Hacker News new | comments | show | ask | jobs | submit login
NSA slides explain the PRISM data-collection program (washingtonpost.com)
334 points by hermanywong 1626 days ago | hide | past | web | favorite | 86 comments

Wanted to take yet another opportunity to mention the nationwide Restore the Fourth demonstration happening this week. http://restorethe4th.net I hope everyone reading this attends their local rally.

It also needs to be said that another leak is coming soon that details a program that collects/stores the contents of 1 Billion cell phone calls every single day [1]. I submitted the link earlier but it got buried after only a few upvotes.

[1] http://www.businessinsider.com/greenwald-nsa-store-calls-eve...

While I support this protest, in my opinion, this is a non-media savvy day to have it. "Regular folks" use the day off for family, friends, and bbqs. It's a holiday so no one will be working at the government buildings, and it's typically a lousy news day since the skeleton crews are on.

But hopefully this event will start getting people together to keep the pressure on as new revelations come out. Protesting matters, phone calls matter, emails matter---I've seen it. Generally the rule is for every one constituent (that's key) call there's 100 more who think that. Right now you can start to see the official line fraying a bit with various actors attempting to cover their own asses. Maybe they don't care about the big picture, but they care about legacy, career, and ego. And no one wants to be on the wrong side of history.

These protests have not been well organized. From the outside it looks like a handful of Redditors who are thinking of hanging out together - and there seems to have been no PR or outreach to folks beyond Reddit. Most of the nation does not use Reddit.

My page for my New England city has nothing except a link to a conversation with half a dozen folks planning a preliminary meeting, with no follow up info posted. I could drive to Boston, but what's the point: the Boston group is only predicting an attendance of 40. I doubt it will get media coverage, and at that size I honestly hope it doesn't.

> I could drive to Boston, but what's the point: the Boston group is only predicting an attendance of 40

This defeatist attitude is why the predicted attendance is so low.

No, the predicted attendance is low because no one has heard about this.

Only organizing among Redditors, not bothering to reach out to people with more experience organizing protests, and not partnering with affiliated organizations (Tea Party, Occupy, various student groups) who might all come together to rally around this is why predicted attendance is so low.

Update: Added first sentence to emphasize point.

And yet we have armchair critics like yourself declining to get involved and help out, opting instead to bicker and put down the efforts of people trying to actually make a difference.

I'm sorry this has devolved into a back and forth. I was trying to offer the perspective of someone who believes passionately about this issue and is looking for ways to get more active, but who cannot get excited about these protests in my area. I do hope there are bigger protests in other cities and they make some impact.

I believe we are both frustrated that more is not happening, and unfortunately that frustration is being directed at each other instead of the real issue. I do applaud your enthusiasm and stepping forward to help advertise this.

Thank you for your support :) Please don't take my direct tone personally, I've been following Greenwald's twitter a lot recently and emulating the way he responds to critics. Generally it's been very effective at rallying support but can tend to alienate folks who disagree.

I find it much more likely that the lack of interest/poor organizing is why rather than a few skeptics on the internet. Their Twitter page has less than a thousand followers, their Facebook page has just over 2,000 likes. You can argue the people involved don't want to use social media, but the reality is no one is hearing the message besides a couple hundred insiders talking amongst themselves. It is hard to quash a movement with defeatists when there is no movement.

The supervisor must endorse the analyst's "reasonable belief," defined as 51 percent confidence, that the specified target is a foreign national who is overseas at the time of collection.

US citizens make up less than 50% of the world population. So given any target I can be more than 51% confident that they are not a US citizen, knowing nothing about the particular target whatsoever.

The United States makes up 4.46% of the world population [1], so there might be reason to believe that 95% of communications in transit are foreign. If you look at the users of facebook, there are more who are foreign (non-US) that US citizens [2].

[1] http://en.wikipedia.org/wiki/List_of_countries_by_population

[2] http://en.wikipedia.org/wiki/Facebook_statistics

The 51% threshold sounds to me like something set by some manager(s) who didn't actually know anything about statistics or probability.

