US national security has become an issue for procurement managers in little old England after claims that a US military security agency has established direct access to the servers of firms including Apple, Google, Microsoft and Skype.
As the major IT suppliers call upon UK government bodies to entrust their systems and data to off-site cloud computing centres, this latest security scandal will reawaken concerns about US trampling of European data protection law.
The National Security Agency, the cyber intelligence arm of the US military, had established direct links to the servers of nine major US computing giants by the end of 2012, according to classified documents leaked to The Guardian and Washington Post newspapers.
The Prism snooping programme would extract email, chat, video, photos, stored data, voice over IP communications, file transfers, video conferencing, logins and other activity, social networking and special requests for intelligence agents, said excerpts from one of the documents.
The NSA established the last known link with Apple in December 2012, having already hooked into AOL, Skype, YouTube, PalTalk, Facebook, Google, Yahoo, and Microsoft. The targets specifically included Gmail and Hotmail.
Firms including Apple, Google and Microsoft claimed to know nothing about Prism. They said they only complied with intelligence requests for customer data when it was directed by law under a subpoena.
In a confirmation of the snooping programme yesterday, the US Director of National Intelligence James Clapper clarified that the US considered all European data travelling through its internet space as fair game for intelligence agents. Yet it took every effort to ensure US communications were not unduly trespassed.
The US had established Prism and other means of demanding intelligence from internet companies under Section 702 of the Foreign Intelligence Surveillance Act and related laws passed in 2007. Within a month of the original law passing in 2007, the NSA had established links to extract data from Microsoft.
Clapper said the law “is designed to facilitate the acquisition of foreign intelligence information concerning non-U.S. persons located outside the United States.”
He assured his US audience: “It cannot be used to intentionally target any U.S. citizen, any other U.S. person, or anyone located within the United States.”
The US Foreign Intelligence Surveillance Court, the US Congress and the Executive Branch of US government had taken special efforts “to ensure that only non-U.S. persons outside the U.S. are targeted”, said Clapper.
They would “minimize the acquisition, retention and dissemination of incidentally acquired information about U.S. persons”. It granted no such dignities to European citizens.
The revelations are similar to the 2006 scandal that forced the Society for Worldwide Interbank Financial Telecommunication (Swift) to pull its servers out of the US. US intelligence had been using US legal powers to subpoena data about banking transactions handled by Swift, the finance sector’s global transaction handler.
The US chased Swift back across the Atlantic with the Terrorist Finance Tracking Programme, a 2010 treaty that gave US agents powers to demand data from the data centres Swift had relocated to Europe.
The TFTP dispensed with European data protection and human rights law in order to allow US investigators to get data without a warrant.
The leaked Prism documents claimed the US would exploit the fact that the majority of the world’s internet traffic passed through servers within its legal jurisdiction.
Internet traffic usually flows automatically along the quickest route between continents. But since the bandwidth of pipes between the US and other continents was far greater than between the continents themselves, the quickest route was usually through the US.