I thought I'd write up a brief piece of journalists on reconciling the admissions by the NSA and the denials by the companies involved with the PRISM program.
The thing you need to look at is my Altivore program, a bit of code I wrote back in 2000 to explain the Carnivore controversy. Like the current issue, there were irreconcilable claims about Carnivore. One set of claims is that it eavesdropped on everyone's traffic, including "Echelon" style keyword searching of emails. The second set of claims is that it was just a law enforcement tool, that it only captured the traffic of a single person that was the subject of lawful warrant.
As my Altivore code shows, both competing claims are true. It both captures "everything" but is limited to only "one thing". You can download my code, compile it, and run it on your own computer to see for yourself (it works on Mac OS X, Windows, and Linux, and the little Raspberry Pi).
The confusion is where to draw the line between "everything" and "one-thing". If you give Yahoo a court order for the emails of "email@example.com" (a notorious hacker), they must first access a server that holds the emails of millions of people. There is a boundary between the starting point that sees everyone's emails, and the end product, which is just the emails of this hacker.
You see that boundary line in the Verizon court order for all data. As the NSA's clarification points out, that doesn't give the NSA immediate access to all that data. Instead, while it exists on NSA servers, agents still need separate court orders to get at data, limited to only the person specified in the order. Thus, we see that while they have "everything", they are still only allowed "one-thing" at a time. (By the way, I'm discussing this at face value -- the NSA is being highly deceptive here, their omnipresent surveillance is Orwellian and wrong, but that'll be the topic of a future post).
Carnivore (and my Altivore) are a network tap. In theory, they see everything going across the network wire, which means law enforcement is theoretically seeing everything. But, Canrivore is designed to only copy the data that is the target of the warrant. It uses "deep packet inspection" to find when "firstname.lastname@example.org" (the target of a warrant) logs on, then copies all the packets with her IP address until she logs out. Thus, as you see in the Altivore code, it sees "everything", but copies only the "one-thing" for law enforcement. Law enforcement personel only sees the end result, within the bounds of the court order, and not the starting data.
I'm betting that PRISM works the same way. On one hand, whatever it is, it could be described as "potential" access to everything, but that in practice, the only thing the NSA gets is "one-thing" at at a time for each court order.
Consider Facebook for the moment. When people access their Facebook accounts, the servers record the source IP address. However, in order to protect their privacy, some people use a proxy, so the servers won't know the real IP address of the user, just the IP address of the proxy. Proxies add a header like "X-Forwarded-For" that identify that original user. The problem is that Facebooks servers don't log that, so when the law enforcement asks Facebook for the IP address of a user identified in a warrant, Facebook can't tell them. What the government might do is go to Facebook and ask them to start logging that header, so that future warrants will get that information. Thus, we have a story where where government partners with Facebook to get direct access to more information, but yet, it's not what you thought those words meant, and both sides are telling the truth.
Here is what I'm betting: the PRISM program isn't all that we fear, but more than we find tolerable. For example, I find it interolerable that such companies would increase their logging in order to aid law enforcement.
To figure this out, you journalists are going to have to find the correct questions to ask these companies. Since we don't know the right answers, it is of course, hard finding the right questions. One question I would suggest is "Have you changed what you log at the request of law enforcement?" or "Do you log more things than you would otherwise had law enforcement not asked you?" Another question is "At any time has the government intimidated you, such as threatening investigations into business or whithholding regulatory approval, in order to get cooperation with law enforcement?".
By the way, among the things I'll bet you find is that Microsoft and Facebook are the ones helping law enforcement the most, and that Google and Apple are doing the least to help law enforcement. That would also be a good thread to investigate if I were you.