The global surveillance scandal involves many players in the corporate world and — thanks to Edward Snowden — details of their identities and relationships with the NSA and other intelligence agencies continue to dribble out.
Many publications are doing fine work carrying these stories, but the information is a tad scattered. So I thought it might be useful to compile a list of the companies that are thought to be involved in Prism, Tempora, Blarney and all the other mysteriously codenamed sub-programs that add up to a near-global surveillance network.
This list will be updated as and when new information comes in (please do note omissions in the comments below).
The companies named in the original Prism scandal are as follows:
All have denied giving the NSA “direct access” to their servers, but Snowden has maintained that they do so, and the roles played by these companies are part of the focus of French prosecutors looking into the affair.
Microsoft and many other U.S. tech firms are also alleged to disclose security flaws in their products to U.S. intelligence services before they inform other customers around the world. This would give the NSA and other agencies a headstart on patching their own systems, but it could also give them a window of opportunity to exploit the flaws in order to attack others. Microsoft is also alleged to have given the NSA early access to products such as Outlook.com, so encryption could be circumvented before users even come online.
Internet backbone providers and other telcos
The Washington Post published a scoop on Thursday that gave some insight into the budget enjoyed by the NSA, CIA and other U.S. intelligence agencies. One of the most interesting allegations there was that the agencies not only reimburse their partners in the telecoms industry for the costs incurred in accessing data from their systems — which is to be expected — but that some of the telcos also make a profit on the deal.
Which ones? We don’t know, but these are the companies known to be working with British intelligence agency GCHQ (with codenames as listed by Germany’s Süddeutsche Zeitung):
- BT (Remedy)
- Verizon (Dacron)
- Vodafone (Gerontic)
- Level 3 (Little) and Level 3-owned Global Crossing (Pinnage)
- Viatel (Vitreous)
- Interoute (Streetcar)
Level 3 has also been highlighted because it runs the cables connecting Google and Yahoo’s data centers — connections that have likely been tapped by the NSA.
AT&T has also been named by the Wall Street Journal as being associated with the Blarney program (2013 fiscal year budget, according to WaPo: $65.96 million). Like AT&T, Verizon is also apparently collaborating with U.S. intelligence on American soil.
(UPDATE, 2 September: AT&T has also been implicated in a massive phone record collection scheme that involves the Drug Enforcement Agency.)
The Sydney Morning Herald has reported that Australia’s Telstra works closely with U.S. intelligence – a condition it had to meet in order to get an FCC licence for its Reach business in Asia, which also involves Hong Kong-based PCCW. (NOTE, 31 August: It appears Crikey broke this story.)
Such conditions appear to be a recurring theme when it comes to international firms merging or going into partnership with U.S. operators, or operators with cables in the U.S. The WSJ suggested this week that Japan’s SoftBank had to agree to honor U.S. authorities’ requests for access to some of its systems, because of its purchase of Sprint. Ditto Deutsche Telekom (2001’s VoiceStream Wireless takeover and the recent T-Mobile USA-MetroPCS merger) and Vodafone (the Verizon partnership).
The Sydney Morning Herald has also pointed a finger at Singapore’s government-owned SingTel. SingTel, which owns Australia’s Optus telco, is in a consortium with BT, Telstra and others to run the hugely important SeaMeWe-3 undersea cable, which connects Germany, the U.K., the Middle East, Singapore, China, Australia and Japan.
The U.S. CALEA law of 1994 is pretty crucial — it compels not only telcos to make sure law enforcement agencies can tap into communications in the U.S., but their equipment vendors too. So, any telecoms kit-maker who is sited in the U.S. or wants to sell its equipment to American telcos will need to play nice.
That’s a long list, but let’s highlight the name of Cisco, because it’s one of the U.S. tech vendors that is now being scrutinized by the Chinese authorities over fears of hidden security backdoors (yes, it’s Huawei in reverse).
The WSJ has also noted that — as with telcos merging with or taking over U.S. firms — some international vendors have also had to promise to give access to systems when asked. The article named Alcatel-Lucent (France’s Alcatel, merged with America’s Lucent), Nokia Solutions & Networks (which bought Motorola’s network assets) and Ericsson (which bought Nortel's wireless equipment assets).
(UPDATE, 9 September: No names have been named yet, but the NSA’s apparent breaking or weakening of many current cryptographic implementations likely involves security companies from around the world, on both software and hardware fronts.