The phone calls began late in the morning, Silicon Valley time, on June 6. Representatives of nine leading U.S. technology companies received a flurry of calls and e-mails from reporters at the Guardian and the Washington Post, asking them to comment on explosive stories they would soon publish. Their reports, based on government documents leaked by former National Security Agency contractor Edward Snowden, alleged that the country’s leading Internet firms were giving the NSA and the Federal Bureau of Investigation “direct access” to their servers and thus to the e-mails, photos, and other private information of hundreds of millions of users around the world. The papers gave the companies roughly two hours to respond, according to spokespeople for four of the businesses.
The tech companies rushed to deny that the NSA surveillance program, called Prism, operated the way the papers and leaked NSA documents described—that they had given the U.S. government carte blanche access to their systems. Since refining their denials, they’ve moved a behind-the-scenes battle further into the open. In the past week, Apple (AAPL), Facebook (FB), Microsoft (MSFT), and Yahoo! (YHOO) have issued reports specifying how many information requests they’ve received from law enforcement, an effort to show that the government appeals for data are targeted.
Google (GOOG) went further on June 18, filing a motion with the Foreign Intelligence Surveillance Act (FISA) court asking permission to disclose the precise number of national security-related secret orders it receives. “Google’s reputation and business has been harmed by the false or misleading reports in the media, and Google’s users are concerned by the allegations,” the company’s lawyers wrote in the motion. “Google must respond to such claims with more than generalities.”
While tech companies must protect their reputation with U.S. users who worry that their private correspondence is being monitored, they may also face more critical consequences abroad. With the government claiming it principally targets communications between the U.S. and other countries, overseas customers of companies like Facebook and Google may want greater protections. (Under the current version of FISA, foreign citizens have almost no rights.) Other nations may demand the same surveillance privileges they believe the U.S. government enjoys.
The Prism companies fear they’ll be lumped together with telephone companies, which are required to make real-time call monitoring available to the government under the Communications Assistance for Law Enforcement Act. Under that 1994 law, the telecoms had to place surveillance equipment in their own facilities and keep it usable as their technology changed. In 2006, AT&T (T) faced blowback from the revelation that its San Francisco hub allowed the government to analyze all phone calls and Internet traffic flooding through the company’s network. On June 5 the Guardian revealed, on the basis of a leaked FISA court order, that Verizon Communications (VZ) was funneling all of its phone records to the NSA. Verizon declined to comment.
By contrast, Internet companies have long boasted that they push back on government surveillance and are more transparent. When the FBI in 2010 first proposed controversial legislation dubbed “Calea-2,” which would have required Internet companies to include mandatory wiretap access to their services, the industry strongly opposed it. The Internet companies “are never going to go along with that,” said Al Gidari, a partner at the law firm Perkins Coie who represents Google and other technology companies on privacy and security matters. “It will be a bloodbath before you see that kind of encroachment on the network and system.” Since 2009, Google has released reports detailing how many law enforcement requests it receives for user data and how many user accounts are affected. Microsoft and Twitter followed with similar reports in 2012. (The reports did not include national security requests.)
In the wake of the Prism allegations, though, the companies can’t agree to a common standard of transparency. While Apple, Facebook, and Microsoft revealed how many data requests they received from law enforcement and how many user accounts were affected, Yahoo disclosed only how many requests it fielded. Google rejected that approach altogether, because the requests include cases unrelated to national security, such as local investigation of petty robberies. “We’re getting a very useful picture of the amount of cooperation with the government, but little insight into the substance of that cooperation or the potential legal objections,” says American University law professor Stephen Vladeck. “I’m not sure, at the end of the day, we’re learning a whole lot through these disclosures.”
The Prism disclosures may embolden foreign governments already eager to expand their Web monitoring. The magazine Der Spiegel recently reported that Germany’s foreign intelligence agency plans to spend €100 million ($133.5 million) on such a program. In the Netherlands, the legislature is debating whether to let law enforcement search computers without an owner’s knowledge. “It’s hard to say whether there will be unanticipated consequences” of the Prism reports, says Google’s lawyer Gidari.
A bigger concern for the companies may be how overseas users react to the Prism allegations. “You can see why the rest of the world would have a problem with this,” says Caspar Bowden, an independent privacy advocate and former chief privacy adviser for Microsoft. “Essentially there is one law for Americans and one law for everyone else.” Bowden says the Prism allegations have revived interest in creating a European open-sourced cloud computing industry to match U.S. providers the way Airbus has matched Boeing in aerospace. “However seriously the threat of Prism is perceived, why wouldn’t Europe want this on economic grounds alone?” Bowden says.
Apple, Facebook, Google, and Microsoft, which have significant portions of their user bases outside the U.S., would suffer from this kind of online protectionism. That could be the real legacy of June 6: the beginning of the end to Silicon Valley’s dominance of the Internet.
The bottom line: The companies named in the Prism stories are pushing back, but their disclosures are limited and inconsistent.