Yesterday, the Guardian reminded us that the NSA is still trolling our phone records for data mining. Today, the Washington Post blows the cover on a massive surveillance program that until now only a few people had known about — until now. And unlike the NSA phone-records surveillance, this one went after content at nine major Internet service providers:
The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio, video, photographs, e-mails, documents and connection logs that enable analysts to track a person’s movements and contacts over time.
The highly classified program, code-named PRISM, has not been disclosed publicly before. Its establishment in 2007 and six years of exponential growth took place beneath the surface of a roiling debate over the boundaries of surveillance and privacy. Even late last year, when critics of the foreign intelligence statute argued for changes, the only members of Congress who know about PRISM were bound by oaths of office to hold their tongues. …
The technology companies, which participate knowingly in PRISM operations, include most of the dominant global players of Silicon Valley. They are listed on a roster that bears their logos in order of entry into the program: “Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.” PalTalk, although much smaller, has hosted significant traffic during the Arab Spring and in the ongoing Syrian civil war.
Was this narrowly tailored to just a few terrorist suspects? Not exactly:
But the PRISM program appears more nearly to resemble the most controversial of the warrantless surveillance orders issued by President George W. Bush after the al-Qaeda attacks of Sept. 11, 2001. Its history, in which President Obama presided over “exponential growth” in a program that candidate Obama criticized, shows how fundamentally surveillance law and practice have shifted away from individual suspicion in favor of systematic, mass collection techniques.
The PRISM program is not a dragnet, exactly. From inside a company’s data stream the NSA is capable of pulling out anything it likes, but under current rules the agency does not try to collect it all.
Analysts who use the system from a Web portal at Fort Meade key in “selectors,” or search terms, that are designed to produce at least 51 percent confidence in a target’s “foreignness.” That is not a very stringent test. Training materials obtained by the Post instruct new analysts to submit accidentally collected U.S. content for a quarterly report, “but it’s nothing to worry about.”
In other words, they’re not collecting all the data — but they’re surveilling all of it. Isn’t that a distinction without a difference? They can look into anything transmitted or stored on or through the servers, and pick and choose what they keep. Claiming that they don’t collect everything is somewhat akin to locking the barn door after the horse has bolted, no? And those decisions are based on content, not merely access logs, as with the telecoms.
Note the start date of PRISM, because you’ll hear lots about that. It started under Bush, but as the Post makes clear, has grown “exponentially” since then. If you want a measure of that growth under Obama, they provide it:
An internal presentation on the Silicon Valley operation, intended for senior analysts in the NSA’s Signals Intelligence Directorate, described the new tool as the most prolific contributor to the President’s Daily Brief, which cited PRISM data in 1,477 articles last year. According to the briefing slides, obtained by The Washington Post, “NSA reporting increasingly relies on PRISM” as its leading source of raw material, accounting for nearly 1 in 7 intelligence reports.
With this in mind, one has to wonder why the DoJ bothered to seek warrants for e-mails of James Rosen and the Associated Press. The government is literally looking at everything going through non-proprietary servers, and if you’ve already decided that Rosen in particular is a national-security risk in a leak investigation, it doesn’t take much rationalization to check the NSA stream on his work.
Contra the training materials, this is very much something to worry about — especially for the Obama administration.
Update: Jim Roberts at the New York Times emphasizes that this is about content:
Important point: Unlike Verizon metadata PRISM surveillance "can include the content of communications." http://t.co/g1u4YS3L8Z
— Jim Roberts (@nycjim) June 6, 2013
I’m trying to think of anything online that doesn’t eventually pass through these servers in some fashion. Can’t think of anything, which means that basically … Big Brother is listening.
Update Here’s a happy thought that follows from that one. This means that the NSA and FBI have access to communications of the legislative and judicial branches — at least those that go through public servers, no? Maybe Congress would like to invite Eric Holder up for another session really soon. They’d better send it by carrier pigeon.
Update: If you ever want to visit all of your old e-mails and Facebook posts, you may want to book a trip to Utah:
Under construction by contractors with top-secret clearances, the blandly named Utah Data Center is being built for the National Security Agency. A project of immense secrecy, it is the final piece in a complex puzzle assembled over the past decade. Its purpose: to intercept, decipher, analyze, and store vast swaths of the world’s communications as they zap down from satellites and zip through the underground and undersea cables of international, foreign, and domestic networks. The heavily fortified $2 billion center should be up and running in September 2013. Flowing through its servers and routers and stored in near-bottomless databases will be all forms of communication, including the complete contents of private emails, cell phone calls, and Google searches, as well as all sorts of personal data trails—parking receipts, travel itineraries, bookstore purchases, and other digital “pocket litter.” It is, in some measure, the realization of the “total information awareness” program created during the first term of the Bush administration—an effort that was killed by Congress in 2003 after it caused an outcry over its potential for invading Americans’ privacy.
But “this is more than just a data center,” says one senior intelligence official who until recently was involved with the program. The mammoth Bluffdale center will have another important and far more secret role that until now has gone unrevealed. It is also critical, he says, for breaking codes. And code-breaking is crucial, because much of the data that the center will handle—financial information, stock transactions, business deals, foreign military and diplomatic secrets, legal documents, confidential personal communications—will be heavily encrypted. According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the US. The upshot, according to this official: “Everybody’s a target; everybody with communication is a target.”
Update: Not exactly a surprise, but noteworthy:
NBC News has learned that under the Patriot Act, the gov't has been collecting records on every call made in America
— Jesse Rodriguez (@JesseRodriguez) June 6, 2013
Update (AP): For what it’s worth, the powerpoint slides at WaPo look almost too cute to be true. This is among the most sensitive, politically explosive intelligence programs in the U.S. arsenal, one that’s apparently been kept secret for years, and someone in charge thought to put all the key information — participating companies, logos, information received, plus a prominent “Top Secret” marking — on one slide that could be leaked and would instantly blow the whole thing out of the water? That’s operational security at the top of the intel food chain? Not even code names for which companies are participating?
Update (AP): Gabe Malor and Ryan Gustafson note on Twitter that WaPo’s version of the powerpoint is cosmetically different from the Guardian’s. At WaPo, the PRISM logo has a white background; at the Guardian, it has a red background. Maybe that reflects different sub-agencies within PRISM? In that case, it looks like WaPo’s leaker and the Guardian’s leaker may be different people, which is news in itself.
Update (AP): What does this mean?
NBC News has confirmed from two sources that the PRISM program exists, but a government official says it is a data collection program rather than a data mining program.
They’re collecting the data but they’re not mining it?