

Sources: NSA sucks in data from 50 companies - cpleppert
http://theweek.com/article/index/245311/sources-nsa-sucks-in-data-from-50-companies

======
brown9-2
Marc Ambinder (the author) posted a new article late last night which goes
into much more detail: [http://theweek.com/article/index/245360/solving-the-
mystery-...](http://theweek.com/article/index/245360/solving-the-mystery-of-
prism)

 _Each data processing tool, collection platform, mission and source for raw
intelligence is given a specific numeric signals activity /address designator,
or a SIGAD. The NSA listening post at Osan in Korea has the SIGAD USA-31.
Clark Air Force Base is USA-57.

PRISM is US-984XN.

Each SIGAD is basically a collection site, physical or virtual; the SIGAD
alphanumerics are used to indicate the source of intelligence FOR a particular
report.

The NSA often assigns classified code names to the product of SIGADs. These
can be confused with the nicknames or proper names of the collection platforms
themselves, which may or may not be classified. What PRISM does is classified;
the fact that there is a "PRISM" tool that does something is not.

...

So: An analyst sits down at a desk. She uses a tool, like PRISM, to analyze
information collected and deposited in a database, like CONTRAOCTAVE. Then she
uses another tool, perhaps CPE (Content Preparation Environment), to write a
report based on the analysis. That report is stored in ANOTHER database, like
MAUI. MAUI is a database for finished NSA intelligence products. Anchory is an
intelligence community-wide database for intelligence reports._

\---------------

And here is the core of it:

 _This is all very complicated, and that is on purpose. But this brief
tutorial is important. PRISM is a kick-ass GUI that allows an analyst to look
at, collate, monitor, and cross-check different data types provided to the NSA
from internet companies located inside the United States.

The programs that use PRISM are focused, as the government said yesterday, on
foreign intelligence. A lot of foreign intelligence runs through American
companies and American servers.

...

Now, these accounts are being updated in real-time. So Facebook somehow
creates a mirror of the slice of stuff that only the NSA can access. The
selected/court-ordered accounts are updated in real-time on both the Facebook
server and the mirrored server. PRISM is the tool that puts this all together.
Facebook has no idea what the NSA is doing with the data, and the NSA doesn't
tell them._

So, PRISM is the name of the software application(s) used by an analyst that
allows them to pull together all the various pieces of data that they receive
from these companies, along with other sources, for their analysis.

Which of course, explains why the companies have never heard of this name.
There is no reason for them to have.

And what the NSA has isn't necessarily "direct access" to the servers - PRISM
gives the analyst "direct access" to the data that has already been collected
by many different means.

~~~
danso
So the key question is, if this part is true:

> _Now, these accounts are being updated in real-time. So Facebook somehow
> creates a mirror of the slice of stuff that only the NSA can access. The
> selected /court-ordered accounts are updated in real-time on both the
> Facebook server and the mirrored server._

Does this "slice" contain material and accounts gathered only after the legal
review that Facebook claims that it performs?

If so, then this story gels with what the NYT reported, that some
organizations have built a secure framework to expedite the transmission of
requested data...which makes sense, depending on the nature of the
investigation...that is...if the NSA has requested data on a suspect on an
ongoing case...then they'd probably want that datastore to be updated...in the
same way that they want wiretaps to stay on the wire during the investigation.

Note: this is not to say that such surveillance is justified, but that this
program makes sense with what Facebook and Google said yesterday and with the
reports by the WaPo and the Guardian. Whether this is substantially worse than
the other apparatuses we have in place, such as NSL, is also up for debate.

~~~
omd
Facebook and Google have always been the least transparent imaginable AND
they're both in damage control mode AND they're obviously under some DHS gag
order. So why anyone would give any credence to a word they say is beyond me.

~~~
danso
It's not out of faith in Google or Facebook, it's that they have put up a
reasonably testable defense rather than what they could've done, which is to
remain mostly silent. Moreover, the very size and complexity that most people
distrust them for also means that their cooperation with any government
function is going to involve a lot of moving parts...it's not likely to be the
case that Zuckerberg can lie about something and be sure that those involved
all stick to the script.

So given that, I think it's worthwhile to actually test their assertion (I.e.
not rush to judgment) rather than patting ourselves on the back with the
logical fallacies of:

* "Well, the reports about Facebook and Google must be true because it comes from a group that is itself evil and who I would normally not believe" (the enemy of my enemy is my friend)

* "Well, what else would you expect an obviously evil entity to say after being accused of evil acts?" (circular reasoning).

Again, it's not because Google and Facebook are poor disenfranchised groups
that must be sympathized with, but because it feels a little dishonest to
subject them to the same kind of inescapable logical trap that our government
has used to go after and prosecute suspected enemies of the state

Just out of curiosity...can you really not imagine a less transparent
corporation than either Google or Facebook?

