FISA Security

Moving the Goal Posts

Under the dishonest headline of “Tech Companies Concede to Surveillance Program,” the New York Times is reporting that tech companies do comply with government requests for information, but their description of the program is nothing like earlier accounts provided by the Washington Post.

They opened discussions with national security officials about developing technical methods to more efficiently and securely share the personal data of foreign users in response to lawful government requests. And in some cases, they changed their computer systems to do so. [...]

Each of the nine companies said it had no knowledge of a government program providing officials with access to its servers, and drew a bright line between giving the government wholesale access to its servers to collect user data and giving them specific data in response to individual court orders. Each said it did not provide the government with full, indiscriminate access to its servers.

The companies said they do, however, comply with individual court orders, including under FISA. The negotiations, and the technical systems for sharing data with the government, fit in that category because they involve access to data under individual FISA requests. And in some cases, the data is transmitted to the government electronically, using a company’s servers. [...]

The data shared in these ways, the people said, is shared after company lawyers have reviewed the FISA request according to company practice. It is not sent automatically or in bulk, and the government does not have full access to company servers. Instead, they said, it is a more secure and efficient way to hand over the data.

“It is not sent automatically or in bulk, and the government does not have full access to company servers” is all you really need to read, but indulge me.

As I said yesterday, complying with legally-binding requests for information approved by the FISA court is not even remotely the same thing as providing unfettered, sweeping “direct-access” to the servers of Google, Facebook, Microsoft, and Apple.

What I did not highlight yesterday is that the meat of the story concerns FISA warrants for information on foreign users.

What The New York Times has confirmed is that Director of National Intelligence James Clapper, President Obama, and each of the tech companies originally named by The Washington Post were telling the truth. It does not apply to U.S. citizens and a warrant is required to proceed at every step of the way.

So where’s the scandal?

As far as I can tell, the original story has fundamentally changed and the only thing we are left with is a matter of routine which has been carried out on a daily basis for the better part of a decade under FISA.

The New York Times for their part seems to be clinging to the idea that tech companies have maliciously ‘made it easier’ for the government to obtain information from them, but my impression is that some companies did so in the interests of efficiency. Other companies do comply with government requests for information approved by the FISA court, however they have not taken extra steps to comply with such requests.

The idea that the government has been provided a “back-door” or “direct-access” to the servers of your favorite tech companies to spy on your every action is a ginned up fantasy. And at this point, it borders on being a conspiracy theory that isn’t supported by the evidence.

If you believe the FISA court has too much authority or that FISA itself is too broad, that’s another matter entirely and one that should be separated from the notion that Big Brother is a creepster that’s listening to your calls to mom and dad.

Update... Google's Chief Legal Officer has stated once again in no uncertain terms that there is no direct-access, back door, drop box, or other shady way of transferring information.

We cannot say this more clearly—the government does not have access to Google servers—not directly, or via a back door, or a so-called drop box. Nor have we received blanket orders of the kind being discussed in the media. It is quite wrong to insinuate otherwise. We provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process. And we have taken the lead in being as transparent as possible about government requests for user information.