NSA, FBI tapping Internet companies' data records

WASHINGTON -- The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, emails, documents, and connection logs that enable analysts to track one target or trace a whole network of associates, according to a top-secret document obtained by The Washington Post.

The program, code-named PRISM, has not been made public until now. It may be the first of its kind. The NSA prides itself on stealing secrets and breaking codes, and it is accustomed to corporate partnerships that help it divert data traffic or sidestep barriers. But there has never been a Google or Facebook before, and it is unlikely that there are richer troves of valuable intelligence than the ones in Silicon Valley.

Equally unusual is the way the NSA extracts what it wants, according to the document: "Collection directly from the servers of these U.S. Service Providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple." PalTalk, although much smaller, has hosted significant traffic during the Arab Spring and Syria's civil war.

In a statement issued late Thursday, Director of National Intelligence James Clapper said "information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats. The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans."

Clapper added that there were numerous inaccuracies in reports about PRISM by the Post and Britain's The Guardian newspaper, but he did not specify any.

The PRISM program appears to resemble the most controversial of the warrantless surveillance orders issued by President George W. Bush after the al-Qaida attacks of Sept. 11, 2001. Its history, in which President Barack Obama presided over exponential growth in a program that candidate Obama criticized, shows how fundamentally surveillance law and practice have shifted away from individual suspicion in favor of systematic, mass collection techniques.

PRISM was launched from the ashes of Bush's secret program of warrantless domestic surveillance in 2007, after news media disclosures, lawsuits and the Foreign Intelligence Surveillance Court forced the president to look for new authority.

Congress obliged, with the Protect America Act in 2007 and the FISA Amendments Act of 2008, which immunized private companies that cooperated voluntarily with intelligence collection. PRISM recruited its first partner, Microsoft, and began six years of rapidly growing data collection beneath the surface of a roiling national debate on surveillance and privacy.

The court-approved program is focused on foreign communications traffic, which often flows through U.S. servers even when sent from one overseas location to another.

Several companies contacted by the Post said they had no knowledge of the program and responded only to individual requests for information.

"We do not provide any government organization with direct access to Facebook servers," said Joe Sullivan, chief security officer for Facebook. "When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law."

"We have never heard of PRISM," an Apple spokesman said. "We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order."

Government officials and the document itself made clear that the NSA regarded the identities of its private partners as PRISM's most sensitive secret, fearing that they would withdraw from the program if exposed.

Twitter, which has cultivated a reputation for aggressive defense of users' privacy, is still conspicuous by its absence from the list of "private sector partners."

"Google cares deeply about the security of our users' data," a company spokesman said. "We disclose user data to government in accordance with the law, and we review all such requests carefully. . . . Google does not have a 'back door' for the government to access private user data."

Firsthand experience with these systems, and horror at their capabilities, is what drove a career intelligence officer to provide PowerPoint slides about PRISM and supporting materials to The Washington Post in order to expose what he believes to be a gross intrusion on privacy. "They quite literally can watch your ideas form as you type," the officer said.