July 26, 2013

NSA says there are three different PRISMs

(Updated: July 28, 2013)

Yesterday, German media wrote about an official letter from the NSA, which was sent to the German government to clarify some misconceptions about PRISM. This because German media and politics were heavily confused after it became clear that there's more than one program named PRISM.

The NSA letter explains what the PRISM data collection program is about and then confirms that this program is different from a more common military web tool called "Planning tool for Resource Integration, Synchronization and Management" (PRISM).

Surprisingly, the NSA also reveals that there's even a third program called PRISM. In this case the name stands for "Portal for Real-time Information Sharing and Management" and it's apparently an internal NSA information sharing program. It was unknown until now, probably because it's used in the NSA's highly sensitive Information Assurance Directorate (IAD).

Initially: two different PRISMs

Almost immediately after The Guardian and The Washington Post came with their disclosure of PRISM on June 6, some people googled and found out there were also a number of other programs called PRISM. Because both papers failed to clarify the precise nature of PRISM, it seemed that the program could have been the same as a more common application called "Planning tool for Resource Integration, Synchronization and Management" (PRISM). We examined this in an earlier article.

However, this option of both PRISMs being one and the same had to be abandoned after The Washington Post published four new slides from the PRISM-presentation on June 29. These slides presented many new details and also proved that the PRISM which collects data from internet companies is different from the PRISM planning tool. The first operates on the national intelligence level, and the latter is used at a tactical level by the various military commands. These new insights were discussed on this weblog in this article and graphically shown in this figure:

Comparing the PRISM data collection program and the PRISM planning tool
(click for a bigger picture)

Confusion in Germany

On July 17, the German tabloid BILD came with big headlines claiming that troops of the German federal defense forces (Bundeswehr) in Afghanistan already knew about PRISM in 2011. This suggested that the German government was lying, because earlier it had denied all accusations of knowing anything about the PRISM program as unveiled by Edward Snowden.

BILD found "PRISM" mentioned in a confidential e-mail, which the ISAF Joint Command Headquarters in Kabul sent to all Regional Commands (RC) in Afghanistan on September 1, 2011:

Screenshot of the front page of the German tabloid BILD,
as shown on the German television channel ZDF

This publication caused a lot of discussion, so already on the same day, spokesmen from both the German foreign intelligence agency BND and the German defense forces declared that there are two different PRISM programs: the first one being the program unveiled by Edward Snowden, and the second one being a "computer supported US communications system", which is used in Afghanistan "to coordinate US reconaissance systems and to present collected information" - as we can read from this letter of the assistant Defense minister:

Screenshot of a letter from the assistent German Defense minister to the German parliament,
explaining the PRISM confusion, as shown on the German television channel ZDF

Both officials didn't say that the full name of this second PRISM is "Planning tool for Resource Integration, Synchronization and Management", making it harder to proof that both programs are different.

Again this shows severe deficiencies in informing the public and in research by the media. The BILD-article is pure sensationalism. Simply googling key words from sections of the e-mail like "collection management shop", "COMINT nominations [...] must be resubmitted into PRISM" and "SIGINT Operational Tasking Authority" would have rapidly pointed to the PRISM planning tool.

As described earlier, the second PRISM is a so-called tasking tool, which is used to request the intelligence information which is needed for military operations. As such it's the core application of the military intelligence collection management. This PRISM planning tool runs over the intelligence community's JWICS and the military's SIPRNet networks. It was developed by SAIC, first mentioned in 2002 and since then in many job descriptions on the internet.

Only very few media did this kind of research and found out that there are really two different PRISM programs. We can see for example one article at Netzpolitik.org, which connects a bit too many things, and another one at Golem.de, which is based upon research by this weblog.

