Since 9/11 and the advent of the ‘War on Terror’, the U.S. government has dramatically increased the scope in which its intelligence agencies can ‘legally’ collect information and conduct surveillance on foreign and, now as it turns out, domestic citizens. One of the programs that came to fruition under this policy of extended surveillance was PRISM – a mechanism that allows the government to collect user data from companies such as Google, Microsoft, Apple, Yahoo, and many others. However, it was not until June of this year that a government security contractor named Edward Snowden decided to blow the whistle on the classified details pertaining to this operation clouded in secrecy. On June 6th 2013, The Guardian and The Washington Post published reports based on leaked internal NSA training presentations, which revealed that the NSA had “direct access” to the servers of Google, Facebook, and other silicon valley companies. In the days following the leak, the implicated companies, initially, vehemently denied knowledge of and cooperation with PRISM. Moreover, they denied accusations that the NSA is permitted to access their users’ data.
PRISM – The Data Monster
PRISM is a tool used by the NSA (U.S. National Security Agency) to obtain private electronic data belonging to specific users as well as the greater public through of major Internet corporations and services like Gmail, Yahoo and Facebook. As The Washington Post previously reported, “The Protect America Act of 2007 led to the creation of a secret NSA program called US-984XN – also known as PRISM.” The program is rumored to be a streamlined version of similar surveillance practices that the U.S. intelligence community was conducting in the years following 9/11, under the directive of President George W. Bush’s “Terrorist Surveillance Program”.
The Protect America Act allows the U.S attorney general and the director of national intelligence to explain in a classified document how the United States would collect intelligence on foreigners overseas each year. However, it does not require the identification of specific targets or locations. Once a program is green-lighted by a federal judge in a classified order, the NSA can coerce companies like Google and Facebook into sending proprietary data to the government, as long as the order meets the classified plan’s predetermined criteria. However, both the companies and the government insist that data is only assembled with court approval and for specific aims. According to The Washington Post, “PRISM is said to merely be a streamlined system – varying between companies – that permits them to expedite court-approved data collection requests.” Therefore, the U.S. government maintains that the system is only allowed to collect data when given consent by the secretive yet technically legally solvent Foreign Intelligent Court.
Even though much has already been uncovered, we still do not have a complete understanding of how the actual system operates, is maintained, or even its full potential and scope. Furthermore, since there are few technical details about how PRISM works available, and due to the fact that the FISA court functions under national security classification, critics are concerned as to the extent of the program and whether it violates the civil liberties of U.S. citizens.
What the NSA collects
Alongside the technical revelations regarding PRISM, some light has also been shed on what exactly the NSA looks for and what it gathers. Broadly speaking, the collected information can be split into two categories according to leaked NSA guidelines: data from “upstream” wiretapping, which compiles data from undersea communications cables, and the data secured from PRISM, which acquires data through US telecommunications companies.
The NSA generally focuses on the collection of two types of data: metadata and content data. Metadata is the byproduct of electronic communications (e.g. phone records) that reveals the participants, time, and duration of calls. The forms of communications collected specifically by PRISM include the contents of emails, chats, VoIP calls and cloud files. The U.S government has tried to allay fears about the NSA’s indiscriminate metadata aggregation by pointing out that it does not reveal the actual contents of conversations or communications. But metadata can be as publicized as content – Internet metadata includes information such as e-mail logs, geolocation data (i.e. IP addresses), and search history. Because of antiquated legal frameworks, metadata is currently far less safeguarded legally than the content itself in the U.S. In the leaked documents, evidence demonstrated that Verizon handed over the call records and telephone metadata of all of its customers to the NSA on an “ongoing, daily basis.”
To be considered is the fact that large-scale aggregation of metadata commenced initially under the Bush administration with “Stellarwind”, which became public through the actions of NSA whistleblower William Binney. The program was continued under the Obama presidency for two years, but has now been replaced with a gamut of similar programs (e.g. “EvilOlive” and “ShellTrumpet”).
