News

NSA Contradicts Assertions by Microsoft and Other Service Providers

• By Kurt Mackie
• 03/20/2014

Service provider denials that they knew of broad access to customer data by the U.S. National Security Agency appear to have been contradicted by an attorney for that agency.

Rajesh De, general counsel for the NSA, affirmed in a government hearing that service providers provide the data as part of a "compulsory legal process," according to a report published Wednesday by the Guardian. The hearing was conducted by the Privacy and Civil Liberties Oversight Board, which is an executive branch-appointed body. Moreover, according to the Guardian's report, customer data also get accessed in transit, per the authority of Section 702 of the FISA Amendments Act, in addition to being provided by service providers in response to subpoenas.

"After the hearing, De added that service providers also know and receive legal compulsions surrounding NSA's harvesting of communications data not from companies but directly in transit across the internet under 702 authority," the Guardian wrote.

Whistle-blower and former NSA contractor Edward Snowden had contended that NSA analysts could simply reach into service provider traffic without a legal process through the NSA's PRISM program. De's explanation seems to be that Section 702 allows such broad access and that service providers are aware that the NSA has such access.

Microsoft and other service providers early on suggested that they only responded to specific legal requests. Microsoft made that point and suggested that it wasn't aware of the data collection process that came to be known as the PRISM program, according to a June statement issued by the company:

We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don't participate in it.

However, an NSA slide leaked as a result of Snowden's disclosures indicated that Microsoft had joined the PRISM program back in 2007, with Yahoo, Google, Facebook, Paltalk, Skype, AOL and Apple joining in subsequent years.

Facebook founder Mark Zuckerberg indicated this month that he had called President Obama to complain about U.S. government surveillance behavior, asking for greater transparency. Zuckerberg complained of being "confused and frustrated," but De's comments suggest that Facebook and other service providers are simply aware that the upstream-traffic taps take place.

Microsoft and other service providers dropped their lawsuits in January after an agreement was reached with the government to allow limited bulk reporting of law enforcement requests, including those from the secret Foreign Intelligence Surveillance Court. However, such reporting is delayed for two years if the target is a "new capability order" of that court, meaning that the information was requested for the first time. Microsoft issues its law enforcement request reports every six months, but the names of companies or individuals targeted by legal requests aren't named.

In March, Microsoft announced assurances that companies could use its cloud services with data stored outside the United States. Microsoft, as a U.S.-based company, is bound to comply with U.S. laws, which include nontransparent legal frameworks for searching data networks.

In related news, The Washington Post reported earlier this month that the NSA is capable of retrieving the phone traffic of entire countries for about a month's time. That bulk recording is carried out under a program called MYSTIC that began in 2009, according to the report. The NSA purportedly is capable of tapping major telecommunications hubs across the globe, according to past Snowden-associated leaks.