

NSA slides explain the PRISM data-collection program - hermanywong
http://www.washingtonpost.com/wp-srv/special/politics/prism-collection-documents/?Post+generic=%3Ftid%3Dsm_twitter_washingtonpost

======
pvnick
Wanted to take yet another opportunity to mention the nationwide Restore the
Fourth demonstration _happening this week_.
[http://restorethe4th.net](http://restorethe4th.net) I hope everyone reading
this attends their local rally.

It also needs to be said that another leak is coming soon that details a
program that collects/stores the _contents_ of 1 Billion cell phone calls
every single day [1]. I submitted the link earlier but it got buried after
only a few upvotes.

[1] [http://www.businessinsider.com/greenwald-nsa-store-calls-eve...](http://www.businessinsider.com/greenwald-nsa-store-calls-every-day-2013-6)

~~~
skue
These protests have not been well organized. From the outside it looks like a
handful of Redditors who are thinking of hanging out together - and there
seems to have been no PR or outreach to folks beyond Reddit. Most of the
nation does not use Reddit.

My page for my New England city has nothing except a link to a conversation
with half a dozen folks planning a preliminary meeting, with no follow up info
posted. I could drive to Boston, but what's the point: the Boston group is
only predicting an attendance of 40. I doubt it will get media coverage, and
at that size I honestly hope it doesn't.

~~~
pvnick
> I could drive to Boston, but what's the point: the Boston group is only
> predicting an attendance of 40

This defeatist attitude is _why_ the predicted attendance is so low.

~~~
skue
No, the predicted attendance is low because _no one has heard about this._

Only organizing among Redditors, not bothering to reach out to people with
more experience organizing protests, and not partnering with affiliated
organizations (Tea Party, Occupy, various student groups) who might all come
together to rally around this is why predicted attendance is so low.

Update: Added first sentence to emphasize point.

~~~
pvnick
And yet we have armchair critics like yourself declining to get involved and
help out, opting instead to bicker and put down the efforts of people trying
to actually make a difference.

~~~
skue
I'm sorry this has devolved into a back and forth. I was trying to offer the
perspective of someone who believes passionately about this issue and is
looking for ways to get more active, but who cannot get excited about these
protests in my area. I do hope there are bigger protests in other cities and
they make some impact.

I believe we are both frustrated that more is not happening, and unfortunately
that frustration is being directed at each other instead of the real issue. I
do applaud your enthusiasm and stepping forward to help advertise this.

~~~
pvnick
Thank you for your support :) Please don't take my direct tone personally,
I've been following Greenwald's twitter a lot recently and emulating the way
he responds to critics. Generally it's been very effective at rallying support
but can tend to alienate folks who disagree.

------
samd
_The supervisor must endorse the analyst's "reasonable belief," defined as 51
percent confidence, that the specified target is a foreign national who is
overseas at the time of collection._

US citizens make up less than 50% of the world population. So given any target
I can be more than 51% confident that they are not a US citizen, knowing
nothing about the particular target whatsoever.

~~~
hypersoar
The 51% threshold sounds to me like something set by some manager(s) who
didn't actually know anything about statistics or probability.

~~~
Nimi
Yep. If all analysts would target addresses with exactly 51% confidence and no
higher, and their confidence is the exact statistical probability they're
foreign, that would mean 49% of targets are US citizens.

------
eightyone
From the article:

"The program is court-approved but does not require individual warrants."

So does this mean that the number of government requests released by Facebook,
Microsoft, etc. within the last few weeks are essentially meaningless in
regards to PRISM and most likely other top secret government spying programs?

~~~
tptacek
This was known prior to the PRISM disclosure; they're (most likely) referring
to the FAA 702 process, in which a court certifies a target for which multiple
directives may then be issued. The certification establishing the target is
reviewed in the manner of a FISA warrant, but the individual directives that
flow from the certification aren't. Certifications have a 1:many relationship
with directives.

The reasonable expectation one would have about statistics released by (say)
Yahoo pursuant to this process is that they would capture every _directive_
received by the provider, since providers don't get the certifications.

Just a quick reminder: the USG does not need and has never needed and probably
will never need a warrant to spy on a foreign entity not on US soil. I'd be
interested in hearing about any country that had a signals intelligence
capability (Germany, France, Israel, UK, China, Japan, Brazil, &c) in which a
warrant was required to conduct foreign intelligence.

