Sources: NSA sucks in data from 50 companies (theweek.com)
223 points by cpleppert on June 8, 2013 | 51 comments



I think the best explanation is given here: https://news.ycombinator.com/item?id=5844576

Prism is probably no more than a mail-merge program that will take your (i.e. NSA agent's) signed court order and convert it into whatever format each company requires. Then it will make the request quickly and easily - Say Google requires a PGP encrypted email, Microsoft wants a HTTPS PUT request, Facebook needs you to upload to SFTP server etc.


Have you read the full WashPo article (all four pages) [1]? It goes into extensive detail of how it's used, including "live surveillance of [Google] search terms" and access to Skype audio streams. It's obviously far more extensive than a request uploader.

Google have also specifically stated that they don't provide a "drop box" facility for FISA requests.

Furthermore, the fact that slide 2 of the deck is about network traffic routing implies that it isn't just about FISA requests, for which such information would be irrelevant.

[1] http://www.washingtonpost.com/investigations/us-intelligence...


The WashPo has backed away [1] from the key claim of tech companies "knowingly" participating in PRISM. In addition, there's this paragraph that was added to the article after publication on page 2:

  It is possible that the conflict between the PRISM slides and the company
  spokesmen is the result of imprecision on the part of the NSA author.
  In another classified report obtained by The Post, the arrangement
  is described as allowing “collection managers [to send] content
  tasking instructions directly to equipment installed at company-
  controlled locations,” rather than directly to company servers.

I don't think slide 2 is relevant, though. The whole deck sounds like a presentation to senior govt officials who are not tech savvy at all, and is just an introductory slide that reminds the audience, "The Internet is big and lots of the data flows through the US where we have legal powers." However, there are likely many more slides that have not been disclosed.

Fair point about the drop box denial.

[1] http://thenextweb.com/us/2013/06/07/wapost-backtracks-on-cla...


Also probably the same in reverse, takes the data back and sends it back in a useful format.

The other side though is this -- if you let such requests be quick and easy, you will get more of them. If you want to take a position against such surveillance you should make the process as long and drawn out as you legally can. Insist on hard copies hand-delivered. Insist on manual review by lawyers of hard copies, and the like.

But if you make it easy to get information you will get more requests for them.


The NSA doesn't require a signed court order for its activities though. They're not allowed to spy on Americans (unless that American is communicating with a foreign person) at all. The FBI needs court orders, and is focused on Americans.

NSA is part of the Dept. of Defense, and there are lots of laws/rules/etc. that limit what it can do with US citizens.


> They're not allowed to spy on Americans...

> NSA is part of the Dept. of Defense, and there are lots of laws/rules/etc. that limit what it can do with US citizens.

Wrong. They limit what it can legally do. This really reminds me of Dr. Strangelove: "How could this happen (nuclear strike order)?" "Well, I don't want to jump to any conclusions before all the facts are in, but it appears that General Ripper exceeded his authority."

Sure they aren't allowed to do these things. But since no one is allowed to check up on them, they aren't prevented from doing those things.


The issue is the lack of transparency of the laws/rules/etc. and the review and checks and balances problem.

This NSA infrastructure is sufficient for an extremely effective domestic spying network and the only thing stopping them from starting up such a program is the FISA court, where EVERYTHING IS COMPARTMENTALIZED. Do you see a problem with that?


You misunderstand. I was merely pointing out that the existence, or lack thereof, of a court order, was completely beside the point as far as the National Security Agency is concerned.

The NSA is chartered and bound to not do domestic spying.

The only thing stopping anybody from doing anything is the law, and the threat of potentially violent enforcement of that law upon them. It's no different for the Agency.


This article itself says otherwise, that PRISM is a front-end to the data itself, providing a unified interface for searching through all the data types from the many sources they're coming in from.


Here's a section that seemed important to me:

One official likened the NSA's collection authority to a van full of sealed boxes that are delivered to the agency. A court order, similar to the one revealed by the Guardian, permits the transfer of custody of the "boxes." But the NSA needs something else, a specific purpose or investigation, in order to open a particular box. The chairman of the Senate intelligence committee, Sen. Dianne Feinstein, said the standard was "a reasonable, articulatable" suspicion, but did not go into details.

Legally, the government can ask companies for some of these records under a provision of the PATRIOT Act called the "business records provision." Initially, it did so without court cognizance. Now, the FISC signs off on every request.

