Entries in NSA (3)


Facebook, Microsoft Release Data on Info Handed Over to Government

NICHOLAS KAMM/AFP/Getty Images(NEW YORK) -- When reports of the National Security Agency’s alleged program to gain “direct access” to large amounts of Internet communications (code-named PRISM) was first reported last week, the technology companies tied to the reports all denied participation in the surveillance program – but they also urged the government to allow for more transparency regarding the requests they do receive.

On Friday evening, after reaching an agreement with the FBI and Department of Justice, Facebook and Microsoft were the first companies to release transparency reports. Facebook revealed that the company received between 9,000 and 10,000 data requests from local, state and federal governments in the last six months of 2012. Within those, access to or information about 18,000 to 19,000 individual Facebook accounts were requested. During that same period, Microsoft received between 6,000 and 7,000 requests for access to a total of 31,000 to 32,000 accounts.

“As of today, the government will only authorize us to communicate about these numbers in aggregate, and as a range,” Facebook General Counsel Ted Ullyot wrote in a Facebook blog post. “This is progress, but we’re continuing to push for even more transparency, so that our users around the world can understand how infrequently we are asked to provide user data on national security grounds.

“These requests run the gamut – from things like a local sheriff trying to find a missing child, to a federal marshal tracking a fugitive, to a police department investigating an assault, to a national security official investigating a terrorist threat,” Ullyot wrote.

Ullyot reminded readers Facebook has more than 1 billion users, maintaining that “a tiny fraction of 1 percent of our user accounts were the subject of any kind of U.S. state, local, or federal U.S. government request (including criminal and national security-related requests) in the past six months.”

Microsoft’s deputy general counsel, John Frank, made similar points in a post of his own: “This only impacts a tiny fraction of Microsoft’s global customer base.”

Facebook and Microsoft agreed that the numbers were a step toward providing greater transparency, but because of the nature of the classified and sensitive information, the government has not allowed for more to be disclosed.

“We continue to believe that what we are permitted to publish continues to fall short of what is needed to help the community understand and debate these issues,” Frank wrote.

Earlier this week, Facebook, Google and Microsoft petitioned the government to allow them to share more about the scope and size of the user-data requests.

Google, however, doesn’t think Facebook and Microsoft’s approach is helpful and is instead looking to just reveal the numbers of the requests national security requests on its own.

“We have always believed that it’s important to differentiate between different types of government requests,” Google said in a statement on Friday night. “We already publish criminal requests separately from National Security Letters. Lumping the two categories together would be a step back for users. Our request to the government is clear: to be able to publish aggregate numbers of national security requests, including FISA disclosures, separately.”

Copyright 2013 ABC News Radio


Dissecting Tech Companies' Denial of Involvement in NSA's Spying Program 

(WASHINGTON) -- The National Security Agency and the FBI have been tapping into the servers of nine technology companies, including Microsoft, Apple, Google, Yahoo, to collect audio, video, photographs, e-mails and other documents under a program code-named PRISM, according to a report in the Washington Post. But the tech companies named have responded to questions about the story with statements that may leave out as much as they say.

All the major technology companies named in the Post's report have adamantly denied that they have given the government full access to their servers in similar prepared statements.

President Obama said Friday that members of Congress have repeatedly been informed of these programs. "The relevant intelligence committees are fully briefed on these programs. These are programs that have been authorized by broad, bipartisan majorities repeatedly since 2006. And so I think at the outset, it's important to understand that your duly elected representatives have been consistently informed on exactly what we're doing," he said.

Still, while Obama says that data being collected on emails and Internet activity is targeted at foreign nationals and not U.S. citizens, the tech companies have all released similar prepared statements to the media denying involvement in this program.

The Statements

Apple: "We have never heard of PRISM. We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order."

Microsoft: "We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don't participate in it."

Google: "Google cares deeply about the security of our users' data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government 'back door' into our systems, but Google does not have a 'back door' for the government to access private user data."

Facebook: "Protecting the privacy of our users and their data is a top priority for Facebook. We do not provide any government organization with direct access to Facebook servers. When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law."

Yahoo: "Yahoo! takes users' privacy very seriously. We do not provide the government with direct access to our servers, systems, or network."

Paltalk: "We have not heard of PRISM. Paltalk exercises extreme care to protect and secure users' data, only responding to court orders as required to by law. Paltalk does not provide any government agency with direct access to its servers."

AOL: "We do not have any knowledge of the Prism program. We do not disclose user information to government agencies without a court order, subpoena or formal legal process, nor do we provide any government agency with access to our servers."

Dissecting The Wording and What They Can't Say

The similarity in all the statements is clear. All mention that they would only comply with orders for requests about access to information if forced to do so under the law and that they do not provide "back door" or "direct" access to their servers and to user account information.

Experts believe that commonality in statements could mean a few things. The first is that the companies simply can't talk about this to begin with.

"If these companies received an order under the FISA amendments act, they are forbidden by law from disclosing having received the order and disclosing any information about the order at all," Mark Rumold, staff attorney at the Electronic Frontier Foundation, told ABC News.

John Black, an assistant professor of Computer Science at the University of Colorado, shared a similar opinion. "Many times these laws say they have to comply and they can't disclose their compliance," Black said.

However, the companies are talking about it, they aren't simply saying "no comment." Apple and Paltalk are even specifically saying they have never heard of PRISM.

