Two sources within the computing industry have told CNET that the U.S. government frequently demands major online service providers to hand over their individual users’ passwords in order to access their private information or to impersonate account holders.
Microsoft, Google and Yahoo all declined to say whether they had received such requests from the Feds. But then, they all but revealed that they do, telling CNET that they don’t provide that kind of information whenever they’ve been approached with orders to do so in the past. Of course, nearly all of the Nation’s major email and online service providers similarly — and, it turned out, falsely — denied that the National Security Agency (NSA) had tapped into their servers under the so-called PRISM program.
It’s not that these companies are eager to work with the government to undermine privacy. The profit motive offers a good incentive to keep the confidence of their millions of users.
But the government has been demonstrated to operate much of its surveillance, even at the service provider level, in secret. Or it obscures what it’s really going after by requesting batch data dumps and using a different body of terminology when dealing with computer companies than that which it uses internally, as Edward Snowden’s leaked documents demonstrate.
Too, the incredibly esoteric tech involved in decrypting password information has been a big boon to the NSA. The fact that almost no one outside the tech world understands how a company can legally divulge “password information” without revealing a user’s actual password has created an immense grey area in which transgressing or abiding by the spirit of standing laws may be easy to discern, but stretching the meaning of — while still adhering to — the letter of the law is anything but.
According to CNET:
Some details remain unclear, including when the requests began and whether the government demands are always targeted at individuals or seek entire password database dumps. The Patriot Act has been used to demand entire database dumps of phone call logs, and critics have suggested its use is broader.
…If the government can subsequently determine the password, “there’s a concern that the provider is enabling unauthorized access to the user’s account if they do that,” [Stanford professor Jennifer] Granick said. That could, she said, raise legal issues under the Stored Communications Act and the Computer Fraud and Abuse Act.
The Justice Department has argued in court proceedings before that it has broad legal authority to obtain passwords.
Watch for a new round of test-case lawsuits from the Electronic Frontier Foundation (EFF) or the American Civil Liberties Union to suss out just how far the government can go in obtaining any level of an individual’s private account information without a warrant. The EFF already is suing the NSA over the agency’s interpretation of what’s permitted by the surveillance warrants it obtains from the secret, unConstitutional Foreign Intelligence Surveillance Court (FISC).