PRISM ⇥ washingtonpost.com

Barton Gellman and Laura Poitras of the Washington Post:

The program, code-named PRISM, has not been made public until now. It may be the first of its kind. The NSA prides itself on stealing secrets and breaking codes, and it is accustomed to corporate partnerships that help it divert data traffic or sidestep barriers. But there has never been a Google or Facebook before, and it is unlikely that there are richer troves of valuable intelligence than the ones in Silicon Valley.

Equally unusual is the way the NSA extracts what it wants, according to the document: “Collection directly from the servers of these U.S. Service Providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.”

That’s fucked up.

I mean, we all kind of knew that someone with surveillance motives must want access to the vast amounts of data at the server farms of the biggest tech companies. Since the introduction of warrantless wiretapping, I think many people assumed that there would be some way that the National Security Agency could gain access with fewer barriers. But I don’t think anyone seriously considered that these companies had a buy-in from the NSA.

That’s really fucked up.

A number of the companies which are allegedly partners in this — including Google, Apple, and Facebook — have denied any involvement. For the record, the government has also acknowledged the program, while disputing a few details:

Activities authorized by Section 702 are subject to oversight by the Foreign Intelligence Surveillance Court, the Executive Branch, and Congress. They involve extensive procedures, specifically approved by the court, to ensure that only non-U.S. persons outside the U.S. are targeted, and that minimize the acquisition, retention and dissemination of incidentally acquired information about U.S. persons.

The name “prism” suggests light being split, which lead “Panther Modern” on ArsTechnica to speculate that this may be happening without the explicit knowledge of the companies involved (via D’Arcy Norman):

This means that the data is being collected in “raw” format at the ISP level, and either cached, or immediately redirected off-site to an NSA-controlled datacenter like the new one in Utah.

A key point this makes is that when Google, Apple, et al said today that they “didn’t know”, they might not have been lying, since data collection at the ISP level requires no complicit tagging of traffic by the application developers themselves.

Consider, for example, this 2007 Seattle Times article:

The job entailed building a “secret room” in another AT&T office 10 blocks away, he said. By coincidence, in October 2003, Klein was transferred to that office. He asked a technician about the secret room on the sixth floor, and the technician told him it was connected to the Internet room a floor above. The technician handed him wiring diagrams.

“That was my ‘aha’ moment,” Klein said. “They’re sending the entire Internet to the secret room.”

The diagram showed splitters glass prisms that split signals from each network into two identical copies. One copy fed into the secret room. The other proceeded to its destination, he said.

That’s plausible, but also strange, considering the implications in the (butt-ugly) PowerPoint presentation regarding the program. The companies are each regarded as “providers”, implying that they are willingly handing this information over. On the other hand, the use of the phrase “join the program” with regards to the dates that collection began is something the journalists created. The actual slideshow uses the phrase “dates when PRISM collection began for each provider”, which might mean the companies really were unaware.

For their part, the government also contends that this, in addition to yesterday’s revelation about Verizon phone records, are entirely legal:

“As far as I know, this is an exact three-month renewal of what has been the case for the past seven years,” Ms. [Dianne] Feinstein said, adding that it was carried out by the Foreign Intelligence Surveillance Court “under the business records section of the Patriot Act.”

This essentially confirms the longstanding argument from civil liberties advocates that the law is much too broad and vague.

Whatever the case may be, it’s awfully scary considering the massive amount of data that passes through US-based internet service providers. It’s also frightening if you believe that only non-US persons are targeted, as I am a non-US person.

This is so fucked up.