PRISM (surveillance program)
PRISM is a clandestine surveillance program under which the United States National Security Agency (NSA) collects internet communications from at least nine major US internet companies. Since 2001 the United States government has increased its scope for such surveillance, and so this program was launched in 2007.
PRISM is a government code name for a data-collection effort known officially by the SIGAD US-984XN. The PRISM program collects stored internet communications based on demands made to internet companies such as Google Inc. under Section 702 of the FISA Amendments Act of 2008 to turn over any data that match court-approved search terms. The NSA can use these PRISM requests to target communications that were encrypted when they traveled across the internet backbone, to focus on stored data that telecommunication filtering systems discarded earlier, and to get data that is easier to handle, among other things.
PRISM began in 2007 in the wake of the passage of the Protect America Act under the Bush Administration. The program is operated under the supervision of the U.S. Foreign Intelligence Surveillance Court (FISA Court, or FISC) pursuant to the Foreign Intelligence Surveillance Act (FISA). Its existence was leaked six years later by NSA contractor Edward Snowden, who warned that the extent of mass data collection was far greater than the public knew and included what he characterized as "dangerous" and "criminal" activities. The disclosures were published by The Guardian and The Washington Post on June 6, 2013. Subsequent documents have demonstrated a financial arrangement between NSA's Special Source Operations division (SSO) and PRISM partners in the millions of dollars.
Documents indicate that PRISM is "the number one source of raw intelligence used for NSA analytic reports", and it accounts for 91% of the NSA's internet traffic acquired under FISA section 702 authority." The leaked information came to light one day after the revelation that the FISA Court had been ordering a subsidiary of telecommunications company Verizon Communications to turn over to the NSA logs tracking all of its customers' telephone calls.
U.S. government officials have disputed some aspects of the Guardian and Washington Post stories and have defended the program by asserting it cannot be used on domestic targets without a warrant, that it has helped to prevent acts of terrorism, and that it receives independent oversight from the federal government's executive, judicial and legislative branches. On June 19, 2013, U.S. President Barack Obama, during a visit to Germany, stated that the NSA's data gathering practices constitute "a circumscribed, narrow system directed at us being able to protect our people."
PRISM is a secret government program...
As much as PRISM might sound like a comic book antagonist of S.H.I.E.L.D., it's the codename for a very real US government program. According to leaked documents, it went into effect in 2007, and has only gained momentum since. Its stated purpose is to monitor potentially valuable foreign communications that might pass through US servers, but it appears that in practice its scope was far greater.
PRISM information, according to the Post, accounts for nearly 1 in 7 intelligence reports. That's staggering.
...that gives the NSA unprecedented access to the servers of major tech companies...
Microsoft. Yahoo. Google. Facebook. PalTalk. AOL. Skype. YouTube. Apple. If you've interacted with any of those companies in the last six years, that information is vulnerable under PRISM. But how?
The initial reports from last night suggested that the process works as follows: The companies mentioned above (and who knows how many others) receive a directive from the attorney general and the director of national intelligence. They hand over access to their servers—and the tremendous wealth of data and communiques that passes through them every day—to the FBI’s Data Intercept Technology Unit, which in turn relays it to the NSA.
And that's when things get interesting.
...which may or may not be "direct"...
Much has been made over the phrase "direct access;" most of the implicated tech companiesvehemently deny providing it, and the government denies asking for it. The New York Times, though, reports that while access may not technically be "direct," the secure portals companies like Google and Facebook were going to build for the NSA amounted to as much. Moreover, a PRISM powerpoint slide released by the Guardian after its initial report clearly states that "direct access" is a part of the program.
However you want to parse it, there seems to be very little doubt that all of this is happening, and to an unfathomable degree.
...so that the agency can spy on unwitting US citizens...
It seems impossible that the NSA, an agency which by law is only allowed to monitor foreign communications, has so much access to domestic information. And yet!
There are, as you might expect, filters in place to help handle the fire hose of data that comes through daily, the trillions of bits and bytes that make up our online identities and lives. Something to ensure that only the bad guys are being tracked and not honest, everyday citizens. Actually, there's one filter, and it's ridiculous: an NSA analyst has to have "51 percent" confidence that a subject is "foreign." After that, it's carte blanche.
