
What does Prism tell us about privacy protection?

00:48
President Obama has defended US surveillance tactics, but whistleblower Ed Snowden said he was "horrified" by the activities.

Last night Ed Snowden, a 29-year-old former technical worker for the CIA, revealed himself to be the source of the leaks in an interview with the Guardian news website.
US director of national intelligence James Clapper described the leaks as "extremely damaging" to national security, but Mr Snowden said he had acted because he found the extent of US surveillance "horrifying".
What could the US government see?
According to the documents revealed by Ed Snowden, the US National Security Agency (NSA) has access on a massive scale to individual chat logs, stored data, voice traffic, file transfers and social networking data of individuals.
The US government confirmed it did request millions of phone records from US company Verizon, which included call duration, location and the phone numbers of both parties on individual calls.


According to the documents, Prism also enabled "backdoor" access to the servers of nine major technology companies including Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple.
These servers would process and store a vast amount of information, including private posts on social media, web chats and internet searches.
All the companies named have denied their involvement, and it is unknown how Prism actually works.
Some experts question its true powers, with digital forensics professor Peter Sommer telling the BBC the access may be more akin to a "catflap" than a "backdoor".
"The spooks may be allowed to use these firms' servers but only in respect of a named target," he said.
"Or they may get a court order and the firm will provide them with material on a hard-drive or similar."

How surveillance came to light

  • 5 June: The Guardian reports that the National Security Agency (NSA) is collecting the telephone records of millions of US customers of Verizon, under a top-secret court order
  • 6 June: The Guardian and the Washington Post report the NSA and the FBI are tapping into US internet companies to track online communication, in a scheme known as Prism
  • 7 June: The Guardian reports President Obama has asked intelligence agencies to draw up a list of potential overseas targets for US cyber-attacks
  • 7 June: President Obama defends the programmes, saying they are closely overseen by Congress and the courts
  • 8 June: US director of national intelligence James Clapper calls the leaks "literally gut-wrenching"
  • 9 June: The Guardian names former CIA technical worker Edward Snowden as the source of the leaks
What about data-protection laws?
Different countries have different laws regarding data protection, but these tend to aim to regulate what data companies can hold about their customers, what they can do with it and how long they can keep it for - rather than government activity.
Most individual company privacy policies will include a clause suggesting they will share information if legally obliged - and include careful wording about other monitoring.
Facebook's privacy policy, for example, states: "We use the information [uploaded by users] to prevent potentially illegal activities".
Are we all being watched?

"You can't have 100% security and also then have 100% privacy and zero inconvenience," said US President Barack Obama, defending US surveillance tactics on Sunday.
The ways in which individual governments monitor citizen activity are notoriously secretive in the interests of national security, and officials generally argue that preventing terrorism over-rides protecting privacy.
Speaking to the BBC, UK Foreign Secretary William Hague said that "law abiding citizens" in Britain would "never be aware of all the things... agencies are doing to stop your identity being stolen or to stop a terrorist blowing you up".
Does it make a difference which country you live in?
User data (such as emails and social media activity) is often not stored in the same country as the users themselves - Facebook for example has a clause in its privacy policy saying that all users must consent to their data being "transferred to and stored in" the US.
The US Patriot Act of 2001 gave American authorities new powers over European data stored in this way.
This method of storage is part of cloud computing, in which both storage and processing are carried out away from the individual's own PC.
"Most cloud providers, and certainly the market leaders, fall within the US jurisdiction either because they are US companies or conduct systematic business in the US," Axel Arnbak, a researcher at the University of Amsterdam's Institute for Information Law, told CBS News last year after conducting a study into cloud computing, higher education and the act.
"In particular, the Foreign Intelligence Surveillance Amendments (FISA) Act makes it easy for US authorities to circumvent local government institutions and mandate direct and easy access to cloud data belonging to non-Americans living outside the US, with little or no transparency obligations for such practices - not even the number of actual requests."
Are other governments involved?
UK Foreign Secretary William Hague has so far refused to confirm or deny whether British government surveillance department GCHQ has had access to Prism but is expected to give a statement to Parliament today.
It is not known whether other governments around the world have been either aware of or involved in the use of Prism, which is reported to have been established in 2007.
In a statement, the EU Justice Commission said it was "concerned" about the consequences of Prism for EU citizens and was "seeking more details" from the US authorities.
"Where the rights of an EU citizen in a Member State are concerned, it is for a national judge to determine whether data can be lawfully transmitted in accordance with legal requirements (be they national, EU or international)," said a spokesperson for Justice Commissioner Viviane Reding.
What does this mean for internet use?

William Hague insists that law-abiding citizens have nothing to worry about, and there is no legal way of "opting out" of monitoring activity carried out in the name of national or global security.
However, privacy concerns about information uploaded to the internet have been around for almost as long as the internet itself, and campaign group Privacy International says the reported existence of Prism confirms its "worst fears and suspicions".
"Since many of the world's leading technology companies are based in the US, essentially anyone who participates in our interconnected world and uses popular services like Google or Skype can have their privacy violated through the Prism programme," says Privacy International on its website.
"The US government can have access to much of the world's data, by default, with no recourse."
Edward Snowden, the source of the leaked documents, said he had acted over concerns about privacy.
"I don't want to live in a society that does these sort of things… I do not want to live in a world where everything I do and say is recorded," he told the Guardian.

What data could Prism possibly access?

Company: What kind of data could be collected?

  • Microsoft: Some Microsoft sites collect email address, name, home or work address, or telephone numbers. Some services require sign-in with email and password. Microsoft also receives information sent by web-browsers on sites visited, together with IP address, referring site address and time of visit. The company also uses cookies to provide more information about page views.
  • Yahoo: Yahoo collects personal information when users sign up for products or services including name, address, birth date, post code and occupation. It also records information from users' computers, including IP addresses.
  • Google: Personal details are required for sign-up to Google accounts, including name, email address and phone number. Google email - Gmail - stores email contacts and email threads for each account, which have a 10 GB capacity. Search queries, IP addresses, telephone log information and cookies which uniquely identify each account are also stored. Chat conversations are also collected unless a user selects the 'off the record' option.
  • Facebook: Facebook requires personal information on sign-up, such as name, email address, date of birth and gender. It also collects status updates, photos or videos shared, wall posts, comments on others' posts, messages and chat conversations. Friends' names, and the email details of those friends who have provided addresses on their profiles, are also recorded. Tagging information about users from friends is recorded, and GPS or other location information is also stored.
  • Paltalk: Paltalk is an instant chat, voice and video messaging service. Users must provide contact information including email address. The company employs cookies to track user behaviour, with the aim of delivering targeted advertising.
  • YouTube: YouTube is owned by Google and the company applies the same data collection methods. Users logged in via their Google accounts will have their YouTube searches, playlists and subscriptions to other users' accounts recorded.
  • Skype: Skype is part of Microsoft, and its instant messaging service replaced Microsoft's Messenger this year. Users submit personal data including name, username, address when signing up. Further profile information such as age, gender and preferred language are also recorded as options. Contacts lists are stored, as is location information from mobile devices. Instant messages, voicemail and video messages are generally stored by Skype for between 30 and 90 days, though users can opt to preserve their instant messaging history for longer.
  • AOL: AOL collects personal information for users signing up or registering for its products and services, but its privacy policy states that users who do not make themselves known to the company by these methods are "generally anonymous."
  • Apple: Users signing up for Apple IDs - required for services such as iTunes, or to register products - must submit personal data including name, address, email address and phone number. The company also collects information about the people who Apple users share content with, including their names and email addresses.
 