May 8, 2015
The Associated Press has published a detailed report about how the NSA's PRISM program — established to acquire data from tech giants including Apple, Google, Microsoft, and Facebook — is a small part of a massive domestic dragnet run by the nation's premier covert intelligence gathering organization.
The report reaffirms what we already know, specifically that "the NSA copies Internet traffic as it enters and leaves the United States, then routes it to the NSA for analysis," and it also shores up a few things about how PRISM works.
First, it clears up the controversy around the assertion that PRISM involves nine tech companies providing "direct access" to their servers.
From AP (emphasis ours):
Technology experts and a former government official say that ["direct access"] phrasing, taken from a PowerPoint slide describing the program, was likely meant to differentiate Prism's neatly organized, company-provided data from the unstructured information snatched out of the Internet's major pipelines.
In slide made public by the newspapers, NSA analysts were encouraged to use data coming from both Prism and from the fiber-optic cables.
Prism, as its name suggests, helps narrow and focus the stream.
So PRISM leverages the direct access the NSA has to the Internet's major pipelines and then uses court orders authorized by Section 702 of the Foreign Intelligence Surveillance Act (FISA) to collect specific data from tech companies.
[UPDATE 7/11] Here's the corresponding PRISM slide, published by The Washington Post:
Here's how the AP explains the court order part (emphasis ours):
Every year, the attorney general and the director of national intelligence spell out in a classified document how the government plans to gather intelligence on foreigners overseas.
By law, the certification can be broad. The government isn't required to identify specific targets or places.
A federal judge, in a secret order, approves the plan.
With that, the government can issue "directives" to Internet companies to turn over information.
While the court provides the government with broad authority to seize records, the directives themselves typically are specific, said one former associate general counsel at a major Internet company. They identify a specific target or groups of targets. Other company officials recall similar experiences.
All adamantly denied turning over the kind of broad swaths of data that many people believed when the Prism documents were first released.
Here's where it's still murky — the government has a authority to take troves of data, and wants as much data as possible, but tech companies say they aren't providing broad swaths of data.
When PRISM leaked, The Washington Post reported that the 702 orders given to tech companies "serve as one-time blanket approvals for data acquisition and surveillance on selected foreign targets for periods of as long as a year."
Tech companies say it doesn't play out that way.
Microsoft said in a statement: "We only ever comply with orders for requests about specific accounts or identifiers."
Google chief architect Yonatan Zunger wrote that Google only responds to "lawful, specific orders about individuals.”
And Facebook revealed it received between 9,000 and 10,000 requests for user data in the second half of last year, and said "we respond only as required by law."
So it remains to be seen how just much data the NSA can acquire from tech companies.
It should be noted that in July the court that was established to "hear applications for and grant orders approving electronic surveillance," called the Foreign Intelligence Surveillance Court (FISC), found that government 7o2 orders at the heart of PRISM had violated the Fourth Amendment's restriction against unreasonable searches and seizures "on at least one occasion."