Armed with what amounts to a rubber stamp court order, however, the NSA can collect and store trillions of bytes of electromagnetic detritus shaken off by American citizens. In the government's eyes, the data is simply moving from one place to another. It does not become, in the government's eyes, relevant or protected in any way unless and until it is subject to analysis. Analysis requires that second order.

So, the govt and NSA distinguish between 'having the data' (receiving a van full of boxes, in the metaphor above) and 'subjecting the data to analysis' (opening a box, in the metaphor). They have a broad order for having the data, but need more specific sign-off to process or analyse the data.

This differentiation between 'having data' and 'analysing data' is not one we'd generally make in the IT world - because if they already have the boxes in their possession, how do we know they are getting the right permission before they open the boxes? How is any oversight possible in that situation?


> This differentiation between 'having data' and 'analysing data' is not one we'd generally make in the IT world - because if they already have the boxes in their possession, how do we know they are getting the right permission before they open the boxes? How is any oversight possible in that situation?

I don't think it is possible: that's precisely why it's not a distinction made in the IT world: we don't have the apparatus of courts and judges. In the IT world, the primary issue is about security. You have a walled garden and you don't want to let bad people in. Logistics is secondary. Whereas in the IC world, logistics appears to be the harder problem, and keeping the bad people out is already solved to their satisfaction. The challenge is to make sure everyone who needs the data has it.


I think it is reasonable to question the levels of sophistication of people on the FISC and officials who have approved the policies.

In the past for instance the ACLU has pointed out that about 2/3 of the US population lives within 100 miles of a land or coastal border, and that border security law can be construed so that all of these people are subject to searches in a way not prohibited by the fourth amendment protections.

More than I think those searches are an issue right now is the possibility that legislators could have not recognized how much of the country's population is within 100 miles of a land or coastal border.

The terminology has been pretty folksy, but it seems absurd to imagine that there are very many people who don't have someone adjacent to them in their social graph who is adjacent to a node that has been suspected of being a terrorist.

If the description of how they use the data is correct, then it probably is truthful that counting the number of people whose data have been collected would index those people in such a way that their privacy would be further compromised. However, it seems plausible to guess that the scope of the call data could be estimated, and that most people's data has been collected if not analyzed, indexed and mapped.

However, is the existence of all that data an enormous liability for the future?

During the 1930s the brightest minds in the country were asking fundamental questions about the very nature of how we should organize our country, including crazy ideas involving fascism or communism which probably seemed to make more sense in the context of possible societal collapse. Later in the 50s, the brightest minds were no longer as likely to be working on public service (or on a war effort) yet a paranoia of dunces filled the government, and the country had to deal with their efforts to blacklist people and shape the country as they pleased.

What percentage of interesting people doing the best things in the world right now weren't even heard of twenty years ago or even ten? How many of them unseated someone else's vested interests and who would have preferred not to be surpassed?

Though bad things will be done by people in the future who we've never heard of before, unknown people will also be stomped on by those who are already successful, using whatever tools they can find.

The point isn't that people with wealth and power or people unheard of are more likely to do good or bad things, but that powerful tools in the wrong hands, and anything that encourages self-censoring and slows the flow of information limits possibilities and the talent pool.

It is difficult to understand how unquestioning some of the trust is when top executives really didn't seem to see how anti-competitive practices like gentleman's agreements about poaching each others' employees were wrong, and Congress has such a difficult time putting anything in place to effectively limit their insider trading privileges. And finally for those who do implicitly trust officials right now, did they notice how close people they'd trust less often get to winning elections?


To me, these are the relevant paragraphs:

It is not clear how the NSA interfaces with the companies. It cannot use standard law enforcement transmission channels to do, since most use data protocols that are not compatible with that hardware. Several of the companies mentioned in the Post report deny granting access to the NSA, although it is possible that they are lying, or that the NSA's arrangements with the company are kept so tightly compartmentalized that very few people know about it. Those who do probably have security clearances and are bound by law not to reveal the arrangement.

This arrangement allows the U.S. companies to "stay out of the intelligence business," one of the officials said. That is, the government bears the responsibility for determining what's relevant, and the company can plausibly deny that it subjected any particular customer to unlawful government surveillance. Previously, Congressional authors of the FAA said that such a "get out of jail free" card was insisted by corporations after a wave of lawsuits revealed the extent of their cooperation with the government.