A letter from the NSA

On July 25, the website of the German newspaper WELT cited a letter which the NSA sent to the German federal government to answer official questions about PRISM. The letter says the media is "confusing two separate and distinct PRISM programs" and continues with explaining what the first program is about:

"The first PRISM pertains to the foreign intelligence collection being conducted under Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA). This is the program that has caught the most attention of our publics, politicians and the media.
This is not bulk collection, and there are restrictions on how long the information can be retained. It is carefully targeted in accordance with a public law and requires court approval and supervision.
A fundamental, protective requirement of FISA is that it restricts the ability of the U.S. Government to obtain the contents of communications from communications service providers by requiring that the court find that the government has an appropriate and documented foreign intelligence purpose, such as the prevention of terrorism, hostile cyber activities or nuclear proliferation."

Screenshot of the letter from the NSA to the German government,
as shown on the German television channel ZDF

According to German media, the NSA letter continues by saying that the second PRISM program is a tool, which is used by US troops in Afghanistan to order and search intelligence information. This is the program mentioned in the ISAF e-mail from 2011 and is clearly the Planning tool for Resource Integration, Synchronization and Management (PRISM), allthough that's not only used in Afghanistan, but also at other US military commands.

Surprisingly and all by itself, the NSA added that there's even a third program called PRISM, which is fully independent from the two PRISM programs mentioned before. In this case the name is also an acronym, which stands for "Portal for Real Time Information Sharing and Management" and the program is apparently used for internal real-time exchange of information.

By now we already have quite some information about the first PRISM program, we know there's a clear distinction from the second PRISM tool and we even learned about a third PRISM. Nonetheless, German opposition leaders said they still hardly know what PRISM is all about, but this seems to be mainly for political ends, as Germany is facing general elections in September.

Now: three different PRISMs

It seems that NSA revealed the existance of the third PRISM program for the very first time, as it never appeared somewhere online before. If we google its full name, the only results are the recent German news reports. The German magazine Der Spiegel came with another quote, which seems to suggest that this third NSA tool "tracks and queries requests pertaining to our Information Assurance Directorate".

If that's correct, it could explain why we never heard of this program. The NSA's Information Assurance Directorate (IAD) is a very secretive division, because it's responsible for safeguarding US government and military secrets by implementing sophisticated encryption techniques.

Probably the most remarkable thing about the new "Portal for Real-time Information Sharing and Management" is not its function, which seems pretty obvious, but the fact that there are three programs with exactly the same name.

But from what we know by now, it also becomes clear that each program is used for different purposes and in different environments: the PRISM data collecting program is part of NSA's Signals Intelligence division, the PRISM planning tool is used for military intelligence and the PRISM information sharing portal in the Information Assurance division of the NSA.

Finally, here's a short summary of all three different PRISM programs:

This is a codeword for an NSA project of collecting information about foreign targets from data of nine major US internet companies. This program started in 2007 and was unveiled by Edward Snowden in June 2013.

2. Planning tool for Resource Integration, Synchronization and Management (PRISM)
This is a web tool used by US military intelligence to send tasking instructions to data collection platforms deployed to military operations. This program is not very secret and was first mentioned in 2002.

3. Portal for Real-time Information Sharing and Management (PRISM)
This is an internal NSA program for real-time sharing of information, apparently in the NSA's Information Assurance Directorate. Its existance was revealed by the NSA in July 2013.

July 16, 2013

New slides about NSA collection programs

(Updated: November 30, 2014)

Over the last month, the publication of various slides of a powerpoint presentation about the top secret NSA collection program PRISM caused almost worldwide media attention. Less known is that a number of new slides about other NSA collection programs were published on July 6 by the Brazilian newspaper O Globo.

These and a few other slides were also shown on Brazilian televion, combined with an interview with Guardian-columnist Glenn Greenwald, who lives in Rio de Janeiro. Screenshots of some of the slides shown on Brazilian television became available on Flickr (see Links and Sources). On July 21, the German magazine Der Spiegel published some extra details about the XKEYSCORE program.


Brazilian television and the O Globo website presented a whole new series of four slides from what seems to be a presentation about the FAIRVIEW program or maybe the broader "collection of communications on fiber cables and infrastructure as data flows past", which was called "Upstream" in one of the PRISM-slides.

The first slide (below) shows the logos of the NSA and its Special Source Operations (SSO) unit, and a map representing "1 Day view of authorized (FAA ONLY) DNI traffic volumes to North Korea within FAIRVIEW environment". As DNI stands for Digital Network Intelligence, this map apparently shows internet traffic to North Korea, as traced by the FAIRVIEW program.

