On the heels of leading the charge to call for more transparency from the U.S. government in its surveillance requests, Google has now clarified exactly the kind of access the National Security Agency has to its servers. And just as the company has claimed over and over since the leak of the PRISM program, Google insists that it does not give the government "direct access" but rather sets up a secure file transfer protocol to get your data in Washington's hands. "When required to comply with these requests, we deliver that information to the US government — generally through secure FTP transfers and in person," Google spokesman Chris Gaither told Wired, among other news outlets. "The US government does not have the ability to pull that data directly from our servers or network." In other words, when faced with a request — FISA or otherwise — someone on the search giant's side of things "generally" takes that government ask and transfers it to the NSA over the encrypted server or by hand. What does that really mean, and is it really going to make anyone feel better about the very privacy and transparency Google is pushing for? We explain.
Why Google's NSA Setup Could Make You Feel Better...
The original Washington Post report on the PRISM program suggested that the NSA could get into the servers of Google or the other eight companies implicated in the data-mining and take things with "direct access." The paper walked back the claim that the tech giants would "participate knowingly" in the program, but the concept that the NSA was literally plugged into Google — and therefore so much of our daily lives — was directly frightening. Google, Facebook, and a handful of the other seven companies named in the original report have flat-out denied the "direct access" claim, but none had provided a lot more information about how the transfer of information really worked.
Later, the Post revised its story again to say there was special equipment at a "company-controlled location." The FTP setup sounds like it could fall under that very characterization. In its version of how PRISM works, Google handles the government's request and one of Google's own people decides what, exactly, to give up. In addition, Google alleges that it doesn't always comply with the NSA's orders. "We have been asked to do things in the past and we have declined," the company spokesman said. This explanation at least satisfies TechDirt's Mike Masnick: "The specifics of how tech companies are handing legally required data over to the NSA seems like much less of an issue than the breadth of the government's requests."
...and Why It Won't
The distinction between an FTP and "direct access" is pretty subtle: the government still has a way into Google's servers. Instead of the NSA poking around, they just have a Google employee with "national security clearance," per The New York Times's Claire Cain Miller, who can take that information and let the government monitor it in real time. This is, by the way, how The Week's Marc Ambinder basically explained PRISM back when Google first started denying "direct access."
Still, the man-in-the-middle theory does sound better, at least in theory: a Google person searches your data and decides what to give to the country's top spies. But we still don't know what kind of information the government is getting from Google and how this liaison works between Google and the NSA. There are recorded abuses of systems like this, as Marcy Wheeler explains over at the Empty Wheel.
But the short version is that the NY FBI office set up an office to have representatives of the three major telecom companies come in and directly access their data with FBI Agents looking over their back. As such, it’s probably similar to what PRISM accomplishes for internet providers (except that an NSA employee rather than a telecom employee does the search), and presumably akin to whatever NSA does with the Section 215 dragnet information (which, after all, replicates the telecom databases perfectly).Also, it's unclear if this applies to the FISA orders, which Google would not discuss if this data transfer.
Now we know a Google employee and not an NSA agent does the searching — at least of Google's portion of the data-mining, though perhaps the other eight companies have similar setups — but that doesn't mean the data transfers are legal. In the situation Wheeler describes, the FBI did "an unknown number of sneak peeks into the data to see if there was something worth getting formally," among other illegal things. Former NSA director Michael Hayden also admitted that rogue collection happened from time to time, as he told The Daily Beast's Eli Lake. "Hayden said he remembered a collector who was fired for trying to snoop on his ex-wife overseas," writes Lake.
In addition, Google would not discuss with media whether its spy FTP applied to "all law enforcement requests, including those that don't involve secret orders by the Foreign Intelligence Surveillance Court, which authorizes the government to request information from companies in the interest of U.S. national security," reports The Wall Street Journal's Amir Efrati. If it does not apply to FISA requests, then we're back where we started. But even if it does, the NSA still has pretty easy access to your Googling.