Through a PRISM darkly: Tracking the ongoing NSA surveillance story

It was a relatively quiet week for internet news until Guardian blogger Glenn Greenwald dropped a bombshell on Thursday, with a story that showed the National Security Agency was collecting data from Verizon thanks to a secret court order. But that was just the beginning: the Washington Post later revealed an even broader program of surveillance code-named PRISM, which involved data collection from the web’s largest players — including Google, Facebook and Apple — and then the Wall Street Journal said data is also being gathered from ISPs and credit-card companies.

This story is moving so quickly that it is hard to keep a handle on all of the developments, not to mention trying to follow the denials and non-denials from those who are allegedly involved, and the threads that tie this particular story to the long and sordid history of the U.S. government’s surveillance of its own citizens. So we thought it would be useful to try and collect what we know so far in a single post, which will be updated as often as possible with new information.

1) The Guardian leak
2) The leak widens
3) The Washington Post leak
4) The fallout
5) Tracking down PRISM
6) The ripples spread
7) Google’s denial
8) Zuckerberg’s denial
9) Is there a back door?
10) How it might work
11) For your own good
12) The leaker revealed

The Guardian leak

Guardian blogger and former lawyer Glenn Greenwald reports that the NSA has gotten a secret order from the Foreign Intelligence Surveillance Court that allows it to collect data about phone calls made by “millions of customers” on the Verizon network: location data, time and other identifying info about the call — everything except the actual content of the calls themselves (the Guardian has a background piece about what kind of metadata is available with such an order).

“The National Security Agency is currently collecting the telephone records of millions of US customers of Verizon, one of America’s largest telecoms providers, under a top secret court order issued in April. The order… requires Verizon on an ‘ongoing, daily basis’ to give the NSA information on all telephone calls in its systems, both within the US and between the US and other countries.”

Verizon court order

The leak widens

Other stories that follow the Guardian report quote anonymous sources saying the Verizon court order is a renewal of an order that has been in place for some time, and add that other telecom companies such as AT&T are also involved in similar programs. Greenwald notes in his story that the NSA started a program of bulk collection of telephone, internet and email records in 2001 under President Bush and this later caused controversy when it was reported in 2006 that the NSA had been saving all of this information and was analyzing it to try and detect terrorism.

Information-security experts and other industry watchers note after Greenwald’s story is published that the NSA and other government agencies have had these kinds of abilities for years thanks to laws such as the Protect America Act and the FISA Amendments Act. ProPublica has a roundup of what the government can find out about you and your behavior without a search warrant, and security expert Bruce Schneier says that what we don’t know about the government’s surveillance programs is even more frightening than what we do know.

Meanwhile, our Stacey Higginbotham wonders whether the NSA story will be a wakeup call about the power of big data, while Derrick Harris looks at how the security agency and other government entities analyze the vast amounts of information that come from such programs.

Freelance journalist Joshua Foust argues that the NSA revelations won’t cause most people to change their behavior — including their habit of voting for politicians who enact the kind of legislation that permits such surveillance — because they simply don’t care enough about the issue. Some experts said the kind of data the NSA is getting can be very powerful when it comes to finding patterns of behavior, but research from the Cato Institute says that even mining large amounts of data can turn out to be not that helpful when it comes to catching terrorists.

The Wall Street Journal, meanwhile, said that the NSA’s surveillance program was “legal and necessary” and the furor over the disclosure of this program was misplaced:

“Nobody’s civil liberties are violated by tech companies or banks that constantly run the same kinds of data analysis. We bow to no one in our desire to limit government power, but data-mining is less intrusive on individuals than routine airport security. The data sweep is worth it if it prevents terror attacks that would lead politicians to endorse far greater harm to civil liberties.”