One has to wonder when the 'combating terrorists' (non-state actors) rhetoric will end, especially when it clearly is at the very bottom of the list of objectives regarding internet surveillance. All of this public-private cooperation seems to indicate that the USG is gearing up for an offensive against other state actors (or it's already in progress).

People who self-identify as 'pirates' sometimes refer to the internet as 'the open seas' (similarly representing freedom from oppression and authoritarianism) so it's interesting to see governments establishing 'internet navies' with offensive capabilities given as much attention as defensive capabilities.


If so, I want my Letter of Marque and Reprisal. Even if I have to sign it myself.


You want to be authorized by a national government to conduct cyber-warfare activities on their behalf? I think these analogies are becoming a bit strained, U.S. Coast Guard handles law enforcement on the seas, not the Navy.


Well, not strictly cyber-warfare. And military, not law enforcement; at least, military-like activities against non-state actors. (Ron Paul actually proposed this both as the response to 9-11 and the Somali Pirates...)

Nothing could go wrong with this :)


Isn't it alleged that the Chinese government does exactly that?

I seem to remember stories about quasi-government hacker groups. Of course that may very well have been spin that allowed those doing that reporting to blame the Chinese government for the actions of their civilians.


This program has been going on since 2007 and across two different Presidential administrations.


More detail here than I've seen elsewhere.

In particular, this explanation of what PRISM actually does-

"PRISM works well because it is able to handle several different types of data streams using different basic encryption methods, the person said. It is a "front end" system, or software, that allows an NSA analyst to search through the data and pull out items of significance, which are then stored in any number of databases. PRISM works with another NSA program to encrypt and remove from the analysts' screen data that a computer or the analyst deems to be from a U.S. person who is not the subject of the investigation, the person said."

It mostly sounds like a typical DB query front end, which accesses DBs built up from individual record requests from the tech companies.

But then there's the part about handling different kinds of encryption on the input side, which is puzzling.


Could be why this only costs $20 million a year maintaining and upgrading it. Now we need to find out what's really powering this front-end program.


Cnet reports the exact opposite, according to another anonymous government source: http://news.cnet.com/8301-13578_3-57588337-38/no-evidence-of...

The legal process, the person said, is akin to how law enforcement request information in criminal investigations: the government delivers an order to obtain account details about someone who's specifically identified as a non-U.S. individual, with a specific finding that they're involved in an activity related to international terrorism.


I don't think this is a conflict. Once the legal order is made and delivered to the company, the NSA receives a real-time feed of that user's data going forward (and all past data) and uses Prism to pull all the disparate data sources together for the analyst to analyze.

Surveillance isn't just about receiving your past activity and data that already exists - they want to watch suspects use these systems to communicate in realtime to find out who else they are talking to.


It sounds like they have multiple processes, which makes some sense.


This article is two days old, but seems to contain details that contradict later reports from other sources.

> A FISA order is required to continue monitoring and analyzing these datasets, although the monitoring can start before an application package is submitted to the Foreign Intelligence Surveillance Court.

That doesn't seem to fit with more recent claims that PRISM is just a streamlined interface for presenting FISA warrants to companies. That might be one component, but there appears to be data collection (just not analysis) pre-warrant.


Marc Ambinder (the author) posted a new article late last night which goes into much more detail: http://theweek.com/article/index/245360/solving-the-mystery-...

Each data processing tool, collection platform, mission and source for raw intelligence is given a specific numeric signals activity/address designator, or a SIGAD. The NSA listening post at Osan in Korea has the SIGAD USA-31. Clark Air Force Base is USA-57.

PRISM is US-984XN.

Each SIGAD is basically a collection site, physical or virtual; the SIGAD alphanumerics are used to indicate the source of intelligence FOR a particular report.

The NSA often assigns classified code names to the product of SIGADs. These can be confused with the nicknames or proper names of the collection platforms themselves, which may or may not be classified. What PRISM does is classified; the fact that there is a "PRISM" tool that does something is not.

...

So: An analyst sits down at a desk. She uses a tool, like PRISM, to analyze information collected and deposited in a database, like CONTRAOCTAVE. Then she uses another tool, perhaps CPE (Content Preparation Environment), to write a report based on the analysis. That report is stored in ANOTHER database, like MAUI. MAUI is a database for finished NSA intelligence products. Anchory is an intelligence community-wide database for intelligence reports.

