What is PRISM? A cyber-surveillance explainer
TORONTO – Canadians using services from any one of nine U.S.-based Internet titans may have had their personal information scrutinized by the U.S. National Security Agency for years.
PRISM, a once top-secret program revealed Thursday by the Washington Post and the Guardian, suggested the agency can track the activity of foreign nationals overseas who use services from companies such as Google, Microsoft, Facebook and Apple.
Global News spoke with Tamir Israel, cyber security expert and staff lawyer at the Canadian Internet Policy and Public Interest Clinic, to break down how the NSA may be using Internet surveillance and how it affects Canadians.
What is PRISM?
It lets the NSA run surveillance on foreign citizens using services from Google, Facebook, Apple, Microsoft, AOL, Skype, PalTalk or YouTube.
Israel says the program, in its scariest form, would give the NSA back-end access to these companies’ servers, where user information is stored.
“The worst case scenario … is that basically they get an order under this foreign intelligence act that mandates these companies to allow the NSA to plug in directly to their servers and run search queries directly on the servers and have the data flow right to the NSA,” he said.
“If you are plugged right into the server itself it’s just like having the server on your own computer, so you don’t need to go through any process – the practical obstacles that would usually be involved with having to contact someone at the company and convince them to do this and respond are gone.”
What information’s vulnerable?
In a word, everything.
“Being plugged into the back end like that, you get at information that you wouldn’t otherwise get,” Israel said.
“For example, think of Google Docs. Say I’m typing on a Google Doc and I delete a paragraph – that paragraph is gone now and no one has access to it. But if they are plugged into the back end they are recording everything I am doing in real time – they would have that paragraph even though I deleted it.”
Information that lives on these servers is not encrypted – only information in transit is encrypted, Israel said.
This means that once someone is plugged into a server from the back end, they’re able to read and record things live. A similar example can be used for Facebook chat – if the NSA were allowed access to Facebook’s server, they could be reading your conversation in real time.
“With back door access you could just set something up to mirror and record and take snapshots every five minutes and just record it all forever, to go back to it later and look at it,” Israel said.
“I think that’s really bad, particularly for Canadians.”
Global News contacted Google, Apple, Microsoft, Yahoo! and Facebook and asked them all this question:
Can [company name] guarantee that none of its users’ personal information has been accessed, or can be accessed, by U.S. government representatives from [company] servers without a warrant?
Here’s what they had to say:
“We provide customer data only when we receive a legally binding order or subpoena to do so, and never on a voluntary basis. In addition we only ever comply with orders for requests about specific accounts or identifiers. If the government has a broader voluntary national security program to gather customer data we don’t participate in it.”
“Yahoo! takes users’ privacy very seriously. We do not provide the government with direct access to our servers, systems, or networks.”
“We have never heard of PRISM. We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order.”
“Facebook has never heard of the prism program prior to yesterday’s [Thursday’s] news reports and Facebook does not provide the government with any access to its servers.”
“Google cares deeply about the security of our users’ data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government ‘back door’ into our systems, but Google does not have a ‘back door’ for the government to access private user data.”
How could that cause Canadians problems?
“Beyond the baseline that I don’t want other people collecting and storing my information like that there are consequences,” Israel said.
Use keywords that set off security alarm bells, for example, and you could end up on police watch lists or worse.
“What you start relying on is algorithms and keyword searches to trigger levels of concern – you can very quickly move from saying that Tamir sent an email to John Smith, who sent an email to someone who is on our watch list – now Tamir and John Smith are on our suspicion list.”