Privacy Advisor

The NSA’s PRISM Program and Reactions

June 7, 2013

By Jedidiah Bracy, CIPP/US, CIPP/E

PRISM
The Washington Post reports on the U.S. National Security Agency’s online data surveillance system called PRISM. According to leaked documents and PowerPoint slides, the NSA and the Federal Bureau of Investigation “are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents and connection logs” that allow intelligence analysts to track foreign threats.

National Intelligence Director James R. Clapper said, “information collected under this program is among the most important and valuable foreign intelligence information we collect,” and warned that the disclosure of this “entirely legal program…risks important protections for the security of Americans.”

Several of the online businesses named in the documents say they do not allow unfettered access to their central servers. Facebook Chief Security Officer Joe Sullivan said, “When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law.”

A Google spokesman also denied the allegations, adding, “From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a ‘back door’ for the government to access private user data.”

The Daily Beast reports that at least one foreign government has gained access to the sensitive data collected by the NSA. According to the report, some of the metadata collected has been shared with UK government officials.

Reaction
The disclosure of the PRISM program, along with yesterday’s revelations about Verizon and the NSA, is affecting talks between the EU and U.S. on a data protection agreement, EUobserver reports. German Green MEP Jan Philip Albrecht said, “Common rules will only be possible if the principles of data protection will be accepted in the U.S. The foreseen, but struggling EU-U.S. umbrella agreement, would be a good chance to show that this is the case.”

In the same report, Dutch Liberal Deputy Sophie in’t Veld also told EUobserver that the PRISM disclosure “could help raise awareness” of such issues for Brussels. She noted that past agreements—including the SWIFT banking and passenger name recognition programs—were secretly instituted prior to their formal implementation.

German Federal Data Protection Commissioner Peter Schaar wrote a blog post (in German) on the issue. He notes that the NSA program bolsters the need for a strong EU data protection regime.

Former Clinton administration Chief Counselor for Privacy Peter Swire, CIPP/US, has written a Privacy Perspectives blog post calling for the Privacy and Civil Liberties Oversight Board to make the NSA programs a top priority.

Several privacy advocates have chimed in, expressing concern about the program. Alexander Hanff has written to European Commission President José Manuel Barroso calling for immediate revocation of the U.S. Safe Harbor status.

The LA Times, however, asks, in light of the Verizon news, where is the consumer outrage? “The bottom line is this,” writes David Lazarus, “Consumers in the digital age have no reason to believe their electronic communications are off-limits to government and private-sector entities.”

CNN has also compiled a roundup of expert opinions on government surveillance and privacy concerns, including reaction from Prof. Neil Richards, blogger Bruce Schneier and former CIA Director Michael Hayden.

The New Yorker delves into definitions and consumer perceptions of “meta data,” the term used to describe the data accessed in the Verizon case: not the contents of the phone calls, just who called whom, and from where. Sun Microsystems engineer Susan Landau said, “The public doesn’t understand (metadata)…It’s much more intrusive than content.”
