By Lawrence Hurley and Joseph Menn
WASHINGTON/SAN FRANCISCO (Reuters) - U.S. Internet companies that want to resist government demands to hand over customer data for intelligence investigations have few legal options, due to the classified nature of such probes and a court review process shrouded in secrecy.
Google Inc, Facebook Inc and Microsoft Corp are among the big U.S. technology companies that were outed this week as key sources of data for the National Security Agency (NSA), under a surveillance program referred to inside the spy agency as Prism.
While the companies have uniformly denied knowledge of Prism and said they had not given the NSA direct access to their servers, U.S. officials have confirmed the existence of the program, which President Barack Obama defended as "a modest encroachment" on privacy that was necessary to protect national security.
The program relies on section 702 of the 2008 amended version of the Foreign Intelligence Surveillance Act (FISA), which lets the government collect electronic communications for the purpose of acquiring intelligence on non-U.S. targets that pose a threat to national security.
For electronic service providers, the law says the Foreign Intelligence Surveillance Court in Washington can authorize a company to provide "all information, facilities, or assistance necessary." In return for compliance, the company is compensated for its work and receives immunity from potential lawsuits.
Section 702 is a "broad tool to get the information they are looking for," said Matt Zimmerman, a lawyer at the Electronic Frontier Foundation, a San Francisco civil liberties group critical of the law.
The Foreign Intelligence Surveillance Court overwhelmingly approves FISA requests from the NSA, according to Justice Department reports. In 2012, the court received 1,856 applications for electronic surveillance and physical searches. All were approved except for one, which the government withdrew before the court could rule.
All of the court's cases are kept secret, including rulings, and companies are not given details about the investigations they have been asked to provide information for, legal experts familiar with the process say. That encourages compliance as corporate lawyers do not want to hinder probes that may help prevent a terrorist attack, for example.
Any company that objects to a judge's order can appeal to the entire Foreign Intelligence Surveillance Court, but there is no public data on whether they have ever done so. The law allows for further appeals to the Foreign Intelligence Surveillance Court of Review and ultimately the U.S. Supreme Court.
"It's possible there have been challenges, but if so they are still secret," said Alex Abdo, a lawyer with the American Civil Liberties Union, which unsuccessfully tried to overturn the 2008 law as unconstitutional.
Although the Justice Department is required to report to Congress each year on the number of applications it makes to the Foreign Intelligence Surveillance Court, a department spokesman said on Friday he was not aware of any requirement to disclose the number of challenges that companies brought to the court.
The disclosure this week of the NSA's secret and vast phone and email surveillance programs - involving major U.S. telecom and Internet companies - has prompted top Silicon Valley executives to demand greater transparency.
"We understand that the U.S. and other governments need to take action to protect their citizens' safety — including sometimes by using surveillance," Google Chief Executive Officer Larry Page and Chief Legal Officer David Drummond said in a joint statement. "But the level of secrecy around the current legal procedures undermines the freedoms we all cherish."
The technology companies, including Apple Inc, Yahoo Inc, Microsoft's Skype, AOL and PalTalk, said they had not heard of Prism before. Former intelligence analysts said that was likely because the NSA only used that name internally.
The Washington Post first reported that Prism had voluntary cooperation from the companies but later wrote that they had been directed to comply with requests for help from the Attorney General. The Post initially reported that the companies gave officials access to their servers, then later cited a classified memo stating that analysts instead could issue queries to equipment installed at the companies.
On Saturday, the New York Times reported that the equipment had been strenuously negotiated with the companies and was the computer equivalent of a locked room for sharing data.
"Historically, you hear about such 'partnerships,' and intelligence has been doing things like this for a very long time," said former NSA analyst Ron Gula, now chief executive of Tenable Network Security. "What's changed is the volume."
The extent of that change in volume remains unknown. Though executives at the technology companies vigorously denied handling bulk requests, mechanical queries by agencies could still produce large amounts of data.
Google and Twitter, which is notably absent from the NSA slides about Prism that were published by the Washington Post, have gone to regular courts to oppose some other requests for data on their users.
These requests include National Security Letters, which are issued by the FBI and do not need to be approved by a court. Though more than 90 percent of those letters have come with a prohibition on their disclosure, a federal judge in San Francisco ruled recently those gag orders are unconstitutional.
Fights like these are rare. For instance, Section 215 provision of the 2001 USA Patriot Act requires companies to turn over business records. The Justice Department said in a 2009 letter to Congress that between 2004 and 2007, no recipient such requests "has ever challenged the validity of the order."
Civil-liberties groups that have sued the government over suspected call-record programs and wiretapping, said they would use this week's new disclosures to bolster existing cases and possibly file new suits.
In particular, they plan to argue against two of the main defenses used by the Justice Department to date: that a full trial on the issues would be impossible without revealing "state secrets" and that consumers lack standing to sue because they cannot show impact from the spying programs. Privacy advocates say this week's disclosures puncture these defenses.
One factor that could become critical to any challenges against the NSA's domestic surveillance program is what the agency does with the information after it is collected.
"The NSA gathers a lot," said Stewart Baker, former general counsel of the NSA. "There are some fact patterns where there's no way you're going to catch terrorists without pooling this information somewhere where the government has access to it. It's likely that you impose restrictions not on the collection of the data, but on the search."
(Reporting by Joseph Menn in San Francisco and Lawrence Hurley and David Ingram in Washington; Editing by Tiffany Wu and Sandra Maler)