contains “numerous inaccuracies” but failed to elaborate.
The Washington Post obtained a set of 41 partially redacted briefing slides that describe the operation, intended for senior analysts in the NSA’s Signals Intelligence Directorate.
The list of companies allegedly providing access to the NSA includes:
- Google (Gmail, YouTube, etc)
- Microsoft (Hotmail, Skype, etc.)
- Apple
- Yahoo
- PalTalk
- AOL
Yet spokespeople at these companies have denied allowing the US government direct access to their servers, The Guardian reports.
Here’s what spokespeople had to say, courtesy of the Guardian:
- Apple: “We have never heard of PRISM. We do not provide any government agency with direct access to our servers and any agency requesting customer data must get a court order.”
- Facebook: “When Facebook is asked for data or information about specific individuals, we carefully scrutinise any such request for compliance with all applicable laws, and provide information only to the extent required by law.”
- Google: “Google cares deeply about the security of our users’ data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘backdoor’ into our systems, but Google does not have a ‘back door’ for the government to access private user data.”
- Microsoft: “We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don’t participate in it.”
- Yahoo: “Yahoo! takes users’ privacy very seriously. We do not provide the government with direct access to our servers, systems, or network.”
- Regarding executives speaking off the record, the Guardian writes: “Executives said they had never even heard of PRISM until contacted by the Guardian.”
While that’s a bit of what we do know about PRISM, there’s plenty we don’t know.
One of the main things we don’t know, of course, is the identity of the whistleblower who leaked details of the program.
Whoever it is has risked getting him-, her- or themselves in deep trouble with this administration, which has proved zealous in pursuing whistleblowers.
Obama denounced this particular leak by saying it only helps terrorists when the media publicizes surveillance operations:
"If every step that we're taking to try to prevent a terrorist act is on the front page of the newspapers or on television, then presumably the people who are trying to do us harm are going to be able to get around our preventive measures."
The Atlantic pulled together some of the other remaining question marks in this article.
Just a small sample of the unknowns:
- The slides show that PRISM supposedly supplies one-seventh of the intelligence that goes into Obama’s daily briefings, yet only cost $20 million. How can it be so cheap?
- Why are Twitter and Amazon missing from the list? Does Twitter’s fierce protection of user data have anything to do with it?
- Apple didn’t join the list until October 2012, five years after Microsoft. Why?
- Are the tech companies lying about the access to their servers, forbidden from acknowledging the program or their participation, or is it being done surreptitiously, via an API or an intermediary, such as a government vendor?
CNN’s Michael Pearson has put together an FAQ about how US data collection affects each of us.
But after we learn how it affects us, many of us will want to know how to protect ourselves from government spying on our email, online searches, Skype calls and other electronic communications.
To that end, PC World on Friday put out this list of tips on protecting your PC from PRISM.
These aren’t guaranteed to make your PC surveillance-proof, mind you, but they’re a start, at the very least. Just remember that, given enough resources, an attacker can ferret out most anything about us.
Some of PC World’s tips:
- Avoid using popular Web services. Rather than Google search, for example, try a lesser known search engine such as DuckDuckGo, which promises not to track or store your search history.
- Ditch your smartphone. If you go with a dumb phone, you’re likely still trackable, but it can capture a whole lot less information about you.
- Encrypt your hard drive, files and email.
- Subscribe to a VPN.
Of course, these protective measures beg the question: If you’re a serious criminal, wouldn’t you already be using secure communications anyway, covering your tracks with strong encryption and using throwaway phones?
Image of President Obama, surveillance cameras, and American flag courtesy of Shutterstock.
rigorous judicial and Congressional oversight.
How about civilian added to that or a civilian governance committee
Many Thanks for some of the “tips on protecting your PC from PRISM.”…
I have been advocating some of these for some time, especially for those using “Cloud” type applications for work/business.
Great article!!
Thanks! If you have more tips, pleased do share.
I would also suggest avoiding cloud storage.
In January 2010, befor Google's withdrawal from China, Hillary Clinton (then Secretary of States of the US) said: "The ability to operate with confidence in cyberspace is critical in a modern society and economy." (source: the Guardian, http://www.guardian.co.uk/technology/2010/jan/12/…
I also wondered if Google would withdraw from the US market, just like what they did back in 2010.
Is it a good idea to structure your internet usage/telecom profile to look like a serious criminal?
Note that non-governmental companies like Google and Facebook are using your internet activity for their own gain — that is the basis of their business model!
