PRISM allows the NSA to collect material directly from the servers of major providers, including the contents of emails, file transfers, live video or voice chats, VoIP (such as Skype), videoconferencing, social media interactions, search history, etc. In November the Guardian published a large (41-slide) PowerPoint presentation that described the PRISM program's capabilities in detail and was apparently used to train intelligence personnel on the program.
The presentation states that these companies assisted with the operation of PRISM, but all of the companies denied knowing about the program at all. Google said, “Google does not have a back door for the government to access private user data” while Apple said it had “never heard of” PRISM. Senior executives of the tech companies insisted that if it was happening, it was being done without their knowledge.
But an article by Spencer Ackerman published in Wednesday’s Guardian argues that the companies did know all along.*
The senior lawyer for the National Security Agency stated unequivocally on Wednesday that US technology companies were fully aware of the surveillance agency’s widespread collection of data, contradicting months of angry denials from the firms.
Rajesh De, the NSA’s General Counsel, said all communications content and associated metadata harvested by the NSA under a 2008 surveillance law occurred with the knowledge of the companies – both for the internet collection program known as Prism and for the so-called ‘upstream’ collection of communications moving across the internet.
Title VII, Section 702 of the FISA Amendments Act, passed in 2008, allows the NSA’s foreign surveillance programs such as PRISM (and some earlier data collection activities previously authorized under the President’s 2001 Surveillance Program) to collect internet, phone, email, and other communications content when one party to the communication is reasonably believed to be a non-American outside the United States. The NSA stores PRISM data for five years, and communications taken directly from the internet for two years. Snowden’s leaked documents showed that the NSA has unmonitored blanket access to tech companies’ customer information. The secret FISA court (FISC) that oversees US surveillance activities renews authorizations annually for NSA targeted surveillance under Section 702. It isn’t clear what legal processes the government serves on a company to compel access to content and metadata under the PRISM program or upstream collection. Section 702 prohibits intentional targeting of Americans or US persons, known as “reverse targeting,” but in the process of collection, large amounts of Americans’ phone calls and emails are swept up.
Section 702 also permits NSA analysts to search through the collected communications for identifying information about Americans, an amendment to so-called ‘minimisation’ rules revealed by the Guardian in August and termed the ‘backdoor search loophole’ by [Senate Intelligence Committee member Ron] Wyden.
De argued that once the Fisa court permits the collection annually, analysts ought to be free to comb through it, and stated that there were sufficient privacy safeguards for Americans after collection and querying had occurred. ‘That information is at the government’s disposal to review in the first instance,’ De said.
Other Snowden documents the Washington Post published revealed that the NSA also siphons data in transit between the Google and Yahoo data centers, including from fiber optic cables between servers at various locations around the world, an activity reportedly conducted under Executive Order 12333. While an individual user may have an encrypted connection to a website, the internal data flows are not encrypted and allow the NSA to gather millions of records each month, including both metadata and such content as video, audio, and text.
* Late update: Mike Masnick at Techdirt says, “Not so fast, buddy!” After kudos to Spencer Ackerman’s customary outstanding reporting, Masnick says,