Report: NSA PRISM program spied on Americans' emails, searches

The National Security Agency's PRISM program tapped directly into the servers of most of the web's largest companies.

For the last several years, the National Security Agency has reportedly been spying on the searches, emails, and file transfers of Americans using a program called PRISM--which tapped directly into the servers used by Apple, Google, Microsoft, and others.

The program was revealed Thursday in separate stories from the Washington Post and The Guardian, which earlier revealed that the NSA had worked with Verizon to monitor the metadata of millions of phone calls made by Americans.

The news stories brought to light a top-secret 41-page PowerPoint document detailing the PRISM surveillance program and the tech companies involved. The program has grown rapidly larger over the last several years and is still growing, according to The Guardian's report.

The list of companies that the paper alleges participated in the PRISM program reads like a Who's Who of Silicon Valley: in 2007, the document alleges, Microsoft was the first to participate. Yahoo joined in 2008. Others followed in quick succession: Google in 2009, then AOL, Apple, Facebook, PalTalk, Skype, and YouTube in October 2012.

Some of the tech companies named in the Guardian and Washington Post stories are denying the allegations. Google denied involvement with the PRISM program in the Guardian report.

"We disclose user data to government in accordance with the law, and we review all such requests carefully," a Google spokesperson wrote in a note to TechHive Thursday afternoon. "From time to time, people allege that we have created a government 'back door' into our systems, but Google does not have a 'back door' for the government to access private user data."

Facebook and Apple have also stated that they did not provide the government with direct access to their servers.

Update: The Guardian later on Thursday published a story that reported that "senior executives from the internet companies expressed surprise and shock and insisted that no direct access to servers had been offered to any government agency."

The Electronic Freedom Foundation (EFF) says the tech companies are playing word games. "If you read the denials coming from the tech companies, they are carefully worded and really amount to non-denials," EFF staff attorney Nate Cardozo told TechHive Thursday afternoon. "They all are saying that they didn't provide direct access to the servers, but what they are probably doing is providing access to the data via an API, which would be indirect."

"Somebody somewhere in these companies knew that this was going on," Cardozo says.

Data that could be examined

The data the NSA can access includes email, video and voice chat, videos, photos, voice-over-IP (Skype, for example) chats, file transfers, social networking details, and more, the paper reported.

Perhaps the most important aspect of the report, however, is the fact that the NSA reportedly tapped into the servers of the providers themselves--with or without their knowledge, if the Washington Post and Guardian reports are true.

The Guardian also reported that no court orders were needed, and that the agency could dip into the servers of Google and others both to monitor real-time communication and to pull out archived data.

"The presentation claims PRISM was introduced to overcome what the NSA regarded as shortcomings of FISA warrants in tracking suspected foreign terrorists," the report said.

The surveillance activities used in the PRISM program may be based on provisions in the FISA Amendments Act of 2008, which authorizes the government to monitor electronic communications if one of the communicating parties is believed to be outside the U.S. Critics say the law allows for the warrantless surveillance of electronic communications such as email and phone calls, of not only foreigners but U.S. citizens. An ACLU lawsuit challenging the law's constitutionality was dismissed 5-4 by the Supreme Court last February.

"If the Washington Post story checks out, what they [the NSA and FBI] did is illegal," EFF's Cardozo says. "The FISA Amendments Act was not meant to authorize anything of this scope."

The Guardian's report also noted that the U.S. has a "home-field advantage" due to housing much of the internet's architecture. But the presentation claimed that "FISA constraints restricted our home-field advantage" because the law required individual warrants and confirmations that both the sender and receiver of a communication were outside the U.S.