According to O Globo these maps show the amount of exchanged messages and phone calls (allthough DNI only refers to internet traffic) by various countries in the world with North Korea, Russia, Pakistan and Iran. Below we see DNI traffic to Pakistan on March 4 and 5, 2012:

A third slide shows a list op "Top 20 Pakistani domains (.pk)" which where apparently tracked between February 15, 2012 and March 11, 2012:

A fourth slide shows some lines with names of collection managers of OAKSTAR, BLARNEY and what appears to be the STORMBREW and (the hitherto unknown) OCELOT programs (Update: newly disclosed slides show that the latter word is actually MADCAPOCELOT). Brazilian television showed this slide uncensored with the names visible, but here we blacked them out:

According to former NSA official Thomas Drake FAIRVIEW is a highly classified program for tapping into the world’s intercontinental fiber-optic cables. It acts as an "umbrella program" with other programs underneath it. One of them is BLARNEY, which is a program to access internet data at key junctions and is facilitated by arrangements with commercial cable companies and internet servce providers.

According to Drake, "BLARNEY is to the international Internet space as PRISM is to the domestic". FAIRVIEW is apparently also the method through which the NSA receives the information it has collected, essentially co-opting the fiber optic cables to transmit the data back to the agency to be analyzed by data mining programs.

> See for many more: Slides about NSA's Upstream collection


The Brazilian television also showed one slide from a presentation which wasn't mentioned or seen earlier. The only information we have, is the slide itself and what the O Globo website tells about it:

The slide is titled PRIMARY FORNSAT COLLECTION OPERATIONS, and the O Globo website says it shows a network of 16 facilities for intercepting transmissions from foreign satellites. The slide shows markings in blue and green, where blue represents "US Sites" and green "2nd Party" for intercepting locations run by partner signals intelligence agencies of the UKUSA Agreement.

US Sites:
- JACKKNIFE, Yakima (US)
- TIMBERLINE, Sugar Grove (US)
- CORALINE, Sabena Seca (Puerto Rico)
- SCS, Brasilia (Brazil)
- MOONPENNY, Harrogate (Great Britain)
- GARLICK, Bad Aibling (Germany)
- LADYLOVE, Misawa (Japan)
- LEMONWOOD, Thailand
- SCS, New Delhi (India)

2nd Party Sites:
- CARBOY, Bude (Great Britain)
- SOUNDER, Ayios Nikolaos (Cyprus)
- SNICK, near Seeb (Oman)
- SCAPEL, Nairobi (Kenya)
- STELLAR, Geraldton (Australia)
- SHOAL BAY, Darwin (Australia)
- IRONSAND, Waihopai (New Zealand)

Most of these locations were part of the ECHELON satellite intercept program. The NSA station at Bad Aibling in Germany was closed down in 2004 and turned over to the German foreign intelligence agency BND. At the same time, a joint NSA-BND unit was established at the nearby Mangfall Barracks.

According to Snowden, the NSA personnel from this unit maintain their own communications hub connected to the NSA headquarters. This cooperation between NSA and BND is based on a Memorandum of Agreement dated April 28, 2002.

The SCS sites in Brasilia and New Delhi are units of the Special Collection Service, a joint CIA/NSA program to collect information through covert listening posts based in US embassies in foreign capitals.

An article showing a better version of the map says that it's from 2002, which explains why it shows the stations at Bad Aibling and Sabena Seca, both of which have since closed.

> See for the 2012 situation: NSA's global interception network - FORNSAT


Already nine slides from the presentation about the PRISM data collection program were published on the websites of The Guardian and The Washington Post. On this weblog we also discussed the first five slides and the following four slides, which were additionally published by the Post.

