FBI NSA PRISM: How Much Content US Nabs via Microsoft, Google, Yahoo Accounts

Written by Gina Smith

In a settlement with the DOJ, major tech companies now are able to reveal how many online accounts were affected by FBI and NSA PRISM secret court order …

aNewDomain.net — Is one of your online accounts among the tens of thousands of Microsoft, Google, Facebook and Yahoo accounts that’s had its data turned over to the U.S. government as part of NSA PRISM?

Tech companies aren’t permitted to say too much. But, as a result of a transparency deal the tech vendors reached last week with the Justice Department as a means of ending a transparency lawsuit with the secret U.S. FISA court, tech firms were able to paint in broad strokes the number of affected accounts and what kind of data they’ve delivered to the National Security Agency (NSA) and Federal Bureau of Investigation (FBI) in the government’s once top-secret e-surveillance project, PRISM. 

Tech companies said in various statements included below that they regretted they couldn’t be more specific.

They also said that, under pain of federal penalty, they are not free to describe with more specificity what they’ve delivered to U.S. law enforcement officials in the last six months. So the data Microsoft, Google, Facebook, Yahoo  and other tech companies had to give the government from tens of thousands of accounts isn’t more recent than June 2013. There’s a six month release delay.

It’s worth pointing out that June 2013 was the month NSA whistleblower Edward Snowden disclosed slides and other data about the FBI NSA PRISM e-surveillance project. Up to then it was a secret project designed to glean Internet communications, and intercept, store and analyze them using heavy duty big data analysis silos.

It’s also worth noting that the disclosures tech companies are now permitted to make — however vague — are data only. They don’t include global telephone communications, which the government also is free to intercept and analyze without warrant according to executive order.

Richard Salgado, Google’s legal director for law enforcement and information security, says he isn’t happy about the limit on transparency the deal imposes. In a post on the company’s official blog, he wrote:

We still believe more transparency is needed so everyone can better understand how surveillance laws work and decide whether or not they serve the public interest … specifically we want to disclose the precise numbers and types of requests we receive, as well as the number of users they affect in a timely way.”

Tech vendors don’t have the luxury of revealing more than vague numbers over a six-month-delayed time period — under pain of federal penalty.

Brad Smith, Microsoft’s legal counsel, made a similar lament:

Despite the president’s reform efforts and our ability to publish more information, there has not yet been any public commitment by either the US or other governments to renounce the attempted hacking of Internet companies … We believe the (U.S.) Constitution requires that our government seek information from American companies within the rule of law. We’ll therefore continue to press for more on this point, in collaboration with others across our industry.”

Company by company, here’s a snapshot of what vendors say they did hand over to the U.S. government between January and June 2013.

Google’s Account Data/Content NSA and FBI Handover Summary

Google says it provided the government Internet metadata — presumably based on search and email — of up to 999 customer accounts. It also provided the U.S. federal government and PRISM the actual content of email and other communications for 9,000 to 9,999 customers. Google said there has been a major upswing in NSA requests since the first half of 2009, when it provided the NSA and FBI with data from up to 2,999 customer accounts. By the second half of 2012, it was delivering data at an all-time high. In that time period, it delivered the NSA and FBI, on secret FISA court order, data from up to 12,999 Google customer accounts.

Facebook’s Account Data/Content NSA and FBI Handover Summary

Facebook, which in the hours after the Snowden revelations denied any knowledge of PRISM at all, now admits that in 2012 it handed over content from 4,000 to 4,999 Facebook accounts and metadata from 999 accounts. From January to June 2013, that figure increased by about 1,000 Facebook accounts, Facebook disclosed. 

Microsoft’s Account Data/Content NSA and FBI Handover Summary

In its disclosure, Microsoft execs said the secret FISA court had asked for and received fewer than 1,000 orders for “communications content,” and that the orders related to between 15,000 and 15,999 “accounts or individual identifiers.” That’s down from the 16,000 accounts from which orders called for data in the second half of 2012, Microsoft revealed.

Microsoft offered distinct data on its Skype video and audio communications service. For the period of January to June 2013, Microsoft said it received and delivered data relating up to 999 Skype accounts and metadata relating to them. Such metadata was ostensibly to help the government “reveal communications patterns.” 

Yahoo Account Data/Content NSA and FBI Handover Summary

Of all the tech companies, Yahoo disclosed it had provided the U.S. government the most data. It delivered the U.S. government “communications content” from 30,000 to 30,999 accounts from January to June 2013. And of those that were a result of secret FISA court orders, it delivered metadata requests from up to 999 Yahoo customer accounts.

