For all the explosive revelations about the U.S. government monitoring online activity, several intriguing mysteries remain. One of them is how the government actually gets the information it monitors.
In a Top Secret slide presentation obtained and published by the Guardian and the Washington Post, the government claimed to gather data “directly from the servers” of nine prominent U.S. firms: Microsoft (MSFT), Yahoo! (YHOO, publisher of this web site), Google (GOOG), Facebook (FB), PalTalk, AOL (AOL), Skype (owned by Microsoft), YouTube (owned by Google) and Apple (AAPL). All those firms have denied giving the government direct access to their servers or voluntarily providing customer data to the feds. But those statements seemed carefully crafted to allow exceptions, since U.S. companies must comply with court orders or other legal authorizations requiring them to turn over user data.
The big question privacy experts are now asking is whether the government can essentially gain blanket access to information of its choosing — including data on Americans — in real time, whenever it wants to. Access to email accounts, chat rooms, social-media postings, personal documents, search engine requests, e-commerce transactions and other types of online behavior would obviously be most helpful at tracking terrorists if it were comprehensive and instantaneous. But such expansive access might still be illegal, even though U.S. laws have been modified during the past few years to enhance federal agents’ ability to track people’s online activity.
A murky question
Secrecy and complexity make the whole question even murkier. When companies receive a court order issued under the Foreign Intelligence Surveillance Act, they’re usually not allowed to acknowledge or discuss it publicly. They do have the right to challenge the order, but it must be done in secret, often without access to much of the information on what the feds are after, and why. “Companies are very limited in what they can know and do,” says Alan Butler, an attorney with the Electronic Privacy Information Center, a civil-liberties group. “There’s almost no transparency in this area.”
The government — specifically the National Security Agency, which is charged with electronic espionage — almost certainly has the capability to hack into corporate servers, but that would be illegal if done in the United States. Instead, cybersecurity experts believe the government obtains orders from a secret court allowing it to do “programmatic surveillance” by gathering large amounts of data from technology firms.
Such FISA orders are much broader than the warrants law-enforcement agencies obtain to wiretap phones or monitor email accounts in potential criminal cases. On matters relating to national security, the government doesn’t need to establish probable cause in order to obtain an order. Instead of focusing on one person, such orders cover a huge batch of data involving, apparently, millions of people. And FISA orders can remain in place for as long as a year before agents need to seek a renewal.
One reason the government may want data from companies such as Google, Yahoo!, Microsoft and Apple is that they all operate email services. In theory, government agents could obtain an order allowing them to gather all emails sent into or out of, say, Pakistan, on those companies’ email services. Then, they could use computers to search those emails for keywords or other info that might indicate terrorists at work. The same sort of analysis could be done on a huge batch of Web searches, retail purchases or cloud-based documents.
It would be relatively easy to obtain such data from company servers without having direct access to those servers. The tech firms could simply gather such data on their own, under parameters contained in the court order. Then they could transfer the data to some kind of hardware — or even a third-party Web site — where the government takes possession of it. It might be encrypted, with federal agents having the decryption codes.
"My guess is there is a government-provided 'box' at the companies in question," says Irving Lachow, a senior fellow at the Center for a New American Century, a Washington think tank. "The companies are correct in saying the government does not have direct access to their servers, but the government can still get the information it needs." Some analysts describe this type of transfer as an electronic “dead drop,” akin to the pre-arranged sites in Moscow or Washington where Cold War spies used to exchange files. One modern difference, however, is that such data transfers could happen automatically, on a recurring basis, perhaps even in real time, feeding a steady flow of data into government computers.
The FBI would have to coordinate such exchanges, since it’s a law-enforcement organization — not a spy agency — and it’s tasked with domestic intelligence-gathering. But the FBI would then hand off the data to intelligence agencies such as the NSA, which would do the crunching.
Once the government has the data, one part of the process is known as “targeting,” in which computers narrow down the data set through keyword searches or algorithms. This is probably highly automated. At some point, the government must “minimize” the data, which means deleting records or redacting personal information that’s not relevant, before human agents begin poking through it.
How wide a net?
By definition, foreign surveillance is supposed to focus on foreigners, but it’s hard to know how the government can cast a wide net without snaring Americans. “How they do that, we don’t know,” says Butler. “It seems doubtful given the scope of what they’re collecting.” In the past, government officials such as James Clapper, director of national intelligence, have suggested the nature of such surveillance makes it nearly impossible to know how many Americans might mistakenly get swept up. One reason is that identifying Americans in the data would require personalized knowledge earlier in the process than the government is supposed to have it.
For ordinary people with no connection to terrorists, it seems possible their emails or Facebook photos or YouTube videos could, in fact, get swept into a huge electronic dragnet. If the system works, that data should be purged before a federal agent ever has a look at it. The challenge for the government now is providing convincing evidence the system works as it’s supposed to.
Rick Newman’s latest book is Rebounders: How Winners Pivot From Setback To Success. Follow him on Twitter: @rickjnewman.