Mark Jaquith’s post The PRISM Details Matter is spot-on. Glenn Greenwald has misunderstood a key technical fact, one that removes the most explosive charge in the whole scoop. And for some reason, Greenwald refuses to correct it.
The crucial question is:
Are online service companies giving the government fully automated access to their data, without any opportunity for review or intervention by company lawyers?
Greenwald essentially says yes, they are. Yet nothing leaked so far indicates that this is the case, and the companies all vehemently deny it. They say they have humans in the chain. The information leaked so far supports this claim or is at least consistent with it.
It looks like Greenwald & co simply misunderstood an NSA slide, most likely because they don’t have the technical background to know that “servers” is a generic word and doesn’t necessarily mean the same thing as “the main servers on which a company’s customer-facing services run”. The “servers” mentioned in the slide are just lockboxes used for secure data transfer. They have nothing to do with the process of deciding which requests to comply with — they’re just a means of securely & efficiently delivering information once a company has decided to do so.
As Jaquith emphasizes, this is not merely a pedantic point. This is central to the story, and as far as I can tell, Greenwald continues to misunderstand and thus misrepresent it. It’s an epic botch in an important story :-(.
An email I sent to some friends yesterday, about this exact same point:
From: Karl Fogel
To: <undisclosed recipients>
Subject: Re: Cowards | Uncrunched
Date: Mon, 10 Jun 2013 14:18:57 -0500

One of the above wrote:
>Since the topic has taken over part of my morning, thought I'd share:
>http://uncrunched.com/2013/06/07/cowards/

I read this post when it came out, yeah. I think it's mostly wrong.

What is described here is just a delivery mechanism. *If* you're a company that's complying with government requests for data (and not all requests are abusive or unreasonable) a lockbox is a perfectly sensible way to do it. Sure, the lockbox may run on a server that belongs to the company, but this is not the same as -- indeed, is *totally unrelated to* -- giving the government direct access to your servers, the servers that are related to the actual service you provide as part of your business, which is how far too many bloggers are portraying it. Grrrrr.

Uncrunched quotes Claire Cain Miller approvingly:

"While handing over data in response to a legitimate FISA request is a legal requirement, making it easier for the government to get the information is not."

What? This makes no sense. The lockbox may or may not make it easier for the government, but it sure makes it easier for the *company* to securely hand over data while lowering the risk of some unauthorized third party gaining access. If you're going to comply, might as well do it responsibly and without increasing the compliance burden on yourself.

What the hell are the companies supposed to do? Put the data on a CD-ROM and mail it to Fort Meade?

It's not like there aren't legitimate things to complain about here. I don't understand why Uncrunched is wasting time with non-problems.