I didn’t say much about Prism in my post yesterday as it didn’t seem quite as clear as the Verizon court order. (Compare the two here.) Additionally, the complete slideset was not posted by the Guardian, unlike the Verizon court order. We now have some additional information. (Update: The Guardian has now published a single additional slide.)
First, the program obviously exists. See this job ad requiring expertise in it, and this datasheet from Cryptome indicating its use since 2003; and this senior intel officer’s online resume at LinkedIn mentioning Prism expertise.
I did think it odd that it was only funded at $20m. My guess right now based on additional reporting by Declan McCullagh, Chief Political Correspondent at CNET, is that it is software that facilitates data extraction/interface with the named companies. Additionally, Marc Ambinder, who I mentioned in my post, says “PRISM is a kick-ass GUI that allows an analyst to look at, collate, monitor, and cross-check different data types provided to the NSA from internet companies located inside the United States.”
It obviously works within the law, but, if we accept tech company pronouncements, it does not provide the sort of continuous “direct access” to company servers that has been discussed. The “fact of” Prism’s existence is not classified, but what it does is. McCullagh’s argument that “Prism is an unclassified web tool” is completely misleading.
Nevertheless, these are really technical clarifications. The main points remain, I think:
1. Tech companies work with the government/NSA within the law to provide user data. We should still be concerned, even if this is just one small part of US surveillance. Most immediately, we need to rethink the law, especially FISA and the Patriot Act. Do not pay attention to tech company pronouncements that they operate within the law. No one said otherwise. But that’s the problem.
2. The government can obtain access to user records from these companies. Saying that it is overseen by the FISA Court is irrelevant–who’s going to appeal? The Court’s deliberations are secret. And if you did appeal, good luck: the Supreme Court recently refused to hear an appeal by Amnesty International because they “lack standing”, i.e. they don’t know for a fact that they were affected by the law. And as McCullagh concedes, “How much oversight and review the Foreign Intelligence Surveillance Court actually provides is less than clear.”
3. The amount of data collected is still considerable. Consider this scenario laid out by Ambinder:
Under the FISA Amendments Act of 2008, the NSA and the attorney general apply for an order allowing them to access a slice of the stuff that a company like Facebook keeps on its servers. Maybe this order is for all Facebook accounts opened up in Abbottabad, Pakistan. Maybe there are 50 of them. Facebook gets this order.
Now, these accounts are being updated in real-time. So Facebook somehow creates a mirror of the slice of stuff that only the NSA can access. The selected/court-ordered accounts are updated in real-time on both the Facebook server and the mirrored server. PRISM is the tool that puts this all together. Facebook has no idea what the NSA is doing with the data, and the NSA doesn’t tell them.
The companies came online at different points, according to the documents we’ve seen, maybe because some of them were reluctant to provide their data and others had to find a way to standardize their data in a way that PRISM could understand. Alternatively, perhaps PRISM updates itself regularly and is able to accept more and more types of inputs.
What makes PRISM interesting to us is that it seems to be the ONLY system that the NSA uses to collect/analyze non-telephonic non-analog data stored on American servers but updated and controlled and “owned” by users overseas. It is a domestic collection platform USED for foreign intelligence collection. It is of course hard to view a Facebook account in isolation and not incidentally come into contact with an account that is owned by an American. I assume that a bunch of us have Pakistani Facebook friends. If the NSA is collecting on that account, and I were to initiate a Facebook chat, the NSA would suck up my chat. Supposedly, the PRISM system would flag this as an incidental overcollect and delete it from the analyst’s workspace. Because the internet is a really complicated series of tubes, though, this doesn’t always happen. And so the analyst must sometimes “physically” segregate the U.S. person’s data.