That's it. That's the only filter. And it's an ineffective one, at that; the PowerPoint slides published by the post acknowledge that domestic citizens get caught in the web, but that it's "nothing to worry about."
...with terrifying granularity...
It's something to worry about.
What's most troubling about PRISM isn't that it collects data. It's the type of data it collects. According to the Washington Post report, that includes:
…audio and video chats, photographs, e-mails, documents, and connection logs… [Skype] can be monitored for audio when one end of the call is a conventional telephone, and for any combination of “audio, video, chat, and file transfers” when Skype users connect by computer alone. Google’s offerings include Gmail, voice and video chat, Google Drive files, photo libraries, and live surveillance of search terms.
Did you get all that? Similar depth of access applies to Facebook, Microsoft, and the rest. Just to be clear: this covers practically anything you've ever done online, up to and including Google searches as you type them.
...which is both different from and more aggressive than the Verizon scandal...
The news of PRISM broke soon after a separate report, about the NSA's having access to Verizon customer—and, according to an NBC report, everyone else's—phone logs. Surprisingly enough, this is a totally different program! And PRISM makes the Verizon thing look like an ACLU company picnic by comparison.
When the NSA monitors phone records, it reportedly only collects the metadata therein. That includes to and from whom the calls were made, where the calls came from, and other generalized info. Importantly, as far as we know, the actual content of the calls was off-limits.
By contrast, PRISM apparently allows full access not just to the fact that an email or chat was sent, but also the contents of those emails and chats. According to the Washington Post's source, they can "literally watch you as you type." They could be doing it right now.
...and has the full (but contested) cooperation of tech giants...
PRISM's first corporate partner was allegedly Microsoft, which according to the Post and Guardian signed on back in 2007. Other companies slowly joined, with Apple being the most recent enlistee. Twitter, it seems, has not complied.
But why would all of these companies agree to this? Mostly because they have no choice. Failure to hand over server data leaves them subject to a government lawsuit, which can be expensive and incredibly harmful in less quantifiable ways. Besides, they receive compensation for their services; they're not doing this out of charity. There is incentive to play ball.
Here's where things get a little complicated, though. Apple, Microsoft, Yahoo, and Google have all given full-throated denials of any involvement whatsoever. Most of them aren't just PR syntactical trickery, either; they are unequivocal.
...and which is, shockingly enough, totally legal.
What's most horrifying about PRISM might be that there's nothing technically illegal about it. The government has had this authority for years, and there's no sign that it's going to be revoked any time soon.
A little bit of history might be helpful for context. Back in 2007, mounting public pressure forced the Bush administration to abandon the warrantless surveillance program it had initiated in 2001. Well, abandon might be too strong a word. What the administration actually did was to find it a new home.
The Protect America Act of 2007 made it possible for targets to be electronically surveilled without a warrant if they were "reasonably believed" to be foreign. That's where that 51% comes in. It was followed by the 2008 FISA Amendments Act, which immunized companies from legal harm for handing information over to the government. And that's the one-two punch that gives PRISM full legal standing.
All of which is to say that PRISM is an awful violation of rights, but it's one that's not going to disappear any time soon. The government, including President Obama, is so far completely unapologetic. And why wouldn't they be? It's easy enough to follow the letter of the law when you're the one writing it.
You've been hearing about a top-secret government program reportedly giving the NSA access to digital consumer information held by large tech companies. But what is it, really, and how does it affect you? Reports are changing fast, so we created this FAQ to let you know what is known so far. We will continue to update it as the facts become clear.
What is PRISM?
PRISM stands for "Planning Tool for Resource Integration, Synchronization, and Management," and is a "data tool" designed to collect and process "foreign intelligence" that passes through American servers. Details about its existence were leaked to The Washington Post and The Guardian by Edward Snowden, a 29-year-old NSA contractor.
In the words of national security reporter Marc Ambinder, "PRISM [is] a kick-ass GUI that allows an analyst to look at, collate, monitor, and cross-check different data types provided to the NSA from Internet companies located inside the United States."
It only targets foreigners?
PRISM "cannot be used to intentionally target any U.S. citizen (PDF), or any other U.S. person, or to intentionally target any person known to be in the United States, according to a statement released by Director Clapper on June 8.