~~~
Joeri
> the USG does not need and has never needed and probably will never need a
> warrant to spy on a foreign entity not on US soil

The older I get the more these artificial boundaries of nationalism bother me.
Nationalism is cultural racism. I'm convinced that people will at one point
look back on it the same negative way we perceive genetic racism today.

~~~
msg
There is an internet generation gap here. It's more important to be a citizen
of the world than any particular place, and more important to think about the
influence of multinationals on government than to think about the influence of
one country on foreign policy.

------
md224
"The FBI uses _government equipment on private company property_ to retrieve
matching information from a participating company, such as Microsoft or Yahoo
and pass it without further review to the NSA." (emphasis mine)

Is it just me or is this a fairly bold claim? I don't see anything about
government equipment on private company property in the slides... wondering if
this is additional testimony from Snowden, or info from supplementary docs
that they haven't released.

Also: "The Foreign Intelligence Surveillance Court does not review any
individual collection request." Could I get some perspective on this
statement? Is this as bad as it sounds? Or are they saying the court approves
monitoring on an individual and doesn't need to give approval for every single
collection request on that individual?

~~~
mpyne
> I don't see anything about government equipment on private company property
> in the slides.

Given the interface already laid out in what we knew about PRISM before,
that's mostly an implementation detail. Maybe the company didn't want to have
to send the data over the open Internet on their own (even encrypted) and
wanted to pawn off that responsibility to the NSA?

I don't know where the info came from but I remember it being talked about
when the news first leaked so it may have been sent by Snowden with the
initial leak of slides.

I suppose the question is really how embedded into the company's subnet is the
government equipment?

> The Foreign Intelligence Surveillance Court does not review any individual
> collection request

Basically this part from the article introduction: "The program is
court-approved but does not require individual warrants. Instead, it operates under
a broader authorization from federal judges who oversee the use of the Foreign
Intelligence Surveillance Act (FISA)".

Keep in mind this is where the US/non-US inequality is at its most severe.
Almost the only reason the FISC really cares about this at all is to prevent
monitoring of _American_ citizens in a way that violates the 4th Amendment.
The program as constituted is less worried about ensuring the right person has
their data collected as it is about ensuring that a U.S. citizen does not have
their data collected.

So from that perspective such a warrant might appear rational on the part of
the court.

That's admittedly a pretty large inequity between US and non-US persons but
that's how the existing case law seems to approach it.

~~~
windexh8er
It's not just the companies listed here. It's the ISPs that provide the
treasure trove. The closer you can get to the subscriber wherein they must
pass only a handful of egress to upstream connectivity the better. I've
personally seen one of the NSA's mobile enclosures of which we were feeding
data via the Cisco law enforcement images. The provider I was working for at
the time had about 250k subscribers and was 49% owned by Comcast. The
enclosure the NSA gear was in was fully locked and encompassed in tamper tape
on any panel you could potentially remove. The ironic thing, however, was it
was sitting right at the front of the main data center door. Ballsy.

I can't wait until the documents come out showcasing the ties into carriers.
I've been waiting years for that validation.

~~~
jivatmanx
I was always wondering why the carriers enjoy such privileged monopoly
positions (with its price, service quality consequences). Deep cooperation
with the NSA is a pretty logical reason.

In retrospect, the retroactive immunity thing should have been a hint...

------
moskie
_"On April 5, according to this slide, there were 117,675 active surveillance
targets in PRISM's counterterrorism database. The slide does not show how many
other Internet users, and among them how many Americans, have their
communications collected "incidentally" during surveillance of those
targets."_

I think something is inferred there that isn't necessarily true: there being
117,675 PRISM records does not necessarily refer to 117,675 different people
being targeted. The slides imply that there would be two different records for
the same person's Gmail account and their Facebook account. So the number of
individual people being targeted would actually be a good amount less. Yes,
still tens of thousands of people... but less than 117,675.

~~~
drivebyacct2
"targets in database" doesn't read as "PRISM case numbers" (to me). In fact,
it sounds specifically different in order to indicate unique individuals.

But who really knows, I guess.