The Brazilian television showed two new pictures, the first is the fifth slide published by The Guardian, but only showing the world map with fiber optic cables, and without the text balloons about "Upstream" and "PRISM" collection methods, which apparently show up after clicking the original powerpoint presentation:

The slide which is below was not published earlier. Just like the previous slide, this one is also about "FAA702 Operations", which means operations under section 702 of the FISA Amendment Act (FAA) of 2008. The slide shows the same world map with fiber-optic cables and is hardly readable, but according to Wikipedia, the subheader reads "Collection only possible under FAA702 Authority" and the program name FAIRVIEW is the central cyan colored box. Maybe the codenames of other programs are in the yellow box at the right side:

An eleventh slide of the PRISM presentation appeared on the website of O Globo, some days after the previous slides were shown on television. This slide is titled "A Week in the Life of PRISM Reporting" and shows some samples of reporting topics from early February 2013:

It seems the bottom part of this slide was blacked out by Brazilian media, as the Indian
paper The Hindu disclosed that this slide also mentions "politics, space, nuclear" as
topics under the header "India", and also information from Asian and African
countries is contributing to a total of "589 End product Reports".

These lists show that PRISM is used for collecting data about the usual strategical and tactical targets and not about ordinary people, as most of the media reports suggest.

> See for all known PRISM slides: What is known about NSA's PRISM program



Brazilian television showed a whole new set of slides about the XKEYSCORE program. According to O Globo, XKEYSCORE detects the nationality of foreigners by analysing the language used within intercepted emails, which the paper claims has been applied to Latin America and specifically to Colombia, Ecuador, Venezuela and Mexico.

In total, O Globo showed four slides about the XKEYSCORE program, which are classified as TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL. This means this information can be shared with signals intelligence agencies from Australia, Canada, Great Britain and New Zealand, which are cooperating under the so called UKUSA Agreement.

XKEYSCORE collects data with the help of over 700 servers based in "US and allied military and other facilities as well as US embassies and consulates" in several dozen countries. These locations are shown on the slide below:

The next slide shows how the collected data of so-called sessions are processed by separating them into different communication information, which are stored in various databases:

According to O Globo the XKEYSCORE can also track people by localities when they are using Google Maps:

This slide is follewed by one showing a map of Afghanistan and surrounding countries with a lot of coloured marking points, without any clarification of what they represent:

According to new information published by the German magazine Der Spiegel (pdf) on July 21, the slides about X-KEYSCORE are from a presentation dated February 25, 2008. It's said that, starting with the metadata, the program is able to retroactively reveal any terms a targeted person has typed into a search engine like Google or Google Maps. Furthermore, there's a buffer storage capable of storing a "full take" of intercepted raw data for several days. X-KEYSCORE can also to monitor user activity in near real time, as well as showing "anomalies" in internet traffic.

In December 2012, XKEYSCORE gathered around 180 million data sets from Germany alone. Apparently the German federal security service BfV was equipped with XKEYSCORE to "expand their ability to support NSA as we jointly prosecute CT [counterterrorism] targets" and the German foreign intelligence agency BND was tasked with instructing the BfV on how to use the program.

On July 25, the directors of the German intelligence agencies briefed members of the German parliamentary intelligence oversight committee about the various NSA programs. They said that XKEYSCORE is used by the BND since 2007, that BfV uses a test version since 2012, and that this program is not for collecting data, but only for analysing them. The director of the BfV even gave a partial demonstration of the test version of XKEYSCORE.

On July 31, The Guardian published a full presentation about XKEYSCORE, which confirms that this program is not for data collection, but for data analysing.

(Updated on September 22 with the eleventh PRISM slide and on October 23 with a better FornSat slide)

Links and Sources
- Brazilian television report: La CIA y la NSA espiaron mediante satélites desde Brasil & Slides
- O Globo slides: Mapa mostra volume de rastreamento do governo americano
- Cryptome translations: NSA Email and Phone Tracking Programs
- Screenshots on Flickr: NSA Hawaii in USB Made in China
- DailyDot.com: Forget PRISM: FAIRVIEW is the NSA's project to "own the Internet"
- Der Spiegel-article: 'Prolific Partner': German Intelligence Used NSA Spy Program

See also: Boundless Informant NSA data-mining tool – four key slides

July 7, 2013

New insights into the PRISM program

(Updated: January 21, 2016)

Last Saturday, June 29, the Washington Post unexpectedly disclosed four new slides from the powerpoint presentation about the PRISM data collection program.

