You've probably heard by now: the NSA is listening to you. Or watching you. Or reading your Twitter feed. The news broke on Thursday that PRISM, a program run by the United States National Security Agency, was established post-9/11 to analyze the vast amounts of information flowing across cell phone networks and the Internet. Here's what The Washington Post wrote to introduce this story on Thursday:
"The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets, according to a top-secret document obtained by The Washington Post."
Many, many people are upset about this news, and understandably so. But it's also confusing. Is this an illegal invasion of privacy? Are those Internet companies playing along? Let's take on the most important elements of the PRISM story one by one.
First up: PRISM is possible because Congress passed the Protect America Act in 2007 and the FISA Amendments Act in 2008, which "immunized private companies that cooperated voluntarily with U.S. intelligence collection," writes the Washington Post.
Here's the gist of what the Protect America Act Added, via Wikipedia:
- The bill allowed the monitoring of all electronic communications of "Americans communicating with foreigners who are the targets of a U.S. terrorism investigation" without a court's order or oversight, so long as it is not targeted at one particular person "reasonably believed to be" inside the country.
- The Act removed the requirement for a FISA warrant for any communication which was foreign-related, even if the communication involved a U.S. location on the receiving or sending end of communication; all foreign-foreign communications were removed from warrant requirements, as well.
- Experts claimed that this deceptively opened the door to domestic spying, given that many domestic U.S. communications passed via non-US locations, by virtue of old telephony network configurations.
And the FISA Amendments Act:
- Protects telecommunications companies from lawsuits for "'past or future cooperation' with federal law enforcement authorities and will assist the intelligence community in determining the plans of terrorists". Immunity is given by a certification process, which can be overturned by a court on specific grounds.
- Removes requirements for detailed descriptions of the nature of information or property targeted by the surveillance if the target is reasonably believed to be outside the country.
- Allows eavesdropping in emergencies without court approval, provided the government files required papers within a week.
While these acts were clearly aimed at foreign threats, they allowed for the monitoring of communications in the United States. Was that a necessary step, given how much information flows through the US Internet infrastructure, and the possibility of terrorists hiding sindie the country? Quite probably. Director of Natioanl Intelligence James R. Clapper stated on Thursday:
“Information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats. The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans.”
The Post further detailed that as many as 1 in 7 intelligence reports come from PRISM data, and that it's the most important contributor to the President's Daily Brief. The information it collects is, most definitely, valuable.
So, the next question: What information is PRISM collecting, exactly? And from which companies? The Washington Post wrote on Thursday that Microsoft was the first company the NSA recruited to collect information under the new policy. Microsoft and other private corporations can voluntarily give up private information under the 2008 FISA Amendment without liability. Facebook and Apple both stated to the Post that they do not provide any government agency direct access to their servers.
The Post also quoted the secret document it had obtained, writing: "the document itself made clear that the NSA regarded the identities of its private partners as PRISM’s most sensitive secret, fearing that the companies would withdraw from the program if exposed. '98 percent of PRISM production is based on Yahoo, Google and Microsoft; we need to make sure we don’t harm these sources,' the briefing’s author wrote in his speaker’s notes."
Those sources are, according to the document, Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.
Denials from Apple, Google and Facebook have left some theorizing that the Washington Post and the Guardian, which also wrote about PRISM, had been duped, but NBC has also confirmed the program's existence.
Yahoo! and Microsoft have also denied being involved in PRISM. What's unclear, currently, is how the information is being gathered. There is some wiggle room in many of the corporate statements, which use language like "We provide customer data only when we receive a legally binding order or subpoena to do so," but there's no wiggle room in Apple's flat-out statement "We've never heard of PRISM." It seems possible or likely, at this point, that some information is being collected without those companies' participation.
Figuring out exactly what information is being collected is tricky. The short answer: A lot of it. The long answer:
"According to a separate 'User’s Guide for PRISM Skype Collection,' that service can be monitored for audio when one end of the call is a conventional telephone and for any combination of 'audio, video, chat, and file transfers' when Skype users connect by computer alone," writes The Washington Post. "Google’s offerings include Gmail, voice and video chat, Google Drive files, photo libraries, and live surveillance of search terms."
Before the PRISM story broke, The Washington Post wrote another story detailing the NSA's collection of Verizon call records under court order: "The order appears to require a Verizon subsidiary to provide the NSA with daily information on all telephone calls by its customers within the United States and from foreign locations into the United States." That order reportedly only allows for collection of call metadata, such as the length of a call, not the actual audio. Either way, the information being collected is legal under the Patriot Act.
President Obama criticized the leaks, stating "In the abstract, you can complain about ‘big brother’ and how this is a potential program wrong amok. But when you actually look at the details, I think we’ve struck the right balance." He also stressed that no one is listening in on phone calls.
This is just the beginning of the story--no doubt more information on what PRISM collects and which companies provide that information will continue to be released. For a look back on how and why PRISM came to be, read The Atlantic's "Birth of the Surveillance State," published this morning. It explains the drastic steps taken by the NSA in the 2000s to catch up to the massive explosion in cellular and Internet data traffic across the world.
David Simon, journalist and writer of The Wire, has his own take on the situation. He criticizes the media for overreacting to what is an unsurprising, legal, and even necessary data monitoring program.