Facebook, Google deny they gave feds direct access to their servers

So, who’s lying here: the Washington Post, WaPo‘s sources, or Facebook, Google, Microsoft, and Yahoo?

In the still-developing saga of PRISM, an alleged long-term government spying program, Facebook has e-mailed us the following statement:

“We do not provide any government organization with direct access to Facebook servers. When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law.”

A Googler also e-mailed the following:

“Google cares deeply about the security of our users’ data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a ‘back door’ for the government to access private user data.”

Similarly, we got this note from Yahoo:

Yahoo! takes users’ privacy very seriously. We do not provide the government with direct access to our servers, systems, or network.

And this from Microsoft:

We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data, we don’t participate in it.

All statements, while bland, flatly contradict the Post‘s claim that the NSA and FBI have direct connections into these companies’ data enters.

These statements are also consistent with typical “spy guide” wording found in any social media company’s transparency reports or government access documentation. Typically, when issued a subpoena, such companies will either hand over user data (such as e-mail address, activity logs, IP addresses) or push back.

In fact, we’ve reported favorably in the past on Google’s handling of such requests, noting that in spite of governments’ increased requests for information on citizens, the company actually turned over less user data in 2012 than ever before — and the company continues to disclose on how many such requests it gets, and what countries they come from.

Google, like Microsoft and Apple, says it doesn’t even have any knowledge of the PRISM program. However, there are certain cases, such as national security letters, where the U.S. government may issue a gag order that prevents Google or any other company from disclosing certain information publicly — like the existence of a secret digital backdoor or the fact that anyone is aware of or participating in such a program.

Facebook, for its part, does not disclose the number of law enforcement requests it receives via its law enforcement portal. That site lets law enforcement organizations — including federal agencies such as the NSA and FBI — make requests to Facebook’s legal department.

The Post wrote, speaking of the NSA, that “with a few clicks and an affirmation that the subject is believed to be engaged in terrorism, espionage or nuclear proliferation,” analysts can get access to a treasure trove of data on Facebook’s servers. Technically, that’s true of any law enforcement official using Facebook’s legal portal. However, those requests are then vetted by Facebook’s legal department before Facebook provides any data, according to the company’s guidelines for law enforcement.

The WaPo report paints a much different picture than these companies’ official statements. In these slides obtained by the newspaper, we find a story of collusion and cooperation, one in which Facebook and eight other companies voluntarily gave the U.S. government direct access to their servers:

The data siphoned off by the U.S. government allegedly includes photos, videos, e-mail, documents, audio files, and connection logs.

The companies named include Microsoft, Yahoo, Google, PalTalk, AOL, Skype, YouTube, and Apple, with DropBox cited as the next company to be targeted for the PRISM program. Other reports say AT&T and other mobile carriers are in on the scheme.

Curiously, there’s no mention of Twitter on the list — perhaps because of the reduced amount of data it collects or the smaller number of active users it claims.

Additional reporting by Dylan Tweney; image credit: Jolie O’Dell/VentureBeat