This disclosure came as a surprise, because earlier, Guardian-journalist Glenn Greenwald said that no more slides would be published because they contain very specific technical NSA means for collection, for which The Guardian would probably be prosecuted.

That The Washington Post now disclosed them, is even more surprising, not only because it's an American paper, but also because it's said that Edward Snowden initially went to The Post asking to publish all 41 slides of the PRISM presentation. But The Washington Post refused to do so and therefore Snowden gave the scoop to The Guardian, which published the first four slides.

It's not clear who exactly released the four new slides, whether it was Snowden himself or editors of The Washington Post, and what the reason was for doing it. Allthough these new slides show some of the same oddities we already saw in the first series, these new ones have a very specific and detailed content. This makes them look far more genuine and, more importantly, show much better how PRISM actually works.

We now learn that PRISM is not one single technical system or computer application, but a data collecting project which combines a number of different tools, computer systems and databases, some existing, some maybe new. This also means that this PRISM program is not the same thing as the Planning tool for Resource Integration, Synchronization and Management (PRISM), a theory which was examined in our previous posting.

> The latest information: What is known about NSA's PRISM program

The PRISM tasking process

In this first new slide (below) we see details of the PRISM Tasking Process, which is how instructions for gathering the requested data are sent and reviewed. This process starts with an NSA analyst typing one or more search terms, or "selectors" as NSA calls them, into the Unified Targeting Tool (UTT). Selectors may refer to people (by name, e-mail address, phone number or some other digital signature), organizations or subjects such as terrorism or uranium related terms.

Along with the selectors, the analyst must fill out an electronic form that specifies the foreign-intelligence purpose of the search and the basis for the analyst’s reasonable belief that the search will not return results for US citizens or foreign nationals who are within the US at the time of data collection.

The slide shows that it's possible to search existing communications that are already stored ("Stored Comms") and also to initiate a search for new, future communications of selected targets. The latter option is called "Surveillance", which by a number of media was erroneously interpreted as the possibility of real-time monitoring of for example an internet chat.

Every request made by a target analyst must be approved twice. For new surveillance requests, an FAA Adjudicator (S2) does the first review and validation of the target. The slide says that there are such adjudicators in every so-called Product Line, which are the NSA departments for specific issues like counter terrorism and couter proliferation. A second and final review of the analysts' determination is done by NSA unit S343 for Targeting and Mission Management, which then releases the tasking request through the Unified Targeting Tool. Then it's apparently a computer system called PRINTAURA which distributes the requests to the different collection sites.

For searching stored communications, the first check is done by the Special FISA Oversight and Processing unit (SV4). According to The Washington Post this seems to refer to the federal judges of the secret Foreign Intelligence Surveillance Court (FISC), but according to national security reporter Marc Ambinder, the "FISA Oversight and Processing" is an internal NSA unit. The second and final review is once again done by unit S343 for Targeting and Mission Management. After the request is released to PRINTAURA, the Electronic Communications Surveillance Unit (ECSU) of the FBI checks against its own database to filter out known Americans.

Different tasking tools

In another source the Unified Targeting Tool (UTT) is described as a DNR tasking tool, which means it's a software program used to send so called tasking instructions to dedicated devices, telling them which data should be collected. As DNR stands for Dial Number Recognition, this sounds like the targeting tool is aimed at finding out who is behind a certain phone number, but as NSA sources often mention DNR equal to DNI (Digital Network Intelligence or internet content), it seems DNR stands for information derived from telephone networks in general.

