NSA Paid Tech Companies Millions For Prism

Leaked documents show taxpayer cost of involving Google, Microsoft and other tech companies in Prism digital dragnet.

Mathew J. Schwartz, Contributor

August 23, 2013


Who paid the cost of giving the National Security Agency direct access to the systems of nine technology companies, including Facebook, Google, Microsoft and Yahoo?

The answer arrived Friday: U.S. taxpayers.

Furthermore, the bill wasn't cheap. The U.S. Foreign Intelligence Surveillance Act (FISA) Court, which is charged with monitoring the NSA's surveillance programs, ruled in 2011 that the agency violated section 702 of FISA as well as the Fourth Amendment. Accordingly, the court ordered the programs to cease within 30 days unless specific "upstream collection" practice problems were fixed.

"Upstream collection is when the NSA gets a copy of Internet traffic as it flows through major telecommunications hubs and searches through for 'selectors,' like an email address or a keyword," Parker Higgins, an activist at Electronic Frontier Foundation, said in a blog post.


That FISA Court ruling triggered a period of successive 30-day extensions, each of which required corresponding changes from the technology companies that were legally compelled to give the NSA access to their systems. Those extensions and the surveillance program certifications they included came at quite a cost, according to a December 2012 NSA newsletter marked "top secret," which was published Friday by the Guardian and presumably provided by former NSA employee-turned-whistleblower Edward Snowden.

"Last year's problems resulted in multiple extensions to the certifications' expiration dates which cost millions of dollars for Prism providers to implement each successive extension -- costs covered by Special Source Operations," read the NSA newsletter.

Yahoo confirmed to the Guardian that it had been reimbursed for costs related to responding to data requests from the U.S. government. "Federal law requires the U.S. government to reimburse providers for costs incurred to respond to compulsory legal process imposed by the government," said a Yahoo official. "We have requested reimbursement consistent with this law."

Special Source Operations -- described by Snowden as the NSA's "crown jewel" -- administers the agency's surveillance programs that involve service providers, telecommunications companies and corporate partnership arrangements with technology firms that give the agency direct access to the data they handle.

But according to three rulings declassified this week by director of National Intelligence James Clapper -- as ordered by President Obama -- the FISA Court in 2011 ruled that the agency had broken the FISA law and violated the Fourth Amendment thousands of times due to its data interception practices. That document disclosure was made in response to a Freedom of Information Act request from EFF.

In one of those declassified documents, FISA Court judge John Bates wrote in an 86-page opinion that the "volume and nature of the information [NSA] has been collecting is fundamentally different from what the court had been led to believe." Furthermore, he said that the NSA's so-called minimization procedures for intercepting multi-communication transaction (MCT) data "tend to maximize, rather than minimize, the retention of non-target information, including information of or concerning United States persons," thus violating the Fourth Amendment. Accordingly, rather than renewing the requested annual legal certifications the agency is required to obtain from the FISA Court for its FISA surveillance programs, he instructed the NSA to fix specific problems or cease its related surveillance efforts.

In a cover letter published with the declassified court rulings, Clapper characterized those problems as involving "highly technical reasons concerning the matter in which the collection occurred," rather than involving questions of civil liberties. In particular, the problem appeared to center on the capture of MCT data, which might bundle multiple messages in a single communication.

"In large-scale enterprises as technologically sophisticated and operationally complex as the 702 program, mistakes and errors can and will happen," said Clapper. He said that after the court ruling, the agency proactively deleted all upstream communications it had intercepted in violation of FISA. Clapper emphasized, however, that the agency reports all such errors both to the FISA Court and Congress. That included reporting earlier "unintended misrepresentations in the way the collections were described to the FISA Court" that resulted in part from "gaps in technical understanding" between different groups at NSA.

In the wake of those discoveries and reporting the problems to the FISA Court and Congress, Clapper said that part of the solution entailed making not just technical changes, but also related structural, managerial and training changes at NSA.


About the Author

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