The Washington Post leak

Within hours of the Guardian story appearing, the Washington Post reports that it has been leaked an internal slide presentation from the NSA that describes a program it calls PRISM — which involves the collection of email and other personal data from internet companies including Google, Microsoft, Facebook, Apple and Yahoo. According to the Post report (and a subsequent Guardian report based on a similar leak), this program has been underway since at least 2007, and involves what one NSA slide refers to as “data collected directly from the servers” of the companies named.

prism screenshot

All of the companies who are reportedly involved in PRISM (which refers to them as “partners”) deny any knowledge of such a program, and say they only provide data when forced to do so by court order, and that they have no “back door” systems that would allow the NSA to do what it claims to be doing. These denials are met by widespread skepticism, and many observers — including TechCrunch founder turned VC Michael Arrington — wonder why insiders working at the tech giants allegedly involved in the program wouldn’t have leaked the information earlier.

The ongoing fallout

Some tech-industry observers say the denials from internet companies may be true, because they aren’t convinced the companies in question would even have to know about the NSA’s collection practices in order for them to work. The original Washington Post story is updated early Friday to note that it’s not clear whether “direct access” to the servers of those companies would be required, and quotes from another leaked document that says the program allows NSA officers to send “content tasking instructions directly to equipment installed at company-controlled locations,” which could mean boxes installed at ISP switches.

Several sources note that former AT&T employee Mark Klein revealed in 2007 that he had come across documents that showed the telecom company installed equipment — using glass prisms as “splitters” — that allowed the NSA to make a copy of the data stream coming from the AT&T network and send it to data-storage centers operated by the security agency. This was alleged to be part of a larger program that stored telephone calls, emails and other internet activity for the government and had been underway for years.

Some network analysts speculate that the NSA may be making use of equipment installed at CDNs (content delivery networks), which handle much of the data traffic for companies like Google and Yahoo. Laws passed in the U.S. require equipment makers such as Cisco to build into their products a way for law enforcement officials to tap into the streams they carry, and the NSA could be searching those streams directly instead of copying or storing all the data itself (since the cost of the program is a relatively cheap-sounding $20 million, according to the Post leak).

In a statement about the leaks, the Office of the Director of National Intelligence said that it does its best to work “within the constraints of the law” to collect information related to national security, and that unauthorized leaks such as those to the Guardian and Post “threatens potentially long-lasting and irreversible harm to our ability to identify and respond to the many threats facing our nation.”

Trying to track down PRISM

A search for entities that might be involved in the NSA program turns up software from a relatively secretive startup called Palantir — which has been funded by the CIA through its investment arm — that happens to be named PRISM. According to descriptions of the software, it allows clients of Palantir to sift through massive amounts of data and find patterns quickly.

Others are skeptical, however, that the software described could be used to do what the NSA appears to be doing, and security-industry sources say the NSA usually builds its own products and doesn’t like to use those from third parties. On Friday afternoon, Palantir told The Verge: “Palantir’s Prism platform is completely unrelated to any US government program of the same name.”

Former Reuters social-media editor Matthew Keys said on Twitter that he had found several references to the PRISM program in classified job listings dating back to 2007:

Matthew Keys tweet

Not wanting to be left out, the secretive activist group Anonymous released some classified documents that refer to Defense Department information technology — but they appear to be mostly jargon-filled descriptions of the department’s IT infrastructure, with little or no connection to PRISM or any NSA-related data collection practices.

The ripples spread outside the U.S.

As our man in Europe — David Meyer — noted in a couple of posts Friday morning, the repercussions from the PRISM and NSA revelations are being felt in Europe as well, with some critics calling for changes to the so-called “Safe Harbor” program, which allows data about EU citizens to be stored by non-EU companies. And the Guardian has reported that the U.K. government appears to have been getting information via the PRISM program, which was designed to focus on the communication activity of non-U.S. residents (since U.S. law still technically prevents the government from spying on its own citizens without a warrant).

Meanwhile, President Obama — whom many critics have accused of carrying on with surveillance programs started by his Republican predecessor, despite his disavowal of such methods while campaigning — said through a spokesman that he “welcomes the discussion” about privacy and security:

“The president welcomes the discussion of the trade-off between security and civil liberties. The close examination of some of these complicated issues could cause people to arrive at differing opinions… The president welcomes that debate.”

