An update and slight correction, 7:59 p.m.: A spokesperson forwarded us this message from Google's chief legal counsel David Drummond:
"We cannot say this more clearly -- the government does not have access to Google servers--not directly, or via a back door, or a so-called drop box. Nor have we received blanket orders of the kind being discussed in the media. It is quite wrong to insinuate otherwise. We provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process. And we have taken the lead in being as transparent as possible about government requests for use information."
They also wanted to clarify that Google and Facebook have not yet incorporated any sort of drop-box system for the NSA to extract files from. That plan was simply being negotiated, the Times reported. This report was originally said they were already in place. We regret the error.
Original: Ever since Thursday's blockbuster reports from the Washington Post and the Guardian revealing the existence of the National Security Agency's PRISM — the government program that allegedly works with major Internet companies to collect (some) U.S. citizen data — tech companies have been fighting to distance themselves from the potentially privacy-violating government programs. The Post and the Guardian allege tech companies that participate in the PRISM program — Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple —offered the government "direct access" to their servers full of user information. "From inside a company's data stream the NSA is capable of pulling out anything it likes," the Post's Barton Gellman and Laura Poitras reported. Facebook and Google were two of the most aggressive deniers. But similarities in their statements raised eyebrows. Both Google CEO Larry Page and Facebook CEO Mark Zuckerburg denied giving the government "direct access," per se, to their servers. That Page and Zuckerberg's statements were, when boiled down, almost identical didn't help matters.
New reports released Saturday morning reveal Facebook and Google were telling something resembling the truth when they denied the NSA has "direct access" to their servers, and that the government doesn't, in fact, have direct access to these massive personal information treasures storing most of our modern day-to-day communications. Both The New York Times' Claire Cain Miller and CNET's Declan McCullagh have reports debunking some the previous myths about the way PRISM and the NSA interact with the tech companies who cooperate with their surveillance work. "It's not as described in the histrionics in the Washington Post or the Guardian," a source told McCullagh, who went on to say it's "a very formalized legal process that companies are obliged to do."
First, it turns out Facebook and Google weren't lying. The government does not have "direct access" to their servers. But they are negotiating something special for the NSA to make obtaining the specially requested information as easy as a ransom hand-off. Per Miller:
In at least two cases, at Google and Facebook, one of the plans discussed was to build separate, secure portals, like a digital version of the secure physical rooms that have long existed for classified information, in some instances on company servers. Through these online rooms, the government would request data, companies would deposit it and the government would retrieve it, people briefed on the discussions said.
So the government doesn't have "direct access" to Facebook and Google servers, but there is a process in place so the NSA can request the information, and there's a special, secure place for them to retrieve that information. The NSA wants information on person X so they send a request to Google or Facebook. The tech company gathers all the information it has on person X and deposits that information onto the secure server set up for the NSA. Once the information is in place, the NSA accesses the secure server and retrieves the requested information. So the government doesn't have "direct access," or even "backdoor access," as has been implied.
The servers are, in effect, the tech equivalent of a safety deposit box that only the NSA and the corresponding tech company can access. Miller calls it "a locked mailbox," that the government has a key to open. Or we much prefer this visual, if you want to be brutish about it: a locked briefcase full of intel left in a digital garbage can with the NSA swinging in to pick it up at a prescribed time. Just like in the movies.
How other tech companies linked to PRISM ended up cooperating is unclear at this time. Twitter is only one who bristled at the government's request to make the handing-over of information easier. How Microsoft, Yahoo, PalTalk, AOL, Skype, YouTube, and Apple all operate with the NSA is still unknown. In some instances NSA agents would be stationed at a tech companies' office and would remain "at the site for several weeks to download data to an agency laptop," Miller writes. Occasionally the government would request data in real time, "which companies send digitally," she reports. But this brings us to an important legal point.
These tech companies have no choice but to fork over the information when the NSA came calling. "The companies were legally required to share the data under the Foreign Intelligence Surveillance Act," Miller reminds us. But building the special secure server used for dumping information for the NSA was going above and beyond the legal call of duty. Still, it's important to remember these companies had no choice but to hand over the requested information once the government went through the proper channels, as McCullugh explains:
The legal process, the person said, is akin to how law enforcement request information in criminal investigations: the government delivers an order to obtain account details about someone who's specifically identified as a non-U.S. individual, with a specific finding that they're involved in an activity related to international terrorism. Both the contents of communications and metadata, such as information about who's talking to whom, can be requested.
The tech companies also do their due diligence before handing over all of the requested information, too. Lawyers look over the government document before anything is handed over. "It is not sent automatically or in bulk, and the government does not have full access to company servers," Miller reports.
Miller also offers a new reason why the initial denials proved to be false. The PRISM and the FISA request system is a lot like Fight Club. The first rule is you're not allowed to talk about your PRISM and FISA work, even with your own coworkers, who have no idea you fork information to the government at their beck and call, lest you break federal laws (emphasis ours):
Tech companies might have also denied knowledge of the full scope of cooperation with national security officials because employees whose job it is to comply with FISA requests are not allowed to discuss the details even with others at the company, and in some cases have national security clearance, according to both a former senior government official and a lawyer representing a technology company.
So, yes, some people at Facebook and Google probably have national security clearance. That's coming from both sides of this scandal. On any other day, we would crack wise about how scary Eric Schmidt (possibly) having level seven security clearance is, but it still seems too soon for that.