Digging Deeper into PRISM, Part 2

Things have only gotten murkier since I wrote about PRISM, the National Security Agency’s recently-revealed digital surveillance program, on Friday. For starters, the Washington Post has drastically altered its original story since publication, expanding it from two pages to four and rewriting key assertions. (Some of the changes can be seen here, although further ones are likely.) Among the most significant changes was a tweak of its opening paragraph (emphasis mine):

[Original] The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio, video, photographs, e-mails, documents and connection logs that enable analysts to track a person’s movements and contacts over time.

[Revised] The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets, according to a top-secret document obtained by The Washington Post.

While everyone knows the NSA surveils foreign targets — it is, after all, their mandate — they’re constitutionally prohibited from spying on domestic targets. Changing those few words radically affects whether or not the NSA has overstepped its legal bounds. It’s not a good sign for what could be one of the most important news stories of our generation.

Soon after the Guardian and the Post‘s original articles, The New York Times published its own piece that, while confirming the program’s existence, also directly challenged the two newspapers’ assertions about its scope and nature:

But instead of adding a back door to their servers, the companies were essentially asked to erect a locked mailbox and give the government the key, people briefed on the negotiations said. Facebook, for instance, built such a system for requesting and sharing the information, they said.

The data shared in these ways, the people said, is shared after company lawyers have reviewed the FISA request according to company practice. It is not sent automatically or in bulk, and the government does not have full access to company servers. Instead, they said, it is a more secure and efficient way to hand over the data.

This is a far cry from the unfettered direct access that had been suggested elsewhere. Other outlets, speaking with deep-background sources in both the tech companies and in the intelligence community, echoed this description. CNET blamed it on a misunderstanding of the PRISM PowerPoint slides:

Recent reports in The Washington Post and The Guardian claimed a classified program called PRISM grants “intelligence services direct access to the companies’ servers” and that “from inside a company’s data stream the NSA is capable of pulling out anything it likes.”

Those reports are incorrect and appear to be based on a misreading of a leaked Powerpoint document, according to a former government official who is intimately familiar with this process of data acquisition and spoke today on condition of anonymity.

“It’s not as described in the histrionics in The Washington Post or The Guardian,” the person said. “None of it’s true. It’s a very formalized legal process that companies are obliged to do.”

Mashable also concurred: “In short, there are no back doors, but perhaps there are side doors — although these might very well be standard procedures in cases of wiretap requests.” (In other words, the all-seeing, all-knowing Surveillance State might just be government bureaucrats and tech lawyers cutting down on paperwork.) Mother Jones speculated that if Google, Apple, Facebook, and other Silicon Valley giants “have agreed only to build more secure ways of passing along data in response to individual FISA warrants, that explains why they’ve never heard of PRISM and why they deny being part of any program that allowed the government direct access to their data.”

The real kicker came in a follow-up article on Saturday, where the Post dialed back on its earlier claims almost completely (quoted at length in case of changes):

According to a more precise description contained in a classified NSA inspector general’s report, also obtained by The Post, PRISM allows “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers. The companies cannot see the queries that are sent from the NSA to the systems installed on their premises, according to sources familiar with the PRISM process.

Crucial aspects about the mechanisms of data transfer remain publicly unknown. Several industry officials told The Post that the system pushes requested data from company servers to classified computers at FBI facilities at Quantico. The information is then shared with the NSA or other authorized intelligence agencies.

According to slides describing the mechanics of the system, PRISM works as follows: NSA employees engage the system by typing queries from their desks. For queries involving stored communications, the queries pass first through the FBI’s electronic communications surveillance unit, which reviews the search terms to ensure there are no U.S. citizens named as targets.

That unit then sends the query to the FBI’s data intercept technology unit, which connects to equipment at the Internet company and passes the results to the NSA.

The system is most often used for e-mails, but it handles chat, video, images, documents and other files as well.

“The server is controlled by the FBI,” an official with one of the companies said. “We do not offer a download feature from our server.”

