If you’ve been reading the news recently, you might think that corporate America is doing its best to thwart NSA surveillance.
Google just announced that it is encrypting Gmail when you access it from your computer or phone, and between data centers. Last week, Mark Zuckerberg personally called President Obama to complain about the NSA using Facebook as a means to hack computers, and Facebook's Chief Security Officer explained to reporters that the attack technique has not worked since last summer. Yahoo, Google, Microsoft, and others are now regularly publishing "transparency reports," listing approximately how many government data requests the companies have received and complied with.
On the government side, last week the NSA's General Counsel Rajesh De seemed to have thrown those companies under a bus by stating that—despite their denials—they knew all about the NSA's collection of data under both the PRISM program and some unnamed "upstream" collections on the communications links.
Yes, it may seem like the the public/private surveillance partnership has frayed—but, unfortunately, it is alive and well. The main focus of massive Internet companies and government agencies both still largely align: to keep us all under constant surveillance. When they bicker, it’s mostly role-playing designed to keep us blasé about what's really going on.
Two Surveillance Regimes, Still in Force
The U.S. intelligence community is still playing word games with us. The NSA collects our data based on four different legal authorities: the Foreign Intelligence Surveillance Act (FISA) of 1978, Executive Order 12333 of 1981 and modified in 2004 and 2008, Section 215 of the Patriot Act of 2001, and Section 702 of the FISA Amendments Act (FAA) of 2008. Be careful when someone from the intelligence community uses the caveat "not under this program," or "not under this authority"; almost certainly it means that whatever it is they're denying is done under some other program or authority. So when De said that companies knew about NSA collection under Section 702, it doesn't mean they knew about the other collection programs.
The big Internet companies know of PRISM—although not under that code name—because that's how the program works; the NSA serves them with FISA orders. Those same companies did not know about any of the other surveillance against their users conducted on the far more permissive EO 12333. Google and Yahoo did not know about MUSCULAR, the NSA's secret program to eavesdrop on their trunk connections between data centers. Facebook did not know about QUANTUMHAND, the NSA's secret program to attack Facebook users. And none of the target companies knew that the NSA was harvesting their users' address books and buddy lists.
These companies are certainly pissed that the publicity surrounding the NSA's actions is undermining their users' trust in their services, and they're losing money because of it. Cisco, IBM, cloud service providers, and others have announced that they're losing billions, mostly in foreign sales.
These companies are doing their best to convince users that their data is secure. But they're relying on their users not understanding what real security looks like. IBM's letter to its clients last week is an excellent example. The letter lists five "simple facts" that it hopes will mollify its customers, but the items are so qualified with caveats that they do the exact opposite to anyone who understands the full extent of NSA surveillance. And IBM’s spending $1.2B on data centers outside the U.S. will only reassure customers who don’t realize that National Security Letters require a company to turn over data, regardless of where in the world it is stored.