NSA Contradicts Assertions by Microsoft and Other Service Providers

Service provider denials that they knew of broad access to customer data by the U.S. National Security Agency appear to have been contradicted by an attorney for that agency.

Rajesh De, general counsel for the NSA, affirmed in a government hearing that service providers provide the data as part of a "compulsory legal process," according to a report published Wednesday by the Guardian. The hearing was conducted by the Privacy and Civil Liberties Oversight Board, which is an executive branch-appointed body. Moreover, according to the Guardian's report, customer data also get accessed in transit, per the authority of Section 702 of the FISA Amendments Act, in addition to being provided by service providers in response to subpoenas.

"After the hearing, De added that service providers also know and receive legal compulsions surrounding NSA's harvesting of communications data not from companies but directly in transit across the internet under 702 authority," the Guardian wrote.

Whistle-blower and former NSA contractor Edward Snowden had contended that NSA analysts could simply reach into service provider traffic without a legal process through the NSA's PRISM program. De's explanation seems to be that Section 702 allows such broad access and that service providers are aware that the NSA has such access.

Microsoft and other service providers early on suggested that they only responded to specific legal requests. Microsoft made that point and suggested that it wasn't aware of the data collection process that came to be known as the PRISM program, according to a June statement issued by the company:

"We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don't participate in it."

However, an NSA slide leaked as a result of Snowden's disclosures indicated that Microsoft had joined the PRISM program back in 2007, with Yahoo, Google, Facebook, Paltalk, Skype, AOL and Apple joining in subsequent years.

Source: Washington Post

Facebook founder Mark Zuckerberg indicated this month that he had called President Obama to complain about U.S. government surveillance behavior, asking for greater transparency. Zuckerberg complained of being "confused and frustrated," but De's comments suggest that Facebook and other service providers are simply aware that the upstream-traffic taps take place.

Microsoft and other service providers dropped their lawsuits in January after an agreement was reached with the government to allow limited bulk reporting of law enforcement requests, including those from the secret Foreign Intelligence Surveillance Court. However, such reporting is delayed for two years if the target is a "new capability order" of that court, meaning that the information was requested for the first time. Microsoft issues its law enforcement request reports every six months, but the companies or individuals targeted by legal requests aren't named.

In March, Microsoft announced assurances that companies could use its cloud services with data stored outside the United States. Microsoft, as a U.S.-based company, is bound to comply with U.S. laws, which include nontransparent legal frameworks for searching data networks.

In related news, The Washington Post reported earlier this month that the NSA is capable of retrieving the phone traffic of entire countries for about a month's time. That bulk recording is carried out under a program called MYSTIC that began in 2009, according to the report. The NSA purportedly is capable of tapping major telecommunications hubs across the globe, according to past Snowden-associated leaks.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.

