Parsing PRISM denials: Could everyone be telling the truth?

Several theories could still reconcile all the carefully worded statements and shifting facts as they stand today.

A day after The Washington Post and The Guardian published bombshell revelations that America's biggest tech companies are allowing the U.S. government to constantly monitor highly personal data contained in their servers, the facts remain fuzzy and somewhat fluid--and the statements of the parties involved don't add up.

All the tech companies have issued denials, saying they haven't given the government "direct" access or a "back door" to their servers under a surveillance program called PRISM, as the Post and Guardian stories claim.

Google's Larry Page repeated his company's denials in a blog post today: "First, we have not joined any program that would give the U.S. government--or any other government--direct access to our servers. Indeed, the U.S. government does not have direct access or a 'back door' to the information stored in our data centers."

The National Security Agency is saying the news stories are "full of inaccuracies," but isn't saying what the inaccuracies are. However, the NSA isn't denying the claims made in the stories. It hasn't said it's not working with Google, Facebook, Apple and all the other companies who've denied PRISM cooperation. If anything, the NSA is stressing that the PRISM program was never meant to spy on Americans.

So how do we square this disconnect? On one side, we have Silicon Valley saying it's not working with government spooks. On the other side, we have an NSA slide that lists exactly which big tech companies are working with PRISM, even noting their start dates.

For its part, The Washington Post, which first broke the story yesterday, is making a slight modification today. This might explain some of the disconnect between its story and the staunch denials of the tech companies:

"It is possible that the conflict between the PRISM slides and the company spokesmen is the result of imprecision on the part of the NSA author. In another classified report obtained by The Post, the arrangement is described as allowing 'collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,' rather than directly to company servers."

Is it possible that everyone's telling the truth? Possibly, yes. But only if you allow for a wide breadth of interpretation and license in how you parse the words from everyone involved.

"If you read the denials coming from the tech companies, they are carefully worded and really amount to non-denials," EFF staff attorney Nate Cardozo told TechHive Thursday afternoon. "They all are saying that they didn't provide direct access to the servers, but what they are probably doing is providing access to the data via an API, which would be indirect."

Such an application programming interface (API) would have given the NSA a web-based window to certain data elements within the servers of the tech companies.

When I described the API method of availing the data in the servers to USC law professor and privacy expert Jack Lerner, he said it sounded very "direct" to him. However, Lerner says there are other ways the tech companies may have provided "indirect" access to the NSA.

"They could have meant 'indirect' to say 'You can look at our data, but you can't use our interface to do it, you'll have to build your own,'" Lerner says.

And here's another way the conflicting stories might square: The tech companies may have hinged their denials on the places where the NSA was tapping into the data from their servers. For example, the NSA may have been tapping in via a path somewhere in the Internet backbone that connects to the servers. "It's conceivable that the NSA could have tapped into a major cable or fiber optic line through which the data was passing," Lerner says. The update from The Post today seems to support this possibility.

Robert Graham, CEO of Atlanta-based cybersecurity firm Errata Security, says that the NSA could have installed taps in many different places within the tech companies, or in the telecommunications network connecting the servers. "The NSA is probably tapping into the undersea fiber optic lines connecting to other countries," Graham says.

Such line tapping is certainly nothing new to network administrators, Graham says. And the gear being used by the NSA is probably not much different than the gear used by the tech companies for their own network monitoring. "Companies use 'sniffers' all the time for intrusion detection," he says. "They may install one to diagnose network problems, or they might install a sniffer to detect hackers."

Graham also points out the possibility that the tech companies could be providing access to the NSA while never being aware of the specific PRISM brand name. "It has a lot to do with the names they use," Graham says. "Google only knows what they're doing for them [the NSA], but they may be totally unaware of the names the NSA uses."

USC's Lerner says there may be yet another, more legally motivated, explanation of the tech companies' denials. "There may be a place in the law that requires them not to discuss it, so they would just be complying with the law," Lerner says. "For example, major service providers receive thousands of National Security Letters every year that they can't discuss."

In the midst of the spinning and he-said she-said coming from all sides, it's easy to lose sight of the real implications of the PRISM program. That is, that real data privacy doesn't exist.

"I see this and see people saying 'there is no privacy anymore' and it reminds me of the end of 1984 where Winston has completely given up and has completely internalized the totalitarian nature of the regime," Lerner says. "We're in a very scary place."

Top photo: Fort George G. Meade Public Affairs Office
