PRISM Spying Denials From Tech Companies Baffle Security Experts

Why It's Unlikely Tech Companies Didn't Know About NSA Spying

NEW YORK -- When Mark Klein went to work as a technician at an AT&T communications center in San Francisco in the fall of 2003, his company entrusted him with a key to every door but one: room 641A.

Access to that room, he later testified in a court deposition, was restricted to employees who had security clearances from the National Security Agency, the vast government department that scans the world's communications.

But even though he wasn't permitted to enter the secured room, Klein says he was directly involved in ensuring that it achieved its function: making sure that all of the Internet traffic reaching the facility, including emails and online chats, could be seen and analyzed by the government spying agency.

Klein's testimony -- recounted in court documents that are part of a federal lawsuit against the NSA by the Electronic Frontier Foundation, a digital rights group -- was cited in the case as proof of a contention that now has greater currency than ever: Klein's account, the EFF claims, amounts to proof that AT&T collaborated with the NSA in the surveillance of the domestic communications of millions of Americans.

The particular lawsuit in which Klein appears as witness has been moving at glacial speed through federal district court in San Francisco. But his testimony now has special resonance as Americans absorb reports that indicate the NSA has for years tapped into the networks of telephone and Internet companies to collect vast stores of information in its quest to identify and track terrorists.

This week, The Guardian and The Washington Post reported on the existence of a secret program known as PRISM through which the NSA has gained access to the personal data of millions people using a host of communications services run by major American technology companies including Microsoft, Yahoo, Google, Facebook, Apple, and AOL, which owns The Huffington Post.

The Guardian also reported this week on the existence of a secret court order compelling Verizon to turn over phone call records to the NSA, including the date, location and duration of calls.

Senior government officials, including President Obama, acknowledged and defended the existence of the domestic surveillance programs. James Clapper, the director of national intelligence, said Friday that PRISM cannot be used to intentionally target any U.S. citizen, or any other person living in the United States.

Verizon refused to confirm or even comment on the court order in its case. But the cluster of Internet companies said to have actively participated in the PRISM program, in sharp contrast, forcefully denied any involvement, with some specifically saying they had no knowledge of it.

“We have never heard of PRISM,” Apple said in a statement. “We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order.”

"I want to respond personally to the outrageous press reports about PRISM," Facebook CEO Mark Zuckerberg wrote in a public Facebook message Friday evening. "Facebook is not and has never been part of any program to give the US or any other government direct access to our servers."

But data security experts pointed to the AT&T case and Klein’s testimony to suggest that the sort of massive-scale data-mining operation outlined in the news reports would be nearly impossible without some form of corporate cooperation.

Although the type of harvesting revealed in documents leaked to the press could be realized without a company's full knowledge, experts said it's hard to envision a scenario in which someone on the inside wasn't aware of government snooping. Large Internet companies have sophisticated and powerful mechanisms to detect such intruders, they said.

"It would be absurd if security people were unaware that data was being moved out of their system," said Ali Golshan, a former intelligence agency analyst and founder of the cybersecurity firm Cyphort. He said it was "impossible" that the NSA could collect data from tech companies without those companies knowing.

According to Golshan, tech companies routinely give the spy agency access to the back end of their networks. "You're essentially letting the NSA run analysis on top of your network to sort the data any way they want. It's like giving them the private keys to the back door of your home," he said.

Matthew Aid, who wrote a book on the history of the NSA, said the denials from tech companies over the domestic surveillance program appear carefully worded and don't necessarily mean they were not involved. "We may be looking at nuances in language here," he said.

At least one company, Google, explicitly said that the government has not established a secret entrance to its information network. "From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a ‘back door’ for the government to access private user data,” a spokesman said.

Other data security experts said that while the NSA could be hacking into companies' servers without their knowledge, aggregating and making sense of all the information stored there would be extremely difficult without some level of cooperation.

"Even if you do have direct access to the data, then you'd need to have an engineer help explain to you how to interact with it," said Aaron Massey, a postdoctoral fellow at Georgia Tech whose research focuses on computer security and legal compliance software systems.

The data collection method described by Klein, the AT&T whistleblower, appears to differ from what is purported to be happening under the PRISM program, said Richard Wiebe, the San Francisco attorney representing the Electronic Frontier Foundation in its lawsuit against the NSA.

In his testimony, Klein said he helped maintain a device that essentially duplicated the stream of Internet traffic reaching the facility, with that duplicated feed then piped directly into room 641A. Once inside the room, a so-called semantic traffic analyzer -- a device designed to sift through vast amounts of data -- was presumably used to sort the information and search for certain keywords.

Reading through passing messages, as in the AT&T case, is different from mining a company's computer servers for information, the activity described in the PRISM reporting, Wiebe said.

That latter method of spying, he said, can be accomplished even if the subject -- such as a consumer with a Facebook account -- never communicates with anybody. "Even if you don't have any friends, the NSA is friending you," he said.

Wiebe said it's possible that such data-mining could be done without the knowledge of security monitors, for example by disguising it as the same sorts of probes done every day on consumer data by the companies themselves. Even so, he said, it is hard to fathom that the initial connection could be accomplished without someone at the company being aware.

Making sense of the other big data-mining story that broke this week -- the one involving a secret court order obliging Verizon to turn over its entire store of domestic phone records to the NSA -- is much easier, Wiebe said.

That the U.S. government is collecting so-called metadata, such as information about the time, location and duration of calls made by American citizens, has been known for years, he said, and is also alleged in the Electronic Frontier Foundation case. "This is a complete confirmation of what we have been saying for seven years," he said.

Before You Go

Sen. Dianne Feinstein (D-Calif.)

Politicians React To NSA Collecting Phone Records

Popular in the Community