Saturday, June 08, 2013

Analyzing Yahoo's PRISM non-denial

Today, Yahoo's General Counsel posted a carefully worded denial regarding the company's alleged participation in the NSA PRISM program. To the casual observer, it might seem like a categorical denial. I do not believe that Yahoo's denial is as straightforward as it seems.

Below, I have carefully parsed Yahoo's statement, line by line, in order to highlight the fact that Yahoo has not in fact denied receiving court orders under 50 USC 1881a (AKA FISA Section 702) for massive amounts of communications data.

> We want to set the record straight about stories that Yahoo! has joined a program called PRISM through which we purportedly volunteer information about our users to the U.S. government and give federal agencies access to our user databases. These claims are false. [emphasis added]

No one has claimed that the PRISM program is voluntary. As the Director of National Intelligence has confirmed, the PRISM program involves court orders granted using Section 702 of the Foreign Intelligence Surveillance Act.

By falsely describing PRISM as a voluntary scheme, Yahoo's general counsel is then able to deny involvement outright. Very sneaky.

> Yahoo! has not joined any program in which we volunteer to share user data with the U.S. government. We do not voluntarily disclose user information.

Again, PRISM has nothing to do with voluntary disclosures. These are compelled disclosures, pursuant to an order from the FISA court.

> The only disclosures that occur are in response to specific demands.

The government can make a specific demand for information about all communications coming to or from a particular country. This is an empty statement.

> And, when the government does request user data from Yahoo!, we protect our users.

Claiming to "protect our users" means nothing.

> We demand that such requests be made through lawful means and for lawful purposes. We fight any requests that we deem unclear, improper, overbroad, or unlawful.

When the law allows blanket surveillance, "lawful means and lawful purposes" doesn't mean anything.

> We carefully scrutinize each request, respond only when required to do so, and provide the least amount of data possible consistent with the law.

When a FISA court order demands blanket surveillance, responding only when required to do so is an empty promise, as is providing the least amount of data possible.

> The notion that Yahoo! gives any federal agency vast or unfettered access to our users’ records is categorically false.

Elsewhere in the post, Yahoo uses the terms "user data" and "user information". Why the sudden switch to the term "users' records"? This seems to deny participation in a Section 215 metadata disclosure program (see: the Verizon Business order revealed earlier this week), which has nothing to do with PRISM.

In any case, the PRISM scandal is not about unfettered access to users' data. It is about giving the government data in which one party of the communication is not in the US. Yahoo is not accused of giving the government unfettered access to communications where all parties are in the US.

> Of the hundreds of millions of users we serve, an infinitesimal percentage will ever be the subject of a government data collection directive.

Note the use of the word directive in this statement, which does not mean voluntary. Now see below.

> Where a request for data is received, we require the government to identify in each instance specific users and a specific lawful purpose for which their information is requested.

Here, Yahoo switches to using the term "requests" which are voluntary, not demands. The government is not obligated to describe "a specific legal purpose" when it has obtained a court order compelling the disclosure of data. It is only when the government is making a voluntary request of Yahoo that the company has the ability to set terms for the disclosure.

> Then, and only then, do our employees evaluate the request and legal requirements in order to respond—or deny—the request.

Yahoo has flexibility when the government makes a request for data. The company has far less flexibility when it receives a court order demanding the disclosure of data.

> We deeply value our users and their trust, and we work hard everyday to earn that trust and, more importantly, to preserve it.

If that were true, Yahoo would protect the privacy and security of its customers by enabling HTTPS by default for Yahoo Mail. Yahoo was the last big email provider to even offer HTTPS as an opt-in option, and has still not enabled it by default.


Anonymous said...

You're being a large douche. Is there any statement that could've been written that you wouldn't have been compelled to do a line by line "analysis" of in order to validate your own feelings of insecurity and betrayal? Those with no information about both the government or the companies that run the services that much of the Internet use always seem to bark the loudest on matters like privacy and security.

James said...

Are you suggesting that, having received a lawful court order, tech companies should disobey the law?

James said...

The claim in Greenwald's article was that they were given "direct access" to the servers. Google and Apple -- everyone but America Online (I think they were closed for the weekend, all three of them.) denied it in no uncertain terms. I presume also that giving specific access in response to a court order would not count as what was alleged in the article. It seems the leak came from someone who didn't understand what he was seeing. Or by an unscrupulous "crusader" like Greenwald, or the idiots who worked for years to make "Whitewater" into a scandal.

Anonymous said...

I think he's suggesting that, having received a court order, companies should not lie to the very users they claim to be protecting, by saying that they have not.

Or use clever and ambiguous language that they know will mislead their users into believing this.

Anonymous said...

@Anonymous. Yahoo's statement was an official document written by a senior lawyer, so it's fair to assume the words were chosen with precision. These were not off-the-cuff remarks. So a legalistic analysis was wholly appropriate.

