CIO

Parsing PRISM denials: Could everyone be telling the truth?

A number of theories are still available to make all the carefully worded statements and shifting facts sing harmoniously together today.

A day after The Washington Post and the Guardian published bombshell revelations that America's biggest tech companies are allowing the U.S. government to constantly monitor highly personal data contained in their servers, the facts remain fuzzy and somewhat fluid--and the statements of the parties involved don't add up.

All the tech companies have issued denials, saying they haven't given the government "direct" access or a "back door" to their servers under a surveillance program called PRISM, as the Post and Guardian stories claim.

Google's Larry Page repeated his company's denials in a blog post today: "First, we have not joined any program that would give the U.S. government--or any other government--direct access to our servers. Indeed, the U.S. government does not have direct access or a 'back door' to the information stored in our data centers."

The National Security Agency is saying the news stories are "full of inaccuracies," but isn't saying what the inaccuracies are. However, the NSA isn't denying the claims made in the stories. It hasn't said it's not working with Google, Facebook, Apple and all the other companies who've denied PRISM cooperation. If anything, the NSA is stressing that the PRISM program was never meant to spy on Americans.

So how do we square this disconnect? On one side, we have Silicon Valley saying it's not working with government spooks. On the other side, we have an NSA slide that lists exactly which big tech companies are working with PRISM, even noting their start dates.

For its part, The Washington Post, which first broke the story yesterday, is making a slight modification today. This might explain some of the disconnect between its story and the staunch denials of the tech companies:

"It is possible that the conflict between the PRISM slides and the company spokesmen is the result of imprecision on the part of the NSA author. In another classified report obtained by The Post, the arrangement is described as allowing 'collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,' rather than directly to company servers."

Is it possible that everyone's telling the truth? Possibly, yes. But only if you allow for a wide breadth of interpretation and license in how you parse the words from everyone involved.

"If you read the denials coming from the tech companies, they are carefully worded and really amount to non-denials," EFF staff attorney Nate Cardozo told TechHive Thursday afternoon. "They all are saying that they didn't provide direct access to the servers, but what they are probably doing is providing access to the data via an API, which would be indirect."

Such an application programming interface (API) would have given the NSA a web-based window to certain data elements within the servers of the tech companies.

When I described the API method of making the data in the servers available to USC law professor and privacy expert Jack Lerner, he said it sounded very "direct" to him. However, Lerner says there are other ways the tech companies may have provided "indirect" access to the NSA.

"They could have meant 'indirect' to say 'You can look at our data, but you can't use our interface to do it; you'll have to build your own,'" Lerner says.

And here's another way the conflicting stories might square: The tech companies may have hinged their denials on the places where the NSA was tapping into the data from their servers. For example, the NSA may have been tapping in via a path somewhere in the Internet backbone that connects to the servers. "It's conceivable that the NSA could have tapped into a major cable or fiber optic line through which the data was passing," Lerner says. The update from The Post today seems to support this possibility.

Robert Graham, CEO of Atlanta-based cybersecurity firm Errata Security, says that the NSA could have installed taps in many different places within the tech companies, or in the telecommunications network connecting the servers. "The NSA is probably tapping into the undersea fiber optic lines connecting to other countries," Graham says.

Such line tapping is certainly nothing new to network administrators, Graham says. And the gear being used by the NSA is probably not much different than the gear used by the tech companies for their own network monitoring. "Companies use 'sniffers' all the time for intrusion detection," he says. "They may install one to diagnose network problems, or they might install a sniffer to detect hackers."

Graham also points out the possibility that the tech companies could be providing access to the NSA while never being aware of the specific PRISM brand name. "It has a lot to do with the names they use," Graham says. "Google only knows what they're doing for them [the NSA], but they may be totally unaware of the names the NSA uses."

USC's Lerner says there may be yet another, more legally motivated, explanation of the tech companies' denials. "There may be a place in the law that requires them not to discuss it, so they would just be complying with the law," Lerner says. "For example, major service providers receive thousands of National Security Letters every year that they can't discuss."

In the midst of the spinning and he-said, she-said coming from all sides, it's easy to lose sight of the real implication of the PRISM program: that real data privacy doesn't exist.

"I see this and see people saying 'there is no privacy anymore' and it reminds me of the end of 1984 where Winston has completely given up and has completely internalized the totalitarian nature of the regime," Lerner says. "We're in a very scary place."

Top photo: Fort George G. Meade Public Affairs Office