Hot off the heels of the revelation that Verizon has been supplying the National Security Agency (NSA) with phone records for all domestic calls, the Washington Post reveals the NSA and FBI are datamining the servers of nine technology companies, “extracting audio, video, photographs, e-mails, documents and connection logs that enable analysts to track a person’s movements and contacts over time.”
Companies participating in the program are obliged to accept “a directive” from the the attorney general and the director of national intelligence to open their servers to the FBI’s Data Intercept Technology Unit. In exchange, the companies receive immunity from lawsuits.
The broad, top secret program, code-named PRISM, was established in 2007 with Microsoft as its first partner but now counts Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple among its membership. Twitter is notably absent from the list.
PRISM appears to closely resemble the warrantless surveillance orders issues by President Bush after the September 11th, 2001 terrorist attacks rather than a dragnet data collection operation, but the NSA has the capability to search through the company’s servers for whatever it likes. To collect data, analysts in Fort Meade key in search terms designed to produce an “at least 51 percent confidence in a target’s ‘foreignness.’”
But even when meeting that relatively low threshold, by its very nature the system likely collects information about Americans who have had communications with the target, and analysts are trained to chain through two degrees of separation of contacts from the initial target. This chaining means that many Americans are likely the subject of “incidental” surveillance.
Analysts have access to Facebook’s “extensive search and surveillance capabilities” while the Skype partnership allows for monitoring of any combination of “audio, video, chat, and file transfers”, and Google allows surveillance of “Gmail, voice and video chat, photo libraries, and live surveillance of search terms.” The career intelligence officer who leaked documents about the program to the Washington Post noted “[t]hey quite literally can watch your ideas form as you type.”
Apple and Facebook have both denied participation in the program, with Apple saying they’ve “never heard” of it, and Facebook flatly denying they provide “any government organization with direct access” to their servers. Google has been slightly less clear, but told Washington Post they lack a back door for the government to obtain access to private user data and care “deeply” about the privacy of users.
An internal presentation on the operation obtained by the Post claims PRISM is the most frequent contributor to the President’s Daily Brief, saying it was cited in 1,477 articles last year and accounts for nearly 1 in 7 intelligence reports within the NSA. A parallel initiative also revealed by the Post, codenamed BLARNEY, is an ongoing data collection program that gathers “metadata” such as address packets and device signatures as it streams past choke points in internet infrastructure.
In comments to ThinkProgress, Amie Stepanovich, Director of the Electronic Privacy Information Center’s Domestic Surveillance Project noted that the 51 percent threshold reportedly used by NSA analysts not only “leaves a lot of room for error” initially, but combined with the chaining effect and how studies of private data brokers have shown that innate qualities like “foreignness” are often quite difficult to determine, the chance of an American citizens’ data being incidentally caught up in the program could actually be “incredibly high.”
The Washington Post has now backtracked on their claims that government had direct access to servers, editing their report to include more responses from companies and this statement: “[i]t is possible that the conflict between the PRISM slides and the company spokesmen is the result of imprecision on the part of the NSA author. In another classified report obtained by The Post, the arrangement is described as allowing ‘collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,’ rather than directly to company servers.” This change only strengthens the argument that the NSA had access to copies of the data.