To answer your question - yes, it would have been possible to write the document so as to leave no room for doubt. For example, "Yahoo has not received court orders under 50 USC 1881a (AKA FISA Section 702) for communications data."

Anonymous said...

Anonymous@1:31AM: This statement from Yahoo! isn't just any statement. You seem to be completely naive about how the PR game is played. In a crisis such as this one, lawyers and PR people carefully construct public statements, judiciously selecting each word to thread the needle just so. Public statements are designed to sound pleasing to the layperson but often contain half-truths and qualifications which are always subject to semantic parsing by people who know how the PR game is played.

Anonymous said...

From what I understand, possibly- data mining at this level encapsulates a passive legal pass. Not all parties involved may be aware, nor required to report to notify said party- and do so under the specifics of the .... Nice angle btw. I think several pertinent points are made.

Anonymous said...

Have you bought your new tinfoil hat yet?

Yahoo, Google, et al have to comply with FISA orders, period. It is not cheap to do so. Therefore, they give the minimum required, and have their corporate sharks review it so they can avoid giving anything they don't have to, because it is a PITA.

IMO, PRISM is the name for the NSA's database+hadoop analysis software that takes raw data and tries to get intel from it.

Seriously, when you don't understand what is involved, don't default to hysteria.

raganRAGEAN said...

For f*cks sake, ragan. That's not the issue. Read the comment above again:

"I think he's suggesting that, having received a court order, companies should not lie to the very users they claim to be protecting, by saying that they have not.
Or use clever and ambiguous language that they know will mislead their users into believing this."

Get it now?

Anonymous said...

I am amazed no one has yet been amazed how everyone in the US does not give a damn about people from other countries. People are freaking out because these programs or law orders sometimes involve 1 party that is a US citizen.. What about the other party and his privacy? What about the other inter-foreigner communications? Does no one give a damn about their privacy?

You know, just because the company is US based input does not mean it should ignore other countries laws.

I assume these companies, by answering US court orders, are constantly breaking laws in other countries they operate...

When people freak out so selfishly, something is very wrong in the values of a country.

Anonymous said...

Attacking this post by saying Yahoo! has to provide the data by law is meaningless - I don't think anyone is arguing that they shouldn't.

Rather, it is about pointing out they are probably misrepresenting their involvement in the program - in other words: lying through misdirection and omission.

From what I understand they're also required by law to not tell people about what they're doing. So the only way for the public to glean the truth is actually through analyses such as these.

Anonymous said...

To the naive folks saying the program is legal and companies were forced to comply: then why and how could Twitter (and potentially LinkedIn) refuse it? And why did it take Apple 5 years to agree?

The only explanation is that PRISM really gives the government unfettered access to servers whereby the companies' cooperation isn't needed anymore. Once installed they could suck the whole server and the company wouldn't even know.

Anonymous said...

> because it is a PITA.
Something being a "PITA" might be a good reason for providing an interface that works more automated in the background.

> "direct access" to the servers […] denied it in no uncertain term
What does direct even mean? What if there is a nice interface in-between?

> Is there any statement
"I want you to listen to me. I'm going to say this again: I did not have direct access to that database"

Anonymous said...

Fantastic article. Thank you!
To the commenters: he just wants the people who take our money to provide services to be honest and open instead of hiding behind word screens.

Anonymous said...

@anonymous 1:31, @ravan -- it's not being a douche and hardly hysteria to study carefully a legal statement coming from one of the few massive titans on the Internet. if you don't realize Yahoo's legal spent even more time crafting the message than he did parsing it, then you don't understand law.

stop pretending you understand things others don't. unless you work for Yahoo and can set the record straight....but you don't. you're just another nobody on the Internet like the rest of us.

Anonymous said...

As an ACLU spokesperson, why are you trying to cast aspersions on the corporations involved? They have to comply under the law. Period. The problem is with the government and the law itself. You're complicit in this if you continue to make it seem like the companies did anything wrong; you're just distracting the public from the real problem.

Anonymous said...

FB's (Zuck's) response seems pretty unambiguous

"Facebook is not and has never been part of any program to give the US or any other government direct access to our servers. We have never received a blanket request or court order from any government agency asking for information or metadata in bulk, like the one Verizon reportedly received."

Not Anonymous Anymore said...

There's a lot of room for manipulation in Zuckerberg's announcement too:

"Facebook is not and has never been part of any program to give the US or any other government direct access to our servers."
-It's not direct. It's indirect via a secure portal that performs queries. Just like Google gives you indirect access to millions of websites.

"We have never received a blanket request or court order from any government agency asking for information or metadata in bulk,"
-Of course not. You have only received a request to install a device, which could then extract information in bulk on its own.

"like the one Verizon reportedly received."
-It's not like it, because it covers content and not just metadata.

Anonymous said...