Significant inconsistencies still remain between the system described by The New York Times and the system described by The Washington Post. This could be due to different company policies; i.e. Facebook might impose fewer intermediate steps between the NSA and the data they request than Google does. But what no longer remains are the original bombshell claims of direct, unfettered NSA access to Silicon Valley servers and data, nor is there supporting evidence for the claims of widespread digital surveillance of American citizens. (In fact, the Post‘s newest article says an entire FBI unit screens data requests to ensure that no U.S. citizens are targeted.)

The Washington Post, which sadly eliminated its decades-old ombudsman position earlier this year, has yet to comment on or even acknowledge the many changes in its PRISM reporting just within the past few days. The Guardian, meanwhile, has renounced nothing. As of right now, their article still includes the following claims:

It also opens the possibility of communications made entirely within the US being collected without warrants.
The Prism program allows the NSA, the world’s largest surveillance organisation, to obtain targeted communications without having to request them from the service providers and without having to obtain individual court orders.

TechCrunch, Mashable, and CNet have explicitly or implicitly ruled this out, as have The New York Times and now The Washington Post in their own reporting. Perhaps the most damning indication is that no news outlet has independently confirmed the Guardian‘s depiction of PRISM.

So what does this all mean? We now know PRISM and a few other NSA programs exist, even if their details remain murky and incomplete. We now know James Clapper, the Director of National Intelligence, probably lied to the Senate when he said the NSA does not collect massive amounts of data on U.S. citizens. (If not through PRISM, then definitely through the disturbing Verizon metadata court order that has seemingly been all but forgotten.) We’re also finally having a serious, frank discussion about the FISA system, digital privacy, over-classification, the growth of the security-industrial complex, the protections of the Fourth Amendment, and the extent to which we should reshape our society to defend that society. That can only be a good thing after twelve long years.

But ultimately, all we’ve done is gone from knowing nothing to knowing something, and we’d be fools to think we now know everything. There are still gaps and holes and I’m not sure we know enough yet to make any sort of judgment. For his part, Edward Snowden, the confessed NSA leaker, sounds genuinely concerned about the impact of digital surveillance in American society and the NSA’s powers. I’m not sure about the wisdom of seeking refuge in Hong Kong, though; were I a Chinese intelligence official and I learned a declared U.S. intelligence operative carrying troves of highly-classified cyber-surveillance information had arrived on my shores, I wouldn’t even hesitate to pick him up. The diplomatic ramifications of his exodus could eventually eclipse the reason behind it.

Cynicism and paranoia are so prevalent in our culture that it’s easy to assume that Snowden, a 29-year-old IT contractor in Hawaii, has truly thrown back the curtain on the mysteries of the National Security Agency. I’d be lying if I said I was convinced. I don’t think Snowdon is wrong per se; rather, I think that he thinks he’s right. His evidence, some of which has yet to be revealed, will ultimately show whether his perception matches the reality. As of right now, it’s hardly conclusive. With so many changes and contradictions, I’m not satisfied that the Guardian and the Post did their due diligence on PRISM or any of the other leaks, probably out of an eagerness to beat one another to breaking the story. That’d be troubling in and of itself, but with a story of this magnitude and significance it’s almost unforgivable.

I don’t think Snowden is all wrong and the government is all right, nor do I think the reverse of that. The truth probably lies somewhere in the middle. If his evidence proves what he claims, it will. If it doesn’t, it won’t. Whether or not he did the right thing by leaking it hinges on that assessment — as do, perhaps, a great many other things for American society.

[NOTE (6/10/13): This post was originally titled “Lies, Damn Lies, and PRISM.” Nobody’s complained about it but I’m worried my attempt to make a witty reference to Mark Twain could be misread as an insinuation that the National Security Agency, its employees, The Guardian, The Washington Post, their journalists, or Edward Snowden are liars. That’s not an assertion I’ve intended to make. Out of an abundance of caution, I’ve changed the title to something less accusatory and appended this note. Apologies for any confusion.]