Yep. If all analysts would target addresses with exactly 51% confidence and no higher, and their confidence is the exact statistical probability they're foreign, that would mean 49% of targets are US citizens.

Am I missing does something, or does "threshold of 51%" sound awfully like "false positive rate of 49%"? Imagine that with a spam filter. Just wow.

The only way that makes sense is that they whitelist the people they like, and simply don't give a flying fuck about anyone else, American or otherwise. Spy first, deny it later.

Only if you have no prior information. However, since the target has to be a specific person, and you have to have some reason to want to monitor them, you would have to have a good deal of prior information. At the very least, you know the networks on which they can be monitored, which already introduces a much more informative prior than "is-a human". The ratio of Americans to other people in your belief network would tend to be dominated by that other prior information.

Yes, the more you know about your target the more confident you become about their nationality. Though I don't think the target needs to be a specific person, it could just be an email address couldn't it? Given just an email address you could be more than 51% certain it belonged to a foreign national and start collecting their data.

Sure, you might have to tortuously stretch the legal wording here to justify collection of any particular target, but if there's one thing this Administration has proven adept at it's tortuous stretching of the law.

You are right on the topic of an email address, but even for that there has to be some context that would cause you to want to collect its information. I guess if that is a single post that states violent intentions, then if you studiously avoid any further information, you could easily hit that 51% number. Then again, once you open the email, presumably you'll quickly derive the person's location and nationality, and you might then have to close it again.

I don't know if that "tortuous reading" thing is really specific to this administration. And anyway, I'm still having trouble figuring out how this whole PRISM thing was unexpected given the laws that congress passed. It seems like a rather straightforward reading of the law to me.

You are assuming a representative distribution of users of whichever service they select. That may not be true.

These numbers can't possibly work for interceptions within the US telecom network. The fraction of Americans using the US telecom network approaches 100%, while the fraction of Liberians using it is probably much smaller.

Who supervises the supervisors?

From the article:

"The program is court-approved but does not require individual warrants."

So does this mean that the number of government requests released by Facebook, Microsoft, etc. within the last few weeks are essentially meaningless in regards to PRISM and most likely other top secret government spying programs?

This was known prior to the PRISM disclosure; they're (most likely) referring to the FAA 702 process, in which a court certifies a target for which multiple directives may then be issued. The certification establishing the target is reviewed in the manner of a FISA warrant, but the individual directives that flow from the certification aren't. Certifications have a 1:many relationship with directives.

The reasonable expectation one would have about statistics released by (say) Yahoo pursuant to this process is that they would capture every directive received by the provider, since providers don't get the certifications.

Just a quick reminder: the USG does not need and has never needed and probably will never need a warrant to spy on a foreign entity not on US soil. I'd be interested in hearing about any country that had a signals intelligence capability (Germany, France, Israel, UK, China, Japan, Brazil, &c) in which a warrant was required to conduct foreign intelligence.

> the USG does not need and has never needed and probably will never need a warrant to spy on a foreign entity not on US soil

The older i get the more these artificial boundaries of nationalism bother me. Nationalism is cultural racism. I'm convinced that people will at one point look back on it the same negative way we perceive genetic racism today.

There is an internet generation gap here. It's more important to be a citizen of the world than any particular place, and more important to think about the influence of multinationals on government than to think about the influence of one country on foreign policy.


Yet we need a good protocol for experimenting with different models in order to arrive at a good system.

A balancing act. We certainly need more fluid borders in the world, like between the borders of our states.

> The reasonable expectation one would have about statistics released by (say) Yahoo pursuant to this process is that they would capture every directive received by the provider, since providers don't get the certifications.

Furthermore, Google etc. didn't just provide the number of directives, warrants, etc. served on them (within a range), they also listed the total number of accounts affected (again within a range, of course). The latter numbers were higher, but not 10×+ higher.