~~~
reeses
Part of the process is to unify targets across communications mechanisms. That
number would very likely mean distinct "individuals," although it could
include people using multiple accounts that had not yet been associated with
the same person/group.

It's easier when you can associate IP addresses with multiple accounts, of
course, but there are a lot of traits (and I'm sure NSA has more than I am
aware of) that can be used as similarity metrics to create a probabilistic
hierarchy of account agglomeration.

Throwing clique analysis into the mix, which is of course where the most
important analysis goes, also helps establish the probability that multiple
accounts may be controlled by one person.

------
grey-area
When looking at these new slides with commentary, I find them hard to
reconcile with the Google statements about access, but they're not completely
contradictory. This line from the slides _commentary_ in particular is new (I
wonder if it summarises other slides considered too compromising to reveal?):

Washington Post - _The FBI uses government equipment on private company
property to retrieve matching information from a participating company_

The statements by Google seem to contradict this on first reading:

Larry Page - _"Second, we provide user data to governments only in accordance
with the law. Our legal team reviews each and every request, and frequently
pushes back when requests are overly broad or don’t follow the correct
process. Press reports that suggest that Google is providing open-ended access
to our users’ data are false, period. Until this week’s reports, we had never
heard of the broad type of order that Verizon received—an order that appears
to have required them to hand over millions of users’ call records. We were
very surprised to learn that such broad orders exist. Any suggestion that
Google is disclosing information about our users’ Internet activity on such a
scale is completely false."_

David Drummond - _"Now, what does happen is that we get specific requests
from the government for user data. We review each of those requests and push
back when the request is overly broad or doesn't follow the correct process.
There is no free-for-all, no direct access, no indirect access, no back door,
no drop box."_

The slides and accompanying commentary from the WP imply that these statements
above are at best misleading and misdirection, but not necessarily untrue in a
strict sense. There are various qualifiers and ambiguities in the Google
statements which mean they could still be claimed to be true - the placement
of the apostrophe on _users’ data_, which could be taken to mean all users as
a plurality rather than just a few tens of thousands, the use of _broad_, and
_on such a scale_ to limit the denial to activities similar to those at
Verizon which was reporting all activity. They may well not have heard of a
PRISM program as there would be no reason to share the codename with them.
Taken together those denials could be taken to be simply denials of
participating in complete surveillance (with broad being defined as every
single user) or giving access (in some limited sense) to their servers - I'm
not sure they've ever denied access to data. The only thing which does puzzle
me is that they've claimed their legal team reviews each and every request -
that would be hard to do in an automated system or one in which the NSA has
their own equipment, though perhaps they do it in bulk or retrospectively.

So these statements could be true in some limited sense, but it'd be nice if
Google didn't feel the need to couch their denials in lawyerly evasions. The
main reason they have to do this and cannot release more data is that they're
not allowed to talk about these secret programs - that enforced secrecy is the
most damaging thing here, both for Google and for public debate - we can't
talk about them because they're secret, and neither the people affected, nor
even the US Congress are given the facts to decide whether they even approve
of this behaviour by the NSA/FBI, because the programs are secret. No-one can
have a meaningful debate on these programs without more information.

------
bulatb
The way this is presented really isn't cool. If the Post has evidence to back
their annotations, they should cite it or at least say it exists in other
sources they have access to.