~~~
philwelch
With PRISM, if the allegations were false, Facebook and Google would deny
them, but if they were true, Facebook and Google would still deny them. So the
denial carries no information in and of itself. Parsing the denial might bear
some clues--for instance, all these companies use the same technicalities and
talking points.

~~~
danso
What are the similar talking points? They both do strongly deny knowledge or
participation in PRISM, but that's not really a talking point.

And I don't think it's an either-or situation: either it's the truth and they
deny, or it's false and they deny. There's a third option: it's true, and they
remain silent.

~~~
shardling
Also, is it such a crazy idea that Facebook, Google, etc. would get together
and come up with their _own_ talking points? That was my first reaction on
seeing the similar statements -- that they're acting with a common purpose and
agenda, but one that's their own, not the governments.

~~~
philwelch
Why would companies who aren't collaborating with the NSA suddenly start
collaborating with each other to deny collaborating with the NSA? Wouldn't
they issue their own denials in their own words?

~~~
shardling
I don't really understand your question. It seems like you're asking why
several groups, under attack in the same way, might get together to defend
themselves, but I'd have thought that self-evident so -- what _are_ you
saying?

~~~
philwelch
When you're issuing denials, you don't have to get together and figure out how
to phrase your denials unless you're trying to hide something.

------
codeulike
Here's a section that seemed important to me:

 _One official likened the NSA 's collection authority to a van full of sealed
boxes that are delivered to the agency. A court order, similar to the one
revealed by the Guardian, permits the transfer of custody of the "boxes." But
the NSA needs something else, a specific purpose or investigation, in order to
open a particular box. The chairman of the Senate intelligence committee, Sen.
Dianne Feinstein, said the standard was "a reasonable, articulatable"
suspicion, but did not go into details.

Legally, the government can ask companies for some of these records under a
provision of the PATRIOT Act called the "business records provision."
Initially, it did so without court cognizance. Now, the FISC signs off on
every request.

Armed with what amounts to a rubber stamp court order, however, the NSA can
collect and store trillions of bytes of electromagnetic detritus shaken off by
American citizens. In the government's eyes, the data is simply moving from
one place to another. It does not become, in the government's eyes, relevant
or protected in any way unless and until it is subject to analysis. Analysis
requires that second order._

So, the govt and NSA distinguish between 'having the data' (receiving a van
full of boxes, in the metaphor above) and 'subjecting the data to analysis'
(opening a box, in the metaphor). They have a broad order for having the data,
but need more specific sign-off to process or analyse the data.

This differentiation between 'having data' and 'analysing data' is not one
we'd generally make in the IT world - because if they already have the boxes
in their possession, how do we know they are getting the right permission
before they open the boxes? How is any oversight possible in that situation?

~~~
saraid216
> This differentiation between 'having data' and 'analysing data' is not one
> we'd generally make in the IT world - because if they already have the boxes
> in their possession, how do we know they are getting the right permission
> before they open the boxes? How is any oversight possible in that situation?

I don't think it is possible: that's precisely why it's not a distinction made
in the IT world: we don't have the apparatus of courts and judges. In the IT
world, the primary issue is about security. You have a walled garden and you
don't want to let bad people in. Logistics is secondary. Whereas in the IC
world, logistics appears to be the harder problem, and keeping the bad people
out is already solved to their satisfaction. The challenge is to make sure
everyone who needs the data has it.

------
Jabbles
I think the best explanation is given here:
[https://news.ycombinator.com/item?id=5844576](https://news.ycombinator.com/item?id=5844576)

Prism is probably no more than a mail-merge program that will take your (i.e.
NSA agent's) signed court order and convert it into whatever format each
company requires. Then it will make the request quickly and easily - Say
Google requires a PGP encrypted email, Microsoft wants a HTTPS PUT request,
Facebook needs you to upload to SFTP server etc.

~~~
count
The NSA doesn't require a signed court order for it's activities though.
They're not allowed to spy on Americans (unless that American is communicating
with a foreign person) at all. The FBI needs court orders, and is focused on
Americans.

NSA is part of the Dept. of Defense, and there are lots of laws/rules/etc.
that limit what it can do with US citizens.

~~~
akiselev
The issue is the lack of transparency of the laws/rules/etc. and the review
and checks and balances problem.

