Evolution Of The PRISM Denials: This May Be Why They Seem So Similar

Source: Washington Post, The Guardian

Quite a bit of debate has emerged by how similar these various denials of PRISM involvement are from the tech companies involved. I think they’ve all evolved naturally from each other and from the stories they were responding to. This is my reasoning.

Google & The “Back Door”

Both the Washington Post story and the Guardian story had this statement from Google in their stories when they initially ran:

Google cares deeply about the security of our users’ data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door‘ into our systems, but Google does not have a ‘back door’ for the government to access private user data.

I don’t recall seeing denials from other companies, when these stories first appeared. Maybe I missed them, but I’m pretty sure they weren’t there, because almost immediately after the stories came out, I started working on our story with reactions from the tech companies — which turned into a long list of denials.

If you see more denials now, that seems largely because after denials came out, they were added to the stories — something that’s not noted in the stories.

Why’s Google talking about a back door? My guess is because it was asked about this by one of the publications, probably the Washington Post, which I believe was slightly earlier than The Guardian to publish. The Post has this in its article:

When a clandestine intelligence program meets a highly regulated industry, said a lawyer with experience in bridging the gaps, neither side wants to risk a public fight. The engineering problems are so immense, in systems of such complexity and frequent change, that the FBI and NSA would be hard pressed to build in back doors without active help from each company.

If you ask a company if it’s providing a back door, that increases the chances it will respond using that particular language.

The Google statement was out at least around 3:30pm PT, because I emailed Google about it at that time, asking them to reconfirm it for me and to specifically ask:

 is Google part of this PRISM program and, if so, how does it grant access to data and what types?

Google reconfirmed this about 3 minutes after I asked but also added it had no knowledge of the program and wasn’t participating in it. That was the answer to my second question, but it wasn’t on record and part of the statement I was allowed to use. That caused me to go back to Google to see if I could get it on record.

Apple & “Never Heard Of PRISM” &  “Direct Access”

While I was waiting on Google, the next denial I saw came from Apple, which came around 4pm PT as quoted by CNBC. To repeat it:

“We have never heard of PRISM. We do not provide any government agency with direct access to our servers.”

I’ve highlighted two key parts, because they’re important. The “direct access” part comes up almost certainly because by then, Apple had seen the stories that talked about it providing direct access to its servers. From the Washington Post:

The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies….

Equally unusual is the way the NSA extracts what it wants, according to the document: “Collection directly from the servers of these U.S. Service Providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.”….

Several companies contacted by The Post said they had no knowledge of the program, did not allow direct government access to their servers and asserted that they responded only to targeted requests for information….

Now, the first two paragraphs I’m pretty sure were part of the original story. Someone reading that story might have contacted Apple — perhaps CNBC — and asked if Apple gave “direct access” or something similar based off of it. The third paragraph was added, I think, as the Washington Post updated its story.

As for the Guardian:

Companies are legally obliged to comply with requests for users’ communications under US law, but the Prism program allows the intelligence services direct access to the companies’ servers….

But the Prism program renders that consent unnecessary, as it allows the agency to directly and unilaterally seize the communications off the companies’ servers….

With this program, the NSA is able to reach directly into the servers of the participating companies and obtain both stored communications as well as perform real-time collection on targeted users….

Jameel Jaffer, director of the ACLU’s Center for Democracy, that it was astonishing the NSA would even ask technology companies to grant direct access to user data….

I think all those paragraphs were part of the original story. Again, you can see “direct” or “direct access” being used often, so if Apple was asked by someone reading these stories, it’s natural that it would use the same language in response.

Back To Google & No Knowledge

By 4:49pm PT, I got permission to get specific about Google’s denials — that it wasn’t just saying there was no backdoor but also that it wasn’t involved with PRISM specifically. As best I can tell, I was the first to report that particular aspect. It was important, because by then, various people on Twitter were chattering about what Google “really” meant with the back door denials. IE, sure, it could say there was no “back door” if the NSA was being allowed through the “front door.”

Going on record to say it wasn’t part of PRISM seemed a pretty clear-cut denial to me. And as I worked on further on getting answers back from other companies, I asked specifically about PRISM. That leads to Facebook.

Facebook & “Direct Access”

I can see that at 4:48pm PT, I emailed Facebook to reconfirm a statement it had given The Next Web. That was the first time I’d come across a Facebook statement, so it probably came out very close to that time. I don’t recall seeing any Facebook statement before Google and Apple, not that I recall. It said:

We do not provide any government organization with direct access to Facebook servers.  When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law.