When trying to come to grips with all the scandals bear in mind one thing: just because someone says something is "law," or is "legal" doesn't necessarily make it so. Congress can and has passed "laws" reprehensible to our inalienable rights.
It's up to the people to determine what "the law" is, ultimately.
Unfortunately if the people don't rise up and put an end to this Orwellian surveillance, it's all over for humanity. If they'll put up with this (and the reprehensible theater in the airports) then they'll put up with anything.
Kudos to Sophos for being on the right side of this issue. I'm shocked by the lack of reason in the media these days. It's refreshing to know I can come here and find some sanity. Thanks, folks! 🙂
Actually, it's up to both the people and the SCOTUS to determine if something is Constitutional.
The Americans Officially Follow No Rule of Law, Domestically or Internationally…
"do not provide any government agency with direct access to our servers" – that doesn't mean the information isn't sent to the government.
"user data" and "customer data" appear in at least 2 statements, presumably they don't consider meta-data to be actual user/customer data.
using the reasoning that the information will help the terrorists, why not flood the information market with programs, non-existant or not, detailing how they work, and not being to tell which are real and which are fake, the terrorists will give up? In WW2 we leaked information on hundreds of airfields and lots of equipment we did not have, and then faked it with plywood etc so a surveillance plane would be fooled…I think the terrorists have enough to do terrorizing and we are diminishing ourselves by cowering when we should be attacking the problem, not by spying on our population, but theirs, which is where the terrorists are, OR track down the people in this country that have expired visas or whoi are here illegally and get them out of our country
That would've helped a lot in Boston, huh? On 9-11?
Try monitoring network traffic in and out of the country, not domestic traffic.
There are million of way to be spied on by busineses to make money.and never a worry. Yet if a crime might occur – Looks like success is not getting caught with one's hand in the cookie jar – someone is afraid of getting caught with their hand in the cookie jar
It is so comforting to know that a significant number of our populace believe that they need no Constitutional rights, as they are not criminals.
Perhaps we should make you happy and repeal the first ten amendments.
"Some of PC World's tips:
Avoid using popular Web services. Rather than Google search, for example, try a lesser known search engine such as DuckDuckGo, which promises not to track or store your search history.
Ditch your smartphone. If you go with a dumb phone, you're likely still trackable, but it can capture a whole lot less information about you.
Encrypt your hard drive, files and email."
Encrypt your hard drive? How does that protect against PRISM? PRISM simply records data from emails and phone calls, right? Does PRISM go beyond data collection and actually put a back door into your computer?
No big deal to me. people seem unjustly paranoid, not new
– A few years back we heard about project ECHELON
– secondly spies spy, it's their job. They are supposed to do it ethically, and we elect politicians to monitor spies not to supervise every detail, but to give them rules.
– Yes all large companies are doing massive data scraping data operations so have massives of anonomised data.. but you are just 1 in 300 million so not important enough for the gov to bother with your little secrets.
– It's a complete waste of time to be paranoid about your every day stuff .. of course there are times when you should take extra privacy steps ..like when filing, whistleblowing, patents or other valuable info.
– Maybe it's a US UK cultural difference thing
Personally I don't have any secrets anyone would be interested in.
"…supposed to do it ethically, and we elect politicians to monitor spies not to supervise every detail, but to give them rules."
…and what do politicians know of ethics or rule following??
This is another excuse to stop piracy,i swear.
America is only going to cause itself one headache with all this spying. a loss of economic growth. No one will trust them in the end!
ha don’t make me laugh Mr President you are the same as all the other politicians full of rubbish and lies. time you ended the NSA’s spying program once and for all. stop behaving like you are the police of the world. keep this in mind other countries have their own privacy laws that you are in breach of, so do the right thing shut down the NSA.
I’m curious as to hos Apple ‘never heard’ about PRISM seeing the whole internet has known about it for a long time. Don’t Apple employees ever actually use the ‘net?
As for GCHQ ‘piggy-backing’ on PRISM – they’ve worked hand in glove with the US back since the days of Echelon. They can legally snoop (under UK law) on the US and NSA can legally snoop (under US law on the UK – so they just swap info that they gathered ‘legally’.
Here in Belfast we used to have a ‘Special Powers Act’ that basically allowed intelligence gathering across the board (the Special Branch used to drop into the main telephone exchanges and set up taps at random on a number of libnes and changed them every week). That’s officially ‘gone’ (as if that actually made any difference – telephone contacts are still tapped)