What sort of information would Microsoft and other tech companies such as Google or Yahoo have that the government would be interested in?
And how might the government gain access to it?
Those are two of the questions that have arisen from reports that broke Thursday that the U.S. government has a surveillance program targeting mainly foreigners that allows it direct access to user information from computer servers of Microsoft and eight other technology companies.
Many of those companies, including Microsoft, have denied participating in, or even knowing about, the program, which is code-named PRISM.
Most Read Stories
“We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis,” Microsoft said in a statement. “In addition, we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data, we don’t participate in it.”
A blog post from Google’s CEO and chief legal officer was simply titled “What the …?”
Regardless of whether the companies knowingly participated in such a program, it’s not surprising the government would want access to such treasure troves of information.
With billions of users worldwide accessing these servers for email, files, photos, chats and other networked activities, even non-content information (such as location and IP addresses) can yield valuable intelligence information to fight terrorism.
And if the ability to scan content or query for certain phrases is also involved, it could lead to even greater understanding of patterns.
“It’s hard to speculate about exactly how the intelligence community uses data or what generates the most valuable leads,” said Dan Auerbach, staff technologist with the Electronic Frontier Foundation, a San Francisco-based organization that’s been in the forefront of fighting for users’ privacy and consumer rights.
“They’d certainly be interested in who’s contacting whom, frequency of communications, IP addresses, as well as the actual content.”
Skype, which Microsoft acquired in 2011, would be of particular interest to intelligence officials, Auerbach speculated, given that “it has had a lot of traction and interest among people working with activists abroad.”
Denials, or deniability?
Many of the tech companies named in The Washington Post and The Guardian reports disclosing the surveillance programs flatly denied being involved in PRISM. But Auerbach believes “the bottom line is that to do any sort of mass surveillance that the PRISM slides imply would require the participation of those companies.”
(The newspapers’ reports were based on slides about the PRISM program from the National Security Agency that reporters had obtained.)
The Washington Post reported Friday that the discrepancy between the PRISM slides and company denials could be attributed to “imprecision on the part of the NSA author.”
The Post said that, in another classified report it had obtained, the arrangement between the companies and the government “is described as allowing ‘collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,’ rather than directly to company servers.”
That could well mean the government doesn’t have direct access to the companies’ servers, said David Smallman, an attorney who has represented investigative reporters, including, formerly, Laura Poitras, one of the co-authors of The Washington Post’s pieces on PRISM.
But perhaps there could be a covert or offshore entity, or an independent contractor, that installs a piece of equipment on a company’s backup servers, Smallman said.
“It’s plausible deniability,” he said.
In addition, he said, the companies could be legally prevented — perhaps under provisions of the Foreign Intelligence Surveillance Act (FISA) — from disclosing their involvement, if any, in such arrangements.
(The New York Times reported Friday, citing people briefed on negotiations between the government and the tech companies, that the companies were “essentially asked to erect a locked mailbox and give the government the key,” and that data was shared after the companies received FISA orders, which were reviewed by the companies’ lawyers.)
Overall, Smallman believes, what the government is likely looking for from the companies’ voluminous data are patterns of information.
“It’s all being looked at to predict future conduct,” he said. “That’s what big data is amazing with. It’s non-obvious information. That’s the justification for doing it.”
Microsoft, with its offerings such as Skype, Hotmail (now called Outlook.com) and its ever-growing cloud business, would provide a cornucopia of such big data.
In a report from 2012, Microsoft detailed how many law-enforcement requests and court orders it received. But the report does not include any numbers or other information on FISA orders, possibly because it is prevented from doing so under FISA provisions.
The report showed that, including Skype, the company received 75,378 law-enforcement requests that potentially affected 137,424 accounts — about 0.02 percent of active users of Microsoft services.
Excluding Skype, Microsoft received 70,665 requests, of which nearly 80 percent resulted in the disclosure of non-content data, such as the user’s name, billing address or IP history. About 2 percent resulted in the disclosure of customer content, Microsoft said.
The company said it requires an official document-based request, such as a subpoena, before it will consider disclosing non-content data, and that it requires an order or warrant from law enforcement before disclosing content.
The company also disclosed very rough estimates of the number of National Security Letters served on Microsoft: from 0 to 999 in 2012. Those letters, authorized by senior FBI officials, are used to obtain information about individuals if it’s relevant to to anti-terrorism or intelligence activities.
Microsoft was limited by the government to that method of describing the number of National Security Letters it was served.
Janet I. Tu: 206-464-2272 or firstname.lastname@example.org. On Twitter @janettu.