Marc Ambinder, the author, is known for having good sources in the security and defense communities. Government officials often work with him to communicate their perspectives anonymously. His article on "NSA sucks in data from 50 companies" [1] is worth reading as well.
At a first reading, this seems consistent with what's been reported and with the carefully-worded denials from tech companies. A few thoughts:
Under the FISA Amendments Act of 2008, the NSA and the attorney general apply for an order allowing them to access a slice of the stuff that a company like Facebook keeps on its servers. Maybe this order is for all Facebook accounts opened up in Abbottabad, Pakistan. Maybe there are 50 of them.
As we saw with the Verizon case, the FISA court is willing to approve very broad collection. Could an order extend as far as all Facebook accounts opened up in all of Pakistan?
It is of course hard to view a Facebook account in isolation and not incidentally come into contact with an account that is owned by an American. I assume that a bunch of us have Pakistani Facebook friends. If the NSA is collecting on that account, and I were to initiate a Facebook chat, the NSA would suck up my chat. Supposedly, the PRISM system would flag this as an incidental overcollect and delete it from the analyst's workspace. Because the internet is a really complicated series of tubes, though, this doesn't always happen. And so the analyst must sometimes "physically" segregate the U.S. person's data.
This is the kind of overcollection that those of us fighting the FISA Amendments Act expressed concern about and were assured wouldn't happen. So now the goalposts have been moved, with the government arguing that it's okay to overcollect.
As Marc points out later in the article, they can also do initial analysis, and pass to the FBI. His example is in terms of a terrorist threat ... but suppose they found evidence of other crimes? Less than 1% of the Section 213 "sneak and peak" Patriot Act authorizations have been terrorism-related (most of them are drug-related) [2], so there's certainly plenty of precedence for using this kind of data for ordinary law enforcement.
In a real world situation, I wouldn't assume that the NSA would just hand over evidence to the FBI unless it was pertinent to the NSA's mission. The two agencies are completely different and belong to different arms of the bureaucracy.
The NSA analyst's job is to root out foreign enemies (who sometimes are within U.S. borders). What does she gain if the FBI uses something she's collected under a super-secret system to prosecute someone on, let's say, on a grand larceny charge? The NSA doesn't get credit for that. On the other hand, she's on the hook in several ways...one, she has to do such sharing discreetly. Second, she has to deal with the FBI's requests for "just a little more info". And third, she has to depend on the FBI agent not fucking up and dragging her into court.
This is not to say that NSA/FBI sharing should be kosher...it's just pointing out that even if it is, bureaucratic barriers would impede it, and even if thhey dont, that would be the least of our worries...much more likely that the NSA goes overboard in its own investigation and snares those who should not be in the dragnet, which it can do without the FbBI's help
This is a great overview (assuming it's based on some knowledge, and not a total work of fiction). It puts things in context, and asks the right questions.
This is the most detailed and plausible explanation I've seen and Marc Ambinder has been writing some really great stuff on this topic over the past few days. He should be getting a lot more attention.
At a first reading, this seems consistent with what's been reported and with the carefully-worded denials from tech companies. A few thoughts:
Under the FISA Amendments Act of 2008, the NSA and the attorney general apply for an order allowing them to access a slice of the stuff that a company like Facebook keeps on its servers. Maybe this order is for all Facebook accounts opened up in Abbottabad, Pakistan. Maybe there are 50 of them.
As we saw with the Verizon case, the FISA court is willing to approve very broad collection. Could an order extend as far as all Facebook accounts opened up in all of Pakistan?
It is of course hard to view a Facebook account in isolation and not incidentally come into contact with an account that is owned by an American. I assume that a bunch of us have Pakistani Facebook friends. If the NSA is collecting on that account, and I were to initiate a Facebook chat, the NSA would suck up my chat. Supposedly, the PRISM system would flag this as an incidental overcollect and delete it from the analyst's workspace. Because the internet is a really complicated series of tubes, though, this doesn't always happen. And so the analyst must sometimes "physically" segregate the U.S. person's data.
This is the kind of overcollection that those of us fighting the FISA Amendments Act expressed concern about and were assured wouldn't happen. So now the goalposts have been moved, with the government arguing that it's okay to overcollect.
As Marc points out later in the article, they can also do initial analysis, and pass to the FBI. His example is in terms of a terrorist threat ... but suppose they found evidence of other crimes? Less than 1% of the Section 213 "sneak and peak" Patriot Act authorizations have been terrorism-related (most of them are drug-related) [2], so there's certainly plenty of precedence for using this kind of data for ordinary law enforcement.
[1] https://news.ycombinator.com/item?id=5844972
[2] http://irregulartimes.com/index.php/archives/2012/02/06/unde...;