---------------

And here is the core of it:

This is all very complicated, and that is on purpose. But this brief tutorial is important. PRISM is a kick-ass GUI that allows an analyst to look at, collate, monitor, and cross-check different data types provided to the NSA from internet companies located inside the United States.

The programs that use PRISM are focused, as the government said yesterday, on foreign intelligence. A lot of foreign intelligence runs through American companies and American servers.

...

Now, these accounts are being updated in real-time. So Facebook somehow creates a mirror of the slice of stuff that only the NSA can access. The selected/court-ordered accounts are updated in real-time on both the Facebook server and the mirrored server. PRISM is the tool that puts this all together. Facebook has no idea what the NSA is doing with the data, and the NSA doesn't tell them.

So, PRISM is the name of the software application(s) used by an analyst that allows them to pull together all the various pieces of data that they receive from these companies, along with other sources, for their analysis.

Which of course, explains why the companies have never heard of this name. There is no reason for them to have.

And what the NSA has isn't necessarily "direct access" to the servers - PRISM gives the analyst "direct access" to the data that has already been collected by many different means.


So the key question is, if this part is true:

> Now, these accounts are being updated in real-time. So Facebook somehow creates a mirror of the slice of stuff that only the NSA can access. The selected/court-ordered accounts are updated in real-time on both the Facebook server and the mirrored server.

Does this "slice" contain material and accounts gathered only after the legal review that Facebook claims that it performs?

If so, then this story gels with what the NYT reported, that some organizations have built a secure framework to expedite the transmission of requested data...which makes sense, depending on the nature of the investigation...that is...if the NSA has requested data on a suspect on an ongoing case...then they'd probably want that datastore to be updated...in the same way that they want wiretaps to stay on the wire during the investigation.

Note: this is not to say that such surveillance is justified, but that this program makes sense with what Facebook and Google said yesterday and with the reports by the WaPo and the Guardian. Whether this is substantially worse than the other apparatuses we have in place, such as NSL, is also up for debate.


Facebook and Google have always been the least transparent imaginable AND they're both in damage control mode AND they're obviously under some DHS gag order. So why anyone would give any credence to a word they say is beyond me.


It's not out of faith in Google or Facebook, it's that they have put up a reasonably testable defense rather than what they could've done, which is to remain mostly silent. Moreover, the very size and complexity that most people distrust them for also means that their cooperation with any government function is going to involve a lot of moving parts...it's not likely to be the case that Zuckerberg can lie about something and be sure that those involved all stick to the script.

So given that, I think it's worthwhile to actually test their assertion (I.e. not rush to judgment) rather than patting ourselves on the back with the logical fallacies of:

* "Well, the reports about Facebook and Google must be true because it comes from a group that is itself evil and who I would normally not believe" (the enemy of my enemy is my friend)

* "Well, what else would you expect an obviously evil entity to say after being accused of evil acts?" (circular reasoning).

Again, it's not because Google and Facebook are poor disenfranchised groups that must be sympathized with, but because it feels a little dishonest to subject them to the same kind of inescapable logical trap that our government has used to go after and prosecute suspected enemies of the state.

Just out of curiosity...can you really not imagine a less transparent corporation than either Google or Facebook?


With PRISM, if the allegations were false, Facebook and Google would deny them, but if they were true, Facebook and Google would still deny them. So the denial carries no information in and of itself. Parsing the denial might bear some clues--for instance, all these companies use the same technicalities and talking points.


What are the similar talking points? They both do strongly deny knowledge or participation in PRISM, but that's not really a talking point.

And I don't think it's an either-or situation: either it's the truth and they deny, or it's false and they deny. There's a third option: it's true, and they remain silent.


Also, is it such a crazy idea that Facebook, Google, etc. would get together and come up with their own talking points? That was my first reaction on seeing the similar statements -- that they're acting with a common purpose and agenda, but one that's their own, not the government's.


Why would companies who aren't collaborating with the NSA suddenly start collaborating with each other to deny collaborating with the NSA? Wouldn't they issue their own denials in their own words?


I don't really understand your question. It seems like you're asking why several groups, under attack in the same way, might get together to defend themselves, but I'd have thought that self-evident so -- what are you saying?