> Just a quick reminder: the USG does not need and has never needed and probably will never need a warrant to spy on a foreign entity not on US soil

And again, it's not actually super-obvious to most people that this applies to US cloud data. The USG apparently (IANAL) can't search the empty New York bachelor pad of a Russian oligarch or Saudi oil prince without a warrant - that apparently it can nonetheless turn over their GMail account (basically) at will is therefore pretty surprising.

There's also the matter that US cloud-data firms have been making true-but-misleading statements apparently calculated to give their users the impression that they have the ability (as well as the willingness) to contest demands for individual users' data without a court finding of probable cause or something like it, when for a large majority of the PRISM-company users this is not the case.

Finally, US citizens might like to check out the FISA appeals court's opinion about a foreign-intelligence exception to the Fourth Amendment. https://news.ycombinator.com/item?id=5923606

Exactly. It also means that the statements issued by those companies after the initial leak were misleading at best, and arguably, outright lies.

Really seems kind of amazingly stupid to release those statements if the details being published here are anything close to accurate - wouldn't they have known the WP knew and could prove they were lying? The amount of trust in these companies going forward should be zero.

There is going to be a huge market in replacing essentially any/all of these services with ones physically and legally outside of the USA, with companies that vow to never voluntarily cooperate with the American surveillance state.

It really seems like these companies and the government are seriously underestimating the amount of information that Glenn Greenwald and friends have. This is why I love the strategy of slowly leaking out information. It let's us catch the government and companies involved lying and making contradictions.

I agree. Also companies that fully embrace encryption and not having access to your data. I deleted my Dropbox account the first day they were implicated as a "work in progress" or whatever. I've been using BitTorrent Sync and it's working pretty well. There is still some work to be done, though. I've been meaning to take a good look at SpiderOak.

> There is going to be a huge market in replacing essentially any/all of these services with ones physically and legally outside of the USA, with companies that vow to never voluntarily cooperate with the American surveillance state.

No. This shows the opposite. It shows that we can't place trust in jurisdiction anymore, and it shows that we can't trust companies who "vow" not to be evil.

If there is a "huge market" it is in replacing services with ones that provide cryptographic assurance that my data and communications are secure from any third party, and ideally, from the hosting company itself.

It would be nice if all these disclosures resulted in Eben Moglen's "Freedom Box" project getting a boost:


There doesn't seem to be any reason to believe these slides and whatnot are close to accurate at all.

My only question: with massive data centers owned by Google/Microsoft/FB etc, is onsite direct data retrieval really possible or practical?

Facebook, etc., said their numbers included requests that were not in response to individual warrants, so could include requests that originated through PRISM.


I think the uniformed response from the carriers is a diversion from the NSLs which they cannot speak about for the metadata or specific requests for information they have not obtained via fiber splitting.

I don't think that many people knew about the fiber splitting. Only the telecoms were granted immunity.

"The FBI uses government equipment on private company property to retrieve matching information from a participating company, such as Microsoft or Yahoo and pass it without further review to the NSA." (emphasis mine)

Is it just me or is this a fairly bold claim? I don't see anything about government equipment on private company property in the slides... wondering if this is additional testimony from Snowden, or info from supplementary docs that they haven't released.

Also: "The Foreign Intelligence Surveillance Court does not review any individual collection request." Could I get some perspective on this statement? Is this as bad as it sounds? Or are they saying the court approves monitoring on an individual and doesn't need to give approval for every single collection request on that individual?

In a report leaked 2 days ago [1], there is something on page 44 last paragraph that supports the FBI does the collection. If this is done via their machines on private property, this report doesn't speak to that.

In January 2009, the FBI, at NSA's request, assumed responsibility for the Domestic Content Order and became the declarant before the FISC.

[1] https://news.ycombinator.com/item?id=5952830

Per the equipment: http://www.wired.com/politics/security/news/2007/08/wiretap?...

