The Guardian’s scoop last week suggested that America’s National Security Agency (NSA) is able to access personal information passing over online services provided by some of the biggest internet companies in the world. The UK’s Government Communications Headquarters (GCHQ) was also accused of using Prism to access records, although the prime minister and foreign secretary have both denied it violated UK laws in order to do so.
The full list of companies alleged to be involved in Prism also includes Yahoo!, Facebook, PalTalk, AOL, Google-owned YouTube and Microsoft-owned Skype. Twitter and Amazon appear to be notable exceptions.
The technology companies deny that any government has “direct access” to their servers and also claim never to have previously heard of Prism, but some are reported to have explored setting up digital ‘reading rooms’ that deliver information to intelligence officials when they request it. A US court order is supposed to be required for this, which could allow any non-US citizen located outside the US to be electronically surveilled for up to a year.
However, the source of The Guardian’s stories – now revealed as Edward Snowden, a contractor working for consultancy Booz Allen Hamilton on behalf of the NSA – claims that in practical terms “any analyst at any time can target anyone”. If that’s the case, then all sorts of private and commercially sensitive information could be available at the whim of individual analysts. Emails, documents, images – virtually anything hosted by these companies’ cloud-based services – are potentially vulnerable to misuse.
Indeed, Snowden’s leak to The Guardian itself proves that sensitive intelligence information can be easily disclosed to others by those determined enough to do so. If businesses and consumers feel their personally or commercially sensitive information could be inappropriately acquired, they will turn away from web-based tools and cloud storage.
The best thing that technology companies could now do is fully explain the mechanisms they use to share intelligence-related data with governments. And the UK and US governments should be transparent about how much data is really collected and how often.
The alternative will be a crisis of confidence in doing business over the web.