(Updated: July 8, 2014)
In June last year, the Snowden leaks started with the disclosure of the PRISM program. For many people it stands for NSA surveillance in general, because they often still have no idea what PRISM is actually about.
Therefore, this article presents almost everything we know about the PRISM program, combining information from my earlier postings and from other media and government sources.
It shows that PRISM is not about bulk or mass surveillance, but about collecting the communications of specifically identified targets. NSA also has no "direct access" to the servers of companies like Microsoft, Facebook and Google - it's a unit of the FBI that actually picks up the data.
In total, ca. 227 million internet communications are collected under the PRISM program each year, contributing to reports about terrorism and a wide variety of other national security issues. Annually, NSA analysts write more than 20.000 PRISM-based reports, which is ca. 15% of all intelligence reports the agency produces.
Most of what we know about PRISM comes from an internal NSA presentation of 41 slides. Edward Snowden initially asked The Washington Post to publish the full slide deck, but the paper refused, and so only 4 slides were subsequently published by The Guardian. Other slides were revealed later on. So far, a total of 17 slides have been published and another 4 were incidentally or partially shown on television. This means that the remaining 20 slides are still being withheld.
All known slides are shown here, in an order that probably comes closest to the original presentation. The slides (click them to enlarge) have a number which is only for reference. If new slides of this PRISM presentation become available, they will be added here.
Published by The Guardian and The Washington Post on June 6, 2013; it shows the title of the presentation.
All slides are marked TOP SECRET//SI//ORCON/NOFORN, which means they are classified as Top Secret and protected by the control system for Special Intelligence (SI). Dissemination is strictly controlled by the originator (ORCON), and release to foreign nationals is prohibited (NOFORN).
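Banner lines like the one above follow a fixed public format (segments separated by `//`, items within a segment by `/`), so their handling consequences can be derived mechanically. The following Python is an added example for this article, not code from the page or from any NSA or government system: it splits a banner into classification level, SCI control system(s) and dissemination controls, and derives what each marking implies for handling. The token tables are an assumption and deliberately short; a real implementation would load the full marking register.

```python
"""Parse a US classification banner line such as the marking on the PRISM
slides, TOP SECRET//SI//ORCON/NOFORN, into its components.

Added example for this article, not code from the page or from any
government system. Format assumed: segments separated by "//", items
within a segment by "/". The token tables below are an assumption and
deliberately incomplete.
"""
from dataclasses import dataclass, field

CLASSIFICATIONS = ("TOP SECRET", "SECRET", "CONFIDENTIAL", "UNCLASSIFIED")

# SCI control systems (SI = Special Intelligence, TK = TALENT KEYHOLE, ...).
SCI_CONTROLS = {"SI", "TK", "HCS", "G"}

# Dissemination controls. "REL TO" is followed by a country/group list and
# is matched by prefix in parse_banner().
DISSEM_CONTROLS = {"ORCON", "NOFORN", "IMCON", "PROPIN", "FISA", "RELIDO"}


@dataclass
class Banner:
    classification: str
    sci: list = field(default_factory=list)
    dissemination: list = field(default_factory=list)
    other: list = field(default_factory=list)


def parse_banner(line: str) -> Banner:
    """Split a banner line into classification, SCI and dissemination parts."""
    segments = [s.strip() for s in line.strip().split("//")]
    level = segments[0].upper()
    if level not in CLASSIFICATIONS:
        raise ValueError(f"unrecognised classification level: {segments[0]!r}")
    banner = Banner(classification=level)
    for segment in segments[1:]:
        for item in (t.strip().upper() for t in segment.split("/")):
            if not item:
                continue
            # Sub-compartments are written SI-G, TK-B etc.; the control
            # system is the part before the hyphen.
            system = item.split("-", 1)[0]
            if system in SCI_CONTROLS:
                banner.sci.append(item)
            elif item in DISSEM_CONTROLS or item.startswith("REL TO"):
                banner.dissemination.append(item)
            else:
                banner.other.append(item)
    return banner


def handling(banner: Banner) -> dict:
    """Derive the handling consequences the markings imply.

    NOFORN and REL TO are mutually exclusive; a banner carrying both is
    rejected rather than silently resolved one way or the other.
    """
    rel_to = [d for d in banner.dissemination if d.startswith("REL TO")]
    noforn = "NOFORN" in banner.dissemination
    if noforn and rel_to:
        raise ValueError("NOFORN and REL TO on the same banner are contradictory")
    return {
        "sci_channels_required": bool(banner.sci),
        "originator_controls_dissemination": "ORCON" in banner.dissemination,
        "releasable_to_foreign_nationals": not noforn,
        "release_limited_to": rel_to[0][len("REL TO"):].strip() if rel_to else None,
    }


if __name__ == "__main__":
    # Constructed sample inputs: the PRISM slide marking and a REL TO banner.
    for line in ("TOP SECRET//SI//ORCON/NOFORN", "SECRET//REL TO USA, FVEY"):
        b = parse_banner(line)
        print(line, "->", b, handling(b))
```

The contradiction check in `handling()` is the part worth copying: marking parsers that quietly pick one of two conflicting dissemination controls are how mislabelled material ends up released to the wrong audience.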
The SIGINT Activity Designator (SIGAD) of the PRISM program is US-984XN, which indicates that PRISM is part of the BLARNEY-family and used for collecting data under the authority of the FISA Amendments Act.
> See also: PRISM as part of the BLARNEY program
The media have redacted the name of the person who is the PRISM collection manager, a title which is followed by S35333, which is NSA's internal organization designator for a unit of the Special Source Operations (SSO). The logo of this division is in the top left corner of each slide, with in the opposite corner a logo for the PRISM program itself.
Immediately after the first slides of the presentation were published, some people thought it could be fake or photoshopped because of the not very professional looking design and the copy-paste elements. After more, and especially far more complex, slides became available, we can now assume the presentation to be genuine.
> See also: Are the NSA's PRISM-slides photoshopped?
This presentation about PRISM was given in April 2013, which is just a month before Edward Snowden left his job at NSA and therefore this seems to be one of the most recent documents he was able to download from the internal NSA network.
General aspects of PRISM
The following slides are about the workings of the PRISM program in general:
Published by The Guardian and The Washington Post on June 6, 2013; it shows a short introduction of the world's telecommunications backbone.
The diagram shows that the majority of international communications from Latin America, Europe and even from Asia flow through the United States, which makes it easy for NSA to intercept them on American soil.
Note that most of the communications from Africa (the continent where many jihadist groups from the Middle East went to in recent years) are going through Europe, which explains why NSA sometimes needs European partner agencies (like from the Netherlands) to access them.
Published by The Guardian and The Washington Post on June 6, 2013; it shows which internet companies are involved and what kind of communications can be received by the NSA.
We see that under PRISM the NSA is able to collect e-mail, chat, video and voice messages, photos, stored data and things like that. But there are also "Notifications of target activity - logins, etc". This was interpreted by The Washington Post as a function that gives NSA analysts live notifications "when a target logs on or sends an e-mail".
But as these notifications are clearly listed as collected data (see also slide 8 down below), it's more likely they refer to the notification messages you get when someone logs in at an internet chatroom or an instant messenger, or when you receive an e-mail through an e-mail client.
It is possible though that NSA analysts can get a notification when new communications from a target they are watching becomes available in NSA systems. Whether (near) real-time monitoring of a target's communications is possible, depends on the way these data are made available to NSA (see slide 5 below).
Published by The Guardian and The Washington Post on June 6, 2013; it shows the dates when PRISM collection began for each provider:
- Microsoft: September 11, 2007
- Yahoo: March 12, 2008
- Google: January 14, 2009
- Facebook: June 3, 2009
- PalTalk: December 7, 2009
- YouTube: September 24, 2010
- Skype: February 2, 2011
- AOL: March 31, 2011
- Apple: October 2012
According to the book 'Der NSA Komplex', which was published by Der Spiegel in March 2014, PRISM also gained access to Microsoft's cloud service SkyDrive (now called OneDrive) as of March 2013. This was realized after months of cooperation between FBI and Microsoft.*
The Washington Post reported that in the speaker's notes accompanying the presentation, it's said that "98 percent of PRISM production is based on Yahoo, Google and Microsoft; we need to make sure we don’t harm these sources". The Post also says that "PalTalk, although much smaller, has hosted traffic of substantial intelligence interest during the Arab Spring and in the ongoing Syrian civil war".
The program cost of 20 million dollars per year was initially interpreted as being the cost of the program itself, but later The Guardian revealed that NSA pays for expenses made by cooperating corporations, so it seems more likely that the 20 million is the total amount NSA pays to the companies involved in the PRISM program.
Published by The Washington Post on June 29, 2013; it shows the PRISM tasking process, which means how the actual collection facilities are instructed about what data should be gathered.
The process starts with an NSA analyst entering selectors into the Unified Targeting Tool (UTT). In this case, selectors can be e-mail or IP addresses, but not keywords. According to an article in the French paper Le Monde, there are some 45.000 selectors involved in the PRISM collection.
Analysts can order data from two different sources:
- Surveillance, which means communications that will happen from the moment the target was selected (although the media interpreted this as the ability to real-time "monitor a voice, text or voice chat as it happens")
- Stored Comms, which are communications stored by the various providers dating from before the moment the target was selected
Edward Snowden vehemently accuses NSA of a lack of control and oversight mechanisms, which according to him means that analysts have unrestricted access to the communications of virtually everyone in the world. But the diagram in the slide clearly shows that there are multiple steps for approving every collection request:
1. For Surveillance a first review is done by an FAA Adjudicator in the analyst's Product Line (S2) and for Stored Comms there's a review by the Special FISA Oversight and Processing unit (SV4).
2. A second and final review is done in both cases by the Targeting and Mission Management (S343) unit. Only after passing both stages, the request is released through the UTT and the PRINTAURA distribution managing system.
3. For Stored Comms the Electronic Communications Surveillance Unit (ECSU) of the FBI even does a third check against its own database to filter out known Americans.
Then it's the Data Intercept Technology Unit (DITU) of the FBI that goes to the various internet companies to pick up the requested data and then sends them back to NSA.
As indicated by companies like Google, they deliver the information to the FBI in different ways, like through a secure FTP transfer, an encrypted dropbox or even in person. According to a report by the journalist Declan McCullagh, the companies prefer installing their own monitoring capabilities to their networks and servers, instead of allowing the FBI to plug in government-controlled equipment.
> See also: The PRISM tasking process
By September 2012, the communications of some 45.000 selectors were being monitored. The strongest growth was Skype (up 248%), Facebook (up 131%) and Google (up 61%).
Published by Der Spiegel on June 18, 2014. It shows a table with numbers about requesting (tasking) the collection of internet communications (DNI) through the Unified Targeting Tool (UTT).
The table lists NSA units which are called Product Lines (click here for an explanation of the internal designations). For each unit it is shown how many DNI selectors, like e-mail and IP addresses, they are tasking in total and how many of those are directed to the PRISM program. We also see the percentages and the change compared to the previous year.
In absolute numbers, the top-5 units tasking most DNI requests for PRISM are:
- S2I: Counter-Terrorism Product Line (11.461 selectors)
- S2E: Middle East and Africa Product Line (6935 selectors)
- F6: NSA/CIA Special Collection Service (4007 selectors)
- S2D: Counter Foreign Intelligence Product Line (3796 selectors)
- F22: European Cryptologic Center (3523 selectors)
In total, all these NSA-units requested the communications of 175.126 internet addresses, of which 49.653 (or 28% of the total) were tasked to PRISM. It's not clear whether these numbers include double selectors, like ones tasked by multiple units.
Published on Wikipedia, where there's also a transcript of the text:
[...] your targets meet FAA criteria, you should consider tasking to FAA.
Emergency tasking processes exist for [imminent/immediate] threat to life situations and targets can be placed on [...] within hours (surveillance and stored comms).
Get to know your Product line FAA adjudicators and FAA leads.
According to an NSA report (pdf) published in April 2014, analysts "may seek to query a U.S. person identifier when there is an imminent threat to life, such as a hostage situation".
Just like a number of other slides and fragments thereof shown on television, there seems to be no good reason why a slide like this is still not published in a clear and proper way. They contain nothing that endangers the national security of the US, but instead would help to much better understand how the PRISM program is actually used.
Published by The Washington Post on June 29, 2013.
It shows the flow of data which are collected under the PRISM program. Again we see that it's the FBI's DITU that picks up the data at the various providers and sends them to the PRINTAURA system at NSA.
From PRINTAURA some of the data are directed to TRAFFICTHIEF, which is a database for metadata about specifically selected e-mail addresses and is part of the TURBULENCE umbrella program to detect threats in cyberspace.
The main stream of data is sent through SCISSORS, which seems to be used for separating different types of data and protocols. Metadata and voice content then pass the ingest processing systems FALLOUT and CONVEYANCE respectively. Finally, the data are stored in the following NSA databases:
- MARINA: for internet metadata
- MAINWAY: for phonecall metadata
- NUCLEON: for voice content
- PINWALE: for internet content, video content, and "FAA partitions"
> See also: Storage of collected PRISM data
Published by The Washington Post on June 29, 2013.
It shows the composition of the Case Notation (CASN) which is assigned to all communications which are intercepted under the PRISM program.
We see that there are positions for identifying the providers, the type of content, the year and a serial number. Also there's a fixed trigraph which denotes the source. For NSA's PRISM collection this trigraph is SQC. From another document (pdf) we learn that the trigraph for FISA data used by the FBI is SQF.
The abbreviations stand for: IM = Instant Messaging; RTN-EDC = Real Time Notification-Electronic Data Communication(?); RTN-IM = Real Time Notification-Instant Messaging; OSN = Online Social Networking.
> See for more about this slide: PRISM case notations
Published by The Washington Post on June 29, 2013.
The content of the slide shows a screenshot of a web based application called REPRISMFISA, which is probably accessible through the web address which is blacked out by the Post. Unfortunately there's no further explanation of what application we see here, but it seems to be for querying data collected under FISA and FAA authority.
In the center of the page there are three icons, which can be clicked: PRISM, FBI FISA and DOJ FISA. This shows that NSA, the FBI and the Department of Justice (DOJ) all use data collected under the authority of the Foreign Intelligence Surveillance Act (FISA), and that the NSA's part is codenamed PRISM.
Below these icons there is a search field, to query one or more databases resulting in a partial list of records. At the left there's a column presenting a number of options for showing totals of PRISM entries. The screenshot shows that in April 2013, there were 117.675 "current entries" for PRISM.
> See for more about this slide: Searching the collected data
The tool shown in this slide is not used for analysing the data. For that, analysts can use other software programs like DNI Presenter or Analyst's Notebook.
Section 702 FAA Operations
The following slides are about how PRISM can be used to collect various types of data. This collection is governed by section 702 of the FISA Amendments Act (FAA), which in NSA-speak is called FAA702 or just merely 702.
Section 702 FAA was enacted in 2008 in order to legalize the interception that had been going on since 2001 and that became known as the "warrantless wiretapping", because it was only authorized by a secret order of president George W. Bush. The FAA was re-authorized by Congress in December 2012 and extended for five years.
Under section 702 FAA, NSA is authorized to acquire foreign intelligence information by intercepting the content of communications of non-US persons who are reasonably believed to be located outside the US. This interception takes place inside the United States with the cooperation of American telecommunication and internet companies.
Operations under the original Foreign Intelligence Surveillance Act (FISA) from 1978 require an individual determination (the target might well be a whole organization though) by the FISA Court, but under FAA the Attorney General and the Director of National Intelligence (DNI) certify an annual list of targets. These certifications are then reviewed by the FISA Court to determine whether they meet the statutory requirements, like the minimization rules for hiding names and addresses of US citizens.
NSA can collect data that flow through the internet backbone cables, as well as data that are stored on the servers of companies like Google, Facebook, Apple, etc. The latter are collected "directly from the servers" as opposed to the communications that are still on their way to those servers when passing through the main internet cables and switches.
Directly from servers
The words "directly from the servers" were misinterpreted by The Guardian and The Washington Post, leading to the claim that NSA had "direct access" to the servers of the internet service providers. As the next slide will show, there's no such direct access.
(The claim of NSA having "direct access" was not only based on this slide, but also on misreading a section from the draft of a 2009 NSA Inspector General report about the STELLARWIND program, which on page 17 says: "collection managers sent content tasking instructions directly to equipment installed at company-controlled locations". The Washington Post thought this referred to the companies involved in the PRISM program, but it actually was about Upstream Collection, which has filters installed at major internet switches. This follows from two facts: first, that the STELLARWIND program was terminated in January 2007 while PRISM only started later that year; second, that STELLARWIND only involved companies that operate the internet and telephony backbone cables, like AT&T and Verizon, not internet service providers like Facebook and Google)
Despite this clear evidence that speaks against a "direct access" to company servers, Glenn Greenwald still sticks to that claim in his book No Place To Hide, which was published on May 13, 2014. Asked about this by a Dutch news website, Greenwald said that the "direct access" doesn't mean that NSA "has full, unlimited access. But they can tell the companies what they want to have and then they can get it".
An important thing that wasn't well explained by the media, is that not only PRISM, but also the domestic part of Upstream collection is legally based upon section 702 FAA. Note that NSA also conducts Upstream collection under three other legal authorities: FISA and Transit inside the US and Executive Order 12333 when the collection takes place abroad.
> See for more: Slides about NSA's Upstream collection
From a 2011 FISA Court ruling (pdf) that was declassified upon request of the Electronic Frontier Foundation we learn that under section 702 FAA, NSA acquires more than 250 million "internet communications" each year. This number breaks down as follows:
- Upstream: ca. 9% or more than 22 million communications*
- PRISM: ca. 91% or more than 227 million communications
*The ruling doesn't explain what exactly an "internet communication" is. A problem that troubled both NSA and the FISA court was that under Upstream it's technically very difficult to distinguish between single communications to, from or about targeted persons and those containing multiple communications, not all of which may be to, from or about approved targeted addresses. The latter may contain up to 10,000 domestic communications each year.*
On June 27, 2014, the Director of National Intelligence (DNI) for the first time published a Statistical Transparency Report, which says that in 2013, the collection under Section 702 FAA affected some 89.138 targets. Such a target "could be an individual person, a group, an organization or a foreign power".
Specifically for 702 FAA collection, the number of 89.138 targets includes an "estimated number of known users of particular facilities (sometimes referred to as selectors)" - which means users of e-mail and IP addresses and such.
The report gives the following example: "foreign intelligence targets often communicate using several different email accounts. Unless the Intelligence Community has information that multiple email accounts are used by the same target, each of those accounts would be counted separately in these figures. On the other hand, if the Intelligence Community is aware that the accounts are all used by the same target, as defined above, they would be counted as one target".
Published by Le Monde on October 22, 2013. It compares the main features of the PRISM program and the Upstream collection.
The last line says that for PRISM there is no "Direct Relationship with Comms Providers". Data are collected through the FBI. This clearly contradicts the initial story by The Guardian and The Washington Post, which claimed that NSA had "direct access" to the servers of the internet companies. This led to spectacular headlines, but also a lot of confusion, as it allowed the companies involved to strongly deny any direct relationship with the NSA - because it's actually the FBI that is picking up their data.
Had this slide been published right in the beginning, then more adequate questions could have been asked and probably we could have got answers that made more sense.
A direct relationship does exist however with the companies which are involved in the Upstream collection, like AT&T and Verizon, who most likely have high volume filtering devices like the Narus STA 6400 installed at their switching stations. Unlike intercept facilities outside the US, where the XKeyscore system can store and search 3 days of content, the sites inside the US only seem to filter data as they flow past, and hence there's no access to Stored Communications.
The slide also shows that the so-called "Abouts" collection is only conducted under the Upstream method. As we learned from a hearing of the Privacy and Civil Liberties Oversight Board (PCLOB), this About Collection is not for gathering communications to or from a certain target, but about a specific selector, for example an e-mail message in which an e-mail address or a phone number of a known suspect is mentioned. This About Collection is not looking for names or keywords, is only used for internet communications and was authorized by the FISA Court.
Because under Upstream NSA is allowed to do About Collection which pulls in a broader range of communications, the retention period (the time the data are stored) is only two years. Data collected under PRISM, which are restricted to communications to and from specific addresses, are stored for the standard period of five years. Both under PRISM and Upstream there's no collection based upon keywords.
Published on Wikipedia; the subheader reads "Collection only possible under FAA702 Authority" and in the central cyan colored box the codenames FAIRVIEW and STORMBREW are shown one after the other. Maybe other codenames are in the yellow box at the right side. It's not clear what the irregular blue shapes in the Indian Ocean are. The figure which is right of New Zealand is a stereotype depiction of a terrorist with a turban.
OPI stands for Office of Primary Interest and UTT for Unified Targeting Tool, the NSA application used for instructing the actual collection facilities. The text on the slide reads:
UPSTREAM
OPI tasks firstname.lastname@example.org under FAA702 and 12333 authority in UTT
Badguy sends e-mail from [outside?] U.S. and comms flow inside U.S.
FAIRVIEW sees selector but can't tell if destination end is U.S. or foreign
Only the target end needs to be foreign
Published by Le Monde on October 22, 2013.
It shows a list of 35 IP addresses and domain names which are the "Higher Volume Domains Collected from FAA Passive". Data from these domains are collected from fiber optic cables and other internet infrastructures - the Upstream or Passive Collection, complementary to the PRISM collection which involves some major US domains like hotmail.com and yahoo.com.
All IP addresses and domain names are blacked out, except for two French domains: wanadoo.fr (a major French internet service provider) and alcatel-lucent.com (a major French-American telecommunications company). The rest of the list will most likely contain many similar domain names, which shows that redactions of the Snowden-documents are not only made to protect legitimate security interests, but also when the papers, in this case Le Monde, want to keep these revelations strictly focused on their own audience.
On May 8, 2014, the French paper Le Monde listed some more targets from NSA's Upstream Collection, although it is not clear whether these are derived from this slide or from a different NSA document.
Reporting based on PRISM
The following slides show some of the results from the PRISM program:
Published by Le Monde on October 22, 2013.
It shows a highlight of reporting under the section 702 FAA authority, which in this case includes both PRISM and the STORMBREW program of the Upstream collection capability. Information derived from both sources made the NSA/CSS Threat Operations Center (NTOC) figure out that someone had gotten access to the network of a cleared defense contractor (CDC) and was either preparing to, or at least had the ability to get 150 gigabytes of important data out. NTOC then alerted the FBI, which alerted the contractor and they plugged the hole the same day, apparently December 14, 2012.
Another cyber attack that was detected by PRISM occurred in 2011 and was directed against the Pentagon and major defense contractors. According to the book 'Der NSA Komplex' this attack was codenamed LEGION YANKEE, which indicates that it was most likely conducted by Chinese hackers.*
Published by The Intercept on April 30, 2014.
It shows that during the 2012 Olympic Games in London, 100 specially trained and/or approved GCHQ employees were granted access to data collected under the PRISM program. 256 selectors (like e-mail addresses) were under surveillance, leading to 11.431 communication fragments ("cuts of traffic") being produced during one week in May. This is an average of 45 communication parts like e-mail and chat messages and such per address.
According to another document published by The Intercept, GCHQ wanted "unsupervised access" to data collected by NSA under the section 702 FAA authority (PRISM and Upstream) in "a manner similar to the Olympic Option" program from 2012. GCHQ seemed to be less enthusiastic about the current procedure to get such kind of access under supervised conditions, called Triage, which involves long steps to get the necessary approvals.
A small version of this slide was published on the website of O Globo, and a large one, also with most of the topics censored, was published in Glenn Greenwald's book No Place To Hide on May 13, 2014. The slide is titled "A Week in the Life of PRISM Reporting" and shows some samples of reporting topics from early February 2013.
One of the things that were apparently blacked (or actually whited) out was published in the Indian paper The Hindu, which said that this slide also mentions "politics, space, nuclear" as topics under "India" and also information from Asian and African countries, contributing to a total of "589 End product Reports".
Published by Der Spiegel on June 18, 2014. It shows a table with numbers about the intelligence reports based upon data collected through the PRISM program.
The table lists NSA units which function as Office of Primary Interest (OPI - click here for an explanation of the internal designations). In this case, the numbers are sorted by the number of reports produced. The top-5 most productive units are:
- F6: NSA/CIA Special Collection Service (3723 reports)
- S2I: Counter-Terrorism Product Line (3493 reports)
- S2E: Middle East and Africa Product Line (2574 reports)
- S2G: Counter Proliferation Product Line (2092 reports)
- NSAT: NSA Texas (1690 reports)
The total number of intelligence reports produced by all these OPIs is 144.779, and 22.500 of them are based upon information from the PRISM program, which is an average of 15%. According to a document published in Greenwald's book, there were 18.973 PRISM-based end-product reports in the fiscal year 2011 and 24.096 in 2012.
Published by Der Spiegel on June 18, 2014. Just like the previous slide, it shows a table with numbers about the intelligence reports based upon data collected through the PRISM program.
The table again lists NSA units which function as Office of Primary Interest (OPI - click here for an explanation of the internal designations). In this case, the numbers are sorted by what share of the total number of reports issued by the various OPIs is PRISM-based, which can be seen in the fourth column. The top-5 units are:
- ECC: European Cryptologic Center (52%)
- S2I: Counter-Terrorism Product Line (42%)
- S2J: Weapons and Space Product Line (33%)
- S2G: Counter Proliferation Product Line (30%)
- NSAT: NSA Texas (30%)
These lists clearly show that collection under the PRISM program is not restricted to counter-terrorism, but also that it is not about monitoring ordinary people all over the world, as many people still think. PRISM is used for gathering information about a range of targets derived from the topics in the NSA's Strategic Mission List (pdf). The 2007 edition of this list was also among the Snowden-documents and subsequently published, but got hardly any attention.
Already on June 27, 2013, then NSA director Alexander stated in a Congress hearing that data collected under section 702 FAA and section 215 Patriot Act (the domestic metadata collection) enabled US agencies to disrupt 54 threat events, 42 of which "involved disrupted plots". Of those 54:
- 12 involved cases of material support to terrorists;
- 50 led to arrests or detentions;
- 25 occurred in Europe;
- 11 were in Asia;
- 5 were in Africa;
- 13 had a homeland nexus.
Alexander said that in 53 of the 54 cases, data collected under section 702 provided the initial tip to "unravel the threat stream" and that almost half of terrorist reporting comes from Section 702.
According to former NSA deputy director Chris Inglis some 41 terrorist plots were foiled by information collected under section 702 FAA, most of them by PRISM. This is not a very large number, but as we've seen, PRISM is also used for creating intelligence reports about many other topics.
In 2012, PRISM reports were cited as a source in 1477 items of the President's Daily Brief, making PRISM one of the main contributors to this Top Secret intelligence briefing which is provided to the president each morning.
According to its annual report (pdf), the Dutch parliamentary intelligence oversight committee CIVD was informed on July 3, 2013 that information from PRISM prevented 26 terrorist attacks in Europe, including one in the Netherlands.
> See also: Excerpts from NSA documents about PRISM
Links and Sources
- PCLOB.gov: Section 702 Program Report (pdf)
- MatthewAid.com: New NSA Report on Its Electronic Eavesdropping Programs
- EmptyWheel.net: Back Door Searches: One of Two Replacements for the Internet Dragnet?
- DNI.gov: NSA's Implementation of Foreign Intelligence Surveillance Act Section 702 (pdf)
- TED.com: Edward Snowden: Here's how we take back the Internet
- C-Span.org: Privacy and Civil Liberties Oversight Board Hearing, Government Officials Panel
- TechDirt.com: Why Does The NSA Focus So Much On 'TERROR!' When PRISM's Success Story Is About Cybersecurity?
- SealedAbstract.com: The part of the FISC NSA decision you missed
- GlobalResearch.com: New Documents Shed Light on NSA’s Dragnet Surveillance
- TheGuardian.com: Microsoft handed the NSA access to encrypted messages