• Top-secret files show first evidence of financial relationship • Prism companies include Google and Yahoo, says NSA • Costs were incurred after 2011 Fisa court ruling
Ewen MacAskill in New York
- The Guardian, Thursday 22 August 2013
The National Security Agency paid millions of dollars to cover the costs of major internet companies involved in the Prism surveillance program after a court ruled that some of the agency’s activities were unconstitutional, according to top-secret material passed to the Guardian.
The technology companies, which the NSA says includes Google, Yahoo, Microsoft and Facebook, incurred the costs to meet new certification demands in the wake of the ruling from the Foreign Intelligence Surveillance (Fisa) court.
The October 2011 judgment, which was declassified on Wednesday by the Obama administration, found that the NSA’s inability to separate purely domestic communications from foreign traffic violated the fourth amendment.
While the ruling did not concern the Prism program directly, documents passed to the Guardian by whistleblower Edward Snowden describe the problems the decision created for the agency and the efforts required to bring operations into compliance. The material provides the first evidence of a financial relationship between the tech companies and the NSA.
The intelligence agency requires the Fisa court to sign annual “certifications” that provide the legal framework for surveillance operations. But in the wake of the court judgment these were only being renewed on a temporary basis while the agency worked on a solution to the processes that had been ruled illegal.
An NSA newsletter entry, marked top secret and dated December 2012, discloses the huge costs this entailed. “Last year’s problems resulted in multiple extensions to the certifications’ expiration dates which cost millions of dollars for Prism providers to implement each successive extension – costs covered by Special Source Operations,” it says.
The disclosure that taxpayers’ money was used to cover the companies’ compliance costs raises new questions over the relationship between Silicon Valley and the NSA. Since the existence of the program was first revealed by the Guardian and the Washington Post on June 6, the companies have repeatedly denied all knowledge of it and insisted they only hand over user data in response to specific legal requests from the authorities.
An earlier newsletter, which is undated, states that the Prism providers were all given new certifications within days of the Fisa court ruling. “All Prism providers, except Yahoo and Google, were successfully transitioned to the new certifications. We expect Yahoo and Google to complete transitioning by Friday 6 October.”
An earlier undated newsletter after the Fisa court ruling on certifications. Photograph: guardian.co.ukThe Guardian invited the companies to respond to the new material and asked each one specific questions about the scale of the costs they incurred, the form of the reimbursement and whether they had received any other payments from the NSA in relation to the Prism program.
A Yahoo spokesperson said: “Federal law requires the US government to reimburse providers for costs incurred to respond to compulsory legal process imposed by the government. We have requested reimbursement consistent with this law.”
Asked about the reimbursement of costs relating to compliance with Fisa court certifications, Facebook responded by saying it had “never received any compensation in connection with responding to a government data request”.
Google did not answer any of the specific questions put to it, and provided only a general statement denying it had joined Prism or any other surveillance program. It added: “We await the US government’s response to our petition to publish more national security request data, which will show that our compliance with American national security laws falls far short of the wild claims still being made in the press today.”
Microsoft declined to give a response on the record.
The responses further expose the gap between how the NSA describes the operation of its Prism collection program and what the companies themselves say.
Prism operates under section 702 of the Fisa Amendments Act, which authorises the NSA to target without a warrant the communications of foreign nationals believed to be not on US soil.
But Snowden’s revelations have shown that US emails and calls are collected in large quantities in the course of these 702 operations, either deliberately because the individual has been in contact with a foreign intelligence target or inadvertently because the NSA is unable to separate out purely domestic communications.
Last week, the Washington Post revealed documents from Snowden that showed the NSA breached privacy rules thousands of times a year, in the face of repeated assurances from Barack Obama and other senior intelligence figures that there was no evidence of unauthorised surveillance of Americans.
The newly declassified court ruling, by then chief Fisa judge John Bates, also revealed serious issues with how the NSA handled the US communications it was sweeping up under its foreign intelligence authorisations.
The judgment revealed that the NSA was collecting up to 56,000 wholly US internet communications per year in the three years until the court intervened. Bates also rebuked the agency for misrepresenting the true scope of a major collection program for the third time in three years.
The NSA newsletters say the agency’s response to the ruling was to work on a “conservative solution in which higher-risk collection would be sequestered”. At the same time, one entry states, the NSA’s general counsel was considering filing an appeal.
The Guardian informed the White House, the NSA and the office of the director of national intelligence that it planned to publish the documents and asked whether the spy agency routinely covered all the costs of the Prism providers and what the annual cost was to the US.
The NSA declined to comment beyond requesting the redaction of the name of an individual staffer in one of the documents.
UPDATE: After publication, Microsoft issued a statement to the Guardian on Friday afternoon.
A spokesperson for Microsoft, which seeks reimbursement from the government on a case-by-case basis, said: “Microsoft only complies with court orders because it is legally ordered to, not because it is reimbursed for the work. We could have a more informed discussion of these issues if providers could share additional information, including aggregate statistics on the number of any national security orders they may receive.”