According to one of the earlier slides, NSA analysts should also use other sources, like data which can be gathered through access points that tap into the internet’s main gateway switches ("Upstream collection"). This is done through collection programs codenamed FAIRVIEW, STORMBREW, BLARNEY and OAKSTAR. Allthough by its name the Unified Targeting Tool (UTT) seems to be of a generic nature, it's not clear whether it can be used also for tasking these other sources, or that they need other tasking tools. According to the book "Der NSA Komplex" the UTT replaced the OCTAVE telephony tasking system in 2011.*

Screenshot of the Unified Targeting Tool (UTT) showing how to select a "Foreigness Factor"
(note the URL in the address bar starting with "gamut")

From a number of job descriptions we learn that this Unified Targeting Tool is often mentioned in connection to GAMUT and sometimes also to CADENCE. We see this written like "GAMUT-UNIFIED TARGETING TOOL", "GAMUT/UTT" or "CADENCE/UTT". Both GAMUT and CADENCE are nicknames for what is said to be a "collection mission system for tasking" and probably refer to databases which store the tasking requests from the Unified Targeting Tool.

An interesting coincedence is that the word gamut means a range of colors that can be reproduced by a certain technique - like a prism can break light up into its constituent spectral colors.

More important is that the new slide shows that for PRISM the Unified Targeting Tool (UTT) is used for tasking, which means that this PRISM program is different from the Planning tool for Resource Integration, Synchronization and Management (PRISM), which itself is a tasking tool. Before the new slides were released, The Guardian and The Washington Post failed to explain whether PRISM was a single application or a project-like program.

Infographic comparing the PRISM data collection program and the PRISM planning tool
(click for a bigger picture)

Now we know that the PRISM planning tool isn't the application used for tasking the data collection from the internet companies, it's also clear that the PRISM planning tool is used primarily for requesting information needed for military operations and therefore tasks various intelligence sources deployed to those operations. By contrast, the Unified Tasking Tool used under the PRISM program is for requesting information on the national level.

The actual data collection

The actual collecting of the internet data under the PRISM program is not done by the NSA, but by the Data Intercept Technology Unit (DITU) of the FBI. This makes sense, as the FBI is the agency which is primarily responsible for investigating US companies and citizens.

From one source it seems that the Data Intercept Technology Unit was set up in 2011 or 2012 to monitor new and emerging technology with court-authorized intercepts, but this source (pdf) says that it already existed in 1997. There's a challenge coin of DITU (right) dating from after 9/11, as it shows pictures of the World Trade Center and the Pentagon.

In it's comments on this slide, The Washington Post says this FBI "interception unit [is] on the premises of private companies", which isn't the case as DITU is an FBI unit based at Quantico, Virginia. They can have equipment installed at sites of the internet companies, but for that no evidence is presented, making one author questioning whether there is such equipment at all.

Initially the DITU managed the FBI's internet monitoring programs Omnivore and Carnivore, tapping into the internet at ISP locations. The raw data were decoded by using the Packeteer en Coolminer tools, as can be read in this document (pdf) from 2010, but according to the PRISM-reporting, the unit can now also order data from companies like Google, Yahoo, Microsoft, Apple and others directly.

A new report by Declan McCullagh says that internet companies don't want the FBI to install listening devices on their networks. In order to prevent that, they are willing to cooperate with the FBI by adding their own monitoring capabalities to their network and server equipment, which makes it easier for them to comply with government information requests. This would mean that there's no need for dedicated FBI data collecting devices at the companies premises.

Earlier, Google said that when it receives a valid FISA court order, it delivers the information to the US government through secure FTP transfers or in person. Another option is doing this by using an encrypted dropbox, where an internet company can drop the requested data. Facebook and Microsoft said they will only hand over data or information about specific individuals upon receiving a legally binding order or subpoena.

Depending on the company, a PRISM-tasking may return e-mails, attachments, address books, calendars, files stored in the cloud, text or audio or video chats and metadata that identify the locations, devices used and other information about a target. After collecting, the FBI's Data Intercept Technology Unit passes this information to one or more so called customers at the NSA, the CIA or the FBI itself.

Storage of collected PRISM data

A second slide (below) shows how collected data flows into the various NSA servers. It's the Data Intercept Technology Unit (DITU) of the FBI which collects raw data from the internet companies, and sends them to the NSA. At NSA the data first go to a system called PRINTAURA, which, according to the Washington Post, automates the traffic flow.

As PRINTAURA also distributes the tasking requests, it seems this system is the technical heart of the PRISM program, which may also be indicated by the fact that both nicknames/codewords start with the same three letters. As we learn from the slide, PRINTAURA is managed by NSA unit S3532.