Wait, there’s more. Here’s what tech companies provided to U.S. law enforcement agencies as a result of FBI national security letters and related orders …

Email content, search history and metadata wasn’t the only content Microsoft, Facebook and Yahoo said it gave the government. The three also said that they had to comply with what’s known as an FBI national security letter. This is a government, not a judicial, type of subpoena. Under the terms of the transparency settlement, tech companies weren’t limited to revealing disclosures with a six-month delay so the information here is more recent.

Microsoft and Facebook each revealed receipt and compliance with “up to 999” FBI national security letter subpoenas from June to December 2013 — on the same number (up to 999) Microsoft and Facebook accounts. Yahoo also said it received and complied with up to 999 national security letters during the same period — but those requests affected more accounts, up to 1,999.

Google said FBI national security letters forced it to reveal customer records at the rate of up to 1,999 accounts every six months — that’s about 4,000 accounts a year. It’s unclear how many are duplicates and Google was not allowed, under the terms of the transparency agreement, to acknowledge that.

Of all the tech companies, Apple said it had received and complied with the fewest FBI national security letter requests. Apple disclosed that, in the January to June 2013 time period, the FBI had sent it fewer than 250 national security letters and other requests relating to fewer than 250 accounts. The same went for LinkedIn, which disclosed on Monday it also received up to 249 national security orders and requests.

What about phone records? NSA whistleblower Edward Snowden had also brought attention to the fact that the U.S. had clandestine deals with Sprint and other carriers to deliver telephone communications. Microsoft’s Smith said he could only say “we have not received the type of bulk data requests that are commonly discussed publicly regarding telephone records.” But the disclosures the tech companies have made, as a result of the transparency deal cut with the secret FISA court, don’t apply to telephone communications.

All the disclosures apply purely to data requests tech companies were compelled to turn over as a result of court orders from the secret U.S. FISA court — to the NSA and FBI.

Under U.S. Executive Order 12,333, the NSA is allowed to suck up in-transit communications anywhere on the globe without any court order whatsoever.

To say the least, privacy advocates and Internet data security proponents are unhappy and say the revelations the U.S. government has allowed tech companies to make are terribly inappropriate.

Washington Open Technology Institute’s Kevin Bankston told the UK Guardian that the revelations were:

… far less than what we need for adequate accountability from the government … Lumping  all of the different types of surveillance orders together into one number, then adding obscurity on top of obscurity by requiring that number to be reported in ranges of one thousand, is not enough to educate the American public or reassure the international community that the NSA is using its surveillance authorities responsibly.”

We’ll be watching this story for you. In the meantime, check out Google’s blog post on the history of how these disclosures, however barren, are at last coming out. The post, called , is excerpted below. Wrote Google lawyer Richard Salgado:

We believe the public deserves to know the full extent to which governments request user information from Google. That’s why for the past four years we’ve shared and continuously expanded and updated information about government requests for user information in our Transparency Report.

Until now, the U.S. Department of Justice (DoJ) opposed our efforts to publish statistics specifically about Foreign Intelligence Surveillance Act (FISA) requests. Under FISA, the government may apply for orders from a special FISA Court to require U.S. companies to hand over users’ personal information and the content of their communications. Although FISA was passed by elected representatives and is available for anyone to read, the way the law is used is typically kept secret. Last summer’s revelations about government surveillance remind us of the challenges that secrecy can present to a democracy that relies on public debate.

Last year we filed a lawsuit asking the FISA court to let us disclose the number of FISA requests we may receive and how many users/accounts they include. We’d previously secured permission to publish information about National Security Letters, and FISA requests were the only remaining type of demands excluded from our report.

Today, for the first time, our report on government requests for user information encompasses all of the requests we receive, subject only to delays imposed by the DoJ regarding how quickly we can include certain requests in our statistics.”

For aNewDomain.net, I’m Gina Smith.

Gina Smith is the New York Times best-selling author of Apple co-founder Steve Wozniak’s memoir, iWoz Computer Geek to Cult Icon: How I Invented the Personal Computer and Had Fun Doing It (W.W. Norton, 2005/2007/2012). With John C. Dvorak and Jerry Pournelle, she is the editorial director at aNewDomain.net. Email her at gina@aNewDomain.net, check out her Google + stream here or follow her @ginasmith888.