And yes, the NSA tells the FISA court it wants a court order to spy on Al Qaeda in Pakistan or Chinese spies. Each one of those is a "court order". If it sounds like a general warrant, well, that's because that's what it is.

> I don't see anything about government equipment on private company property in the slides.

Given the interface already laid out in what we knew about PRISM before, that's mostly an implementation detail. Maybe the company didn't want to have to send the data over the open Internet on their own (even encrypted) and wanted to pawn off that responsibility to the NSA?

I don't know where the info came from but I remember it being talked about when the news first leaked so it may have been sent by Snowden with the initial leak of slides.

I suppose the question is really how embedded into the company's subnet is the government equipment?

> The Foreign Intelligence Surveillance Court does not review any individual collection request

Basically this part from the article introduction: "The program is court-approved but does not require individual warrants. Instead, it operates under a broader authorization from federal judges who oversee the use of the Foreign Intelligence Surveillance Act (FISA)".

Keep in mind this is where the US/non-US inequality is at its most severe. Almost the only reason the FISC really cares about this at all is to prevent monitoring of American citizens in a way that violates the 4th Amendment. The program as constituted is less worried about ensuring the right person has their data collected as it is about ensuring that a U.S. citizen does not have their data collected.

So from that perspective such a warrant might appear rational on the part of the court.

That's admittedly a pretty large inequity between US and non-US persons but that's how the existing case law seems to approach it.

It's not just the companies listed here. It's the ISPs that provide the treasure trove. The closer you can get to the subscriber wherein they must pass only a handful of egress to upstream connectivity the better. I've personally seen one of the NSAs mobile enclosures of which we were feeding data via the Cisco law enforcement images. The provider I was working for at the time had about 250k subscribers and was 49% owned by Comcast. The enclosure the NSA gear was in was fully locked and encompasses in tamper tape on any panel you could potentially remove. The ironic thing, however, was it was sitting right at the front of the main data center door. Ballsy.

I can't wait until the documents come out showcasing the ties into carriers. I've been waiting years for that validation.

I was always wondering why the carriers enjoy such privileged monopoly positions (with it's price, service quality consequences). Deep cooperation with the NSA is a pretty logical reason.

In retrospect, the retroactive immunity thing should have been a hint...

Have you contacted a journalist about your experiences? If not now is a good time to do so if you really have first-hand knowledge of tapping within ISPs.

> I don't know where the info came from but I remember it being talked about when the news first leaked so it may have been sent by Snowden with the initial leak of slides.

I first saw this in followup articles from the NYT and Washington Post quoting unnamed government sources.

I don't know if this is connected to the new information, but I seemed to remember articles about the FBI trying to set up backdoors and do something like extending the use of CALEA-type hardware to web companies. I don't know whatever became of it, but older articles on the subject can still be found.


"On April 5, according to this slide, there were 117,675 active surveillance targets in PRISM's counterterrorism database. The slide does not show how many other Internet users, and among them how many Americans, have their communications collected "incidentally" during surveillance of those targets."

I think something is inferred there that isn't necessarily true: there being 117,675 PRISM records does not necessarily refer to 117,675 different people being targeted. The slides imply that there would be two different records for the same person's Gmail account and their Facebook account. So the number of individual people being targeted would actually be a good amount less. Yes, still tens of thousands of people... but less that 117,675.

"targets in database" doesn't read as "PRISM case numbers" (to me). In fact, it sounds specifically different in order to indicate unique individuals.

But who really knows, I guess.

Part of the process is to unify targets across communications mechanisms. That number would very likely mean distinct "individuals," although it could include people using multiple accounts that had not yet been associated with the same person/group.

It's easier when you can associate IP addresses with multiple accounts, of course, but there are a lot of traits (and I'm sure NSA has more than I am aware of) that can be used as similarity metrics to create a probabilistic hierarchy of account agglomeration.

Throwing clique analysis into the mix, which is of course where the most important analysis goes, also helps establish the probability that multiple accounts may be controlled by one person.

