7 Jun 2013

Spying on Google and Facebook data – key questions

After reports that the US government is able to mine the servers of the country’s seven biggest technology companies, including Google and Facebook, Channel 4 News looks at what it means for UK users.

What are newspapers reporting?

The Washington Post says it has obtained a top-secret presentation with details about a programme, known as Prism, that allows US intelligence agencies to track people through all data available on seven companies’ servers.

This follows a Guardian report, which said that the National Security Agency (NSA) also had a warrant to collect all records of phone calls from the phone company Verizon for the past three months.

“The way the law is written, it allows them to spy on people who are not US citizens with essentially unlimited capability.” – Mike Rispoli, Privacy International

In a strongly worded statement, US Intelligence Chief James Clapper confirmed the existence of Prism and of the secret court order for Verizon to hand over phone records, but said they were legal. He defended the Prism programme, saying the information obtained was “among the most important and valuable foreign intelligence information we collect” and said there were inaccuracies in both reports.

All companies named in the documents, including Google and Facebook, strongly deny their involvement.

What kind of data is at risk?

This is the scary bit. If genuine, the implications of the Prism programme cut to the heart of our life online. The document implies that everything from our conversations on Skype, to our holiday photos on iCloud, and our documents stored on Google Drive, is up for grabs to be trawled through by the NSA and FBI.

That includes: email, video and voice chat, videos, photos, stored data, VoIP, file transfers, video conferencing, the time of logins, and online social networking details, according to a slide from the presentation obtained by the Washington Post.

It is worth quoting the Post’s statement that “under current rules the agency does not try to collect it all”. Instead it will pull up information that arises from a variety of search terms. US cyber spies are also currently required to be 51 per cent sure of their target’s “foreignness” to be able to delve into their data.

But I’m in the UK – isn’t my data safe?

You are actually in a worse position, says Mike Rispoli, of UK-based charity Privacy International, because protections that exist for US citizens do not apply to foreigners.

“Intelligence agents would be constrained in terms of the US government spying on US citizens,” he told Channel 4 News. “But the way the law is written, it allows them to spy on people who are not US citizens with essentially unlimited capability.”

The NSA is specially targeted at foreigners, so its mission is to pick up information about people outside the US. Though the UK and EU say that all citizens have a right to data protection, local laws are not much help because, like it or not, most of your online communications will go through a US company.

And though the EU wants companies operating in Europe to obey European laws, they have little power to enforce them on American companies. European Commissioner for Home Affairs Cecilia Malmström told Channel 4 News they were concerned about the consequences.

Later on Friday, it emerged that at least one European intelligence agency is using the US service too, according to the Guardian. The paper reported that GCHQ has had access to the system since at least June 2010, and generated 197 intelligence reports from it last year.


Wasn’t this happening anyway?

Surveillance agencies have always worked with private companies to gather intelligence. The Washington Post says that the difference this time is the size of the companies involved and the nature of the access, which allows the government to dip in and out of the data “treasure troves” through a so-called “back door” into the server.

This allows greater and quicker access than the previous model, where the government had to go through the courts and get a judge to grant an information request that would then be delivered to a company like Google. The company could legally challenge the request.

Technology companies say they comply with legal requests for data on a case-by-case basis, but have no “back door”.

Is this related to the snooper’s charter?

Yes. In both cases it is a government compelling private companies to gather intelligence. But though the US passed legislation that paved the way for this in 2007 under George Bush, the UK’s data communications bill – or snooper’s charter – has not passed parliament yet and is currently causing controversy.

However, the snooper’s charter is much more limited in scope than the alleged US surveillance: it only applies for the last 12 months of data, and does not include access to the content of communications. It would just give access to the data around a phone call or email: who sent it and when, but not the actual text or audio. Access to content would have to be sought separately.

“We are of course concerned for possible consequences on EU citizens’ privacy.” – Cecilia Malmström, EU commissioner for home affairs

The proposed law in Britain also requires the police to prove that the data is necessary for a specific investigation before accessing it. In the situation the Washington Post describes, the US government simply needs to suspect that the target was involved in terrorist activity.

Which companies are involved?

Seven companies are named in the top-secret files obtained by the Washington Post, but each allegedly joined at different times in the past seven years, according to the NSA slides:

Microsoft: September 2007
Yahoo!: March 2008
Google: January 2009
Facebook: June 2009
PalTalk: December 2009
YouTube (owned by Google): September 2010
Skype (owned by Microsoft): February 2011
AOL: March 2011
Apple: October 2012

As the timeline above shows, certain companies appeared to sign up during the Bush era, while Apple waited five years before joining up.

In terms of why they may have got involved, the Post reports that the internet giants can get legal immunity in exchange for complying with a “directive”.

The vigorous denials from all companies involved meant that the Post had to retract statements about their complicity in the spying. But the paper stands by its report, and the debate over who knows what – and where the information goes – is likely to continue over the coming days.

One of the government slides appears to show that the companies’ involvement was hugely sensitive, and that they might withdraw from the programme if they were exposed. According to the briefing author’s notes: “98 per cent of Prism production is based on Yahoo, Google and Microsoft; we need to make sure we don’t harm these sources.”

What happens to the data?

Data gathered through Prism has been used in one in seven intelligence reports, the Post reports, and formed part of the president’s daily briefing in 1,477 items last year.