Bob said: "All phenomena are real in some sense, unreal in some sense, meaningless in some sense, real and meaningless in some sense, unreal and meaningless in some sense, and real and unreal and meaningless in some sense."

Let's pose both the Guardian piece and the company denials are both true and meaningful. What do we learn?

Prism is the name of an NSA program for NSA users.
Prism is not a program Yahoo, Google or Facebook joined, at least not under that name.
There does not have to be direct access to the servers. Guardian document claimed: Data collected directly from the servers.

How is it possible for the NSA to get access to this data without direct access?
The data is probably collected at the ISP-level (room 641a-style), Hardware level, Content Delivery level, or by the companies themselves (data retention laws).

NSA can get access to this data by using a warrant or court order. Prism is a program to help with part of this process. It could format the requests for the different legal departments, format the log-data to actionable data like the raw mail contents and even linguistic analysis on those contents.

Google and Facebook have not been getting blanket or huge requests like the ones Verizon received:
...we had never heard of the broad type of order that Verizon received
Yahoo probably has or it doesn't deny it:
...Where a request for data is received, we require the government to identify in each instance specific users and a specific lawful purpose for which their information is requested.
This can still be a huge overbroad list. But luckily:
...We fight any requests that we deem unclear, improper, overbroad, or unlawful.
Which means they have probably received overbroad requests, including those they can not disclose.

Yahoo and other companies didn't offer a non-denial. They denied direct access without a warrant/request/order. They denied knowing the internal code-name for a NSA project that involved them.

Between the lines they don't deny: Getting requests. Getting requests with a gag-order. Having to retain all their communications for a period of time to stay in accordance with the law. That the NSA probably has access to this data pile. In the case of non-Americans it has free lawful direct access to this data pile (not the servers).

Obama even said as much as that all non-US phonecalls and internet communication are analyzed.

I hope Google and Facebook can keep saying stuff like:
...We have never received a blanket request or court order from any government agency asking for information or metadata in bulk, like the one Verizon reportedly received.

It sounds like a canary of sorts. If they have received such an order they wouldn't be able to talk about that anymore.

But if NSA has access to the back-up/retention data pile/ISP data/Content delivery data (again.. not the servers) in accordance with the law, they wouldn't even need to request access anymore. As in: Google and Facebook would not receive a request like the one Verizon got, the NSA would just get it with a court order.

Anonymous said...

@Anonymous at 10:15 AM: He isn't taking issue with their compliance, he's challenging their voluntary, implicit denial of it. FISA/NSL requests contain a gag order preventing those served from acknowledging receipt of such requests, so the corporations involved would be excused for staying mute; but here Yahoo has gone on record with insinuations of non-collusion. They could have said, for instance, that legal constraints prevent them from acknowledging the scope of their involvement with PRISM, "taking the Fifth," figuratively speaking, which would've deflected public criticism up to where it truly belongs: the state. Instead, they chose to frame themselves as non-participants. Yahoo's statement is arguably a lie, but as Soghoian points out, contains enough shrewdly selected verbiage to stop short of an actual denial.

Anonymous said...

Notice Zuckerberg's carefully crafted statement. He only copped to not doing it in the past. He didn't say Facebook would NEVER do it.

Anonymous said...

For largely the same reasons as CS has set out in the OP I think this statement is not a denial, but I don't think they're lying, and I also don't think they're being sneaky. - I think the language is completely intentional - along the lines of "We do not do anything voluntarily here. We are being forced to provide data and forced to keep quiet about this abusive and absolutely crazy interference by government in our business and breach of trust with our customers. Pay attention, people, thank G you're finally asking questions!". And fb is the same. Don't blame the providers, no one is "asking" them to cooperate as if there's a choice to say "no". I think this message from Yahoo is honest and well crafted to deliver a specific message. Look at what they actually said.

Anonymous said...

Sorry for english.

As a previous post said, it appears in this story that disclosures for foreign users are not to be blamed? Even a US citizen should not trust a company that tells seriously not using data of US users but without care of foreign users data.
More, deciding data is 'relevant' (part of a foreign exchange) is a myth - where is and how to set a border?

Then, IMO, the major threat is from companies themselves: we all know, except being naive, that data are disclosed for commercial and advertising purposes (Yahoo officially claims it!). Why being so confident with private companies and not with supposed-so democratic state?

So, no way, if information is really sensitive, we should not spread it over the web. Dot.

Anonymous said...

What about Google's "What the ...?" blog post?

He says:
First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday.

This can't be a blank statement. If the above statement is true, Yahoo might as well be saying the truth.

Anonymous said...

It's two different situations.

1. NSA freely has access to Yahoo data? False

2. The Feds sometimes go knocking at Yahoo's (or any internet company for that matter) door asking for specific data and sometimes get access to that data (only after having the "proper paper work" filled out)? True

Anonymous said...

Actually the weasel words were correctly parsed in what was a strawman.

Mr. Nam said...