Details of NSA Data Requests from US Corporations

Facebook (here), Apple (here), and Yahoo (here) have all released details of US government requests for data. They each say that they've turned over user data for about 10,000 people, although the time frames are different. The exact number isn't important; what's important is that it's much lower than the millions implied by the PRISM document.

Now the big question: do we believe them? If we don't, what would it take before we did believe them?

Posted on June 18, 2013 at 4:00 PM • 47 Comments

Comments

Andrew P • June 18, 2013 4:27 PM

My assumption is that the publicized 10,000-user numbers are for standard LEA requests (mainly FBI and local police looking for individual suspects).

The PRISM stuff is completely separate and it is possible that the higher-ups at Facebook, Google et al. are not even aware of it.

Petréa Mitchell • June 18, 2013 4:30 PM

None of them say they had requests for about 10,000 people.

Facebook says "between 18,000 and 19,000 accounts", where "account" could mean "group page" for all we know.

Apple says "[b]etween 9,000 and 10,000 accounts or devices were specified in those requests" but the outrage about the Verizon disclosure was that no account was specified, right?

Yahoo! says "between 12,000 and 13,000 requests" and nothing about the number of people affected.

What would it take for me to believe them? Well, ideally the system logs, but next best would be a dictionary explaining what they mean by those words. Seeing as this comes after the NSA explaining that "collect" means something entirely different to them than it does to the layman.

JT • June 18, 2013 4:31 PM

Not I. Based on the leaked presentation slides, I still believe there is a backdoor that allows them to pull data at will. At a "minimum" they are pulling at least meta for traffic analysis.

michael • June 18, 2013 4:33 PM

I was responsible for this activity at Skype until 2007. Before, at various EU telcos. These numbers seem credible.
Sorry.

tz • June 18, 2013 4:35 PM

The NSA doesn't make requests, the FBI does. PRISM is NSA not FBI.

If there was a national security letter for the private keys, they wouldn't be turning over any individual data, nor in response to a specific request. The request itself would be to effectively install a backdoor. They might request a new cert with new private keys, but then it would just keep going around.

But the ultimate point is if they did not collect the data (in traceable to your drivers license and SSN form) in the first place, it wouldn't be something the government would desire to have.

DaveN • June 18, 2013 4:50 PM

As Andrew P says, it seems to me that there are two things going on here. I go to Facebook and post a picture of myself in a Nixon mask, holding a bag of cash, in front of a freshly robbed bank. When the local police ask Facebook for information about me and that picture, that's the type of request that gets counted in the 10K.

Then there's the other kind, where they just vacuum up every bit of information on every Facebook account that interests them. That's the type of request they're not talking about. And IMO they're giving out all kinds of information about the first kind of request, partly to deflect attention from the second kind.

Aj • June 18, 2013 5:16 PM

http://www.washingtonpost.com/business/...

By Craig Timberg,

Google asked the secretive Foreign Intelligence Surveillance Court on Tuesday to ease long-standing gag orders over data requests it makes, arguing that the company has a constitutional right to speak about information it’s forced to give the government.

The legal filing, which cites the First Amendment’s guarantee of free speech, is the latest move by the California-based tech giant to protect its reputation in the aftermath of news reports about sweeping National Security Agency surveillance of Internet traffic.

Google, one of nine companies named in NSA documents as providing information to the top-secret PRISM program, has demanded that U.S. officials give it more leeway to describe the company’s relationship with the government. Google and the other companies involved have sought to reassure users that their privacy is being protected from unwarranted intrusions.

In the petition, Google is seeking permission to publish the total numbers of requests the court makes of the company and the numbers of user accounts they affect. The company long has made regular reports with regard to other data demands from the U.S. government and from other governments worldwide.

-snip-

Not Safe Anywhere • June 18, 2013 5:22 PM

Those 10,000+ requests are all for information concerning specific accounts. The NSA's surveillance capabilities likely involve greater numbers and different channels than the ones used for targeted requests.

Think about it: Why does the NSA need a huge data center if all it's getting is thousands of records a year, each collected individually? Why so much secrecy if what they're getting is no different than what they'd get from a regular subpoena? How do you mine so little data for new leads on unknown targets? How do you "go back in time" and review or decrypt untargeted communications after the fact?

Facebook, Yahoo and Apple are either lying through omission (targeted vs untargeted communications) or else are ignorant of something deeper going on (such as NSA capturing raw traffic through various ISPs, using whatever techniques are currently at their disposal to deal with things like HTTPS where necessary).

My guess is they're analyzing streams of data coming from or going to the various big websites, using software to look for correlations to generate leads upon which to launch deeper investigations. They may also be using speech-to-text software as one of those data streams to look for keywords in telephone conversations.

The Smart Money • June 18, 2013 6:21 PM

The numbers released by companies aggregate accounts affected by all national security AND law enforcement requests. It is everything. And Bruce is right: the numbers don't add up to what PRISM was alleged to be (heck, neither did the 20 million dollar per year budget contained in the powerpoint slides!).

As to whether to believe a contractor on the job for 3 months who has consistently exaggerated his role and powers, or the public, material, and no doubt carefully reviewed statements from several different independent companies who could (and most certainly would) be sued by shareholders for issuing false statements on this subject, that's your call.

Snowden can't be punished for making false statements about these programs, or his level of access, or his capabilities during his self-described tenure as a "career intelligence officer."

In other words, Snowden has every incentive at this point to lie and exaggerate in order to inflate his own value. It's pretty clear now that he has done so. The public companies, by contrast, have every incentive to NOT issue any material and false statements at this point.

So place your bets.

David • June 18, 2013 6:46 PM

When you listen to all the government officials claiming things about what 'the NSA' does and doesn't do, it makes me wonder, given the above mentioned redefinition of 'collect', what the answers would be if we asked about 'contractors'.

My guess is that the contractors are doing all the real 'collecting' because they are not 'government' and don't have to abide by constitutional restrictions (remember Anonymous already exposed some of these contractors who planned to use their government approved spying in order to take down some journalists .. Greenwald among them). Meanwhile the NSA gets all the questions and answers with 'no, "we" are not listening in on phone calls, or reading emails illegally' ... forgetting to clarify that they are paying contractors to do it for them.

Of course, when the NSA 'connects the dots' that's called 'intelligence' ... when we connect the dots, they call it conspiracy theory.

Leguleius • June 18, 2013 6:50 PM

I'm a wordsmith by profession. Open questions for the press release authors:

1. Did the NSA or other intelligence services have the right of final approval of the text of your release?

2. Is it correct to read these releases as acknowledging that a "request" as used in your releases can refer to more than one account?

3. It is clear from at least two of these statements that numbers provided as to accounts "specified" or as to "which data was requested" speaks only to which accounts were targeted in "requests," and does not disclose the number of accounts for which data was PRODUCED. These further questions are begged by the parsimonious nature of the evasive releases:

a. Did the "requests" require you to produce information related to accounts OTHER THAN the accounts "specified" or as to "which data was requested?" In other words if a request identified account holder "X," did the request require and did you produce data, including without limitation traffic analysis or metadata or communications content all or part of the entire network of other persons associated, in contact with, or related in some way to the targeted account holder? In the Facebook context, did you produce data for all friends of the specified account, did you produce communications between all other member accounts and the specified target account, did you produce a list of the other accounts that had VIEWED the specified account?

b. More to the point, irrespective of the number of "requests" and the number of accounts "specified" or named accounts "for which data was requested," HOW MANY ACCOUNTS WERE IMPLICATED BY THE DATA YOU PRODUCED IN RESPONSE TO THE REQUESTS?

c. If data about accounts "networked" in some fashion with a specified target were produced, to how many levels of relation did these productions reach? In other words, how many "friends of friends" or "contacts of contacts" of the original target had data about or generated from THEIR accounts produced whether or not they were "specified" in the "requests" or were the named accounts or users "for which data was requested?"

4. What was the average size of the data produced, in megabytes, for each "request" with which you complied?

Misdirection • June 18, 2013 7:04 PM

@The Smart Money

"And Bruce is right: the numbers don't add up to what PRISM was alleged to be (heck, neither did the 20 million dollar per year budget contained in the powerpoint slides!"

Suggesting the numbers disclosed here have nothing to do with PRISM. National Security Letters != PRISM.

Fritz • June 18, 2013 7:26 PM

Why do they have to provide ranges for these requests? Does the govt think if terrorists know that 9000-10000 requests were made then it's OK but if they knew that 9365 requests were made then they'd be able to glean useful information and destroy America?

Narus • June 18, 2013 7:36 PM

Steve Gibson over at grc.com seemed to have a plausible theory on the millions referred to in the PRISM document. He posits that they were collected at the NSA's "secret room" in AT&T's San Francisco switching office (something that was revealed to the public back in 2006: http://www.wired.com/science/discoveries/news/...). Thus unbeknownst to Google et al, and the 10,000 or so requests that they received were probably a result of NSA sifting through those.

Someone • June 18, 2013 7:42 PM

@Leguleius

Interesting. I hope you pass those questions along to your Congresspersons (assuming you have ones who are open to questioning the NSA programs).

The Smart Money • June 18, 2013 7:54 PM

The aggregate includes all national security and law enforcement requests, Misdirection, not just NSLs.

It'd be interesting to see one of the companies respond to some of Legul's questions, but the number of user/accounts requested would be everything that falls into the scope of the requests.

So if a request is general and catches 3 million accounts, then the number for user/accounts requested should be 3 million.

I don't see how one can receive a general request that catches 3 million accounts, and then claim a lower number of user/accounts requested. That would simply be lying, and would open these companies to enormous legal liabilities. Nor would, before someone mentions it, these statements be covered under the liability shield in FISA.

As far as whether account data for Facebook involves a list of every account that has viewed the requested account, I think that's an interesting question, though a separate one from the issue of whether the initial allegations about PRISM are true.

Misdirection • June 18, 2013 8:04 PM

@The Smart Money:

National security requests != PRISM. National security requests are for records. PRISM is for surveillance. Big difference.

bf skinner • June 18, 2013 8:26 PM

Remember how Heartland payment processing claimed that only 10 thousand records had been disclosed? And they only admitted to Californians being compromised because only California made disclosure a law?

Show us the orders. I'll believe that a corporation will give bare minimal response to the orders. And if that's all the orders called for? I'd believe them.

bf skinner • June 18, 2013 8:29 PM

Oh. And...who's PAYING and HOW MUCH are they paying the corporations to provide the data.

Everything costs and it's reasonable to believe that the USG is defraying corporate costs for the activity.

If we see the costs...that'll give us an idea of the scope.

DJ • June 18, 2013 8:41 PM

What if NSA has all the secret keys associated with those companies' certificates? It doesn't have to ask these companies for specific accounts or access to the servers. All it needs to do is monitor the Internet activities in the middle.

DJ • June 18, 2013 9:36 PM

@misdirection it's easy for a company e.g. Google to detect the presence of a forged certificate. But if NSA somehow manages to intrude into the key pair generation or storage process, then they can do everything as claimed without getting noticed by those companies.

Figureitout • June 18, 2013 10:34 PM

Fritz
Why do they have to provide ranges for these requests?
--B/c they don't know the exact number. Just like they don't even know all the laws we're supposed to follow. Ask a LEO what laws s/he is supposed to enforce...So essentially our "rights" are just make-believe ideas that can be trashed at the whim of a human being.

Magnum • June 18, 2013 11:11 PM

It seems pretty obvious to me that the NSA vacuums up all the data that passes through the hands of our esteemed, beneficent digital feudal lords, while the legal requests (whether from the NSA themselves or some other govt TLA) are either to calibrate their analyses of the raw data or to provide a fig leaf in actual cases against pesky troublemaking citizens oops I mean terrorists.

I wouldn't worry about Snowden blabbing too much (besides the rope he's giving to anti-privacy propagandists to assassinate his character with). Probably tens of thousands of people know what he knows. I don't care if he was a system administrator, those guys only have "access to everything" in dumb corporations where the typical office worker is too stupid to set up his own computer. The NSA doesn't strike me as being like that, at least with the people that work with the truly sensitive stuff.

CognativeDisonance • June 19, 2013 1:06 AM

Look at how the non-sent email from Steve Jobs a while ago is being used by DOJ to persecute Apple Corporation. How did they collect it and why are they using it to extort money from Apple (in fines for supposedly fixing e-books pricing)? And why is it even admissible in court as something on his computer that was not even sent to the intended recipient? Thank you "1984".

Figureitout • June 19, 2013 2:03 AM

Now the big question: do we believe them? If we don't, what would it take before we did believe them?
Bruce
--No. The 2nd coming of Jesus Christ riding a unicorn over a quadruple rainbow.

jfw • June 19, 2013 2:59 AM

I was raised in "sovijet Germany".
As the family of a Lutheran minister we were 1st class surveillance targets...

No, I'm not surprised. Nor would I ever trust big data heavens. That's why we made Askemos!

Maintains our "private cloud": they might be able to break an encryption key, or even simpler break into the home of a peer and copy the hard disk. We don't care because it would give the data about a handful of people. For the rest they would have to do it again and again...

Mork • June 19, 2013 3:13 AM

The PRISM stuff is completely separate and it is possible that the higher-ups at Facebook, Google et al. are not even aware of it.

One thing I don't get, is why security specialists all around the world never noticed anything suspicious.

Are all real security specialists working for the NSA? Is the NSA paying that good?

If there are no people in security good enough detecting such a huge surveillance and hacking system, we have a huge problem.

jfw • June 19, 2013 3:18 AM

PS: ...and if they analyse the traffic, they will mostly find noise in the form of hashsums from the process of assembling content from pieces, only loosely related to the actual communication pattern. There is always some traffic originating from my machine, even when I'm obviously not using it. Worse: my machine is not at my home...

Scott • June 19, 2013 3:34 AM

@misdirection
National Security Letters != PRISM

Confusing isn't it? There are three NSAs. The one represented by Clappers, the one represented by Senator "Blum" Feinstein, and the other one. If it wasn't compartmentalised the contradictions'd make it dysfunctional, but it's not.

Simple really.

As for the rest of the US intelligence organisations, and all the private US intelligence companies... different, smaller dogs, same leg action.

Robert • June 19, 2013 6:31 AM

@DJ:

SSL has perfect forward security if used in a proper mode: even if you have server's private key, you can't decipher the communication passively. Any active measures would be expensive and, as far as I know, detectable.
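An added example, not part of the comment above or of the original post: a Python audit that sorts OpenSSL-style cipher-suite names by whether the key exchange is ephemeral, which is the "proper mode" distinction the comment relies on. The suite list is constructed sample data, and the helper names (`classify_suite`, `audit`, `forward_secret_context`) are hypothetical; OpenSSL naming conventions are assumed.

```python
import ssl

# OpenSSL name prefixes for suites whose key exchange is ephemeral (EC)DH.
# With these, the server's long-term private key only signs the handshake,
# so a passive recorder who later obtains that key cannot derive session keys.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
# Anonymous (EC)DH is ephemeral too, but unauthenticated; flag it separately.
ANONYMOUS_PREFIXES = ("ADH-", "AECDH-")


def classify_suite(name: str) -> str:
    """Return 'forward-secret', 'anonymous' or 'not-forward-secret'."""
    if name.startswith("TLS_"):
        # OpenSSL's naming for TLS 1.3 suites; TLS 1.3 full handshakes
        # always use an ephemeral (EC)DHE exchange.
        return "forward-secret"
    if name.startswith(EPHEMERAL_PREFIXES):
        return "forward-secret"
    if name.startswith(ANONYMOUS_PREFIXES):
        return "anonymous"
    # Everything else (RSA key transport such as "AES128-SHA", static DH/ECDH,
    # plain PSK) lets the holder of the long-term secret decrypt recordings.
    return "not-forward-secret"


def audit(names):
    """Group suite names by classification, preserving input order."""
    report = {"forward-secret": [], "anonymous": [], "not-forward-secret": []}
    for name in names:
        report[classify_suite(name)].append(name)
    return report


def forward_secret_context() -> ssl.SSLContext:
    """Server-side context whose TLS 1.2 suites are limited to ECDHE + AES-GCM."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ECDHE+AESGCM")
    return ctx


def enabled_suites(ctx: ssl.SSLContext):
    """Names of the suites a context will actually offer or accept."""
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed sample: a server configuration mixing both kinds of suite.
CONSTRUCTED_SERVER_LIST = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA",
    "AES128-SHA",
    "RC4-SHA",
    "DES-CBC3-SHA",
    "TLS_AES_128_GCM_SHA256",
    "ADH-AES128-SHA",
]

if __name__ == "__main__":
    for kind, names in audit(CONSTRUCTED_SERVER_LIST).items():
        print(f"{kind}: {', '.join(names) or '-'}")
    print("hardened context:", ", ".join(enabled_suites(forward_secret_context())))
```
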

Jack • June 19, 2013 7:49 AM


"Now the big question: do we believe them? If we don't, what would it take before we did believe them?"


I think a lot of people will say they believe them, but they are lying. It is just one of those outward things people say. It has long been common knowledge that the US Government grabs all data.

What I do not think they usually get is why they should care. Though, I do not think anyone believes the US Government grabs all the data "for terrorism" -- a truly ludicrous and despicable lie.

Technically, of course, Snowden was not deep in the system. Yet, look at the disclosures he has given the world so far. Does the US Government know how to compartmentalize?

So why were details of PRISM and the NSA mass wiretapping spread so far and wide within the government?

Imagine: So you have completely compromised a company's networks. Say you actually find some information you want to be able to share with that compromise. You need a cover for that compromise.

Does anyone really believe the US Government has not completely compromised Microsoft, Yahoo, Google, and these other companies?

I am not sure about how far and wide that knowledge is in these companies. There are many cover stories their people can be told. It is unwise to trust a wide array of business executives - especially silicon valley liberal business executives - with such information.

There is no way to guarantee control of them.

In many cases, the compromise likely happened under the auspices of a government team coming into the company to work undercover for some other cause, for instance, for a counterintelligence investigation. Or for a security audit of their code. Which they can mandate because that code will run on their systems or be used by their agencies.

Nobody asks any questions about all of the consultancy teams coming in and out of these companies.

Bob T • June 19, 2013 9:58 AM

Now the big question: do we believe them? If we don't, what would it take before we did believe them?

I believe that the companies are telling us what they legally can which is less than what is actually going on.

I don't believe the government's story at all. I don't believe anything that comes out of Washington. What would it take for me to believe them?

It would take them to start following our Constitution. First off, staying out of undeclared wars and staying out of the middle of spats between other countries would alleviate 90% of their temptation to violate our other rights and privacy. The other 10% of temptation comes from power and economic opportunities related to governmental politics and corruption. Our complex problems really come from straying from a few very simple ideals that the nation was formulated on.

If our government starts operating with self restraint and humility, I might start believing them again. I don't think that will happen in my lifetime though. At least not without a total calamity which might end up instead being even worse.

Nick P • June 19, 2013 12:47 PM

@ Clive Robinson re Pork/politics

Yes, pork spending and political gains can justify ridiculous stuff. It's been long known in the states. There's a few main ways that can happen in defense:

1. It benefits the big defense contractors who later hire the Pentagon big shot who authorized it.

2. It benefits politicians via campaign contributions, charitable donations, image boost, or perks.

3. It benefits politicians via jobs. This is a big one. One of voters' main expectations is that their politicians bring their state jobs, a better economy and so on. Many defense contracts and spending that seem to have "no" benefit actually have the real benefit of jobs.

In each of these cases, the project was money well spent rather than a waste. It's all perspective. Many people just make the mistake to assume their elected officials share their perspective. If that ever happens, it's quite uncommon. ;)

Jack • June 19, 2013 5:38 PM

Another 911 or worse, and the whole thing will collapse. We will have drones with guns on every city block.

Even these smaller actions like the Boston Bombers feed into the inertia of this direction.

The two work together, hand in hand.

Right now, the real danger is that there are a few people "in power" using this to subvert politicians and other lesser power brokers. Not so much that the government is targeting you, personally. More like they can run government as they please, killing candidates as they want to. (I do not mean literally.)

Thankfully, when they did this in the past (which means the first fifty years of the existence of the FBI, and similar histories with the NSA and CIA) they did not, at least, succeed in their many very wild attempts to down, for instance Martin Luther King Jr.

But not for lack of trying.

And they always do this thing saying it is for the good of the country -- when, by "country" they, of course, mean, for their own self and their own prized (and yet oh so temporary and mortal) place above the other turtles on whose backs they sit.

Did I just inject a Dr Seuss reference there?

Dirk Praet • June 19, 2013 6:51 PM

Every relation, personal or business, is based upon mutual trust and respect. Yahoo, Apple, Facebook and Microsoft management know very well that Snowden's revelations have severely damaged the trust part of the relation with their user base. What we are seeing here is damage control in the form of carefully crafted PR initiatives.

@ Leguleius and @ Bob T make a couple of excellent points: they're telling us what they legally can. This begs the question how on earth they can possibly restore the trust of their users on a topic that is surrounded by secrecy, gag orders and double speak. The simple answer for me is that they can't because things just don't work that way.

So, do I believe them? Of course not. What would it take for me to believe them? Growing a pair of balls would be a good start, but I doubt they will. The USG can't shut them down if anyone would decide to come clean, but some serious scrutiny by the IRS or the DoJ retaliating Joseph Nacchio style is enough of a menace to shut up any CxO who contrary to people like Manning and Snowden has no intention whatsoever to risk losing it all.

aboniks • June 20, 2013 11:34 AM

Dirk,

"...This begs the question how on earth they can possibly restore the trust of their users on a topic that is surrounded by secrecy, gag orders and double speak. The simple answer for me is that they can't because things just don't work that way..."

For a certain minority of users, you're right, the trust will be gone. For the majority, I suspect trust will simply continue to be part of the background noise, as it was before Snowden.

Look at the market penetration...users who want to walk away from these companies have very few places to go that will offer them equivalent services with equivalent ease of use.

It's not like they were even aware of the terms under which they used these products and services in the first place...it's not because they trust the people who write EULA documents...it's because they can't be bothered to read them in the first place.

Apathy; it's future-proof.

aboniks • June 20, 2013 11:42 AM

As an aside, the dog and pony show of PR reaction from these companies isn't directed at the users at all. It's aimed at shareholders first and partners second.

Pig farmers don't hold press conferences for their pigs.

Peter • June 20, 2013 8:26 PM

There are still too many questions about PRISM. I think it's a shame that The Guardian is only producing new scoops every day, instead of making their claims more reliable and trustworthy. Why didn't they publish more of the 41 slides, so we can get a better idea of how it's working? Also a number of other things, like quite exaggerated claims made by Edward Snowden, should raise questions, which are hardly heard...

twofish • June 21, 2013 8:20 AM

Conspiracy theory time....

What I think may be going on is that the NSA data requests are just a cover. NSA and FBI use surveillance from PRISM to catch people. Once they figure out who they want from PRISM, only *then* do they write the national security letter, and the only purpose of the letter is so that they have an excuse for how they got the information if they have to go to court.

I'm rather certain that as more information comes out it will be obvious that this is what is going on. Once people look at the numbers of NSL's, the interesting number will be how *low* those numbers are. They are *low* in number because when the NSL is issued the NSA already has the information that it wants, and the only purpose of the NSL is to hide where the NSA actually got the information.

I think that the major ISP's realize that this is going on, and so they want the numbers out so that they don't get killed when the storm really hits. If someone at a major ISP realizes that they got 10 requests last year, and all of them hit a major terrorist, it doesn't take too much effort to figure out what is going on.

twofish • June 21, 2013 8:30 AM

The other thing is that I'm pretty sure that the NSA has broken the private keys for the major internet companies. It turns out that the fact that internet services have been concentrated in a few large companies has become a security flaw. If everyone used end-to-end encryption, then breaking a key for one person doesn't get you very far, but if you have a few large ISP's, then it becomes cost-effective to break their keys.

I think over the next few weeks it will be obvious that this is what the NSA has done, because documents will turn out indicating that the NSA has information gotten from the ISP's that they could not have possibly gotten through a National Security Letter. Once someone shows a document from ISP X, and ISP X denies that they gave people access to get that document, it's going to be obvious what happened.

Curiously the standards that NIST puts out do not recommend that large ISP's use stronger encryption. I wonder why that is......

But the real blowback will come once people figure out that by encouraging weak crypto so that the NSA can read people's e-mail, they also made the US commercial infrastructure vulnerable to cyberhacking by foreign powers. If the NSA can break the keys of the major ISP's so presumably can China, Russia, and maybe Iran......

twofish • June 21, 2013 8:35 AM

The fact that Snowden is putting out the documents piece by piece is a good strategy. If it put them all out at once, people would tell the standard lies, and then everyone will forget about things in a few days.

What is happening is that they are putting out a few documents, *expecting* that the standard lies will be told about them, and once the lies are told, putting out a few new documents. Repeat over the course of several months.

Once the people in power realize that Snowden has a ton of documents, and they don't know what he has and what he hasn't, they may try something radical like telling the truth.

James M. Atkinson • July 5, 2013 4:17 PM

As I review the documents in question, what I see is that the NSA (by way of DISA and the U.S. Army) obtained what is called a "General Warrant" from the FISC. But the FISC specifically lacks the authority to issue such a warrant, so if they did, then under 42 USC 1983 and under 18 USC 14141 they are liable both civilly and criminally as they are legally required to resign or be removed from office.

They also forfeit any and all forms of judicial immunity, as does any person involved in any stage of this program.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..