The Art of Data Collection
Many crucial details on how and under what circumstances the NSA collects data are still unavailable. Legally speaking, surveillance programs rely on two key statutes, Section 702 of the FISA Amendments Act (FAA) and Section 215 of the Patriot Act. The former authorizes the aggregation of communications data through PRISM and similar programs, while the latter authorizes the collection of metadata from telecommunications companies such as Verizon and AT&T.
Nonetheless, multiple reports and leaked documents indicate the statutes have been interpreted in secret by the FISA intelligence courts to grant much broader authority than they were originally intended to authorize. They also revealed that the FISA courts only approve the NSA’s collection procedures, and that individual warrants for specific targets are not required.
Generally, the steps in which NSA accrues data is as follows:
Firstly, an analyst starts by inputting “selectors” (search terms or tags) into a system like PRISM, which then “tasks” information from other collection sites, known as SIGADs (Signals Intelligence Activity Designators).
Correspondingly, because SIGADs have both classified and unclassified code names, and are tasked for different types of data, a central entity code named NUCLEON gathers the contents of phone conversations, while others like MARINA store internet metadata.
According to the leaked documents, under the agency’s targeting and “minimization” rules, NSA analysts cannot specifically target a U.S. citizen domestically per say. Yet, the Washington Post also reported that “an analyst must have at least 51-percent certainty their target is foreign.” As to what constitutes 51% is a highly contentious.
The laws state the analyst must take steps to remove data that is determined to be from “U.S. persons”, but even if they are not relevant to terrorism or national security, these communications can still be stored and analyzed for up to half a decade without judicial review. The information can even be shared with other agencies under the U.S intelligence community umbrella (e.g. FBI, CIA, DEA). The communications are supposedly shared under the justification that they are "reasonably believed to contain evidence of a crime that has been, is being, or is about to be committed”, or that they contain information relevant to arms proliferation or cyber security. Moreover, if communications are encrypted, they can be kept indefinitely.
In the weeks that followed the PRISM document leak, a global debate regarding the United States government’s surveillance and spying program was initiated, and fiery criticism from the international community’s has begun to engulf the NSA, Congress, and the Obama administration.
While outspoken supporters of the NSA surveillance program in Congress and the White House – including President Obama – have argued the constitutional and utilitarian justification of the project, anxiety and opposition seems to be growing in certain sections of Congress. In June of this year, a number of senators unveiled a bill that aimed to rein in the problematic legal provisions that provide U.S. intelligence agencies nearly unfettered authority to conduct warrantless scrutiny over domestic and foreign communications. Several other lawmakers have introduced their own measures, but legislative reform is still at its infant stages as for now.
Meanwhile, a diverse coalition of interest groups and private organizations are directly challenging some of the NSA’s surveillance programs in court. On July 16th, a team of plaintiffs joined to sue the U.S. government for “an illegal and unconstitutional program of dragnet electronic surveillance,” in which the NSA gathered the consumer phone records of Verizon, AT&T, Sprint and other domestic telecommunication service providers. The service and data storage providers at the heart of PRISM controversy are beginning to recognize their involvement and fight back against government intervention as well, but the specific details in regards to their original involvement in NSA surveillance on US citizens is still hazy. Microsoft, Google, Yahoo, and other technology firms have stepped up pressure in the past month on the government to declassify the process by which it coerces them into handing over their private data. In an impassioned plea on July the 16th this year, Brad Smith, Microsoft’s head legal counsel, stated: “We believe the U.S. constitution guarantees our freedom to share more information with the public, yet the government is stopping us.”
Finally, there’s the group of people most affected by PRISM and its sibling programs: the American public and a broader scale the international community. On July 4th, “Restore the Fourth” rallied in more than 100 U.S. cities to protested the government’s surveillance programs, focusing on electronic privacy. It is unclear if public outrage will result in reform, but as a consequence of the startling actions of Edward Snowden, a civic discussion on the constitutionality of the U.S. government’s covert surveillance operations has started to gain momentum.