If the annotations are correct, they basically confirm the worst and most
extreme interpretations people could come up with when this story broke. But
there's no evidence presented in these slides, at all, to support the notes
they've "helpfully" added. Where's this information coming from?

~~~
brown9-2
And why did they hold back these slides from the original story when some of
the content is contradicting?

------
dmix
They also posted a great diagram breaking down the process in simpler
language:

[http://apps.washingtonpost.com/g/page/national/inner-working...](http://apps.washingtonpost.com/g/page/national/inner-workings-of-a-top-secret-spy-program/282/)

------
jka
Architecturally, it sounds remarkably similar to commercial social media
monitoring platforms - not too surprising, since both are essentially about
watching and searching the behavior of people around certain
topics/groups/keywords.

Queries ('selectors') go in one end, are presumably translated into
appropriate queries at each of the external 'data sources' (best-effort
translation of the original selectors into whatever the source supports
query-wise) and then the results are either alerted on in real-time (surveillance)
or kept longer-term (stored comms).

Content returned varies on what the provider can support.

Finally there is a search interface on top (although it looks _very_ basic in
this case - simple boolean AND/OR) to provide historic search over the data
collected.

------
logn
Facebook blog: "Growing Beyond Regional Networks (June 2 2009)"
[https://blog.facebook.com/blog.php?topic_id=216284525139](https://blog.facebook.com/blog.php?topic_id=216284525139)

Facebook joined PRISM on June 3, 2009.

------
antoncohen
The Washington Post articles keep referring to companies/providers as
"participating", but nowhere in the slides does it say that internet
companies are knowingly participating. It seems very likely that the companies
listed are unaware of the surveillance, and the dates listed are when the NSA
was able to tap and decode their data streams. I would really like to see
evidence that companies are knowingly participating, otherwise this may be
defamation by the Post.

Tech: All the companies listed have multiple sites/datacenters. While they use
SSL/TLS to encrypt client-server connections, they may not be using encryption
to protect server-server connections. Most of the database replication systems
don't use encryption by default. Companies use circuit switched connections
between sites, they don't own the fiber between two datacenters. That fiber is
owned by the big telco providers, and passes through equipment owned by the
telco providers.

We know big telco providers like AT&T and Verizon are very willing to give the
NSA access to _everything_ without putting up a fight. It seems very possible
to me that the NSA is surveilling these companies without their knowledge.

For example it was reported that Dropbox was "coming soon" to PRISM. I don't
believe for a second that Dropbox is knowingly giving access to the NSA.
"Coming soon" may mean that the NSA has tapped Dropbox's communication, and
they are working on decoding it, and converting it into a usable format for
PRISM.

~~~
andrewljohnson
That's an unnecessary conspiracy theory. The companies all say that they
comply with all legal orders, and secret FISA orders are legal. These slides
all seem in line with what the CEOs and reps have said.

No one is denying PRISM exists, it just needs to be abolished, and all things
like it should be subject to public scrutiny. Obviously it's not ineffective
when it's not a secret, so there is no reason for secrecy.

~~~
antoncohen
> The companies all say that they comply with all legal orders, and secret
> FISA orders are legal. These slides all seem in line with what the CEOs and
> reps have said.

That's not true, the slides describe a system that receives a raw data flow
and decodes it. Google and Facebook have both explicitly denied giving access
or even receiving a request for blanket or bulk access. They both say they have
only received requests for specific individuals, and every request is
individually reviewed by their legal team.

~~~
throwit1979
Oh, well if the companies denied complying with an order they're not allowed
to even disclose _the existence of_ , under penalty of treason, then that's
the God's honest truth. Case closed.

There's nothing to see here, people. The participating companies are not
actually participating at all, and a damage control press release is absolute,
unquestionable confirmation of this fact. Nothing is more truthful than a
press release.

------
leoc
The old parts of the WaPo's notes don't seem to have been revised. For
example, the 'PRISM' name probably doesn't have anything to do with
fibre-optic taps, since the You Should Use Both slide indicates that the PRISM name
refers only to the Web-company "direct collection" operation rather than the
"upstream collection" from the network.
[https://news.ycombinator.com/item?id=5887627](https://news.ycombinator.com/item?id=5887627)
(This Washington Post page still doesn't seem to have any mention of the You
Should Use Both slide, probably for the bad reason that it was the Guardian's
scoop.) Similarly, the Introduction slide seems to be mostly relevant to
upstream collection rather than PRISM.

------
rsingel
The FBI as the conduit makes sense. They've got a very sophisticated set of
private fiber connections to ISPs and phone companies.

So far as I can tell, this article from 2007 is the only comprehensive look at
the FBI's private spy architecture.

