PRISM revelations continue: Microsoft bug access and court order workarounds

Fresh revelations about the NSA's PRISM surveillance program continue to emerge, with Microsoft admitting it pre-notifies the government about potential bugs and backdoors in software before they're patched, while lawmakers confirmed the security agency does not need a court order to sift through call data culled from Verizon and other carriers. Seemingly confirming the suggestions of one US House representative briefed on the NSA programs this week that the original PRISM leaks by Edward Snowden were merely "the tip of the iceberg", the new information underscores just how much access the government has to data many would assume is private.

Multiple companies not only assist the NSA by handing over data they hold, but by giving the National Security Agency insider information on how it could infiltrate computers using flaws in code. Microsoft, for instance, hands over details on bugs in its Windows OS and other software to government agencies, insiders tell Bloomberg, ahead of releasing its own fixes and patches. According to Microsoft spokesperson Frank Shaw, that data is to give the government "an early start" on patching its own machines, but two US officials claim the software giant is very much aware that such access has been used to infiltrate systems used by foreign governments.

Microsoft isn't the only one, however. Information on firewalls, data management hardware, and other equipment is routinely given to the government through clandestine channels, tipsters say, with Intel-owned McAfee cited as an example. The anti-virus and anti-malware specialist admits it supplies "threat intelligence" to the government, but says it does "not share any type of personal information."

Cosying up with the security agencies can have its benefits, the sources suggest. Google, for instance, was supposedly tipped that it was the Chinese People's Liberation Army that had attempted a hack back in 2010, in return for Google's contribution to PRISM. Co-founder Sergey Brin was reportedly given temporary security clearance to attend a confidential briefing. Earlier this month, Google CEO Larry Page denied having heard of PRISM, as well as any "back-door access" to the search giant's servers.

Meanwhile, while Verizon Wireless and T-Mobile are reportedly exempt from direct data collection as part of PRISM, the WSJ reports, because the carriers are partly owned by foreign firms, the NSA still believes it has roughly 99-percent access to US call information using other workarounds. For instance, although only AT&T and Sprint provide direct participation – as well as reportedly giving more insight into systems, because they must be vetted for NSA contracts – since most traffic at some point uses a US-company-owned backbone, that gives security services their access.

One such component of the overall communications pathway is Verizon Business Network Services Inc., a fully-US subsidiary of Verizon Communications, and the company cited in the original PRISM leak as handing over call log data to the NSA. That business, along with AT&T, provides much of the US telecoms backbone.

Exactly how the masses of collected data is used is also in question. Earlier this month, National Intelligence Chief James Clapper slammed the early PRISM leaks for "inaccuracies" in reporting, claiming that rigorous checks were in place that meant, even if the data had been amassed, few might ever actually see it.

However, according to Senate Intelligence Committee Chairwoman Dianne Feinstein, there are multiple stages to accessing the NSA's database, Politico reports. "To search the database, you have to have reasonable, articulable cause to believe that that individual is connected to a terrorist group," she told reporters following an NSA briefing this week. "Then you can query the numbers. There is no content. You have the name, and the number called, whether it's one number or two numbers."

Anything more – such as gathering actual content – requires a court order, but that initial metadata sift does not, Feinstein said, having had the systems explained by, among others in the intelligence community, Clapper himself.

"I have tasked Director Clapper to consider the program, to present some changes if he feels it necessary" she concluded, though given Clapper's outspoken statements last week – in which he blasted the leaks as potentially damaging to US interests and counterterrorism efforts – it seems unlikely he will find much at fault with the current system.

Feinstein said that new information is expected to be released on Monday next week, giving examples of "the cases where [NSA programs] have stopped a terrorist attack, both here and other places."