This NSA infrastructure is sufficient for an extremely effective domestic
spying network and the only thing stopping them from starting up such a
program is the FISA court, where EVERYTHING IS COMPARTMENTALIZED. Do you see a
problem with that?

~~~
count
You misunderstand. I was merely pointing out that the existence, or lack
thereof, of a court order, was completely beside the point as far as the
National Security Agency is concerned.

The NSA is chartered and bound to not do domestic spying.

The only thing stopping anybody from doing anything is the law, and the threat
of potentially violent enforcement of that law upon them. It's no different
for the Agency.

------
steven2012
To me, these are the relevant paragraphs:

It is not clear how the NSA interfaces with the companies. It cannot use
standard law enforcement transmission channels to do, since most use data
protocols that are not compatible with that hardware. Several of the companies
mentioned in the Post report deny granting access to the NSA, although it is
possible that they are lying, or that the NSA's arrangements with the company
are kept so tightly compartmentalized that very few people know about it.
Those who do probably have security clearances and are bound by law not to
reveal the arrangement.

This arrangement allows the U.S. companies to "stay out of the intelligence
business," one of the officials said. That is, the government bears the
responsibility for determining what's relevant, and the company can plausibly
deny that it subjected any particular customer to unlawful government
surveillance. Previously, Congressional authors of the FAA said that such a
"get out of jail free" card was insisted by corporations after a wave of
lawsuits revealed the extent of their cooperation with the government.

------
ihsw
One has to wonder when the 'combating terrorists' (non-state actors) rhetoric
will end, especially when it clearly is at the very bottom of the list of
objectives regarding internet surveillance. All of this public-private
cooperation seems to indicate that the USG is gearing up for an offensive
against other state actors (or it's already in progress).

People who self-identify as 'pirates' sometimes refer to the internet as 'the
open seas' (similarly representing freedom from oppression and
authoritarianism) so it's interesting to see governments establishing
'internet navies' with offensive capabilities given as much attention as
defensive capabilities.

~~~
rdl
If so, I want my Letter of Marque and Reprisal. Even if I have to sign it
myself.

~~~
mpyne
You want to be authorized by a national government to conduct cyber-warfare
activities on their behalf? I think these analogies are becoming a bit
strained, U.S. Coast Guard handles law enforcement on the seas, not the Navy.

~~~
rdl
Well, not strictly cyber-warfare warfare. And military, not law enforcement;
at least, military-like activities against non-state actors. (Ron Paul
actually proposed this both as the response to 9-11 and the Somali Pirates...)

 _Nothing_ could go wrong with this :)

------
waterlesscloud
More detail here than I've seen elsewhere.

In particular, this explanation of what PRISM actually does-

"PRISM works well because it is able to handle several different types of data
streams using different basic encryption methods, the person said. It is a
"front end" system, or software, that allows an NSA analyst to search through
the data and pull out items of significance, which are then stored in any
number of databases. PRISM works with another NSA program to encrypt and
remove from the analysts' screen data that a computer or the analyst deems to
be from a U.S. person who is not the subject of the investigation, the person
said."

It mostly sounds like a typical DB query front end, which accesses DBs built
up from individual record requests from the tech companies.

But then there's the part about handling different kinds of encryption on the
input side, which is puzzling.

~~~
mtgx
Could be why this only costs $20 million a year maintaining and upgrading it.
Now we need to find out what's really powering this front-end program.

------
moultano
Cnet reports the exact opposite, according to another anonymous government
source: [http://news.cnet.com/8301-13578_3-57588337-38/no-evidence-
of...](http://news.cnet.com/8301-13578_3-57588337-38/no-evidence-of-nsas-
direct-access-to-tech-companies&#x2F);

 _The legal process, the person said, is akin to how law enforcement request
information in criminal investigations: the government delivers an order to
obtain account details about someone who 's specifically identified as a
non-U.S. individual, with a specific finding that they're involved in an
activity related to international terrorism._

~~~
brown9-2
I don't think this is a conflict. Once the legal order is made and delivered
to the company, the NSA receives a real-time feed of that user's data going
forward (and all past data) and uses Prism to pull all the disparate data
sources together for the analyst to analyze.

Surveillance isn't just about receiving your past activity and data that
already exists - they want to watch suspects use these systems to communicate
in realtime to find out who else they are talking to.

------
waterphone
This article is two days old, but seems to contain details that contradict
later reports from other sources.

> A FISA order is required to continue monitoring and analyzing these
> datasets, although the monitoring can start before an application package is
> submitted to the Foreign Intelligence Surveillance Court.

That doesn't seem to fit with more recent claims that PRISM is just a
streamlined interface for presenting FISA warrants to companies. That might be
one component, but there appears to be data collection (just not analysis)
pre-warrant.

------
gasull
I wish more people used Bitmessage. It makes communications encrypted, secret
(with deniability) and it also has built-in spam minimization in the protocol
itself. It also includes broadcast messages (like Twitter) and chan boards. It
makes email look like an old technology.

[https://bitmessage.org](https://bitmessage.org)

~~~
betterunix
So it does everything that Email and Usenet can do?

~~~
gasull
Pretty much.

You can't distribute large files like in Usenet, though. Look into I2P +
BitTorrent for that, or GnuNet.

------
aswanson
The NSA is not only instrusive to the point of ridiculous, it's also, as
typical of large government organizations, obscenely wasteful of taxpayer
resources:
[http://en.wikipedia.org/wiki/Trailblazer_Project](http://en.wikipedia.org/wiki/Trailblazer_Project)

------
jthol
> The officials would not disclose the names of the companies because, they
> said, doing so would provide U.S. enemies with a list of companies to avoid.

I too would like to avoid these companies.

------
hisabness
what are the name of the 50 companies?

------
dcguy
Any centralized, aggregated data will attract both good and bad guys. The
responsibility of safeguarding data also falls on individuals. We are also a
party to the whole episode.