Rumold says that could be a technicality. "Apple might have had no idea of the government's codename for the program, which was PRISM. What Apple didn't say is that we have never given the NSA access to our data." Rumold went to Berkeley Law and is involved with lawsuits with the NSA and the Department of Justice about some of the other wiretapping cases.

Google, on the other hand, said there was no back door to its servers. "Back door at Google might have one meaning, but what they didn't say is they aren't giving the NSA widespread access to data, which they could potentially say if they had not received an order and given the NSA access to their data," Rumold said.

Black echoed the same thought. "They seem consistently careful in saying we don't give back-door access to the government servers. That's not the same thing as saying the government has no way to access any of our data." Black explained that maybe the NSA doesn't have access to the servers, but the companies don't deny that the government can get whatever information it may want.

James R. Clapper, the director of national intelligence, said in a written statement that the Post report and another on phone surveillance by The Guardian contained "numerous inaccuracies," and that the data collection only targets non-Americans outside the United States.

President Obama stressed that members of Congress have repeatedly been informed of these programs."The programs that have been discussed over the last couple days in the press are secret in the sense that they're classified, but they're not secret in the sense that when it comes to telephone calls, every member of Congress has been briefed on this program," he said.

Still, both Black and Rumold say it is highly unlikely that the technology companies wouldn't have been informed of these programs.

"Google is probably the biggest collection of information on Earth. It would be shocking to me that the NSA wasn't attempting with all its power to get access to Google," Rumold said. "Google might have very well fought a valiant and difficult fight to keep the NSA away from it, but there is only so much it can do as an American company if you get a valid United States court order."

Copyright 2013 ABC News Radio


NSA Director on Cyberattacks: ‘Everybody’s Getting Hit’

iStockphoto/Thinkstock(WASHINGTON) -- Gen. Keith Alexander, the commander of U.S. Cyber Command and director of the National Security Agency, Wednesday bluntly addressed widespread cyberattacks hitting major corporations and the damaging loss of intellectual property being harvested from their computer networks.

“From my perspective, this is huge,” Alexander said at a symposium sponsored by the computer security firm Symantec. “When we look out there – the companies that have been hit – you look across the board: Everybody’s getting hit.

“In 2012, just some of them — Nissan, MasterCard and Visa -- that should make all of us concerned,” Alexander said.  “[In] 2011, RSA, COMODO, Epsilon, L-3, Sony, Citi, Lockheed Martin, Northrup Grumman, Google, Booz Allen, DigiNotar, Mitsubishi, Sony, Adidas – I had to bring that one in for our allies -- Stratfor, Visa, [US] Chamber of Commerce.

“We see the biggest amount of theft going to intellectual property for most of these companies,” he added. “And when you look at it, the theft that’s going on hits in two directions, either directly hitting the company that they’re trying to steal the information from, or they’re stealing the certificates and keys to get into that company to steal the intellectual property. Either way, they’re getting it.”

According to U.S. intelligence officials, in 2009 U.S. companies suffered losses of about $50 billion from their research and development efforts.

Alexander addressed a series of disruptive “denial of service” attacks on Wall Street and U.S. banks that have been going on since September. During a denial of service attack, computer systems are intentionally overloaded and become unable to function properly, often crashing a website or slowing it to a crawl.

He also mentioned a cyber attack against a Saudi oil company, Saudi Aramco, that resulted in vast amounts of company documents and emails being digitally vaporized by a malicious computer virus.

“What we have is a huge concern: theft by crime, theft of intellectual property, and now disruption, destruction coming on these networks. And we’ve got to address that,” Alexander said.

The destruction of data could have massive implications for financial institutions and global stock markets, according to security officials. In 2008, then-Director of National Intelligence Mike McConnell warned Congress about the threat in congressional testimony.

“Our experience to note that when people break into a network, they’re often there for six to nine months before we detect them,” Alexander told the conference. “Six to nine months, you’re allowed to roam freely about that network. You own it. You can take all the intellectual property you want.”

Ironically, as Alexander was addressing the Symantec Government Symposium, there were reports circulating that a hacking group called Hack the Planet had allegedly hacked into Symantec’s network and compromised a database of more than 3,000 Symantec employee e-mail addresses and passwords.

Symantec, in a prepared statement, said it was aware of the claim.

“We take each and every claim very seriously and have a process in place for investigating each incident,” it said. “Our first priority is to make sure that any customer information remains protected.  We are investigating these claims and have no further information to provide at this time.”

Describing the Internet traffic and infrastructure that creates the cyber domain, Alexander addressed privacy concerns as he advocated a way for the private sector and the government to come together to work on cybersecurity issues.

“The government is not looking at the traffic; industry’s looking at the traffic, and they have to do that to own and operate these networks. We’re going to help them with signatures and other things,” Alexander said, addressing the issue of identifying when companies have become vulnerable. “They need to tell us when they need our help. But it’s got to be done in time for us to help.”

Following Congress’ failure to pass cybersecurity legislation this year, according to federal officials, a draft executive order being circulated by the White House would allow intelligence agencies, including the NSA, DHS and the FBI, to share information about cyber threats with critical infrastructure entities such as water plants, the energy sector and financial institutions.

In his remarks Wednesday, Alexander also addressed the need for education of the public on issues relating to cybersecurity.

“Most of the people do not technically understand the network and what we’re talking about,” he said. “And so there’s a lot of paranoia out there. You know, we have to help them understand – everyone understand in the United States and our allies – actually what we mean by operating in cyberspace a secure area where we protect our civil liberties and privacy. We can do both.”

Copyright 2012 ABC News Radio

ABC News Radio