The National Security Agency in the US has access to whatever data you're storing with US service providers like Google Microsoft, Yahoo, and Facebook. They're also likely monitoring most of the traffic flowing across the Internet. We'll try to summarize the important revelations about PRISM from the recent leaks and discussions around this important topic.

First, an important disclaimer: This summary won't be perfect or complete. The US government has complained that the discussion of PRISM involves incomplete information that doesn't paint a complete picture of what's going on -- but that's all we have available to us. In spite of their complaints, the US government won't give us all the information we need to have a proper debate. The same laws that compel service providers to hand over data also compel them to keep silent. They're not even allowed to admit that they've received any demands for data.

PRISM vs. Upstream Surveillance

According to an internal US National Security Agency slideshow leaked by Edward Snowden, PRISM isn't the only Internet surveillance tool used by the NSA.

One leaked slide clarifies matters. It states that PRISM is a "collection directly from the servers of [certain] U.S. Service Providers."

Other programs -- codenamed FAIRVIEW, STORMBREW, BLARNEY, and OAKSTAR -- work differently. These programs involve collecting all traffic, either by tapping undersea fiber optic cables or capturing traffic travelling through Internet routers and gateways located in the USA. It's long been known that the NSA has secret rooms at Internet service providers and routing companies where they can intercept and monitor the data flowing past. Room 641A at the AT&T office in San Francisco was the first such room that we learned about back in 2006.

Under these Upstream programs, the NSA probably has the ability to capture most of the data being transmitted over the Internet. They're building a massive data center in Utah, likely to store and analyze all this data. These upstream programs are capturing much more data and surveilling many more people than PRISM is.

prism-vs-upstream-slide

So What is PRISM?

Upstream surveillance captures data flowing across the Internet, but this data is often incomplete if encryption is used. For example, the NSA can't intercept Skype traffic data and decode it -- the Skype traffic data is encrypted so no one can snoop on it in transit. The NSA can't view your Google searches if you're logged in, because that's sent over an encrypted HTTPS connection as well.

The NSA wants this data and, under FISA, is capable of compelling any company to hand over data with orders from a secret court that's being called a "rubber stamp court" because they haven't denied any US government surveillance requests in the last three years. This is already occurring, and the NSA is capable of going to any service provider in the US and demanding it hand over the data. Service providers that have fought these requests as unconstitutional-- Yahoo is notable for doing this -- have lost in the secret courts. Even service providers not listed under PRISM are  handing over data when it's demanded.

PRISM is some sort of system that allows NSA agents to collect data "directly from the servers" of certain US-based service providers, including MIcrosoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple. Dropbox is listed as "coming soon."

prism-providers-slide

After these slides were released, many companies spoke up and said they had never heard of PRISM before and that the NSA did not have "direct access" to their servers. This is likely true. What we've learned so far indicates that PRISM is some sort of an internal NSA system that streamlines NSA demands for data to these companies. An NSA agent likely demands the access to a user's data -- Gmail, Skype calls, Google or Bing searches, or instant messages -- through the PRISM system and the company receives the demand. They then provide the demanded data in a convenient form, possibly through some sort of portal or by uploading it through standard protocols like FTP to the NSA's system.

This was already going on before PRISM and it's likely that providers not involved with PRISM are handing over data in the old, less-streamlined way. The new system allows NSA agents to demand data without filling out paperwork. Under the US FISA act, the NSA can monitor a person's phone, email, and other communications for up to a week without going to the secret court and asking permission, and they can do it via PRISM.

How Many People Are Monitored Under PRISM?

So how many people are being monitored under PRISM? We don't know for sure. However, there's a good reason to be suspicious -- the US government is demanding for all phone call "metadata" from phone companies in the USA. They've made a massive database containing which phone numbers call which other phone numbers and at which times. They've also asserted that they have a legal right to archive the location these calls were made from using cell phones, but they haven't yet because of technical constraints. The US government is essentially monitoring everyone's phone calls -- not listening in to all of them, necessarily, but certainly tracking who you're calling.

