This could be how PRISM actually works
Though we don't know the particulars of PRISM—the recently revealed program that allows the NSA and FBI to monitor users of Google, Yahoo, and Facebook, among others—a clearer picture is starting to take shape as those companies deny being part of such a system.
An NSA presentation, leaked late Thursday, says that the intelligence agency gathers communication information—everything from emails to video chat logs—directly from nine major Internet companies. What's interesting isn't just that these companies have issued seeming denials to these claims, but how they've issued them.
"Facebook is not and has never been part of any program to give the U.S. or any other government direct access to our servers. ... We hadn't even heard of PRISM before yesterday," Facebook CEO Mark Zuckerberg said on that site. "When governments ask Facebook for data, we …only provide the information if is required by law."
“We have never heard of PRISM," Apple said. "We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order.”
“We do not have any knowledge of the Prism program," AOL announced. "We do not disclose user information to government agencies without a ... formal legal process, nor do we provide any government agency with access to our servers.”
"We provide customer data only when we receive a legally binding order or subpoena to do so," Microsoft said.
In other words, assuming no one is lying outright, all the companies the NSA says it taps for information agree on three things:
1) They don't give the government direct access to their servers.
2) They do comply with court orders.
3) They haven't heard about a specific system called PRISM.
There is absolutely nothing in these claims that contradicts a theory put forth by security expert Lauren Weinstein: that PRISM doesn't actually tap directly into any company’s servers. Instead, it's a quick and easy court process. Under it, the NSA and FBI can easily get a court order for targets of their choosing.
The government likely doesn't have "back doors" into major Internet sites that would allow government access to those sites' user data on a "willy-nilly" basis. But it does seem reasonable to assume ... that the government has pressured major Internet sites to deploy the means for rapid access to specific data requests that would be mediated by gatekeepers at those firms.
That is, NSA (or whomever) would have an expedited means to present a firm with (for example) a court order...
"That's certainly a possibility that would be consistent with what we know so far," Matt Zimmerman, an attorney at the Electronic Frontier Foundation, told the Daily Dot, though he stressed that understanding the exact nature of PRISM is still a work in progress.
In fact, the Director of National Intelligence, James Clapper, seemed to explicitly agree with this theory in a release issued Thursday. He doesn't refer to the program outlined in the Guardian and Washington Post articles as PRISM, but rather as a "collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act (FISA)."
FISA was renewed by law in 2012; it passed the House, dodged amendments in the Senate, and was signed by President Obama in December. FISA listens to NSA and FBI requests for information about communications—emails, phone calls—and issues something of a secret warrant for them to obtain this information. FISA rulings themselves are conducted in secret.
FISA courts—which, as of 2008, no longer require the government to show probable cause or even identify its targets to get a surveillance order—are set up to rapidly issue the exact sort of secret demands for user information that Weinstein suggested.
That leaves one hitch: What about the fact that none of those companies had apparently ever heard of PRISM? It probably doesn't matter. There's no particular reason the NSA would have to tell them the details of the overarching program under which it was obtaining court orders.
Besides, as cybersecurity expert Robert Graham tweeted, "Internal code names are often not shared with the counterparty. Just because NSA calls it PRISM doesn't mean Apple/Google knows that name."
Photo by davidsancar/Flickr