How is the NSA accessing your data on Google, Facebook and more?

Does the government have 'direct access' to your data and information on Facebook and Google, or not?

Internet companies have long been monitoring the data that covers a person's entire life: e-mail, financial information, health-related searches, family members, and location information. It represents a level of surveillance that was never possible before.

Slides and leaked information provided to The Washington Post reveal that the government has tapped directly into it.

“Google is collecting all that stuff for themselves. Facebook is collecting all that stuff for themselves,” Gary McGraw, CTO of software security firm Cigital Inc., said. “Yahoo is doing the same thing. The question is, how much of it is the government getting?”


According to The Washington Post, the answer is apparently all of it, through a system called PRISM. But how?


In response to numerous media requests, several of the companies identified as willingly working with the National Security Agency to monitor their users -- including Google, Apple, Facebook, and Microsoft -- issued statements that appeared to deny any involvement.

A Google representative, for example, provided a statement that said in part, "Google does not have a 'back door' for the government to access private user data." Several companies, including Apple, Yahoo, and Facebook, all used the phrase "direct access" in denying they were cooperating with the NSA. Some critics said that together, the denials look coordinated and scripted.

One possible reason for this is that orders authorized by the Foreign Intelligence Surveillance Court often preclude the company involved from revealing anything about the surveillance. Such an order would necessitate denials from each of the companies under threat of leaking classified information related to national security.

The other issue regards presenting an aura of plausible deniability with the repeated phrase that the government does not have "direct access" to servers at Facebook or Yahoo. In other words, it just depends on what you mean by the word "direct." There are many ways in which the NSA could have access to Google transactional data without it technically being considered "direct."

"You could have a server on the premises of the Internet company that interfaces with the company's own systems," Graham Cluley, a senior technology consultant at security firm Sophos, said. Such systems would effectively act as a go-between, with the NSA sending direct commands only to their own servers, which in turn would communicate with the company's computers.

"That, I suspect wouldn't be considered 'direct' access," Cluley said.

Another method of data extraction could involve special software hooks that cull particular information, say, on messages to citizens or individuals in Canada or China. The information would then be automatically forwarded to NSA systems, which would in turn sort through the data looking for connections to other surveillance targets.

A similar approach was suggested by independent security researcher Ashkan Soltani in a Twitter posting. Soltani proposed that companies could give federal authorities a software API (application programming interface) that would let the NSA look for specific targeted activity.

The target -- at least of NSA snooping -- is foreign nationals, rather than U.S. citizens. However, interaction online with individuals outside the U.S. could easily bring Americans under the purview of the NSA.

The ultimate goal of all this data collection is often referred to as data mining. Essentially, it entails using a sophisticated system of cross-referencing to look for previously undetected relationships. For example, Verizon's records might detail how one phone often called a few specific Canadian smartphone numbers. Smartphones have IP (Internet Protocol) addresses associated with them, which could then be cross-referenced with any data traffic information gleaned from Facebook or Yahoo traffic to the same numbers.

Furthermore, smartphones deliver location information, effectively providing a trail of where the person was when they contacted a Web site or store about the purchase of fertilizer.

In a press release following a Guardian story about the U.S. government maintaining phone records on all Verizon subscribers, James Clapper, the director of National Intelligence, took great pains to point out that "only a small fraction of the records are ever reviewed" by security analysts directly.

However, in order to determine which records should be reviewed by analysts, all of the phone records are scanned and searched by computer programs. This automated spying system is what government officials are now scrambling to defend.

The technology to conduct such surveillance dates back more than a decade to the pre-9/11 days. In 2000, a now-retired researcher at the NSA, Bill Binney, was working on a program called ThinThread. Rather than collecting gigabytes of data and sending it back to NSA computers, ThinThread would look at credit card transactions, travel information, Google searches, and other information in real time and determine if there were relationships between people that might be flagged.

In the past, many cyber security experts have described how such real-time reports and data can be passed along from a company to an outside firm -- or government -- without "direct access." However, many of the same sources declined to offer comment for this story.

So is Google handing all or none of its data over to the NSA?

“Somewhere in-between is where the truth is,” says Cigital's McGraw.