The NSA's $2b data centre in Bluffdale, Utah (source: businessweek.com)

The NSA’s $2b data centre in Bluffdale, Utah (source: businessweek.com)

Security researchers examining the PRISM denials made by the companies alleged to be providing data to the NSA say that the language used is suspiciously similar. The emphasis is ours:

Google: First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers.

Apple: “We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order.”

Facebook: Facebook is not and has never been part of any program to give the US or any other government direct access to our servers.

The fact that the exact same phrase has been used seems unlikely to be a coincidence. One security researcher I spoke to said the wording only eliminated the NSA pulling data from the servers; it did not mean the companies were not pushing the data to the NSA. If the NSA obtained a secret court order requiring the companies to hand over the data, then of course statements that they only provide data when required to do so by law would also be true … 

Google’s follow-up of course went further:

Press reports that suggest that Google is providing open-ended access to our users’ data are false, period.

Although this statement appears categorical, a security researcher I spoke to on condition of anonymity said that in the security field, ‘user data’ was generally understood to refer to ‘data which can be specifically linked to a named individual’. Meta-data, not linked to an account name, is not considered user data. Here’s how he suggested things could work.

The NSA tells Google content of interest to it, for example a name, place or date. Google flags interactions – emails, chat sessions, etc – that contain that content.

Google assigns a 32-bit hash to each account. Only Google knows which hash equates to which account. Google hands over meta-data to the NSA which says account X emailed accounts Y and Z with this content, and the three of them also had Google Hangouts together on these dates. No message content was provided by Google, and because Google doesn’t supply the account names, none of it counts as ‘user data’.

Once the NSA decides it wants to know who X, Y and Z are, it obtains specific court orders requiring Google to hand over the account details. Everyone has complied with the law, Google’s denials are true and the NSA has what it wanted.

In an interesting twist, the source of the PRISM slides – now revealed by The Guardian as 29-year-old ‘tech specialist’ Edward Snowdon – has made a rather bizarre-sounding claim.

Not all analysts have the ability to target everything. But I sitting at my desk certainly had the authorities to wiretap anyone from you or your accountant to a Federal judge to even the President if I had a personal e-mail.

You can watch the full interview in the video below.