The way this is presented really isn't cool. If the Post has evidence to back their annotations, they should cite it or at least say it exists in other sources they have access to.

If the annotations are correct, they basically confirm the worst and most extreme interpretations people could come up with when this story broke. But there's no evidence presented in these slides, at all, to support the notes they've "helpfully" added. Where's this information coming from?

And why did they hold back these slides from the original story when some of the content is contradicting?

They also posted a great diagram breaking down the process in simpler language:


Architecturally, it sounds remarkably similar to commercial social media monitoring platforms - not too surprising, since both are essentially about watching and searching the behavior of people around certain topics/groups/keywords.

Queries ('selectors') go in one end, are presumably translated into appropriate queries at each of the external 'data sources' (best-effort translation of the original selectors into whatever the source supports query-wise) and then the results are either alerted on in real-time (surveillance) or kept longer-term (stored comms).

Content returned varies on what the provider can support.

Finally there is a search interface on top (although it looks very basic in this case - simple boolean AND/OR) to provide historic search over the data collected.

Facebook blog: "Growing Beyond Regional Networks (June 2 2009)" https://blog.facebook.com/blog.php?topic_id=216284525139

Facebook joined PRISM on June 3, 2009.

The Washington Post articles keep referring to companies/providers as "participating", but no where in the slides does it say that internet companies are knowingly participating. It seems very likely that the companies listed are unaware of the surveillance, and the dates listed are when the NSA was able to tap and decode their data streams. I would really like to see evidence that companies are knowingly participating, otherwise this may be defamation by the Post.

Tech: All the companies listed have multiple sites/datacenters. While they use SSL/TLS to encrypt client-server connections, they may not be using encryption to protect server-server connections. Most of the database replication systems don't use encryption by default. Companies use circuit switched connections between sites, they don't own the fiber between two datacenters. That fiber is owned by the big telco providers, and passes through equipment owned by the telco providers.

We know big telco providers like AT&T and Verizon are very willing to give the NSA access to everything without putting up a fight. It seems very possible to me that the NSA is surveilling these companies without their knowledge.

For example it was reported that Dropbox was "coming soon" to PRISM. I don't believe for a second that Dropbox is knowingly giving access to the NSA. "Coming soon" may mean that the NSA has tapped Dropbox's communication, and they are working on decoding it, and converting it into a usable format for PRISM.

That's an unnecessary conspiracy theory. The companies all say that they comply with all legal orders, and secret FISA orders are legal. These slides all seem in line with what the CEOs and reps have said.

No one is denying PRISM exists, it just needs to be abolished, and all things like it should be subject to public scrutiny. Obviously it's not ineffective when it's not a secret, so there is no reason for secrecy.

> The companies all say that they comply with all legal orders, and secret FISA orders are legal. These slides all seem in line with what the CEOs and reps have said.

That's not true, the slides describe a system that receives a raw data flow and decodes it. Google and Facebook have both explicitly denied giving access or even receiving a request for blanket or bulk access. They both say the have only received requests for specific individuals, and every request is individually reviewed by their legal team.

Oh, well if the companies denied complying with an order they're not allowed to even disclose the existence of, under penalty of treason, then that's the God's honest truth. Case closed.

There's nothing to see here, people. The participating companies are not actually participating at all, and a damage control press release is absolute, unquestionable confirmation of this fact. Nothing is more truthful than a press release.

I really think that this is the case. Splitting the data would involve considerably less people in the know than asking for cooperation. Also, only the telecoms were granted immunity. The NSLs really appear to be solely for metadata, and maybe the uniformed response to this program by the 9 companies listed is a diversion from the NSLs, and they have not given "direct access".


It makes even more sense when you consider the name of the program "prism" is an object that's capable of splitting light into it's colorful components, i.e. decoding the data streams into visible readable more colorful data streams. Each company is a color exposed by prism.

It's not an acronym. It's a play on words.