Late Friday, the Guardian posted another security-related scoop, publishing what it called a “secret presidential directive” that orders the U.S. government’s top national security and intelligence officials to draw up a list of potential overseas targets that the U.S. could hit with cyber-attacks. The story goes on to say this operation:

“can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging”

Google denial and Sir Tim Berners-Lee

The creator of the world wide web, Sir Tim Berners-Lee, posted a statement at the Web Foundation blog saying:

“Today’s revelations are deeply concerning. Unwarranted government surveillance is an intrusion on basic human rights that threatens the very foundations of a democratic society. I call on all Web users to demand better legal protection and due process safeguards for the privacy of their online communications, including their right to be informed when someone requests or stores their data.”

And Google co-founder Larry Page posted a response Friday afternoon to the accusations in the Guardian and Post stories, written with Chief Legal Officer David Drummond, saying the company does not provide the government with “back door” access to its servers, and had never heard of the PRISM program until Thursday:

“Press reports that suggest that Google is providing open-ended access to our users’ data are false, period… Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.”

Zuckerberg denial

Facebook co-founder and CEO Mark Zuckerberg posted a statement about PRISM on his Facebook page late Friday, saying he wanted to respond personally to the “outrageous press reports” about his company’s involvement in the surveillance scheme. In language very similar to the Google denial, Zuckerberg said the network has not been part of any program to give the U.S. government “direct access” to its servers.

“Facebook is not and has never been part of any program to give the US or any other government direct access to our servers. We have never received a blanket request or court order from any government agency asking for information or metadata in bulk, like the one Verizon reportedly received. And if we did, we would fight it aggressively. We hadn’t even heard of PRISM before yesterday.”

Does the NSA even need a back door?

Christopher Mims at the Atlantic business site Quartz quotes NSA veteran and whistle-blower William Binney — who was part of a group that asked the Defense Department to investigate the NSA in 2002 — saying the security agency could probably get its hands on about 80 percent of the web traffic that passes through the U.S. without even having direct access to the servers of companies like Google. That’s because the NSA has access to at least one of the largest communications hubs on the continent, as described by the Electronic Frontier Foundation.

The Wall Street Journal posted a story that quoted unnamed security experts who said the tech companies mentioned in the PRISM presentation could be telling the truth about not providing “direct access” to their servers, but still have their data collected by the NSA. The Journal said U.S. officials told the paper that the NSA “receives copies of the data through a system they set up with a court order.”

“One industry executive familiar with the handling of data requests from U.S. intelligence agencies said companies have set up ways to cope with the volume of data by automating parts of the process. This method would allow data to be funneled to intelligence agencies without the need for manual steps by company employees.”

At The Daily Beast, writer Megan McArdle looked at the issue of whether tech company denials should be believed or not, and quoted privacy expert Julian Sanchez from the Cato Institute saying there are a number of ways that the NSA could get the data it wants without requiring direct access, including the “secret room” with splitter equipment that Mark Klein described at AT&T (mentioned above):

“Most likely… is that they’ve got something akin to the “Secret Room” that Mark Klein disclosed in AT&T hubs where traffic is being cloned (the companies would need to provide the relevant SSL encryption keys) split off into NSA’s own machines. It would be literally true, in that case, that the NSA does not have direct access to Google’s servers.”

How PRISM might work in practice

Late Friday, the New York Times posted a story that said some tech companies resisted the NSA’s demands to provide easier ways to get access to user data — including Twitter — but that some consented, opened up discussions with the security agency about developing methods to share that data, and even “changed their computer systems to do so.”

“In at least two cases, at Google and Facebook, one of the plans discussed was to build separate, secure portals, like a digital version of the secure physical rooms that have long existed for classified information, in some instances on company servers. Through these online rooms, the government would request data, companies would deposit it and the government would retrieve it.”

In other words, “companies were essentially asked to erect a locked mailbox and give the government the key” and Facebook actually built such a system, the NYT story said. Declan McCullagh at CNET explained in a post that according to his sources, all that the PRISM process does is automate something that is required under FISA (the Foreign Intelligence Surveillance Act) — so court orders are given to the tech companies and they have simply made the process of handing over that information easier.

Marc Ambinder, a security expert who writes for The Week, also described his understanding of how PRISM functions — in a nutshell, PRISM is just a piece of software that allows the NSA to collect and interpret data that is handed over under FISA. The actual software itself isn’t classified, which is why mentions of it show up online and in job postings. In McCullagh’s piece, a former NSA lawyer says that the slide presentation the Washington Post published is “suffused with a kind of hype that makes it sound more like a marketing pitch than a briefing.”

Meanwhile, for those trying to keep track at home, the Electronic Frontier Foundation has put together a comprehensive timeline of events related to NSA surveillance activity over the past decade:

EFF spying timelines

It was for your own good

First tech companies claimed they didn’t know anything about PRISM and weren’t supplying data (or at least not direct access), and now the story some sources close to those companies are telling is that they set up portals or some other method of complying with FISA requests in order to “protect the innocent,” according to a post at TechCrunch.

“The NSA may have wanted full firehoses of data from Google, Facebook and other tech giants, but the companies attempted to protect innocent users from monitoring via compliance systems that created segregated data before securely handing it over as required by law.”

The Guardian has responded to criticisms of its original description of PRISM and the whole notion of “direct access” — as well as the repeated denials from Google executives and others that this has been taking place — by posting another slide from the leaked NSA presentation. While some have speculated (as mentioned above) that PRISM could mean simply sucking data from ISP equipment, the NSA slide contrasts this method of getting data with PRISM’s, which it describes again as “collection directly from the servers” of the companies mentioned.

Guardian slide

The Director of National Intelligence released another statement on Saturday, calling the disclosures by the Guardian and Washington Post about NSA data collection “reckless” and filled with “significant misimpressions.” So DNI James Clapper said he had declassified some details about the program, published in a fact sheet (PDF link). Among other things, it says:

“PRISM is not an undisclosed collection or data mining program. It is an internal government computer system used to facilitate the government’s statutorily authorized collection of foreign intelligence information from electronic communication service providers under court supervision, as authorized by Section 702 of the Foreign Intelligence Surveillance Act.”

The Washington Post published a follow-up story on Saturday that described the PRISM process in much the same way as earlier stories from the Guardian and the New York Times: as a system or software that allowed the NSA to process FISA requests for information more quickly — and the paper reiterated earlier statements that because the program was top secret, only a few individuals within those companies would even know about it, let alone be able to discuss it. According to the Post:

“Executives at some of the participating companies, who spoke on the condition of anonymity, acknowledged the system’s existence and said it was used to share information about foreign customers with the NSA and other parts of the nation’s intelligence community.”

Much of the criticism about the original Post story and the Guardian story has focused on the description of PRISM as allowing “direct access” to the servers of companies like Google, Facebook and Yahoo — something the leaders of those companies have strenuously denied providing. The most recent Post story suggests that at least some of the debate over this term is semantic, and that its sources say PRISM did allow the NSA to get data from those companies directly:

“Intelligence community sources said that this description, although inaccurate from a technical perspective, matches the experience of analysts at the NSA. From their workstations anywhere in the world, government employees cleared for PRISM access may ‘task’ the system and receive results from an Internet company without further interaction with the company’s staff.”

NSA whistle-blower reveals his identity

In another bombshell, the Guardian revealed the identity of the whistle-blower who sent them the leaked documents about PRISM and the NSA surveillance program: he is Edward Snowden, a 29-year-old former technical assistant at the Central Intelligence Agency, and he is now living in Hong Kong and expects he will “never see home again.” He said his family doesn’t know about his activities, and that he fully expects to be charged and potentially face jail time for his actions.

In an interview with the Guardian, Snowden says that he gradually became frustrated with what the NSA was doing and believed it was wrong — but originally held off on leaking anything because he thought Barack Obama would change those policies when he was elected president. But Snowden says the president continued with “the policies of his predecessor” and so he decided to come forward and let the American public know what was happening behind closed doors:

“I don’t want to live in a society that does these sort of things … I do not want to live in a world where everything I do and say is recorded. That is not something I am willing to support or live under.”

Snowden also said the documents he leaked clearly show that “the NSA routinely lies in response to Congressional inquiries about the scope of surveillance in America” and that the abilities that he had as a contractor with the CIA were beyond what most people can even imagine:

“You are not even aware of what is possible. The extent of their capabilities is horrifying. We can plant bugs in machines. Once you go on the network, I can identify your machine. You will never be safe whatever protections you put in place.”

The reaction

In a post written for The Atlantic magazine, James Fallows said that the most frightening and important part about PRISM and the rest of the NSA surveillance activity revealed by Snowden is that it is all legal under the Foreign Intelligence Surveillance Act and other legislation.

“That these programs are legal — unlike the Nixon “Plumbers” operation, unlike various CIA assassination programs, unlike other objects of whistle-blower revelations over the years — is the most important fact about them. They’re being carried out in “our” name, ours as Americans, even though most of us have had no idea of what they entailed.”

Fallows — and others such as Talking Points Memo founder Josh Marshall — raised some question marks about the wisdom of Snowden’s choice of Hong Kong, which is still part of China and therefore not particularly open to harboring whistle-blowers. However, according to some experts in the law, Hong Kong might be a good place to seek asylum because of a loophole that could allow Snowden to remain there indefinitely.

Icelandic MP Birgitta Jonsdottir, an early supporter of WikiLeaks and of freedom-of-information laws in general, told Forbes magazine that she plans to try and get her country to offer Snowden political asylum. But observers of the political scene in Iceland say this might be more difficult than it would have been in the past, since the new Conservative government is seen as more friendly to the Obama administration.

Daniel Ellsberg — the man who leaked the famous “Pentagon Papers” in 1971 and revealed that the government had been lying about the Vietnam War — said in a piece written for the Guardian that Snowden’s leaks give the United States a chance to “roll back what is tantamount to an executive coup against the U.S. constitution.” Ellsberg said that Snowden’s revelations were the most important leak in the history of the United States, including his own.

“Since 9/11, there has been, at first secretly but increasingly openly, a revocation of the bill of rights for which this country fought over 200 years ago. In particular, the fourth and fifth amendments of the US constitution, which safeguard citizens from unwarranted intrusion by the government into their private lives, have been virtually suspended.”

Meanwhile, David Kirkpatrick — author of the book “The Facebook Effect” — asked whether the secrecy and privacy invasions involved in the PRISM program might impair the growth of social networks and cloud services like Facebook.

“Do we really want to impair such powerful tools for spreading dialogue, political discourse, and U.S. values? Is it worthwhile to impair the extraordinary financial and commercial success of these great flagships for the American economy? Does Obama want Facebook et al just to be seen as tools of American power?”

Politico took a look at some of the things that we still don’t know about PRISM and the activity involved in the NSA’s surveillance program — including how much data the spy agency has been collecting from phone companies as well as tech companies like Google, whether this data collection has actually thwarted any specific terrorist attempts or not (something that is the subject of much debate) and how exactly the PRISM program works in practice.

Meanwhile, the Daily Beast has a piece that looks at the group within the U.S. intelligence apparatus that hunts down leakers like Snowden, a kind of internal police force called the Associate Directorate for Security and Counterintelligence — or the Q Group for short. And Salon magazine has a feature and interview with Laura Poitras, the documentary film-maker who was contacted by Snowden and later helped both the Post and the Guardian write their stories about the leak.

Post and thumbnail images courtesy of Shutterstock / Lightspring and the Washington Post