Why’s Facebook using the phrase “direct access?” My guess is for the reason why Apple did — it was asked about the story with that language, or it was responding to that language being used in the stories. Or both. Or triple-threat, it had seen the Apple statement and figured it wasn’t going to go wrong using the same type of denial.

Conspiracy! Not really, not for anyone who has seen companies react when all questioned about anything that might be touchy. They aren’t responding the same way because there’s a secret puppet-master behind the scene. They’re responding that way because like lemmings, that’s the way the herd is going. Though hopefully, not over a cliff.

Facebook confirmed the statement with me at 4:59pm PT. As with Google, I went back to ask Facebook if it could specifically say it wasn’t part of PRISM. It confirmed that at 5:05pm, and I pushed that live into my story. As with Google, I think that’s the first time Facebook went on record specifically denying PRISM.

Microsoft: Unique!

I asked Microsoft for a statement at 5:06pm PT, as I hadn’t yet seen one anywhere. Then I spotted one up on The Verge at 5:11pm (because I emailed Microsoft at that time to reconfirm it):

We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don’t participate in it.

Microsoft’s statement doesn’t use any of the language of the others. It could be because of various reasons. Interestingly, Microsoft — unlike the others I’d talked with at this point — refused to specifically say it wasn’t part of PRISM.

Yahoo: More About “Direct Access”

I asked Yahoo for a statement at 5:16pm PT, as I hadn’t yet seen one anywhere. It came back with this at 5:19pm PT:

Yahoo! takes users’ privacy very seriously. We do not provide the government with direct access to our servers, systems, or network.

Now, the quick turnaround indicates the statement was ready to go, though I hadn’t seen it published anywhere yet. Chances are, it was — that some other publication had asked earlier, so one was ready. And it’s probably so similar to Facebook and Apple because it was responding to the same story and very likely, Yahoo at this point had seen statements from both Facebook and Apple out there already.

That was it for me, yesterday. AOL never got back to me that day (or anyone, I’m pretty sure) and PalTalk — which no one really gets being part of all this — had a no comment, probably because (I’m guessing) they’re a small company with a small PR team that was likely going WTF?

Today’s Statements

Today, we got statements from first Google, then later Facebook that had similar sounding language, in particular about no “direct access” and never having heard of PRISM before yesterday.

My reaction to those similarities was largely, “Duh.” If you’d been watching how the stories emerged, what they said and who responded when, it seems pretty natural why these statements sound similar — and it’s not because of that puppet master pulling strings.

Separately from this, from all my reading so far, my best guess as to what’s going on is that the NSA may have access to ISPs that in turn give them lots or all of the data flowing from these companies but that those who have said they aren’t part of PRISM really aren’t.

It would be extraordinarily stupid to have such strong denials if these companies are knowingly part of these programs. And for those who say, “well, the law might force them to lie,” no. National security laws have prevented companies from revealing they’ve given over data, but I haven’t seen cases forcing them to lie.

That means, if they’re really involved and can’t say, I’d expect a “no comment.” In fact, I’d have expected a loud “no comment” because most of them probably wouldn’t want to do this. But to say flat-out they don’t know about this program and aren’t part of it? I tend to believe that while a program may be out there that somehow gathers their content, that’s not because they know about it.

And anyone can slap a company’s logo on a slide and claim it’s a partner. We’ve only seen 3 of these 41 slides out there that the Washington Post and the Guardian have, and again, personally, I’d like to see much more of what they have so we can better understand specifically what’s going on, assuming that’s not going to put anyone in danger.

Postscript: The New York Times is out now with a story that suggest these companies have been asked, and in some cases knowingly built copies of their data that the government could access. It suggests that part of the “direct access” language might indeed be a way to cover the fact that there are these other services that might as well be direct access.

Also see our analysis of the story, Did Tech Companies Have Checkout & Delivery System For Gov’t Access To Their Data?

Related Articles

• Scope of Alleged Spying On Americans’ Internet Activity Massive, “Beyond Orwellian”
• Google, Apple, Facebook & AOL Deny Participating In Alleged NSA “PRISM” Program
• Google & Facebook To Users: We’re Not Part Of PRISM & Government Needs More Transparency
• Imaginary Letter: Google CEO Larry Page Writes Congress, Asks “What’s Up With PRISM?”
• Did Tech Companies Have Checkout & Delivery System For Gov’t Access To Their Data?
• PRISM, The Tech Companies & Monitoring Versus Requests