Why would there be foreign intelligence on American servers?
A huge amount of foreign internet traffic is routed through or saved on U.S. servers. For instance, a majority of Facebook and Google users are not from the United States.
So how does this affect an American's data?
The key word is intentional. The NSA can't intentionally target an Americans data. But analysts need only be at least 51 percent confident of a target's "foreignness."
What is PRISM not?
It is apparently not the name for an overarching secret surveillance program in affiliation with certain large tech companies, as was originally reported by The Washington Post. Director of National Intelligence James Clapper has released a statement saying, "PRISM is not an undisclosed collection or data mining program." Instead, the name PRISM appears to refer to the actual computer program used to collect and analyze data legally requested by the NSA and divulged by Internet companies. This matches reports from CNET and The New York Times.
However, as the New York Times reported late Friday evening, it has come to light that the nine large tech companies first reported to be working with the NSA to divulge information have, in fact, made it easier for the government to access data from their servers.
Which companies are involved?
Microsoft, Yahoo, AOL, Facebook, Google, Apple, PalTalk, YouTube, and Skype. Dropbox is allegedly "coming soon." However, 98 percent of PRISM production is based on just Yahoo, Google, and Microsoft.
All nine of them have explicitly denied that the government has "direct access" to their servers. Reliable sources have confirmed to CNET that PRISM works on a request-by-request basis, rather than unfettered access, as was originally reported by the Washington Post. Here is a direct quote from our in-depth article on this issue:
Those reports are incorrect and appear to be based on a misreading of a leaked Powerpoint document, according to a former government official who is intimately familiar with this process of data acquisition and spoke today on condition of anonymity.
Still, it appears that though they may have withheld direct access to their servers, many did in fact agree to collaborate with the government on "developing technical methods to more efficiently and securely share the personal data of foreign users in response to lawful government requests."
It's not entirely clear, but according to the New York Times, in at least two cases the companies discussed creating secure digital dropboxes where information sought by the NSA could be electronically deposited. Facebook reportedly actually built such a system.
On Tuesday, June 11, Google published a letter to the Justice Department, asking for permission to disclose the mechanism by which FISA requests are completed. A Facebook spokesperson joined the call, announcing that Facebook would "welcome the opportunity to provide a transparency report that allows us to share with those who use Facebook around the world a complete picture of the government requests we receive, and how we respond." After writing the letter to the Justice Department, Google discussed with Wired Magazine the ways it gets legal information to the government, insisting throughout that reports of "direct access" to Google servers have been erroneous. Jump to our How does it work? section for more details.
Why isn't Twitter a part of PRISM?
That's a very good question that at first no one was able to answer.
It now appears as though the answer is: Twitter simply said no.
Companies are legally obligated to comply with any legitimate government request for user data, but they are under no legal obligation to make that process easier. Twitter apparently refused to join the other nine in steam rolling the process.
On Friday, June 7, the New York Times wrote:
Twitter declined to make it easier for the government. But other companies were more compliant, according to people briefed on the negotiations. They opened discussions with national security officials about developing technical methods to more efficiently and securely share the personal data of foreign users in response to lawful government requests. And in some cases, they changed their computer systems to do so.
What type of data is monitored?
According to "slides and other supporting materials" given to the The Guardian and The Washington Post by Snowden: "e-mail, chat, videos, photos, stored data, VoIP, file transfers, video conferencing, notifications of target activity...log-ins, etc., online social networking details" -- so, everything.
For instance, Google data includes "Gmail, voice and video chat, Google Drive files, photo libraries, and live surveillance of search terms."
The original report suggests that "NSA reporting increasingly relies on PRISM" as its leading source of raw material, accounting for nearly one in seven intelligence reports.
A reliable source tells CNET that both the contents of communications and metadata, such as information about who's talking to whom, can be requested.
Can they read my iMessage?
Theoretically, yes. That is the kind of data the program has access to.
So someone has read my e-mail?
Aside from the fact that Google's algorithms crawl your e-mail all the time to target ads at you, "someone" within the NSA may have read your e-mails.
Is it even legal?
