NSA paying U.S. companies for access to communications networks
The National Security Agency is paying hundreds of millions of dollars a year to U.S. companies for clandestine access to their communications networks, filtering vast traffic flows for foreign targets in a process that also sweeps in large volumes of American telephone calls, e-mails and instant messages.
The bulk of the spending, detailed in a multi-volume intelligence budget obtained by The Washington Post, goes to participants in a Corporate Partner Access Project for major U.S. telecommunications providers. The documents open an important window into surveillance operations on U.S. territory that have been the subject of debate since they were revealed by The Post and Britain’s Guardian newspaper in June.
New details of the corporate-partner project, which falls under the NSA’s Special Source Operations, confirm that the agency taps into “high volume circuit and packet-switched networks,” according to the spending blueprint for fiscal 2013. The program was expected to cost $278 million in the current fiscal year, down nearly one-third from its peak of $394 million in 2011.
Voluntary cooperation from the “backbone” providers of global communications dates to the 1970s under the cover name BLARNEY, according to documents provided by former NSA contractor Edward Snowden. These relationships long predate the PRISM program disclosed in June, under which American technology companies hand over customer data after receiving orders from the Foreign Intelligence Surveillance Court.
In briefing slides, the NSA described BLARNEY and three other corporate projects — OAKSTAR, FAIRVIEW and STORMBREW — under the heading of “passive” or “upstream” collection. They capture data as they move across fiber-optic cables and the gateways that direct global communications traffic.
The documents offer a rare view of a secret surveillance economy in which government officials set financial terms for programs capable of peering into the lives of almost anyone who uses a phone, computer or other device connected to the Internet.
Although the companies are required to comply with lawful surveillance orders, privacy advocates say the multimillion-dollar payments could create a profit motive to offer more than the required assistance.
“It turns surveillance into a revenue stream, and that’s not the way it’s supposed to work,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a Washington-based research and advocacy group. “The fact that the government is paying money to telephone companies to turn over information that they are compelled to turn over is very troubling.”
Verizon, AT&T and other major telecommunications companies declined to comment for this article, although several industry officials noted that government surveillance laws explicitly call for companies to receive reasonable reimbursement for their costs.
Previous news reports have made clear that companies frequently seek such payments, but never before has their overall scale been disclosed.
The budget documents do not list individual companies, although they do break down spending among several NSA programs, listed by their code names.
There is no record in the documents obtained by The Post of money set aside to pay technology companies that provide information to the NSA’s PRISM program. That program is the source of 91 percent of the 250 million Internet communications collected through Section 702 of the FISA Amendments Act, which authorizes PRISM and the upstream programs, according to an 2011 opinion and order by the Foreign Intelligence Surveillance Court.
Several of the companies that provide information to PRISM, including Apple, Facebook and Google, say they take no payments from the government when they comply with national security requests. Others say they do take payments in some circumstances. The Guardian reported last week that the NSA had covered “millions of dollars” in costs that some technology companies incurred to comply with government demands for information.
Telecommunications companies generally do charge to comply with surveillance requests, which come from state, local and federal law enforcement officials as well as intelligence agencies.
Former telecommunications executive Paul Kouroupas, a security officer who worked at Global Crossing for 12 years, said that some companies welcome the revenue and enter into contracts in which the government makes higher payments than otherwise available to firms receiving re*imbursement for complying with surveillance orders.
These contractual payments, he said, could cover the cost of buying and installing new equipment, along with a reasonable profit. These voluntary agreements simplify the government’s access to surveillance, he said.
“It certainly lubricates the [surveillance] infrastructure,” Kouroupas said. He declined to say whether Global Crossing, which operated a fiber-optic network spanning several continents and was bought by Level 3 Communications in 2011, had such a contract. A spokesman for Level 3 Communications declined to comment.
In response to questions in 2012 from then-Rep. Edward J. Markey (D-Mass.), who was elected to the Senate in June, several telecommunications companies detailed their prices for surveillance services to law enforcement agencies under individual warrants and subpoenas. AT&T, for example, reported that it charges $325 to activate surveillance of an account and also a daily rate of $5 or $10, depending on the information gathered. For providing the numbers that have accessed cell towers, meanwhile, AT&T charged $75 per tower, the company said in a letter.
No payments have been previously disclosed for mass surveillance access to traffic flowing across a company’s infrastructure.
Lawyer Albert Gidari Jr., a partner at Perkins Coie who represents technology and telecommunications companies, said that surveillance efforts are expensive, requiring teams of attorneys to sift through requests and execute the ones deemed reasonable. Government agencies, meanwhile, sometimes balk at paying the full costs incurred by companies
“They lose a ton of money,” Gidari said. “And yet the government is still unsatisfied with it.”
The budget documents obtained by The Post list $65.96 million for BLARNEY, $94.74 million for FAIRVIEW, $46.04 million for STORMBREW and $9.41 million for OAKSTAR. It is unclear why the total of these four programs amounts to less than the overall budget of $278 million.
Among the possible costs covered by these amounts are “network and circuit leases, equipment hardware and software maintenance, secure network connectivity, and covert site leases,” the documents say. They also list in a separate line item $56.6 million in payments for “Foreign Partner Access,” although it is not clear whether these are for foreign companies, foreign governments or other foreign entities.
Some privacy advocates favor payments to companies when they comply with surveillance efforts because the costs can be a brake on overly broad requests by government officials. Invoices also can provide a paper trail to help expose the extent of spying.
But if the payments are too high, they may persuade companies to go beyond legal requirements in providing information, said Chris Soghoian, a technology expert with the American Civil Liberties Union who has studied government payments related to surveillance requests.
“I’m worried that the checks might grease the wheels a little bit,” he said.