Revelations about the Internet spying system PRISM have put the international spotlight on the extent of the U.S. government’s secret surveillance. But the disclosures also raise important questions about the role the world’s largest Internet companies played in hoodwinking the public over the controversial spying.
Last week, the Guardian and the Washington Post reported that Internet giants including Google, Microsoft, Facebook, and Yahoo are involved in an NSA program that enables the government to monitor emails, file transfers, photos, videos, chats, and other private data. The companies have denied providing the NSA with “direct access” to their servers. However, executives from unnamed companies linked to PRISM have since acknowledged some level of participation in the NSA program—which appears to involve using broad court orders issued under the Foreign Intelligence Surveillance Act to gain access to foreigners’ private communications.
There were many striking details in the Washington Post’s scoop about PRISM and its capabilities, but one part in particular stood out to me. The Post, citing a top-secret NSA PowerPoint slide, wrote that the agency has a specific “User’s Guide for PRISM Skype Collection” that outlines how it can eavesdrop on Skype “when one end of the call is a conventional telephone and for any combination of 'audio, video, chat, and file transfers' when Skype users connect by computer alone.” (Emphasis added.)
This piece of information is significant for a number of reasons. Last year, speculation arose in the hacker community that Skype, which was purchased by Microsoft in 2011 and had been difficult to wiretap, had become compliant with law enforcement demands. I pressured Skype to disclose its eavesdropping capabilities, but the company refused to discuss the matter. After a range of advocacy groups published an open letter calling for more clarity on the issue, Microsoft eventually released a transparency report detailing information about law enforcement requests for user data. The report devoted an entire section to Skype and claimed that in 2012, it hadn’t handed any communications content over to authorities anywhere in the world. Microsoft also said in notes accompanying the transparency report that calls made between Skype-Skype users were encrypted peer-to-peer, implying that they did not pass through Microsoft’s central servers and could not be eavesdropped on—except maybe if the government deployed a spy Trojan on a targeted computer to bypass encryption.
But the NSA “PRISM Skype Collection” guide casts doubt on whether any Skype communications are beyond the NSA’s reach. That the NSA claims to be able to grab all Skype users’ communications also calls into question the credibility of Microsoft’s transparency report—particularly the claim that in 2012 it did not once hand over the content of any user communications. Moreover, according to a leaked NSA slide published by the Post, Skype first became part of the NSA’s PRISM program in February 2011—three months before Microsoft purchased the service from U.S. private equity firms Silver Lake and Andreessen Horowitz.
The PRISM system operates under FISA, which can be used to secretly demand user data and force gag orders on companies so that they cannot disclose their involvement in the surveillance. Microsoft told me in an emailed statement that it “went as far as it was legally able in documenting disclosures in its Law Enforcement Requests Report,” adding that “there should be greater transparency on national security requests and Microsoft would like the government to take steps to allow companies to do that.”
However, even if Microsoft were under a FISA gag, it could still have put a vague disclaimer on its Skype transparency report noting that for unspecified national security reasons it could not provide details of all cases in which it handed over communications content. True, no other companies disclose FISA requests, either, but at least they acknowledge handing over some communications when presented with search warrants. Microsoft portrayed Skype communications as totally beyond the reach of the government. Indeed, the company apparently chose to claim that it handed over the content of zero communications in 2012—while at the same time complying with a FISA surveillance program that enables the NSA to sift through Skype communications. If reports of Microsoft’s participation in secret FISA-PRISM surveillance are accurate, the company disingenuously created a false sense of security by implying that users’ communications were not being turned over to the government.
Following the revelations about PRISM, Microsoft has joined forces with other Internet giants to call on the U.S. government to be more transparent on FISA surveillance. But Microsoft—like Google, Facebook, and others—cannot claim to be a passive victim in this story. Unlike Twitter, it did not push back against excessive U.S. government surveillance requests until the leaked documents were disclosed, and in some cases may have been complicit in misleading the public over the extent of the snooping. That is why it is crucial that while the U.S. government is the center of international attention in the PRISM saga, the companies linked to the program should feel the full heat of the spotlight, too.