The NSA's Prism & its Capabilities

It has been two days now since the Guardian and the Washington Post reported that the US National Security Agency has "obtained direct access to the systems of Google, Facebook, Apple and other US internet giants, according to a top secret document." As part of a surveillance program called Prism, the NSA and the FBI, the Post reported, are "extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets."

But since the initial reports, the Internet companies have all denied this "direct access" claim [1], which prompted the Guardian on Saturday to publish the secret source document showing the NSA's description of Prism as program enabling "collection directly from the servers of these service providers: Microsoft, Yahoo, Google, Facebook, Paltalk, AOL, Skype, YouTube, Apple."

So what exactly is Prism and how does it work?

In my view, it is possible too much has been read into the NSA's description of Prism as enabling "collection directly from the servers." Taken in isolation, this statement does not necessarily mean that the NSA has direct and unrestricted access to these companies' central computers to sift through troves of private data whenever they feel like it, which is what the initial reporting seemed to imply. "Collection directly from the servers" could feasibly mean Prism is the codename the NSA uses for a "separate, secure portal" that is linked to or located within the servers of these companies. As the New York Times reported on Friday:

[I]nstead of adding a back door to their servers, the companies were essentially asked to erect a locked mailbox and give the government the key, people briefed on the negotiations said. Facebook, for instance, built such a system for requesting and sharing the information, they said. [...] In at least two cases, at Google and Facebook, one of the plans discussed [with the government] was to build separate, secure portals, like a digital version of the secure physical rooms that have long existed for classified information, in some instances on company servers. Through these online rooms, the government would request data, companies would deposit it and the government would retrieve it, people briefed on the discussions said.

This could still be understood as "collection directly from the servers," but the distinction is that it is not "open-ended access." Under this system, the NSA — or the FBI on behalf of the NSA — would obtain a court order under the Foreign Intelligence Surveillance Act and use it to demand the respective company turn over various data into its "separate, secure portal." The scale of the data grab, though somewhat limited in scope by the court order, could still be huge. As was separately disclosed earlier this week, for instance, a single FISA order can be used to obtain millions of phone records.

The confusing thing about this picture of Prism, however, is that it still conflicts a little bit with how the system was portrayed by the newspapers that reported on the secret documents. The description of a "separate, secure portal" like an "online room" where companies "deposit" data for the government suggests that the transaction happens in static, incremental stages: data is requested by the government, data is passed over by the company, then the government sifts through it. But the Washington Post's reporting suggests the transaction does not occur in static stages because it can involve real-time monitoring:

According to a separate “User’s Guide for PRISM Skype Collection,” that service can be monitored for audio when one end of the call is a conventional telephone and for any combination of “audio, video, chat, and file transfers” when Skype users connect by computer alone. Google’s offerings include Gmail, voice and video chat, Google Drive files, photo libraries, and live surveillance of search terms.

Additionally, the source who disclosed the document, described as a career intelligence officer, told the Post: “They quite literally can watch your ideas form as you type.”

So this means that if the companies are not providing "direct access" to their servers to mine data indiscriminately, then the "separate, secure portal" can also be used not just to "deposit" data, but also to obtain access to real-time communication flows, presumably authorized by a FISA order and implemented by the respective company that receives it (Google, Apple, Facebook, etc). Indeed, in a statement Sunday, the US director of national intelligence James Clapper said in a statement that Prism was authorized under Section 702 of FISA and he described the program as an "internal government computer system used to facilitate the government's statutorily authorized collection of foreign intelligence information from electronic communication service providers."

The question, then, is how sweeping the FISA orders are. The Post reported that "from inside a company’s data stream the NSA is capable of pulling out anything it likes" and also said that the NSA's spies use Prism through a "Web portal" that entails entering “'selectors,' or search terms, that are designed to produce at least 51 percent confidence in a target’s 'foreignness'." This suggests to me that we are talking about dragnet FISA orders that oblige the companies to turn over huge amounts of data, some in real time, handled by the NSA on a system codenamed Prism, which may involve the NSA having its own "secure portal" within or at least linked to company servers.

The companies would not know that they were participating in anything named "Prism" — that is just the NSA's internal codename for the program. From the companies' perspective, all they are doing is responding to court-authorized FISA orders. What I would like to hear each of the companies publicly explain is whether they have any kind of interface for facilitating government FISA orders built within or linked to their server infrastructure. (See this update below.)

I should note that all of the above is my own speculation based on an analysis of the available facts. Other theories I have heard proposed include that the NSA has essentially secretly "hacked" the respective companies' servers by spoofing encryption certificates. But I think that is far-fetched and that what I have suggested here is likely more in line with what is happening, though, again, I am only speculating. Without access to the full leaked source documents, it is difficult to comprehensively analyse the details. Only a fraction of the secret documents has been published so far, presumably for legal and/or editorial reasons. There are reportedly 41 top-secret leaked PowerPoint slides in total related to Prism but only about four or five have been made available by the Guardian and the Post. It is my hope that they will all surface eventually so we can get a better and more accurate understanding of what this controversial surveillance program entails.

*****

[1] Facebook said it does not "provide any government organization with direct access to Facebook servers." Apple said "we do not provide any government agency with direct access to our servers." Microsoft said "If the government has a broader voluntary national security program to gather customer data we don’t participate in it.” Yahoo said "We do not provide the government with direct access to our servers, systems, or network.” Paltalk said it "does not provide any government agency with direct access to its servers.” AOL said that it does not "provide any government agency with access to our servers.” And Google, too, said that it had "not joined any program that would give the U.S. government — or any other government — direct access to our servers."

*****

UPDATE, 9 June 2013: A new report from the Washington Post has some additional interesting details about Prism. The Post has spoken with anonymous executives at some of the companies linked to the program, who "acknowledged the system’s existence and said it was used to share information about foreign customers with the NSA and other parts of the nation’s intelligence community." The report adds:

According to slides describing the mechanics of the system, PRISM works as follows: NSA employees engage the system by typing queries from their desks. For queries involving stored communications, the queries pass first through the FBI’s electronic communications surveillance unit, which reviews the search terms to ensure there are no U.S. citizens named as targets.

That unit then sends the query to the FBI’s data intercept technology unit, which connects to equipment at the Internet company and passes the results to the NSA.

PRISM allows “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers. The companies cannot see the queries that are sent from the NSA to the systems installed on their premises, according to sources familiar with the PRISM process.

This seems in line with my theory above about the functionality of the system — that it is a "secure portal" within or at least linked to the companies' servers. What is particularly notable is the role of the FBI in reviewing the search terms, and the fact that the companies apparently do not see what the NSA is searching for. I think this hammers home the point regarding the sweeping scope of the FISA orders, which we need to know much more about. Even without any further information, however, it is clear to me that Prism has huge ramifications — in particular for all non-US citizens using services like Gmail, Skype, and Hotmail.