Bombshell revelations this week about two sweeping surveillance programs in the United States are shining a light on just how much information U.S. intelligence agencies are gathering on foreigners and American citizens.
According to The Guardian newspaper, intelligence agencies have been collecting information about all phone calls passing through Verizon servers since the issuing of a top-secret court order in late April. As part of another program, dubbed Prism, those agencies have been gathering data about users from nine of the biggest technology companies in the world, including Apple, Google and Microsoft. The agencies collected this information by tapping directly into the companies' servers.
Prism appears to be an extension of a similar program put in place during the last days of the George W. Bush presidency. According to classified presentation slides obtained by The Washington Post and The Guardian, Microsoft was the first of the major companies to be included in the program, back in late 2007, followed by Yahoo in 2008, Google, Facebook and PalTalk in 2009, YouTube in 2010, and Skype and AOL in 2011. Most recently, Apple was added in October of 2012. On Friday, U.S. President Barack Obama defended the surveillance, saying it was approved by Congress and subject to judicial oversight.
The companies respond
Many of the technology companies have denied involvement with the Prism project. In a statement sent to The Globe by a Microsoft spokesman, the company said, "We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don't participate in it."
Google echoed the statement, saying: "We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government 'back door' into our systems, but Google does not have a 'back door' for any government to access private user data."
The most vehement denial came from Apple: "We have never heard of Prism. We do not provide any government agency with direct access to our servers, and any government agency requesting data must get a government order."
All three companies have reason to worry about the implications of being seen to co-operate with Prism, in large part because cloud computing is a lucrative revenue generator. Should customers start to worry that their data is being made available wholesale to U.S. intelligence agencies, many may opt to ditch cloud-computing services altogether.
What was collected?
In the case of the Verizon warrants, the information gathered is referred to as "metadata," or information about information. Intelligence agencies did not collect the content of the conversations between callers – "Nobody is listening to your telephone calls," Mr. Obama said Friday in assuring Americans – but did gather almost everything else, including both incoming and outgoing numbers and location.
In many cases, metadata can be more informative than the content itself, in part because it allows for the building of relationship networks. For example, some insurance companies have automated computer systems that try to pinpoint fraud by looking at the connections between customers and claims for unusual patterns, such as a link between unrelated parties and the same home or car. With Prism, the names of the callers were not disclosed, but it isn't hard to determine an identity once in possession of a phone number.
It appears that intelligence agencies had access to a massive trove of data from Prism, including everything from e-mails to chat logs to documents. Mr. Obama said the data collected from the program did not apply to U.S. citizens or people living in the United States. The data was allegedly obtained directly from the servers of the nine companies, including Microsoft, Google, Apple, Yahoo and multiple services owned by those companies. Asked by The Globe if they intended to go to court or use other measures to find out if their servers had been accessed without consent, Microsoft, Google and Apple would not comment.
Were Canadians targeted?
The possibility that Canadians were caught up in one or more of the surveillance programs appears to be very high. In the case of the Verizon warrant, calls between Canada and the U.S. would have been subject to collection. With Prism, many of the cloud services offered to Canadians by the technology companies in question are built on servers that are physically located in the United States.
The Canadian government would not say Friday whether its eavesdropping agency has access to the massive databanks of information that U.S. intelligence agencies have gathered from cellphone and Internet companies. The Guardian reported that Britain's signals-intelligence agency has access to the information. But Ottawa did not answer questions about whether the Canadian counterpart, the Communications Security Establishment, also has access to the data. The U.S., Britain, Canada, Australia and New Zealand are part of a "five-eyes" intelligence-sharing arrangement.
"The revelations of the past two days are stunning and raise huge concerns about Canadian participation in such surveillance efforts as well as the prospect that Canadian communications are being swept up as part of U.S. surveillance efforts," said Michael Geist, a law professor and Canadian privacy-law expert.
"Indeed, when the U.S. says only non-U.S. citizens are targeted in some instances, that certainly suggests that Canadians are a potential target."
With a report from Campbell Clark in Ottawa