As the fallout continues to rain down from recent reports about the NSA snooping on millions of phone calls and terabytes of web traffic, the spin campaign from both the government and the technology companies allegedly involved in the program has reached a fever pitch. First there were strenuous denials from the likes of Google, Yahoo and Facebook, followed by broad hints that they only co-operated because they were trying to make things easier on their users — and then leaked reports that some were essentially forced at gunpoint to do the NSA’s bidding.
Whatever the case may be, agreeing to turn over data to the government might have seemed like a good idea at the time, but the potential downside risks of that particular slippery slope are fairly overwhelming.
The popular response to the NSA revelations may lie somewhere between mild disinterest and outright apathy, according to surveys like the one done by the Pew Center — in part because we seem to have gotten used to the idea that tech companies are monitoring our every move. But being seen as co-operating with the spy agency is still a fairly huge risk for cloud-based services. Not only that, but co-operating in even a small way makes those companies look like easy targets for further government pressure.
Who co-operated and to what extent is unclear
At this point, the actual truth of what is involved in the NSA’s so-called PRISM program remains a rapidly shifting target. The documents first published by the Guardian and the Washington Post a week ago seemed pretty cut and dried in their description of a system that allowed the spy agency “direct access” to the servers of Google, Yahoo, Facebook and about half a dozen other companies — something the Post originally said was provided voluntarily and gave the NSA broad access to information about user behavior.
Almost immediately, however, the details started to blur: not only did those companies deny providing “direct access” to their servers, but some sources said the data was only provided under duress, because of secret court orders related to the Foreign Intelligence Surveillance Act. As the days went on, other reports quoted anonymous sources saying the whole system (the one those companies had denied any knowledge of) was just an attempt to automate the processing of those legitimate FISA requests.
One report quoted anonymous staffers at several of the companies saying they only agreed to co-operate with the NSA because they were afraid if they didn’t do so, the government would demand even more of their data and that wouldn’t be fair to users. And finally, on Friday, the New York Times reported — using some conveniently leaked documents — that Yahoo had tried to resist the NSA’s attempts to compel it to provide user data, but was ultimately unsuccessful and was ordered by the court to comply.
User trust is a precious commodity
So what we have now is a broad range of conflicting reports about who did what — including semantic debates about what the term “direct access” actually means, as well as how much access was provided voluntarily vs. how much was provided under duress. So far, the only company that seems to have emerged unscathed is Twitter, which reportedly fought the government’s attempts to enrol the company in the PRISM program and succeeded, a tale that has burnished Twitter’s claim to be the “free-speech wing of the free-speech party.”
That said, however, there seems to be little doubt that many companies co-operated with the NSA, and may have set up “lockbox” or “clean room”-style facilities for providing data — and there are even suggestions that this group could go far beyond just Google and Yahoo and Facebook, and could include hundreds of other technology providers that have co-operated to some extent with the spy agency and given the NSA details about their equipment and/or products that could help its surveillance program.
These companies may have convinced themselves that co-operation was inevitable, or that they needed to do something to help the government catch terrorists, or that by automating the legally legitimate FISA process they could save themselves a lot of trouble and expense, or some combination of all the above. But in reality, they have not only shown themselves to be weak — which will encourage the NSA to pressure them even further because they know they can win — but also fundamentally untrustworthy, and that could cause them a lot more problems with users than they ever contemplated.