
6/7/2013
05:02 PM

Obama Defends NSA Prism, Google Denies Back Door

You can't have 100% security, 100% privacy and 0% inconvenience, insists President Obama.

In defense of classified government surveillance programs that were revealed in the past week, President Obama on Friday offered reassurance that U.S. intelligence efforts are lawful, echoing a statement published the day before by James R. Clapper, Director of National Intelligence.

"When it comes to telephone calls, nobody is listening to your telephone calls," President Obama said during a press conference at the Fairmont Hotel in San Jose, Calif. "As was indicated, what the intelligence community is doing is looking at phone numbers and durations of calls. They are not looking at people's names, and they're not looking at content. But by sifting through this so-called metadata, they may identify potential leads with respect to folks who might engage in terrorism."

Clapper said as much in a statement issued on Thursday. "The program does not allow the Government to listen in on anyone's phone calls. The information acquired does not include the content of any communications or the identity of any subscriber. The only type of information acquired under the Court's order is telephony metadata, such as telephone numbers dialed and length of calls."


No eavesdropping allegation was made, however. The Guardian on Wednesday reported on the existence of a secret court order that requires Verizon to provide the NSA with all records of phone calls on its network on an ongoing basis. The records represent metadata: phone numbers involved in a call, the call time and duration, and location data, for example, but not the words that were said during the call.

In any event, the scope of the U.S. government's surveillance activities goes beyond metadata. The Guardian and The Washington Post on Thursday revealed the existence of a surveillance program called PRISM, which reportedly provides the NSA and FBI with the ability to siphon data directly from the servers of major Internet companies such as Apple, Facebook, Google, Microsoft and Yahoo.

According to The Wall Street Journal, the NSA has been getting data from AT&T and Sprint, as well as credit card companies and Internet companies.

PRISM, according to The Guardian, gathers data as well as metadata: search history, emails, file transfers and chats.

President Obama acknowledged the collection of online content from Internet companies by noting, "Now, with respect to the Internet and emails — this does not apply to U.S. citizens and it does not apply to people living in the United States."

Nonetheless, Internet communications involving U.S. citizens may be caught in the dragnet: Clapper said that PRISM included procedures that "minimize the acquisition, retention and dissemination of incidentally acquired information about U.S. persons."

President Obama noted that the two surveillance programs have been "authorized by broad bipartisan majorities repeatedly since 2006." Documents posted on Cryptome.org suggest that PRISM has been active since at least 2003. And The Wall Street Journal says that intelligence officials trace such broad intelligence gathering back to the Sept. 11, 2001, terrorist attacks.

In an emailed statement, Google insisted it doesn't provide the government with access to user data. "Google cares deeply about the security of our users' data," a company spokesman said in an email. "We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government 'back door' into our systems, but Google does not have a 'back door' for the government to access private user data."

Google reiterated and elaborated on this point in a blog post attributed to CEO Larry Page and chief legal officer David Drummond on Friday. "Press reports that suggest that Google is providing open-ended access to our users’ data are false, period," Page and Drummond state. "Until this week's reports, we had never heard of the broad type of order that Verizon received — an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users' Internet activity on such a scale is completely false."

Clapper claims that the surveillance program revealed by The Guardian and The Washington Post is lawful under Section 702 of the Foreign Intelligence Surveillance Act and that the government's activities conform with established oversight requirements. Section 215 of the Patriot Act also appears to be implicated in the government's ability to justify such surveillance.

Taking Google's statement at face value and assuming the press characterization of PRISM is accurate — and late Friday there appeared to be reason to doubt some of the initial claims — Google could be simply providing the NSA with access to data as required by law. A June 7 New York Times story indicates as much. There's also the possibility that the NSA could be obtaining Google customer data without Google's knowledge. Evidence of that, however, has yet to be demonstrated.

Google's Transparency Report includes data on government information requests related to criminal investigations. But the company provides only limited disclosure about government information requests under national security laws, specifically the receipt of National Security Letters. In other words, Google's Transparency Report isn't entirely transparent.

Google, however, clearly wants to reassure users that it isn't just rolling over. "I'm not sure what the details of this PRISM program are, but I can tell you that the only way in which Google reveals information about users are when we receive lawful, specific orders about individuals -- things like search warrants," said Google+ chief architect Yonatan Zunger in a post.

Comments
Geoaddict
User Rank: Apprentice
6/14/2013 | 11:53:36 AM
re: Obama Defends NSA Prism, Google Denies Back Door
PRISM and National Security Letters (NSLs) are different. At least PRISM requires a court order, albeit from a secret court. NSLs require no court order and there seems to be no oversight except, perhaps, an internal policy. We will never know since any internal policy is secret. Google has tried to include NSL numbers in their Transparency Report. The law prohibits them from disclosing that they have even received an NSL, let alone how many they have received. To their credit, Google did receive permission earlier this year (http://goo.gl/lZ0eK) but they were only able to disclose how many they receive within a range of thousands of NSLs.
moondog333
User Rank: Apprentice
6/10/2013 | 5:33:39 PM
re: Obama Defends NSA Prism, Google Denies Back Door
"Nothing to see here...move along!"
This has been the default statement every time something like this gets exposed.
DDURBIN1
User Rank: Apprentice
6/10/2013 | 5:31:07 PM
re: Obama Defends NSA Prism, Google Denies Back Door
So now our constitutional rights are an inconvenience we should expect to be inconvenienced. The US Supreme Court blew it again.
zerses
User Rank: Apprentice
6/10/2013 | 12:56:01 AM
re: Obama Defends NSA Prism, Google Denies Back Door
Wait a second, why isn't the author asking the OBVIOUS question?

If GOOGLE and others are DENYING that they have done anything then WHO in their organization was given the HEADS UP and WHO gave them the INFO? If they WERE NOT INFORMED as REQUIRED BY LAW...

WHO IS LYING?????

Why no real questions? Without them we will get NO REAL ANSWERS.
dbtinc
User Rank: Apprentice
6/9/2013 | 1:23:56 PM
re: Obama Defends NSA Prism, Google Denies Back Door
He attempts to defend the indefensible.