Why court-related releases on the PRISM program are irrelevant when evaluating Yahoo’s non-culpability in surveillance

It’s irrelevant whether there is evidence that firms such as Microsoft or Yahoo are “minimizing” NSA access to metadata and content garnered via the PRISM program – by insisting on the equivalent of court orders, individually reviewed by legal staff.

As folks are generally understanding, NSA is slowly revealing that its scope of interaction with these firms is NO LONGER restricted to national security matters. The scope includes (serious) crime (supporting FBI) and ALL CYBERSECURITY matters (supporting DHS). The latter is the insidious topic, being based on falsehoods and attempted systemic deception of the public.

So take a firm like Ping Identity, whose servers do important and even critical tasks like enabling websso (guarding logon) for many a firm with a website wanting certain staff or other persons to have access. Those firms hosting the product may note that Ping Identity’s “critical infrastructure” servers just happen to come with a “certain grade of” remote logging capability, standardized as SIOC. Furthermore, Ping (on a privacy justification) removes “personal” information (for what are logs about logon events!) from the logging stream – in a rather “comprehensive manner”, though it does not remove all the other juicy metadata from the VERY detailed logs about the protocol interaction between the authenticating user and others (entities such as where you are visiting, or the PC you are using, etc).

So what is going on here?

Well, realize that cloud vendors, using Yahoo, Google, Microsoft Office, or Ping Identity’s servers, are required to SHARE THE LOG files with NSA IN REALTIME, with NSA in its cybersecurity role. And, being NSA, these logs are then secretly “re-purposed” to fulfill (next) a national security mission (vs a cybersecurity mission) – one that essentially rebuilds, from contextual analysis, the “personal information” that Ping “nominally” stripped out (while having full knowledge – at least these days – that NSA can indeed rebuild it (by splicing multiple sources together)).

I find this a somewhat deceptive position to take, since it’s done on a false pretext (we supply logs to assist in cyber threat monitoring), a false privacy assurance (we supply missing information that we know can be easily rebuilt), and a false marketing (we supply SIOC to add the enterprise “management mission”, when its primary undisclosed motive is to facilitate the NSA mission).

Now I can forgive Ping – since they supply software to enterprises (who then do the NSA sharing thing). Indeed I can forgive any disclosed military contractor, or consultant. I cannot forgive the service clouds, who are sharing log data with NSA in massive amounts, in full knowledge that (a) personal data can be re-associated, (b) its true purpose is spying and surveillance (no different to prism), and (c) their public positions and protestations that they are so human rights centric (on the prism score) means they would never be caught circumventing those ennobled principles by the back door (which they are).


About home_pw

Computer Programmer who often does network administration with focus on security servers. Sometimes plays at slot machine programming.