How does Prism work? We have precious few details about the technical workings of the National Security Agency's global surveillance program, despite all the leaks and all the media coverage. That leaves the public and the technology community much like the blind men and the elephant.
Details matter. Depending on which part of the elephant you touch, Prism is either a system that lets the NSA read, see and hear anything online at any time or a tool that streamlines the legal process by which federal agents execute court orders to obtain digital evidence while hunting foreign enemies.
A hazy digital line separates these two possibilities, but the distinction matters both politically and legally. Congress will be unable to defend a program that allows U.S. spies to copy everything Google, Yahoo, and Microsoft know about us and store it forever in its new, super-secret Utah facility for later fishing expeditions. But there are well-established precedents that clear the way for federal agents to ask private companies to turn over their data specific to investigations.
Given that Prism’s self-identified leaker Edward Snowden worked in information technology (he was fired from his job at Booz Allen Hamilton Tuesday), it's disappointing that he has not yet managed to leak more technical specifics about how the program works. Here's what we know so far:
- Snowden told The Guardian in his video interview that the NSA could access anyone's email, and even reach far back in time when necessary, strongly suggesting the agency is copying massive amounts of data.
- A slide from the presentation Snowden gave The Guardian says the NSA gets data "directly from the servers of these U.S. Service Providers," suggesting an agent can somehow log into Google, Yahoo, etc., computers and use a self-service tool to obtain user data.
- The tech companies named in the Prism story deny that the NSA has direct access to their networks — and are now lobbying for more public disclosure of the data that is requested from them by security agencies.
- The New York Times described a "locked mailbox" process in which the NSA installs its own servers at a company's server farm. Upon request, target companies move data from their servers into the lock-box, giving the NSA quick access.
Ashkan Soltani is an independent privacy consultant and consumer advocate and former Federal Trade Commission investigator. He says it's possible all these assertions are correct. Depending on what data the NSA needs, it employs some or all of those methods to get it.
"It probably varies from company to company, based on what the company is willing to do," he said. "But the way I think it works is agents issue a directive to the company, and someone at the company, or a contractor on site, or a (computer program) collects those records and loads them into a box the NSA can access."
No technologist interviewed for this story believes the NSA simply vacuums up every piece of data from all tech companies. Despite advances in storage and transmission speeds, that would still be technically challenging and probably unnecessary. Why recreate Google when the agency can just ask Google for the data it wants?
Early versions of the Prism story asserted that the tech giants involved voluntarily participated in the program and were unaware of the queries made by agents. But most of the firms said they'd never heard of Prism, and that they don't allow unfiltered access to data. Both can be true, Soltani said.
"The NSA doesn't want companies to know the targets of their investigations, so I think they issue broad directives to the companies," he said. For example, rather than saying, “Give us all Bob Sullivan’s emails from last month,” the NSA hides its true intentions by saying “Give us all email written by someone with the initials B.S. last month.”
It's also possible that Prism is an internal code name the NSA uses, and firms that installed locked mailboxes had no idea they were participating in Prism.
"Assuming everyone is telling the truth, this is how I think it works," Soltani said. "And while we may disagree, there's certainly a way to imagine Prism is perfectly legal, based on the laws Congress has passed."
There's plenty of precedent for technology companies giving streamlined data access to law enforcement. Last year, the American Civil Liberties Union released a study showing that wireless firms give thousands of location records to local and federal investigators; some even have website portals where the records can be ordered in bulk.
It's uncomfortable seeing such mass surveillance in action, and it might be enough to stir renewed public debate on the topic, but Prism is the logical conclusion of laws Congress has passed and the natural tendency of law enforcement to push the envelope when investigating crimes.
“Prism didn't shock me at all. When I read the FISA Amendment Act ... I see Prism with my eyes,” said Chris Soghoian, privacy rights expert with the American Civil Liberties Union.
If companies must act on each data request the government makes, they have the opportunity to step in and object. That might be a weak protection, but it is a protection. And it's a far cry from NSA agents simply rooting around Google at any time for anything.
Soghoian and Soltani are concerned that leaks about Prism have directed attention away from an earlier leak showing the NSA has obtained millions of phone records detailing U.S. users' calls from Verizon. A leaked secret court order indicates Verizon is giving the NSA details about every call placed in the U.S.
"When I look at the Patriot Act, I don't see that. That shocks me. It’s terrifying," Soghoian said. "What really matters, the million dollar question, isn't who has direct access to the data. It's the scale and volume of information being shared."
Still, if Prism is as broad-reaching as some have suggested, that's a concern for Soltani.
"The American public had previously, maybe unknowingly, relied on technical and financial barriers to protect them from large scale surveillance by the government," Soltani said. "However, these implicit protections have quickly eroded in recent years as technology industry advances have trickled down to the intelligence agencies, and as a result, changed the delicate balance of power."
The argument we are now having, pitting civil liberties advocates against law enforcement, probably should have happened in 2008, when the FISA law was substantially revised to clear the way for tools like Prism. As the costs associated with massive surveillance and data storage continue to drop, experts warn that it’s inevitable that privacy invasions will rise unless checked.
“We need to remember that this is a trend with a firm lower bound — once the cost of surveillance reaches zero we will be left with outdated laws as the only remaining barrier,” Soltani said.