Such an application programming interface (API) would have given the NSA a web-based window to certain data elements within the servers of the tech companies.
When I described the API method of availing the data in the servers to USC law professor and privacy expert Jack Lerner, he said it sounded very "direct" to him. However, Lerner says there are other ways the tech companies may have provided "indirect" access to the NSA.
"They could have meant 'indirect' to say 'You can look at our data, but you can't use our interface to do it, you'll have to build your own,'" Lerner says.
And here's another way the conflicting stories might square: The tech companies may have hinged their denials on the places where the NSA was tapping into the data from their servers. For example, the NSA may have been tapping in via a path somewhere in the Internet backbone that connects to the servers. "It's conceivable that the NSA could have tapped into a major cable or fiber optic line through which the data was passing," Lerner says. The update from The Post today seems to support this possibility.
Robert Graham, CEO of Atlanta-based cybersecurity firm Errata Security, says that the NSA could have installed taps in many different places within the tech companies, or in the telecommunications network connecting the servers. "The NSA is probably tapping into the undersea fiber optic lines connecting to other countries," Graham says.
Such line tapping is certainly nothing new to network administrators, Graham says. And the gear being used by the NSA is probably not much different than the gear used by the tech companies for their own network monitoring. "Companies use 'sniffers' all the time for intrusion detection," he says. "They may install one to diagnose network problems, or they might install a sniffer to detect hackers."
Graham also points out the possibility that the tech companies could be providing access to the NSA while never being aware of the specific PRISM brand name. "It has a lot to do with the names they use," Graham says. "Google only knows what they're doing for them [the NSA], but they may be totally unaware of the names the NSA uses."
USC's Lerner says there may be yet another, more legally motivated, explanation of the tech companies' denials. "There may be a place in the law that requires them not to discuss it, so they would just be complying with the law," Lerner says. "For example, major service providers receive thousands of National Security Letters every year that they can't discuss."
In the midst of the spinning and he-said she-said coming from all sides, it's easy to lose sight of the real implications of the PRISM program. That is, that real data privacy doesn't exist.