PRISM and the Response of the IT Giants On June 6, 2013, the British newspaper the Guardian revealed that the National Security Agency (NSA)the U.S. agency responsible for collecting, decoding, and analyzing intelligence datawas obtaining from Verizon "all call detail records or 'telephony metadata' created by Verizon for communications between the United States and abroad." The newspaper published a copy of a court order requiring Verizon to comply with the government's request for the data by supplying to the NSA daily updates that includes information such as the numbers of both parties involved as well as the time, duration, and location of each call. The court order was legal under the Foreign Intelligence Surveillance Act (FISA) of 1978. Yet the revelation alarmed privacy rights and civil liberties activists.

The following day, the Guardian published an article alleging that the NSA's PRISM program had been accessing data located on the servers of Apple, Facebook, Google, Microsoft, and other IT giants. The newspaper claimed that it had verified the existence and authenticity of a top secret presentation used to train intelligence operatives that indicated that the NSA was collecting data directly from these companies' servers. PRISM allowed the NSA and the FBI to access the actual content of the emails, chats, and other forms of electronic communications. Verizon had been providing the NSA with metadata; the PRISM data was much wider in scope.

The Washington Post and other media outlets jumped on the story. Reporters both inside and outside of the IT world raced to discover how PRISM worked. The Guardian article claimed the NSA had "direct access." Did this mean that PRISM had some back door into these companies' servers?

"No," Google exclaimed emphatically. According to a statement issued by the company, "Google cares deeply about the security of our users' data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government 'back door' into our systems, but Google does not have a back door for the government to access private user data." Yahoo's response to the revelation was more succinct, "We do not provide the government with direct access to our servers, systems, or network."

But Apple's and Facebook's statements gave away a vital clue. An Apple spokesperson offered the following response: "We have never heard of PRISM. We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order." Facebook also repeated the "direct access" denial, but revealed: "When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law."

On June 15, 2013, the Associated Press (AP) revealed that PRISM was just one part of a much larger government surveillance program. According to the AP's report, Section 702 of the FISA enabled the NSA to access electronic data in two waysdirectly through the Internet's major pipelines and indirectly via court orders directed at tech companies. The task of analyzing all the unstructured data streaming through the Internet's pipelines is gargantuan, and the court orders allow the NSA to narrow its focus to communications data of specific foreign targets. The initial statements by the companies that they had never heard of a project called PRISM was likely trueas they only responded to specific court orders regarding the communications of specific accounts, individuals, or identifiers.

After the initial revelations regarding the PRISM program, some of the IT companies explained that they have fought these data requests, particularly when they deemed the requests too broad. For example, Yahoo asserted that between 2007 and 2008, the company refused multiple requests from the NSA for customer information. "At one point," Yahoo's general council Ron Bell revealed, "the U.S. Government threatened the imposition of $250,000 in fines per day if we refused to comply." The Foreign Surveillance Intelligence Court eventually ruled in the NSA's favor, and Yahoo was forced to comply with the requests.

Days after the initial Guardian article, Edward Snowden, a 29-year-old NSA contractor based in Hawaii, identified himself as the whistleblower who had handed over the stack of classified documents regarding the NSA's classified surveillance, among other things. Many in the press and among the public hailed Snowden as a hero. Americans had no idea that the NSA was collecting such broad information. Moreover, while the targets of the searches were suspected foreign agents, any of their correspondence with American citizens living in the United States was also fair game. Analysts also expressed concern that analysis of unstructured data flowing through the Internet pipeline could lead the NSA to pursue "false positives" and persecute innocent citizens.

Others, however, argued that Snowden should not have disclosed the classified documents. NSA administrators have stated that the data collected through the PRISM program helped the FBI prevent 54 terrorist attacks in the United States and abroad. Since these cases are still classified and cannot be shared with the public, the media cannot verify these statements independently. Critics also argue that Snowden gave terrorists insight into how the United States is tracking them by leaking the NSA documents, although others assert that the techniques disclosed by Snowden were widely known in the cybersecurity community. According to Snowden, he was motivated by his concerns for privacy rights. He had placed stickers on his own computer promoting digital rights and Internet freedom organizations, including the Electronic Frontier Foundation (EFF) and the Tor Project. The EFF is a nonprofit group whose mission is "defending civil liberties in the digital world."* Tor is an open-source software that makes it more difficult for someone's Internet activity to be traced. The Tor project is intended to safeguard personal privacy; however, it is a double-edged sword that can also be used by cybercriminals to build black markets where they sell stolen credit card data and other health and personal information.

Since the Snowden leak, the U.S. courts have continued to authorize the NSA to collect individual digital data and bulk phone data. It will be up to Congress to decide whether to extend these laws so that they remain valid in the years to come or to revise the laws to place greater limits on the NSA and grant individual greater privacy rights.

Discussion Questions How does the government's responsibility to provide for the common defense of the American people and to protect civil liberties conflict in the case of the PRISM project?

What measures can be taken to ensure that the government's counterterrorism projects do not infringe, or only minimally infringe, on individual privacy?

What measures should IT companies take to protect their customer's privacy?

Some people have claimed that consumers have more to worry about from hackers and identity thieves than from government snoops focused on terrorist suspects. Do you agree? Why or why not?