Government Snooping May Be Legal, But That Doesn’t Make It Right

This post is an expanded version of an article that first appeared in the San Jose Mercury News.

By Larry Magid

We’ve been hearing a lot about government spying over the past couple of weeks, including reports about PRISM — a secret computer system that, according to initial reports, gives the government a “backdoor” to access data directly from the servers of companies like Facebook, Google, Microsoft and Apple. But based on what I can determine, there is no backdoor,

Not really a secret

The fact that the government was secretly obtaining information from Internet companies was actually not a secret, at least not since March 5th, when Google revealed it had received secret National Security Letters from the FBI demanding users’ data.

For me at least, the big secret, revealed in March, is that the FBI has the authority to prohibit companies from talking about these requests. Google, while not publicly disclosing as much as it would have liked about the data requests, did get government permission at the time to at least disclose a range of the number of such letters it received, which Google reported at the time as being between 0 and 999.

I happened to be in Washington, D.C. the day the Washington Post story on PRISM was published, and was shocked by its assertion that the National Security Agency had a direct link into the servers of Google, Facebook, Microsoft, Apple and other companies. It’s one thing to force companies to comply with secret, though legal, government orders, but quite another to give government direct access to servers so agents can roam around looking for whatever data they want. That would be like an apartment complex owner giving the local police department the key to every unit, with blanket permission to come over any time to look around on the possibility they might find some stolen property in a tenant’s closet.

After the Post article came out, both Google CEO Larry Page and Facebook CEO Mark Zuckerberg denied there was a backdoor or direct link to their companies’ servers. As Page and Google’s chief lawyer David Drummond put it, “We have not joined any program that would give the U.S. government, or any other government, direct access to our servers. Indeed, the U.S. government does not have direct access or a ‘back door’ to the information stored in our data centers.” Later that day Zuckerberg responded to what he called “outrageous press reports about PRISM.” He added: “When governments ask Facebook for data, we review each request carefully to make sure they always follow the correct processes and all applicable laws, and then only provide the information if it is required by law.”

Zuckerberg joined Google in calling for “all governments to be much more transparent about all programs aimed at keeping the public safe.”

Because I was in Washington that day, I met with a contact who had worked on government and law enforcement compliance operations at a major Internet company. He, like Zuckerberg and Page, said he didn’t know of any backdoors but postulated it’s possible there are servers where Internet companies deposit documents they are required to turn over to the government.

Regardless of how government agencies obtain data, it makes sense that they would store it on a server and use sophisticated software — perhaps called PRISM — to analyze and access it. We don’t know exactly how that data gets there, but unless there is a vast conspiracy that includes the likes of Zuckerberg and Page, we know that it’s not based on a direct pipeline.

Short of that unlikely “backdoor,” I really don’t care how the data gets from the service provider to the government. It doesn’t matter to me whether they email it in, upload it themselves to a government server or post it to a dropbox-type server that the government can access. From a compliance standpoint, what’s important is that the data gets into the government’s hands only through legal processes.

Still, the fact that something may be legal doesn’t make it right. It’s time for Congress to take another look at the Foreign Intelligence Surveillance Act, and time for the Obama administration to heed the calls for greater transparency.

While I understand the need to keep some secrets about how the government conducts investigations to avoid tipping off suspects, I don’t understand the justification for refusing to allow Internet companies to disclose how many information requests they get from government and how they process those requests. If anything, more transparency would give Americans greater assurances that we’re not being spied upon by our government. Unless, of course, that’s not the case.

Disclosure: Larry Magid is co-director of ConnectSafely.org, a non-profit Internet safety organization that receives financial support from Google, Facebook and other Internet companies.