On Thursday night, the Washington Post and Guardian dropped concurrent bombshell reports. Their subject was PRISM, a covert collaboration between the NSA, FBI, and nearly every tech company you rely on daily. PRISM has allowed the US (and possibly UK) government unprecedented access to your personal information for at least the last six years. But what is it, exactly?
As much as PRISM might sound like a comic book antagonist of S.H.I.E.L.D., it's the codename for a very real US government program. According to leaked documents, it went into effect in 2007, and has only gained momentum since. Its stated purpose is to monitor potentially valuable foreign communications that might pass through US servers, but it appears that in practice its scope was far greater.
Microsoft. Yahoo. Google. Facebook. PalTalk. AOL. Skype. YouTube. Apple. If you've interacted with any of those companies in the last six years, that information is vulnerable under PRISM. But how?
The initial reports from last night suggested that the process worked as follows: The companies mentioned above (and who knows how many others) receive a directive from the attorney general and the director of national intelligence. They hand over access to their servers—and the tremendous wealth of data and communiques that passes through them every day—to the FBI’s Data Intercept Technology Unit, which in turn relays it to the NSA.
And that's when things get interesting.
It seems impossible that the NSA, an agency which by law is only allowed to monitor foreign communications, has so much access to US domestic information. And yet!
There are, as you might expect, filters in place to help handle the fire hose of data that comes through daily, the trillions of bits and bytes that make up our online identities and lives. Something to ensure that only the bad guys are being tracked and not honest, everyday citizens. Actually, there's one filter, and it's ridiculous: an NSA analyst has to have "51 per cent" confidence that a subject is "foreign." After that, it's carte blanche.
That's it. That's the only filter. And it's an ineffective one, at that; the PowerPoint slides published by the Post acknowledge that domestic citizens get caught in the web, but that it's "nothing to worry about."
It's something to worry about.
What's most troubling about PRISM isn't that it collects data. It's the type of data it collects. According to the Washington Post report, that includes:
…audio and video chats, photographs, e-mails, documents, and connection logs… [Skype] can be monitored for audio when one end of the call is a conventional telephone, and for any combination of “audio, video, chat, and file transfers” when Skype users connect by computer alone. Google’s offerings include Gmail, voice and video chat, Google Drive files, photo libraries, and live surveillance of search terms.
Did you get all that? Similar depth of access applies to Facebook, Microsoft, and the rest. Just to be clear: this covers practically anything you've ever done online, up to and including Google searches as you type them.
The news of PRISM broke soon after a separate report, about the NSA's having access to Verizon customers'—and, according to an NBC report, everyone else's—phone logs. Surprisingly enough, this is a totally different program! And PRISM makes the Verizon thing look like an ACLU company picnic by comparison.
When the NSA monitors phone records, it reportedly only collects the metadata therein. That includes to and from whom the calls were made, where the calls came from, and other generalized info. Importantly, as far as we know, the actual content of the calls was off-limits.
By contrast, PRISM apparently allows full access not just to the fact that an email or chat was sent, but also the contents of those emails and chats. According to the Washington Post's source, they can "literally watch you as you type." They could be doing it right now.
PRISM's first corporate partner was allegedly Microsoft, which according to the Post and Guardian signed on back in 2007. Other companies slowly joined, with Apple being the most recent enlistee. Twitter, it seems, has not complied.
But why would all of these companies agree to this? Mostly because they have no choice. Failure to hand over server data leaves them subject to a government lawsuit, which can be expensive and incredibly harmful in less quantifiable ways. Besides, they receive compensation for their services; they're not doing this out of charity. There is incentive to play ball.
Here's where things get a little complicated, though. Apple, Microsoft, Yahoo, and Google have all given full-throated denials of any involvement whatsoever. Most of them aren't just PR syntactical trickery, either; they are unequivocal.
What's most horrifying about PRISM might be that there's nothing technically illegal about it. The government has had this authority for years, and there's no sign that it's going to be revoked any time soon.
A little bit of history might be helpful for context. Back in 2007, mounting public pressure forced the Bush administration to abandon the warrantless surveillance program it had initiated in 2001. Well, abandon might be too strong a word. What the administration actually did was to find it a new home.
The Protect America Act of 2007 made it possible for targets to be electronically surveilled without a warrant if they were "reasonably believed" to be foreign. That's where that 51% comes in. It was followed by the 2008 FISA Amendments Act, which immunized companies from legal harm for collaborating by handing information over to the government. And that's the one-two punch that gives PRISM full legal standing.
All of which is to say that PRISM is an awful violation of rights, but it's one that's not going to disappear any time soon. The government is pretty much completely unapologetic. And why wouldn't they be? It's easy enough to follow the letter of the law when you're the one writing it.
Powerpoint slides via Washington Post