If you thought the National Security Agency's collection of Verizon phone-call data was bad, wait until you hear about the seven-year-old, previously undisclosed classified government program that works with nine very major U.S. Internet companies to secretly scrape your online life and has become "the most prolific contributor" to President Obama's daily intelligence report and is "increasingly" important to the NSA. (UPDATE: Other late Thursday reports have named even more companies encompassed in the agency's data collection program. More here) PRISM, as the classified Silicon Valley collective is code-named, collects information such as emails, documents, audio, video, and photographs from Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple, according to a shocking Washington Post scoop. "From inside a company's data stream the NSA is capable of pulling out anything it likes," write the Post's Barton Gellman and Laura Poitras. You can see a full list of everything that encompasses in slides provided to the Post by what appears to be a single leaker the day after the Guardian's Verizon scoop, but suffice it to say this is a much bigger buffet of privacy invasion than the meta-data of your cellphone calls, which at least doesn't include the content of an innocent American's conversation. But don't worry, the program — approved under the Foreign Intelligence Surveillance Act but centering on American companies and their data — also includes a system, codenamed BLARNEY, that scrapes meta-data, too.
So much for Internet companies pushing back against unwarranted government surveillance. Just like the telecoms, in exchange for immunity from lawsuits, these nine Silicon Valley giants (perhaps with more on the way, though Twitter has held out and Apple waited for five years) have to accept a "directive" to open their servers to the FBI's Data Intercept Technology Unit. As this next enlightening slide from the Post shows, it hasn't taken too long for those companies to join the cause.
The revelation of the program does come with this important reminder from the Post team: "under current rules the agency does not try to collect it all." But that doesn't mean that innocent Americans aren't having their Internet lives — where most of us do a lot of our communicating — unwittingly scooped up by authorities. Gellman and Poitras explain:
Analysts who use the system from a Web portal at Fort Meade key in “selectors,” or search terms, that are designed to produce at least 51 percent confidence in a target’s “foreignness.” That is not a very stringent test. Training materials obtained by the Post instruct new analysts to submit accidentally collected U.S. content for a quarterly report, “but it’s nothing to worry about.”
Indeed, 51 percent confidence isn't very confident at all. Even when the system manages to work properly and find a person who reaches said "foreignness," because of the way the Internet works, that process still leaves a lot of people's innocent information collected by the NSA program run out of Fort Meade, as Gellman and Poitras explain: "To collect on a suspected spy or foreign terrorist means, at minimum, that everyone in the suspect’s inbox or outbox is swept in." In addition, analysts are taught to "chain through contact to 'hops' from their target," meaning that all the contacts — likely innocent Americans — are being spied on as well. If the program says it needs two hops, it's worth remembering that we're all 4.74 hops away. As the Post team adds, the whole PRISM process is literally as easy as "a few clicks":
There has been “continued exponential growth in tasking to Facebook and Skype,” according to the 41 PRISM slides. With a few clicks and an affirmation that the subject is believed to be engaged in terrorism, espionage or nuclear proliferation, an analyst obtains full access to Facebook’s “extensive search and surveillance capabilities against the variety of online social networking services.”
This is all very shocking considering how much of our lives we spend online and how much of our personal data we entrust to these Internet companies. Though there were rumors that the search giant might have been up to something like this, Google is still alleging to the Post that it "cares deeply about the security of our users' data." But maybe it shouldn't be — we knew the scope of the NSA spying was bigger than a few phone calls.
BREAKING: Intelligence chief declassifies phone data program details, says public must understand limits — The Associated Press (@AP) June 7, 2013
Update 10:12 p.m.: The Office of the Director of National Intelligence released a statement saying that "The article omits key information regarding how a classified intelligence collection program is used to prevent terrorist attacks and the numerous safeguards that protect privacy and civil liberties." In order to drive their point home, the office has authorized the declassification of "certain information related to the 'business records' provision of the Foreign Intelligence Surveillance Act," the statement says.
The statement appears to address both the PRISM story and the Verizon story. It asserts, among other things, that 1) the programs are legal, 2) the leaked documents give an incomplete picture of what's going on, and 3) they're super careful with the data they do collect. Read the full statement here. (Note: It looks like the full version of the statement is now offline. But Buzzfeed screencapped it):
Full statement from James R. Clapper, Director of National Intelligence twitter.com/BuzzFeedNews/s… — BuzzFeed News (@BuzzFeedNews) June 7, 2013
There's another statement up on the DNI website, here.
Update 10:06 p.m.: Foreign Policy has explained what PalTalk is, and why the NSA would be interested in collecting its user data. In sum, FP thinks "the NSA appears to have had its reasons for reaching out to PalTalk."
Update 8:59 p.m.: Reuters reports, citing a senior unnamed official, that "collected information referenced by media meant to target only non-U.S. persons outside U.S." But in its tweeted form, the statement doesn't address whether the U.S. is collecting the communications of U.S. citizens while investigating targets outside of the country or not — in other words, it's not a straight denial of the story emerging in multiple reports as it stands.
Update, 8:35 p.m.: The Wall Street Journal reports that the NSA's data collection program "Also encompasses phone-call data from AT&T Inc. and Sprint Nextel Corp., records from Internet-service providers and purchase information from credit-card providers."