All NSA offices, operations, units and cells have their own designation, consisting of a letter, followed by some numbers. We remember that the first slide of the PRISM presentation has a line which says "[...] PRISM Collection Manager, S35333". This means the author of the slides was a collection manager attached to unit S35333, which, just like the PRINTAURA unit S3532, is part of the S35 or Special Source Operations (SSO) division according to this NSA orgchart.

From PRINTAURA data go to a database called TRAFFICTHIEF, which according to this article was set up as part of the TURBULANCE program to detect threats in cyberspace. From a slide about the XKeyscore tool, published by The Guardian on July 29, we learn that TRAFFICTHIEF is a database for metadata about specifically selected e-mail addresses.

Data to be processed are send to a system called SCISSORS, which is managed by unit T132, and from there onto unit S3132 for "Protocol Exploitation". This does the processing of something which is blacked out - probably the specific classified codeword used for these internet data.

This processing sorts the data into different types and protocols and dispatches them to the various NSA databases for storage. But before that, metadata and voice content have to pass FALLOUT and CONVEYANCE. According to the Washington Post, these systems appear to be a final layer of filtering to reduce the intake of information about Americans, but an internal NSA document describes FALLOUT as a "DNI ingest processor". All other data once again pass the SCISSORS system.

Finally, the collected data are stored in the following databases:
- MARINA: for internet metadata
- MAINWAY: for telephone and internet metadata contact chaining
- NUCLEON: for voice content
- PINWALE: contrary to what many other media say, this database is not only for video content, but also for "FAA partitions" and "DNI content". DNI stands for Digital Network Intelligence, which is intelligence derived from digital networks, or simply: internet content, like forum postings and e-mail and chat messages. The word PINWALE is often combined with the abbreviation UIS, which stands for User Interface Services, apparently an interface tool for accessing and searching databases.

Analysing collected data

There are no slides available saying what happens with these data after being stored, but The Washington Post says that "After processing, [collected data] are automatically sent to the analyst who made the original tasking. The time elapsed from tasking to response is thought to range from minutes to hours. A senior intelligence official would say only, Much though we might wish otherwise, the latency is not zero."

At the moment it's not clear which tool or application is used to analyse the data gathered from the US internet companies. National security reporter Marc Ambinder says that PRISM itself might be "a kick-ass GUI [graphic user interface] that allows an analyst to look at, collate, monitor, and cross-check different data types". However, until now there's no evidence for PRISM being such a tool for analysis.

Most tools used by NSA employees are listed in job descriptions and the PRISM we see there is always the Planning tool for Resource Integration, Synchronization and Management, that we talked about in our previous posting.

Therefore, it's likely that data gathered under the PRISM program are analysed using other common NSA analysing tools, like the XKEYSCORE indexing and analysing tool, which The Guardian erroneously presented as a collection program, or a more specific tool called DNI Presenter, which is used to read the content of stored e-mails and chats or private messages from Facebook and other social networks.

Based upon what such analysis presents, NSA analysts use other tools, like CPE (Content Preparation Environment), to write a report. Such reports are then stored in databases for finished NSA intelligence products, like ANCHORY. Finally, these intelligence reports are available to end users through the Top Secret section of INTELINK, which is the intranet of the US intelligence community.

PRISM case notations

A third slide (below) shows how each target gets a unique PRISM case notation and what the components of these notations are.

Abbreviations: IM = Instant Messaging; RTN-EDC = Real Time Notification-Electronic Data Communication(?);
RTN-IM = Real Time Notification-Instant Messaging; OSN = Online Social Networking; CASN = Case Notation

The first position is the designation for each of the providers from which internet data are collected. Some people noticed the numbers jumped from P8 for AOL to PA for Apple, but someone suggests that P9 was maybe assigned to a company that fell out, and that the numbers may be hexadecimal, so the next provider will be PB, followed by PC, etc., as B = 11, C = 12, etc.