While the US government is essentially monitoring everyone's Internet usage through upstream programs, PRISM seems a bit more targeted. The NSA likely looks at the upstream data and then decides who to look more closely at using PRISM. However, we don't know for sure. The US government bans companies from even disclosing that they've received a national security letter request, much less disclosing how many they've received or how many accounts are being monitored.

Some companies received permission to report the total number of US government requests alone -- everything from NSA requests relating to PRISM to standard police requests made with proper warrants. For example, Yahoo received 12,000 to 13,000 requests for user data between December 1, 2012 and May 31, 2012. We don't know how many user accounts were covered by these requests or how many were made for surveillance instead of standard criminal investigations.

dates-when-prism-began-for-each-provider-slide

Foreign vs. Domestic Targets

FISA technically restricts the government from monitoring the communications of Americans or anyone present in the USA. However, there are some concerns here:

  • The NSA must have 51% confidence that the target is "foreign." That's the lowest possible standard they could apply under the law -- and after that anything goes.
  • The NSA is aware that domestic citizens end up being spied on under this standard, but instructs its agents in the leaked slides that it's "nothing to worry about."
  • Even if the NSA becomes confident the target isn't foreign after collecting that data, the collected data can be kept forever. It's just stored in a different database.
  • The NSA uses "contact chaining" and targets everyone within three "hops" of a suspected target. For example, if a coworker of yours has a friend whose long-lost brother is a suspected terrorist, you are a legitimate target of NSA surveillance and could have your digital life sifted through. Even if you're found innocent, your data will be saved in a government database. Research has indicated that you can connect any person on the Internet to any other person in an average of 4.74 hops, or degrees. Many, many innocent people will be captured within three hops.

If you're not in the USA, things are even clearer. People outside the USA receive even less protection from intrusive surveillance and, even if found innocent, have their data stored in a database that can be more easily accessed.

prism-us-as-backbone-slide

Similar Surveillance Programs in Other Countries

In response to PRISM, citizens in other countries have expressed outrage. The German government was particularly vocal in expressing its disapproval.

However, various leaks have demonstrated that countries like the UK, France, and even Germany itself have similar secret Internet-monitoring programs in place. It's clear that the majority of developed countries are likely doing similar things like the USA, although they haven't been caught with their hands in the cookie jar just yet.

So Where Do We Go From Here?

The media has fixated on PRISM, but it's arguably one of the least scary revelations from recent NSA leaks. Yes, the US government is forcing US-based service providers to turn over customer data with only a secret court order from a rubber-stamp court. They've also built a system to streamline such requests, making it easier to spy on larger numbers of people. However, PRISM seems to at least be targeted at specific accounts. Other surveillance programs tap directly into the Internet's backbone and monitor the data flowing past -- even if the communication is encrypted, they can at least tell what websites you're communicating with.

As storage becomes cheaper, new huge data centers are built, and laws like FISA and the Patriot act become even more loose and authorize even more wide-scale government surveillance, the expansion of PRISM in the future is a concern. Will PRISM grow into a program that demands US service providers hand over all customer data to the US government to be placed in a massive database, just as they already demand phone companies hand over all phone call records, and Internet communications companies allow them to monitor all data flowing past?

Now that the leaks have informed citizens of the USA and the rest of the world what has been going on in secret, perhaps we can all begin to have a discussion about what kind of surveillance is acceptable in a democratic society. If people agree that such surveillance is necessary, that's one thing -- but it's quite another for such surveillance programs to be set up in secret by governments and forced on their citizens without a debate or even an acknowledgement that they exist. The US government is fighting to keep court opinions justifying their surveillance programs under wraps -- the surveillance programs are taking place under secret interpretations of laws that average citizens aren't allowed to know. That's no way to run a democracy.

Surveillance could also be used against everyone. Laws have become so complicated that it's often said the average American commits three felonies per day. Everything from unlocking a cellphone to jailbreaking an iPad to violating a website's terms of service is technically a felony that you could be convicted and jailed for in the USA.

What do you think about PRISM? Are you one of the people who aren't bothered by it? Or did we miss anything particularly important? Leave a comment below and chime in!

Image Credits: Bald Headed Eagle Via Shutterstock