The Post describes FBI-maintained equipment on company premises. It doesn't seem likely that Google's controls on their own infrastructure (or, say, Facebook's) are so lax that a few racks full of stuff could show up at their data centers without anyone at the company being aware of it.

The Post says "government equipment on private company property", but the slides don't say that, they also don't say the private property is that of internet companies (Google, Facebook, etc.). The slides actually refer the FBI's Data Intercept Technology Unit, which passes the communications to the NSA, including a Protocol Exploitation system.

The old parts of the WaPo's notes don't seem to have been revised. For example, the 'PRISM' name probably doesn't have anything to do with fibre-optic taps, since the You Should Use Both slide indicates that the PRISM name refers only to the Web-company "direct collection" operation rather than the "upstream collection" from the network. https://news.ycombinator.com/item?id=5887627 (This Washington Post page still doesn't seem to have any mention of the You Should Use Both slide, probably for the bad reason that it was the Guardian's scoop.) Similarly, the Introduction slide seems to be mostly relevant to upstream collection rather than PRISM.

The FBI as the conduit makes sense. They've got a very sophisticated set of private fiber connections to ISPs and phone companies.

So far as I can tell, this article from 2007 is the only comprehensive look at the FBI's private spy architecture.


One question I've been wondering about: did the NSA/gov't ever ask the operators of large webmail providers to not deploy PGP/PKI?

So why didn't Apple just take P9?

Apple joined in Oct 2012. It could be that other companies have agreed to join and were allocated those codes, but are not yet up and running as of the date the slides were made. Just speculation. I recall that there was a slide saying "dropbox coming soon", so they are probably working on onboarding other companies.

Perhaps P9 was allocated to a company that is no longer part of the program.

No longer part of the program? Ha!

Companies do go bankrupt or get bought....

With only two characters for the source ID, somebody at the NSA is thinking long term and using more than just digits from now on. Many more providers will come in the future.

Yes, found this interesting too, some P (9,0?) are missing or someone is having fun, PA like 'P Apple' ?

"Think different"?

These slides look to be from the same deck. I wonder if there are more yet to come.

Oh, I'm pretty sure there are.

And though I'm dying to know just how deep the rabbit hole is, I'm thankful that the slides are being steadily released. In today's world I guess that's the only way to grab attention and gain momentum.

It also helps eliminate the credibility of the government and its corporate collaborators when they disclaim participation based on subset x. When subset y, released the next week, points out that they were in fact aware, then the people who are exposed make stupid statements such as the lovely,"We don't spy on US citizens."

I'm wondering what this theatrical sleight of hand is keeping us from seeing elsewhere. We've probably invaded Iran or sent another trillion dollars to the banking industry.

There are a total of 41 slides related to this particular slideshow.


It could easily be a typo in the slides, for all we know. Problem is, we do not know just how accurate the information presented in the slides is.

To me the most interesting thing about all this will be the level of integration between the systems and their ability to filter and record information, figuring out who is likely to have done/said/thought what (using very agressive machine learning algorithms) and tying that in to an email address as the key. There is no court order needed from an operative I'm certain to get my Internet history from the fibre optic side; why would they even need to bother requesting info from google etc. directly of they can just start filtering on certain cookies in real time. SSL might be difficult to break, but I can see that you could easily proxy SSL connections at the network level... Maybe someone can explain to me how a man in the middle attack against SSL can be prevented?

What is interesting is the cost of the program is surprisingly low compared to their budget.

From the last slide it appears M$ pretty much volunteered first, ahead of everybody else.

When looking at these new slides with commentary, I find them hard to reconcile with the Google statements about access, but they're not completely contradictory. This line from the slides commentary in particular is new (I wonder if it summarises other slides considered too compromising to reveal?):

Washington Post - The FBI uses government equipment on private company property to retrieve matching information from a participating company

The statements by Google seem to contradict this on first reading:

Larry Page - "Second, we provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process. Press reports that suggest that Google is providing open-ended access to our users’ data are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false."

