Tech firms' responses to latest NSA disclosures cloud the truth, experts say

The NSA paid millions to compensate companies' surveillance costs, new documents claim

Technology companies may be hiding behind legal jargon to avoid being more forthcoming in their responses to new documents on government surveillance that were disclosed Friday, some experts say.

Internet and software companies including Microsoft, Yahoo, Google and Facebook "are legally compelled to lie," said security expert Bruce Schneier, citing national security letters that companies are prohibited from disclosing.

Some similar statements were made in interviews with the IDG News Service following a report published Friday in The Guardian alleging that the National Security Agency paid millions of dollars to companies such as Google and Facebook to cover costs involved in surveillance.

The tech companies incurred these costs in fulfilling tighter certification requirements after a 2011 court ruling said the government's data collection was unconstitutional, according to documents obtained by The Guardian.

That ruling, which was handed down by the Foreign Intelligence Surveillance Court and was made public on Wednesday, said that the way the NSA collected data violated the Fourth Amendment because the agency did not effectively design its collection efforts to target only foreigners of interest to national security.

The NSA was "misusing its authority" by collecting the digital communications of U.S. citizens for years, the ruling said.

The documents revealed Friday describe the problems that the agency experienced after that ruling and the resulting efforts required to bring companies into compliance, according to The Guardian. The list of involved companies includes Google, Yahoo, Microsoft and Facebook, its report said.

The documents were passed on to The Guardian by former NSA contractor Edward Snowden, the man behind the original leaks of various government surveillance programs such as Prism. The documents provide the first evidence of a financial relationship between technology companies and the NSA, the Guardian report said.

The FISA court is required to sign annual certifications that provide the legal framework for surveillance operations, the report said. After the 2011 ruling, those certifications were only being renewed on a temporary basis as the NSA worked to fix its data collection methods that the court deemed unconstitutional.

This adjustment process entailed huge costs, according to a 2012 NSA newsletter entry, excerpts of which were published by The Guardian. "Last year's problems resulted in multiple extensions to the certifications' expiration dates which cost millions of dollars for Prism providers to implement each successive extension," the newsletter said.

The Guardian did not give an exact figure for the costs.

The latest disclosure raises serious questions around the use of taxpayer money to finance government surveillance, the Guardian said. But another issue is the growing discrepancy between the information contained in leaked government documents and technology companies' responses to it.

Snowden's original leaks revealing Prism described a program aimed at the mass collection of data owned by U.S. citizens through direct access to company servers. Google and other tech companies have denied cooperating with the NSA to allow the mass collection of data.

They gave similar denials on Friday in response to questions from the IDG News Service.

"Facebook has never received any compensation in connection with responding to a government data request," a Facebook spokeswoman said.

"We think the continued misreporting on this matter by The Guardian and others is troubling," she added in an email.

Google said it has "not joined Prism or any government surveillance programs."

"We do not provide any government with access to our systems and we provide user data to governments only in accordance with the law," a spokeswoman said.

Both Yahoo and Microsoft offered more legalistic, complicated responses. Their responses make it clear that the companies' deals for government compensation are more complicated than something they can simply confirm or deny.

"Microsoft only complies with court orders because it is legally ordered to, not because it is reimbursed for the work," a spokesman said. "We could have a more informed discussion of these issues if providers could share additional information, including aggregate statistics on the number of any national security orders they may receive," he said.

Microsoft asked for permission in June to aggregate statistics about the number of requests for data it receives under the U.S. Foreign Intelligence Surveillance Act.

Currently, companies can reveal the number of FISA requests they receive only if they lump them together with all other requests from U.S. law enforcement agencies.

Yahoo said it had nothing to add beyond the statement that the company supplied to The Guardian, which said "federal law requires the U.S. government to reimburse providers for costs incurred to respond to compulsory legal process imposed by the government."

"We have requested reimbursement consistent with this law," the company said.

Semantics are at play in companies' responses, experts said.

Friday's leaked documents "say that these companies cooperate with bulk NSA data collection," said Schneier. "The companies deny it, but their denials are precisely worded with a lot of wiggle room," he said.

Also, if companies are compelled by a National Security Letter to comply, they are prohibited from talking about their compliance, Schneier said.

In its response Friday, Google said it continues to await the government's decision on the company's petition to publish more national security request data, "which will show that our compliance with American national security laws falls far short of the wild claims still being made in the press today."

Roger Kay, an IT analyst and founder at Endpoint Technologies Associates, said he was not surprised by the documents that were revealed Friday. Though the companies don't say whether they provided information to the government, the legalistic language in some of their responses suggests they did, he said.

Also, companies' responses to the growing number of leaks, whether they are flat-out denials, chock full of complicated legalese, or just plain vague, are probably damaging some users' trust in the companies, Kay argued.

But for Internet users with short attention spans, disclosures like the ones revealed Friday may just blow over, he added.

Still, many questions remain about the type of data collection that was paid for in the millions of dollars in compliance costs that companies reportedly incurred.

It's not clear how the NSA gathers data from companies, Kay said. "Is it like a direct stethoscope into the main artery, or a broader snapshot?"

Getting answers to those kinds of questions may also boil down to semantics. "Perhaps different people mean different things by 'direct access,'" said Seth Schoen, senior staff technologist at the Electronic Frontier Foundation.

In another new development, The Guardian and The New York Times announced on Friday that they would work as partners to give the U.S. paper access to other documents leaked by Snowden. Both papers will be working together to publish more stories tied to the documents.

Zach Miners covers social networking, search and general technology news for IDG News Service. Follow Zach on Twitter at @zachminers. Zach's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags Internet-based applications and servicessocial networkingsocial mediadata protectioninternetsearch enginesprivacyFacebookYahooGoogleMicrosoftsecuritylegal

More about Electronic Frontier FoundationFacebookGoogleIDGMicrosoftNational Security AgencyNSAPrismTechnologyYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Zach Miners

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place