[http://www.wired.com/politics/security/news/2007/08/wiretap?...](http://www.wired.com/politics/security/news/2007/08/wiretap?currentPage=all)

------
leot
One question I've been wondering about: did the NSA/gov't ever ask the
operators of large webmail providers to _not_ deploy PGP/PKI?

------
segacontroller
So why didn't Apple just take P9?

~~~
shadowmatter
"Think different"?

These slides look to be from the same deck. I wonder if there are more yet to
come.

~~~
glitchdout
Oh, I'm pretty sure there are.

And though I'm dying to know just how deep the rabbit hole is, I'm thankful
that the slides are being steadily released. In today's world I guess that's
the only way to grab attention and gain momentum.

~~~
reeses
It also helps eliminate the credibility of the government and its corporate
collaborators when they disclaim participation based on subset x. When subset
y, released the next week, points out that they were in fact aware, then the
people who are exposed make stupid statements such as the lovely, "We don't spy
on US citizens."

I'm wondering what this theatrical sleight of hand is keeping us from seeing
elsewhere. We've probably invaded Iran or sent another trillion dollars to the
banking industry.

------
andy_ppp
To me the most interesting thing about all this will be the level of
integration between the systems and their ability to filter and record
information, figuring out who is likely to have done/said/thought what (using
very aggressive machine learning algorithms) and tying that in to an email
address as the key. There is no court order needed from an operative I'm
certain to get my Internet history from the fibre optic side; why would they
even need to bother requesting info from google etc. directly if they can just
start filtering on certain cookies in real time. SSL might be difficult to
break, but I can see that you could easily proxy SSL connections at the
network level... Maybe someone can explain to me how a man in the middle
attack against SSL can be prevented?

------
sixothree
What is interesting is the cost of the program is surprisingly low compared to
their budget.

------
stefanix
From the last slide it appears M$ pretty much volunteered first, ahead of
everybody else.

------
rasterizer
Interesting. Some insight, some contradiction and confusion especially when
compared to earlier reportings on the first slides:

- The "direct access" claim is replaced with "FBI interception unit" which is
"government equipment on private company property to retrieve matching
information from a participating company" that detail isn't mentioned in
slides but provided in annotations.

- The case format notation points to "real-time notification" when a target
logs in or sends emails/IM/VOIP etc:

"_Depending on the provider_, the NSA may receive live notifications when a
target logs on or sends an e-mail, or may monitor a voice, text or voice chat
as it happens (noted on the first slide as "Surveillance")."

The "Depending on the provider" bit is interesting as it suggests that there
are potentially different levels of "participation".

- "On April 5, according to this slide, there were 117,675 active
surveillance targets in PRISM's counterterrorism database." Can a FISA order
cover a target across service providers or each provider requires its own
order? The number of targets could dramatically be revised downwards depending
on that.

~~~
ics
I would imagine that the "depending on the provider" bit has more to do with
their existing infrastructure than participation per se. A live notification
for when someone is on Facebook or even Google would probably be much easier
to get (and more useful I suppose) than their iCloud sync.

Edit: Also note that Apple is a late addition on their graph and Microsoft is
the first. Don't mean I think that says much about one versus the other, but
if MS has been a provider since '07 they probably have much better access
either through influence or better understanding than they do at Apple _at the
time this was presented_.

~~~
rasterizer
Obviously there is plenty of room for speculation but what seems to emerge, at
least as I see it, is that even the worst case scenario doesn't entail actual
"direct access".

In the case of activity timestamps (which I'm sure legally don't get the same
protection as content) they would be _sent_ by the companies to the FBI/NSA
not have their actual servers monitored by them.

~~~
Spearchucker
There's a line between the provider and the FBI. That line is explained as
pull, rather than push. That nuance notwithstanding, how is this _not_ direct
access?

~~~
rasterizer
You want me to speculate about arrow direction?! alright, generally speaking
the access is not "direct" because the "boxes" act as buffers. I can't say if
they "pull" the boxes or they just serve subpoenas to them and get the data
pushed back.

~~~
Spearchucker
Quite the opposite - no speculation is required. The NSA has direct access.
Any discussion that focuses on how is a discussion of semantics, and as such
is of anecdotal interest.