When you're issuing denials, you don't have to get together and figure out how to phrase your denials unless you're trying to hide something.


Google has been by far unquestionably, undeniably the MOST transparent. They were the ones that started disclosing government requests in the first place. They are the ones currently fighting against National Security Letters as being unconstitutional in the courts.

If you can find a more transparent company when it comes to government data requests I would love to know about that company.

And no shit Facebook and Google are in damage control mode. They'd be in damage control mode regardless of if they are guilty or innocent, this is a huge PR disaster for both of them and nobody seems to give a shit what the facts are - this went from a few bad power point slides to national panic overnight.


> And what the NSA has isn't necessarily "direct access" to the servers - PRISM gives the analyst "direct access" to the data that has already been collected by many different means.

Right, the data may be provided directly from the servers in real time to the collection that the analyst uses, but the NSA wouldn't directly access the provider's servers. In fact, that would be counterproductive, as then users with privileged access to the provider's servers (provider side admins) could monitor what the NSA was doing with the data.


Some people are saying that the new slide just revealed [1] using the phrase "direct collection" is somehow a smoking gun but it is clear that the context of the slide shows it is for a non-technical audience of analysts (i.e. you should use both) and is contrasting "direct" with passive collection.

Of course, it could be that Google and everyone else is just lying for no reason at all and people who have talked about PRISM to Marc and others in the media are spreading disinformation but I doubt it.

1: https://twitter.com/ggreenwald/status/343421926057861121


So isn't that then the same PRISM program people were talking about here, that was some startup in the valley that was used to collect data at one place from multiple sources?


[deleted]


I think this will largely fix itself over time. The reason is that the U.S. no longer needs the Middle East for oil. The price of oil has gone and stayed high enough that extraction from oil shale is now economical, and most of the majors are going that route. Which country has the largest oil shale reserves? The U.S., with total oil reserves roughly 3x greater than Saudi Arabia. We simply don't need the Middle East any more - I think that over the next couple years you'll see a complete U.S. pull-out from the region, and we'll leave them to their traditional customs and autocratic rulers.

Source: my sister's a petroleum geologist. When she was training in the mid-00s, all the attention was on light, sweet crude from Venezuela or Saudi Arabia. Now, virtually everything she does is fracking in Colorado or Wyoming, or work with the Athabasca tar sands.


Certainly the West should repair their relationship with others that have been affected by imperialist policies.

But that's not a panacea either. Islamist goals of introducing Sharia are incompatible with Western-style democracy so it may be possible to 'get along' but it won't be as simple as making nice on our side. Of course, we'll only 'get along' right up until the next citizen of a Western democracy draws an image of the Prophet Muhammad....

Likewise there remain nations with aggressive dreams of going above-and-beyond UN convention regarding resource rights, which is obviously incompatible with Western ideals.

There remain nations trapped under totalitarian governments strongly opposed to the West. However weak they might be we can't drop our guard completely.

So while I agree that the West has some apologies and amends to make I don't agree that would completely solve world peace, and I don't agree that all violence expressed against the West is "our fault".


You posted this comment, word-for-word, in another thread, three minutes ago .. https://news.ycombinator.com/item?id=5845339


Not only the Middle East but also Asia, Africa and South America.


I wish more people used Bitmessage. It makes communications encrypted, secret (with deniability) and it also has built-in spam minimization in the protocol itself. It also includes broadcast messages (like Twitter) and chan boards. It makes email look like an old technology.

https://bitmessage.org


It sounds like an exciting new system, and I hope it gains greater popularity, however there are a few reasons some may be hesitant right now:

- "Bitmessage should run on any OS though it is only lightly tested on OSX."

- "Bitmessage is in need of an independent audit to verify its security."


So it does everything that Email and Usenet can do?


Pretty much.

You can't distribute large files like in Usenet, though. Look into I2P + BitTorrent for that, or GnuNet.


The NSA is not only intrusive to the point of ridiculous, it's also, as typical of large government organizations, obscenely wasteful of taxpayer resources: http://en.wikipedia.org/wiki/Trailblazer_Project


> The officials would not disclose the names of the companies because, they said, doing so would provide U.S. enemies with a list of companies to avoid.

I too would like to avoid these companies.


What are the names of the 50 companies?


Any centralized, aggregated data will attract both good and bad guys. The responsibility of safeguarding data also falls on individuals. We are also a party to the whole episode.



