The information was released by the Washington Post today and shows a very shocking disregard for privacy and due process. Unfortunately, PRISM is protected by the Foreign Intelligence Surveillance Act, so although it is highly unethical, exceptionally intrusive and has a very high likelihood of being abused, there is nothing illegal in what the NSA is doing. The system is pretty simple: someone at the NSA “tasks” it (puts in a search for information) looking for particular information. The search strings they use give a 51% chance of not getting a US citizen, which is not all that great. From there the technician digs through the data and begins expanding the search by tracking down contacts: people that might have emailed the person or received email from the person under scrutiny. The techs are instructed to dig at least three levels deep on any contact the person has. This means that there is almost no way that data about US citizens is not being captured.
The information in question is quite extensive and includes chat conversations (even voice and video), audio, video, email, documents, data packets, internet habits and more. The NSA can grab this from the servers at any cooperating internet company, so if you are using ANY Microsoft, Google, Yahoo, Facebook, Apple etc. cloud service, your information is subject to search without warrant or notification (makes the cloud sound less attractive). You also have no grounds to sue any of these companies, as they are protected by their cooperation agreements. Google, on the other hand, claims it is not and has never been aware of any “back doors” for surveillance on its systems, saying: “We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a ‘back door’ for the government to access private user data.”
The public disclosure of PRISM shows very clearly that the systems many take as secure are not secure at all. Microsoft, Apple, Google and Yahoo are allowing the NSA to collect information about your conversations on their services and there is nothing that you can do about it at all. It is something that many privacy advocates have worried about for years, and for which they have always been put in the conspiracy nut category. Now there is no doubt that these services are not only susceptible to surveillance, but that the companies running them are cooperating with the people doing the spying (makes the “leaked” DEA note about iMessage look even more like a fake).
Outside of the business impact that this is sure to have on these cloud service providers, we also wonder how this voluntary access affects HIPAA (The Health Insurance Portability and Accountability Act of 1996) compliance and the confidentiality of doctor/patient or lawyer/client communications. If patient records are not confidential and are subject to search by the NSA and potentially others, does this mean that Google, Microsoft, Apple and Yahoo are not truly HIPAA compliant? It would seem so if you look over the standards. This group of cloud service providers is certain to lose some business over their involvement in PRISM, and honestly it serves them right. We put our trust in them when they handle our communications and data, and they violated it by allowing others to pick through it. It is this heavy-handed approach to investigation that has many very worried about the way electronic communication is treated. It is one thing to have suspicion and look for evidence. It is another to dig through data at random to see if there is anything to be found.
*** Update: according to the Guardian, all of the companies involved are now denying cooperation. They all still state that they only give user data as required by law. This does not rule out cooperation with PRISM, as it is fully legal and companies can be compelled to work with the system. ***