Yes, under Section 702 of the Foreign Intelligence Surveillance Act (FISA) of 2008 and the Protect America Act of 2007. Director of National Intelligence James Clapper released a statement Thursday night saying that "Section 702 is a provision of FISA that is designed to facilitate the acquisition of foreign intelligence information concerning non-U.S. persons located outside the United States. It cannot be used to intentionally target any U.S. citizen, any other U.S. person, or anyone located within the United States." FISA was renewed last year by Congress.
According to the Post, "Late last year, when critics in Congress sought changes in the FISA Amendments Act, the only lawmakers who knew about PRISM were bound by oaths of office to hold their tongues." When the story broke, Ron Wyden (D-Ore.) and Mark Udall (D-Colo.) released a letter they cowrote to the Justice Department expressing their concerns relating to the program.
How does it work?
Essentially like this: The attorney general issues a secret order to a tech company to hand over access to its data to the FBI. The FBI then hands that information over to the NSA.
But many technical questions remain, such as: when given access, can the NSA tap directly into the companies' servers, as was originally alleged? Is the data printed out and handed to an NSA operative? Is an NSA operative stationed on the company's campus at a specific work station designed for such transactions?
On Tuesday, June 11, Google went to Wired Magazine in an attempt to answer some of these lingering questions. Google spokesman Chris Gaither flatly denied giving direct access to Google's servers, stating:
"When required to comply with these requests, we deliver that information to the US government -- generally through secure FTP transfers and in person. The US government does not have the ability to pull that data directly from our servers or network."
One thing to note about this answer is that in order for the secure FTP transfer to take place, it looks as though Google does have a special encrypted dropbox on campus -- which you could technically call a "company server" -- that stores and delivers the requested data.
Splitting hairs? Perhaps. It is very different from total, real-time access to Google's main servers.
Is this the same as the data Verizon is giving to the NSA?
No. This is separate. The data Verizon gives to the NSA is only metadata, so although the government can see who you call and how long you talk to them, they are not listening in on your voice mails and phone calls. But again, that's a separate NSA program. For more information on it, read this.
What's the fallout?
Well, so far respected human rights watchdog Freedom House has downgraded America's freedom ranking. Last time their survey was released, the United States was the second most free country on Earth in terms of Internet freedoms. That position is about to change.
How can I avoid this?
Should I be outraged?
Probably! But maybe not. President Obama addressed PRISM on Friday and essentially said, "Don't worry. You can trust us."
Who is to blame for this?
Well, let's let Anthony Romero of the American Civil Liberties Union sum it up. He is quoted by The New York Times as saying, "A pox on all the three houses of government. On Congress, for legislating such powers, on the FISA court for being such a paper tiger and rubber stamp, and on the Obama administration for not being true to its values."
What happens next?
A diplomatic circus. The Obama administration has prosecuted leakers at an unprecedented rate, but it's going to have at least a bit of a hard time getting its hands on the source of these leaks: Edward Snowden is apparently holed up in a hotel in Hong Kong.
The NSA contractor outed himself in an interview with The Guardian's Glenn Greenwald in which he says that he chose Hong Kong because, "[it] has a reputation for freedom in spite of the People's Republic of China. It has a strong tradition of free speech." Hong Kong is a Special Administrative Region of The People's Republic of China and has its own government distinct from, but ultimately subject to, Beijing. The United States does have a bilateral extradition treaty with Hong Kong, but a request from the U.S. based on political offenses could be vetoed by either Hong Kong or Beijing. For now Snowden says, "the only thing I can do is sit here and hope the Hong Kong government does not deport me."
Since September 11th, 2001, the United States government has dramatically increased the ability of its intelligence agencies to collect and investigate information on both foreign subjects and US citizens. Some of these surveillance programs, including a secret program called PRISM, capture the private data of citizens who are not suspected of any connection to terrorism or any wrongdoing.
In June, a private contractor working for Booz Allen Hamilton leaked classified presentation slides that detailed the existence and the operations of PRISM: a mechanism that allows the government to collect user data from companies like Microsoft, Google, Apple, Yahoo, and others. While much of the program — and the rest of the NSA’s surveillance efforts — are still shrouded in secrecy, more details are coming to light as the public, as well as its advocates and representatives, pressure the government to come clean about domestic spying.