The next position of the case notation is a single letter, designating the content type, like e-mail and chat messages, social network postings, but also so-called real-time notifications (RTN) for e-mail and chat events. The Washington Post and other media apparently misinterpreted this by saying that NSA officials "may receive live notifications when a target logs on or sends an e-mail, or may monitor a voice, text or voice chat as it happens".

(Update: compare this to the data analysing tool TAC, which is used by the Defense Intelligence Agency and offers "real-time analysis of data" by alerting "analysts immediately when fresh intelligence is detected".)

In the slide, the real-time notifications are clearly listed as being "Content Type" and most of us will know them as the messages you get when someone logs in at an internet chatroom or an instant messenger, or when you receive an e-mail through an e-mail client. These notification messages are also available for NSA analysts, but only after being collected and stored, just like all other types of internet content.

Searching the collected data

The fourth new slide (below) is presented by The Washington Post as being about "Searching the PRISM database", but as we just learned from the dataflow slide, there is no single PRISM-database. Data collected from the internet companies go into separate databases, according to the type of data. Some of these databases already existed before the PRISM program was started in 2007.

The content of the slide shows a screenshot of a web based application called REPRISMFISA, which is probably accessible through the web address which is blacked out by the Post. Unfortunately there's no further explanation of what application we see here, but if we look at the word REPRISMFISA we can imagine the application is for going "back to data collected under the PRISM program according to the Foreign Intelligence Surveillance Act (FISA)". Remember also that in one of the earlier slides it's said: "Complete list and details on PRISM web page: Go PRISMFAA".

Above the olive green bar, there is a line saying: "DYNAMIC PAGE - HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET // [blacked out] / SI / TK // ORCON // NOFORN" This means that depending on the generated content of the page, it has to be classified as TOP SECRET, with additionally one or several of the following Sensitive Compartmented Information control systems:
- TALENT KEYHOLE (TK - for data collected by space-based collection platforms)
- Special Intelligence (SI - for data from communications intercepts)
- an undisclosed control system marked by a classified codeword, which is blacked out by The Washington Post. Probably this is the codeword used for information which is based upon data derived from the internet companies. As said earlier, "PRISM" is not a codeword used for content, but rather the (unclassified) nickname of the program for collecting certain internet data.

In the center of the page there are three icons, which can be clicked: PRISM, FBI FISA and DOJ FISA. This seems to confirm that this application is used to search data collected under the Foreign Intelligence Surveillance Act (FISA), specified for use by NSA, FBI and the Department of Justice (DOJ).

Below these icons there is a search field, to get a partial list of records. The search options seem rather limited, as only two keywords can be entered, with an additonal "and/or" option. At the left there's a column presenting a number of options for showing totals of PRISM entries. For checking the record status, one can click the following options:
- See Entire List (Current)
- See Entire List (Expired)
- See Entire List (Current and Expired)
- See NSA List
- See New Records
- Ownership count

Below this list, the text says: "If the total count is much less than this, REPRISMFISA is having issues, E-MAIL the REPRISMFISA HELP DESK AT [address blacked out] AND INFORM THEM"

The numbers below that text are hardly readable, but the Washington Post says that on "April 5, according to this slide, there were 117,675 active surveillance targets in PRISM's counterterrorism database". This sounds like a huge number, but without any further details about these targets it's almost impossible to give some meaningful opinion about it.

(Updated with minor additions and corrections based upon recently disclosed documents)

Links and Sources

- ForeignPolicy.com: Meet the Spies Doing the NSA's Dirty Work
- TheWeek.com: Solving the mystery of PRISM
- ForeignPolicy.com: Evil in a Haystack
- WashingtonPost.com: Inner workings of a top-secret spy program
- TechDirt.com: Newly Leaked NSA Slides On PRISM Add To Confusion, Rather Than Clear It Up
- Technovia.co.uk: Something doesn’t add up in the lastest Washington Post PRISM story
- VanityFair.com: PRISM Isn’t Data Mining and Other Falsehoods in the N.S.A. “Scandal”
- CNet.com: FBI: We need wiretap-ready Web sites - now (2012)
- CNet.com: How the U.S. forces Net firms to cooperate on surveillance