Does NSA have “direct access” to corporate servers from Google, Microsoft, and other companies? That’s what the initial reports said. Then the Washington Post reported that “the arrangement is described as allowing ‘collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,’ rather than directly to company servers.” But what does that mean? Today, the New York Times digs a little more:
Instead of adding a back door to their servers, the companies were essentially asked to erect a locked mailbox and give the government the key….The data shared in these ways, the people said, is shared after company lawyers have reviewed the FISA request according to company practice. It is not sent automatically or in bulk, and the government does not have full access to company servers. Instead, they said, it is a more secure and efficient way to hand over the data.
….FISA orders can range from inquiries about specific people to a broad sweep for intelligence, like logs of certain search terms, lawyers who work with the orders said. There were 1,856 such requests last year, an increase of 6 percent from the year before.
Obviously this is still a little fuzzy, but the picture that’s developing is substantially different from the initial reporting. If tech companies have agreed only to build more secure ways of passing along data in response to individual FISA warrants, that explains why they’ve never heard of PRISM and why they deny being part of any program that allowed the government direct access to their data.
Technically speaking, this also makes a lot more sense. The process described by the Times sounds quite plausible, in contrast to the “direct access” story. Further reporting might clear this up even more, for example by explaining just how automated this system is and when human intervention is necessary.
For now, I’m just passing this along as interesting information. I suspect we’ll learn more over the next few days.