What the hell is PRISM? PRISM is a tool used by the US National Security Agency (NSA) to collect private electronic data belonging to users of major internet services like Gmail, Facebook, Outlook, and others. It’s the latest evolution of the US government’s post-9/11 electronic surveillance efforts, which began under President Bush with the Patriot Act, and expanded to include the Foreign Intelligence Surveillance Act (FISA) enacted in 2006 and 2007.
There’s a lot we still don’t know about how PRISM works, but the basic idea is that it allows the NSA to request data on specific people from major technology companies like Google, Yahoo, Facebook, Microsoft, Apple, and others. The US government insists that it is only allowed to collect data when given permission by the secretive Foreign Intelligence Surveillance Court.
Why is PRISM a big deal?
Classified presentation slides detailing aspects of PRISM were leaked by a former NSA contractor. On June 6th, The Guardian and The Washington Post published reports based on the leaked slides, which state that the NSA has "direct access" to the servers of Google, Facebook, and others. In the days since the leak, the implicated companies have vehemently denied knowledge of and participation in PRISM, and have rejected allegations that the US government is able to directly tap into their users' data.
Both the companies and the government insist that data is only collected with court approval and for specific targets. As The Washington Post reported, PRISM is said to merely be a streamlined system — varying between companies — that allows them to expedite court-approved data collection requests. Because there are few technical details about how PRISM operates, and because of the fact that the FISA court operates in secret, critics are concerned about the extent of the program and whether it violates the constitutional rights of US citizens.
CRITICS HAVE QUESTIONED THE CONSTITUTIONAL VALIDITY OF PRISM
How was PRISM created?
As The Washington Post reported, The Protect America Act of 2007 led to the creation of a secret NSA program called US-984XN — also known as PRISM. The program is said to be a streamlined version of the same surveillance practices that the US was conducting in the years following 9/11, under President George W. Bush’s "Terrorist Surveillance Program."
The Protect America Act allows the attorney general and the director of national intelligence to explain in a classified document how the US will collect intelligence on foreigners overseas each year, but does not require specific targets or places to be named. As the Post reports, once the plan is approved by a federal judge in a secret order, the NSA can require companies like Google and Facebook to send data to the government, as long as the requests meet the classified plan's criteria.
Who is responsible for leaking PRISM?
Edward Snowden, a 29-year-old intelligence contractor formerly employed by the NSA, CIA, and Booz Allen Hamilton, confessed responsibility for leaking the PRISM documents. He revealed himself on June 9th, three days after reports on PRISM were published; in an interview with The Guardian, Snowden said, "I don’t want to live in a society that does these sort of things," and claimed he was motivated by civic duty to leak classified information.
Snowden left the United States prior to leaking the documents in order to avoid capture, taking refuge in Hong Kong — where he stayed until June 23rd. With the assistance of WikiLeaks, Snowden fled Hong Kong for Moscow, and has requested asylum in Ecuador, Russia, and other countries. He is still residing in a Moscow airport, waiting to be granted asylum.
What does the NSA collect?
While PRISM has been the most talked-about story to come out of Snowden’s leaks, the disclosures have shed light on a vast array of NSA surveillance programs. Broadly speaking, these can be split into two categories: "upstream" wiretaps, which pull data directly from undersea telecommunications cables, and efforts like PRISM, which acquire communications from US service providers. One of the slides in the leaked PRISM presentation instructs that analysts "should use both" of these sources.
NSA programs collect two kinds of data: metadata and content. Metadata is the sensitive byproduct of communications, such as phone records that reveal the participants, times, and durations of calls; the communications collected by PRISM include the contents of emails, chats, VoIP calls, cloud-stored files, and more. US officials have tried to allay fears about the NSA’s indiscriminate metadata collection by pointing out that it doesn’t reveal the contents of conversations. But metadata can be just as revealing as content — internet metadata includes information such as email logs, geolocation data (IP addresses), and web search histories. Because of a decades-old law, metadata is also far less well-protected than content in the US.
NSA PROGRAMS COLLECT TWO KINDS OF DATA: METADATA AND CONTENT
A leaked court order provided by Snowden showed that Verizon is handing over the calling records and telephony metadata of all its customers to the NSA on an "ongoing, daily basis." Mass collection of internet metadata began under a Bush-era program called "Stellarwind," which was first revealed by NSA whistleblower William Binney. The program was continued for two years under the Obama administration, but has since been discontinued and replaced with a host of similar programs with names like "EvilOlive" and "ShellTrumpet."
How does the NSA collect data?
Many crucial details on how and under what circumstances the NSA collects data are still missing. Legally speaking, surveillance programs rely on two key statutes, Section 702 of the FISA Amendments Act (FAA) and Section 215 of the Patriot Act. The former authorizes the collection of communications content under PRISM and other programs, while the latter authorizes the collection of metadata from phone companies such as Verizon and AT&T. However, multiple reports and leaked documents indicate the statutes have been interpreted in secret by the FISA intelligence courts to grant much broader authority than they were originally written to allow. They also indicate that the FISA courts only approve the NSA’s collection procedures, and individual warrants for specific targets are not required.
"INADVERTENTLY ACQUIRED" COMMUNICATIONS CAN STILL BE RETAINED AND ANALYZED FOR UP TO FIVE YEARS
An analyst starts by inputting "selectors" (search terms) into a system like PRISM, which then "tasks" information from other collection sites, known as SIGADs (Signals Intelligence Activity Designators). SIGADs have both classified and unclassified code names, and are tasked for different types of data — one called NUCLEON gathers the contents of phone conversations, while others like MARINA store internet metadata.
Leaked documents show that under the agency’s targeting and "minimization" rules, NSA analysts can not specifically target someone "reasonably believed" to be a US person communicating on US soil. According to The Washington Post, an analyst must have at least "51 percent" certainty their target is foreign. But even then, the NSA’s "contact chaining" practices — whereby an analyst collects records on a target’s contacts, and their contacts’ contacts — can easily cause innocent parties to be caught up in the process.
The rules state the analyst must take steps to remove data that is determined to be from "US persons," but even if they are not relevant to terrorism or national security, these "inadvertently acquired" communications can still be retained and analyzed for up to five years — and even given to the FBI or CIA — under a broad set of circumstances. Those include communications that are "reasonably believed to contain evidence of a crime that has been, is being, or is about to be committed," or that contain information relevant to arms proliferation or cybersecurity. If communications are encrypted, they can be kept indefinitely.
So, what now?
In the weeks since the PRISM documents leaked, a widespread international public debate about the United States government’s surveillance and spying programs has engulfed the NSA, Congress, and the Obama administration in controversy. While outspoken supporters of NSA surveillance in Congress and the White House —including President Obama — have defended the legality and necessity of the programs, some US lawmakers are pushing back. In June, a bipartisan group of senators unveiled a bill that aims to rein in the problematic legal provisions that give US intelligence agencies nearly unfettered authority to conduct warrantless surveillance on domestic and foreign communications. Several other lawmakers have introduced their own measures, but legislative reform is still in early stages.
"AN ILLEGAL AND UNCONSTITUTIONAL PROGRAM OF DRAGNET ELECTRONIC SURVEILLANCE."
Meanwhile, a diverse coalition of interest groups and private organizations are directly challenging some of the NSA’s surveillance programs in court. On July 16th, a broad coalition of plaintiffs sued the US government for "an illegal and unconstitutional program of dragnet electronic surveillance," in which the NSA scoops up all telephone records handled by Verizon, AT&T, and Sprint in the US. Separate suits brought by the Electronic Privacy Information Center and the American Civil Liberties Union are also in the works, but the government hasn’t responded to the allegations in court yet.
The companies at the heart of PRISM’s controversy are also acting out, but the specific details regarding their involvement in government surveillance on US citizens is still unclear. Microsoft, Google, Yahoo, and others have stepped up pressure on the government in the past month to declassify the process which compels them to hand over user data to the government. In an impassioned plea made by Microsoft on July 16th, the company’s general counsel Brad Smith said: "We believe the US constitution guarantees our freedom to share more information with the public, yet the government is stopping us."
Finally, there’s the group of people most affected by PRISM and its sibling programs: the American public. On July 4th, "Restore the Fourth" rallies in more than 100 US cities protested the government’s surveillance programs, focusing on electronic privacy. It’s not clear if public outrage will result in reform, but thanks to the dramatic actions of a young intelligence contractor, we now at least have the opportunity to discuss what the US government has been hiding from the public in the name of national security.