David Drummond - "Now, what does happen is that we get specific requests from the government for user data. We review each of those requests and push back when the request is overly broad or doesn't follow the correct process. There is no free-for-all, no direct access, no indirect access, no back door, no drop box."

The slides and accompanying commentary from the WP imply that these statements above are at best misleading and misdirection, but not necessarily untrue in a strict sense. There are various qualifiers and ambiguities in the Google statements which mean they could still be claimed to be true - the placement of the apostrophe on users’ data, which could be taken to mean all users as a plurality rather than just a few tens of thousand, the use of broad, and on such a scale to limit the denial to activities similar to those at Verizon which was reporting all activity. They may well not have heard of a PRISM program as there would be no reason to share the codename with them. Taken together those denials could be taken to be simply denials of participating in complete surveillance (with broad being defined as every single user) or giving access (in some limited sense) to their servers - I'm not sure they've ever denied access to data. The only thing which does puzzle me is that they've claimed their legal team reviews each and every request - that would be hard to do in an automated system or one in which the NSA has their own equipment, though perhaps they do it in bulk or retrospectively.

So these statements could be true in some limited sense, but it'd be nice if Google didn't feel the need to couch their denials in lawyerly evasions. The main reason they have to do this and cannot release more data is that they're not allowed to talk about these secret programs - that enforced secrecy is the most damaging thing here, both for Google and for public debate - we can't talk about them because they're secret, and neither the people affected, nor even the US Congress are given the facts to decide whether they even approve of this behaviour by the NSA/FBI, because the programs are secret. No-one can have a meaningful debate on these programs without more information.

Interesting. Some insight, some contradiction and confusion especially when compared to earlier reportings on the first slides:

- The "direct access" claim is replaced with "FBI interception unit" which is "government equipment on private company property to retrieve matching information from a participating company" that detail isn't mentioned in slides but provided in annotations.

- The case format notation points to "real-time notification" when a target logs in or sends emails/IM/VOIP etc:

"Depending on the provider, the NSA may receive live notifications when a target logs on or sends an e-mail, or may monitor a voice, text or voice chat as it happens (noted on the first slide as "Surveillance").

The "Depending on the provider" bit is interesting as it suggests that there are potentially different levels of "participation".

- "On April 5, according to this slide, there were 117,675 active surveillance targets in PRISM's counterterrorism database." can a FISA order cover a target across service providers or each provider requires its own order? the number of targets could dramatically be revises downwards depending on that.

I would imagine that the "depending on the provider" bit has more to do with their existing infrastructure than participation per se. A live notification for when someone is on Facebook or even Google would probably be much easier to get (and more useful I suppose) than their iCloud sync.

Edit: Also note that Apple is a late addition on their graph and Microsoft is the first. Don't mean I think that says much about one versus the other, but if MS has been a provider since '07 they probably have much better access either through influence or better understanding than they do at Apple at the time this was presented.

Re: apple vs microsoft. Almost certainly Microsoft was added early because of MSN messenger and Hotmail. MSN Messenger was pretty big internationally, notably in China. It would be interesting to know if all Chinese messages were routed through US based servers. Apple wasn't as significant a player in the email and instant messaging space until more recently.

Obviously there is plenty of room for speculation but what seems to emerge, at least as I see it, is that even the worst case scenario doesn't entail actual "direct access".

In the case of activity timestamps (which I'm sure legally don't get the same protection as content) they would be sent by the companies to the FBI/NSA not have their actual servers monitored by them.

There's a line between the provider and the FBI. That linesis explained as pull, rather than push. That nuance notwithstanding, how is this not direct access?

You want me to speculate about arrow direction?! alright, generally speaking the access is not "direct" because the "boxes" act as buffers. I can't say if they "pull" the boxes or they just serve subpoenas to them and get the data pushed back.

Quite the opposite - no speculation is required. The NSA has direct access. Any discussion that focuses on how is a discussion of semantics, and as such is of anecdotal interest.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact