Digging Deeper into PRISM, Part 2

Things have only gotten murkier since I wrote about PRISM, the National Security Agency’s recently-revealed digital surveillance program, on Friday. For starters, the Washington Post has drastically altered its original story since publication, expanding it from two pages to four and rewriting key assertions. (Some of the changes can be seen here, although further ones are likely.) Among the most significant changes was a tweak of its opening paragraph (emphasis mine):

[Original] The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio, video, photographs, e-mails, documents and connection logs that enable analysts to track a person’s movements and contacts over time.

[Revised] The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets, according to a top-secret document obtained by The Washington Post.

While everyone knows the NSA surveils foreign targets — it is, after all, their mandate — they’re constitutionally prohibited from spying on domestic targets. Changing those few words radically affects whether or not the NSA has overstepped its legal bounds. It’s not a good sign for what could be one of the most important news stories of our generation.

Soon after the Guardian and the Post’s original articles, The New York Times published its own piece that, while confirming the program’s existence, also directly challenged the two newspapers’ assertions about its scope and nature:

But instead of adding a back door to their servers, the companies were essentially asked to erect a locked mailbox and give the government the key, people briefed on the negotiations said. Facebook, for instance, built such a system for requesting and sharing the information, they said.

The data shared in these ways, the people said, is shared after company lawyers have reviewed the FISA request according to company practice. It is not sent automatically or in bulk, and the government does not have full access to company servers. Instead, they said, it is a more secure and efficient way to hand over the data.

This is a far cry from the unfettered direct access that had been suggested elsewhere. Other outlets, speaking with deep-background sources in both the tech companies and in the intelligence community, echoed this description. CNET blamed it on a misunderstanding of the PRISM PowerPoint slides:

Recent reports in The Washington Post and The Guardian claimed a classified program called PRISM grants “intelligence services direct access to the companies’ servers” and that “from inside a company’s data stream the NSA is capable of pulling out anything it likes.”

Those reports are incorrect and appear to be based on a misreading of a leaked Powerpoint document, according to a former government official who is intimately familiar with this process of data acquisition and spoke today on condition of anonymity.

“It’s not as described in the histrionics in The Washington Post or The Guardian,” the person said. “None of it’s true. It’s a very formalized legal process that companies are obliged to do.”

Mashable also concurred: “In short, there are no back doors, but perhaps there are side doors — although these might very well be standard procedures in cases of wiretap requests.” (In other words, the all-seeing, all-knowing Surveillance State might just be government bureaucrats and tech lawyers cutting down on paperwork.) Mother Jones speculated that if Google, Apple, Facebook, and other Silicon Valley giants “have agreed only to build more secure ways of passing along data in response to individual FISA warrants, that explains why they’ve never heard of PRISM and why they deny being part of any program that allowed the government direct access to their data.”

The real kicker came in a follow-up article on Saturday, where the Post dialed back on its earlier claims almost completely (quoted at length in case of changes):

According to a more precise description contained in a classified NSA inspector general’s report, also obtained by The Post, PRISM allows “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers. The companies cannot see the queries that are sent from the NSA to the systems installed on their premises, according to sources familiar with the PRISM process.

Crucial aspects about the mechanisms of data transfer remain publicly unknown. Several industry officials told The Post that the system pushes requested data from company servers to classified computers at FBI facilities at Quantico. The information is then shared with the NSA or other authorized intelligence agencies.

According to slides describing the mechanics of the system, PRISM works as follows: NSA employees engage the system by typing queries from their desks. For queries involving stored communications, the queries pass first through the FBI’s electronic communications surveillance unit, which reviews the search terms to ensure there are no U.S. citizens named as targets.

That unit then sends the query to the FBI’s data intercept technology unit, which connects to equipment at the Internet company and passes the results to the NSA.

The system is most often used for e-mails, but it handles chat, video, images, documents and other files as well.

“The server is controlled by the FBI,” an official with one of the companies said. “We do not offer a download feature from our server.”

Significant inconsistencies still remain between the system described by The New York Times and the system described by The Washington Post. This could be due to different company policies; i.e. Facebook might impose fewer intermediate steps between the NSA and the data they request than Google does. But what no longer remains are the original bombshell claims of direct, unfettered NSA access to Silicon Valley servers and data, nor is there supporting evidence for the claims of widespread digital surveillance of American citizens. (In fact, the Post’s newest article says an entire FBI unit screens data requests to ensure that no U.S. citizens are targeted.)

The Washington Post, which sadly eliminated its decades-old ombudsman position earlier this year, has yet to comment on or even acknowledge the many changes in its PRISM reporting just within the past few days. The Guardian, meanwhile, has renounced nothing. As of right now, their article still includes the following claims:

It also opens the possibility of communications made entirely within the US being collected without warrants.
[…]
The Prism program allows the NSA, the world’s largest surveillance organisation, to obtain targeted communications without having to request them from the service providers and without having to obtain individual court orders.

TechCrunch, Mashable, and CNET have explicitly or implicitly ruled this out, as have The New York Times and now The Washington Post in their own reporting. Perhaps the most damning indication is that no news outlet has independently confirmed the Guardian’s depiction of PRISM.

So what does this all mean? We now know PRISM and a few other NSA programs exist, even if their details remain murky and incomplete. We now know James Clapper, the Director of National Intelligence, probably lied to the Senate when he said the NSA does not collect massive amounts of data on U.S. citizens. (If not through PRISM, then definitely through the disturbing Verizon metadata court order that has seemingly been all but forgotten.) We’re also finally having a serious, frank discussion about the FISA system, digital privacy, over-classification, the growth of the security-industrial complex, the protections of the Fourth Amendment, and the extent to which we should reshape our society to defend that society. That can only be a good thing after twelve long years.

But ultimately, all we’ve done is go from knowing nothing to knowing something, and we’d be fools to think we now know everything. There are still gaps and holes and I’m not sure we know enough yet to make any sort of judgment. For his part, Edward Snowden, the confessed NSA leaker, sounds genuinely concerned about the impact of digital surveillance in American society and the NSA’s powers. I’m not sure about the wisdom of seeking refuge in Hong Kong, though; were I a Chinese intelligence official and I learned a declared U.S. intelligence operative carrying troves of highly-classified cyber-surveillance information had arrived on my shores, I wouldn’t even hesitate to pick him up. The diplomatic ramifications of his exodus could eventually eclipse the reason behind it.

Cynicism and paranoia are so prevalent in our culture that it’s easy to assume that Snowden, a 29-year-old IT contractor in Hawaii, has truly thrown back the curtain on the mysteries of the National Security Agency. I’d be lying if I said I was convinced. I don’t think Snowden is wrong per se; rather, I think that he thinks he’s right. His evidence, some of which has yet to be revealed, will ultimately show whether his perception matches the reality. As of right now, it’s hardly conclusive. With so many changes and contradictions, I’m not satisfied that the Guardian and the Post did their due diligence on PRISM or any of the other leaks, probably out of an eagerness to beat one another to breaking the story. That’d be troubling in and of itself, but with a story of this magnitude and significance it’s almost unforgivable.

I don’t think Snowden is all wrong and the government is all right, nor do I think the reverse of that. The truth probably lies somewhere in the middle. If his evidence proves what he claims, it will. If it doesn’t, it won’t. Whether or not he did the right thing by leaking it hinges on that assessment — as do, perhaps, a great many other things for American society.

[NOTE (6/10/13): This post was originally titled “Lies, Damn Lies, and PRISM.” Nobody’s complained about it but I’m worried my attempt to make a witty reference to Mark Twain could be misread as an insinuation that the National Security Agency, its employees, The Guardian, The Washington Post, their journalists, or Edward Snowden are liars. That’s not an assertion I’ve intended to make. Out of an abundance of caution, I’ve changed the title to something less accusatory and appended this note. Apologies for any confusion.]

Digging Deeper Into PRISM

On Thursday, The Guardian and The Washington Post published highly-classified National Security Agency documents revealing a massive Internet surveillance program called PRISM. Glenn Greenwald and Ewen MacAskill write:

The National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants, according to a top secret document obtained by the Guardian.

The NSA access is part of a previously undisclosed program called Prism, which allows officials to collect material including search history, the content of emails, file transfers and live chats, the document says.

[…]

The Prism program allows the NSA, the world’s largest surveillance organisation, to obtain targeted communications without having to request them from the service providers and without having to obtain individual court orders.

With this program, the NSA is able to reach directly into the servers of the participating companies and obtain both stored communications as well as perform real-time collection on targeted users.

In short, there are three key revelations about the NSA/corporate relationship:

  1. Through PRISM, the NSA has direct access to company servers containing millions of Americans’ personal information.
  2. The NSA’s direct access to company servers is willing and participatory on those companies’ part.
  3. The NSA’s direct access to company servers is nevertheless unmediated by those companies. (Guardian: “But the Prism program renders [the consent of internet and telecom companies] unnecessary, as it allows the agency to directly and unilaterally seize the communications off the companies’ servers.”)

One slight problem emerged after the program was announced: Google, Facebook, Apple, Microsoft, and the other companies allegedly involved are all disputing the central assertion of these reports. Facebook’s Mark Zuckerberg and Google’s Larry Page, among others, both explicitly denied that they’ve provided “direct access” to their servers or data centers to PRISM or any other U.S. government surveillance program. As you’d expect for leaders of major corporations commenting on matters of national security, Zuckerberg and Page use the typical legal hedging — “we review each government request for data carefully” and so forth — but on direct access they’re all but categorical in denying it.

The direct access distinction matters because the true scope and nature of the program matter. In a companion editorial to his report, Glenn Greenwald — a man who has never exaggerated or misrepresented U.S. government programs or actions in his career — drew comparisons to the worst abuses of the Nixon administration when referring to PRISM and whistleblowing:

The times in American history when political power was constrained was when they went too far and the system backlashed and imposed limits. That’s what happened in the mid-1970s when the excesses of J Edgar Hoover and Richard Nixon became so extreme that the legitimacy of the political system depended upon it imposing restraints on itself.

According to a lone source, PRISM is a surveillance apparatus seemingly so vast, so invasive, and so unchecked that it directly threatens the Republic. Yet the tech companies themselves publicly and privately dispute that source’s key assertions. The Guardian itself can’t even find a single tech executive to confirm off-the-record that their company participated in the program or one similar to it or, most importantly, that the NSA had direct access to any of their servers.

PRISM’s existence has been independently confirmed but seemingly little else about its methods or capabilities has been independently verified beyond a single source. Both The Guardian and The Washington Post have substantially revised their original articles since first publishing them on Thursday and will likely continue to do so, although The Guardian’s core allegations remain unchanged. Other outlets have also now raised the possibility that PRISM isn’t the sprawling, all-consuming domestic spying program the newspapers describe.

Silicon Valley’s denials and refutations could, of course, be the product of a vast, far-reaching conspiracy against American civil liberties. Or they could be telling the truth.