26 April 2014

****** Overview of What Is Now Known About NSA’s PRISM Electronic Eavesdropping Program


In June last year the Snowden-leaks started with the disclosure of the PRISM-program. For many people it stands for NSA surveillance in general because they often have still no idea what PRISM is actually about.

Therefore, this article presents a wrap up of almost everything we know about the PRISM program, combining information from my earlier postings and from other media and government sources.

Most of what we know about PRISM comes from an internal NSA presentation of 41 slides. Edward Snowden initially asked The Washington Post to publish the full slide deck, but the paper refused and so only 4 were subsequently published by The Guardian. A few other slides were revealed later on. In total 13 slides have been published and 4 were incidentally or partially shown on television.

All of them are shown here, in an order that probably comes closest to the original presentation. The slides have a number which is only for reference. If new slides of this PRISM presentation become available, they will be added here.


1. This slide was one of the first four revealed by The Guardian and The Washington Post on June 6, 2013, and shows the title of the presentation.

All slides are marked TOP SECRET//SI//ORCON/NOFORN, which means they are classified as Top Secret and protected by the control system for Special Intelligence (SI). The dissemination is strictly controlled by the originator, while it’s generally prohibited to release them to foreign nationals.

The SIGINT Activity Designator (SIGAD) of the PRISM program is US-984XN, which indicates that PRISM is part of the BLARNEY-family and used for collecting data under the authority of the FISA Amendments Act.

The media have redacted the name of the person who is the PRISM collection manager, a title which is followed by S35333, which is NSA’s internal organization designator for a unit of the Special Source Operations (SSO). The logo of this division is in the top left corner of each slide, with in the opposite corner a logo for the PRISM program itself.

Immediatly after the first slides of the presentation were published, some people thought it could be fake or photoshopped because of the not very professional looking design and the copy-paste elements. After more slides became available, we can now assume the presentation to be genuine.

This presentation about PRISM was given in April 2013, which is just a month before Edward Snowden left his job at NSA and therefore this seems to be one of the most recent documents he was able to download from the internal NSA network.

General aspects of PRISM

The following slides are about the workings of the PRISM program in general:



2. This slide was one of the first four revealed by The Guardian and The Washington Post on June 6, 2013, and shows a short introduction of the world’s telecommunications backbone.

The diagram shows that the majority of international communications from Latin America, Europe and even from Asia flow through the United States, which makes it easy for NSA to intercept them on American soil.

Note that most of the communications from Africa (the continent where many jihadist groups from the Middle East went to in recent years) are going through Europe, which explains why NSA sometimes needs European partner agencies (like from the Netherlands) to access them.



3. This slide was one of the first four revealed by The Guardian and The Washington Post on June 6, 2013, and shows which internet companies are involved and what kind communications can be received by the NSA.

We see that under PRISM the NSA is able to collect e-mail, chat, video and voice messages, photo’s, stored data and things like that. But there are also “Notifications of target activity - logins, etc”. This was interpreted by The Washington Post as a function that gives NSA analysts live notifications “when a target logs on or sends an e-mail”.

But as these notifications are clearly listed as collected data (see also slide 8 down below), it’s more likely they refer to the notification messages you get when someone logs in at an internet chatroom or an instant messenger, or when you receive an e-mail through an e-mail client.

It is possible though that NSA analysts can get a notification when new communications from a target they are watching becomes available in NSA systems. Whether (near) real-time monitoring of a target’s communications is possible, depends on the way these data are made available to NSA (see slide 5 below).



4. This slide was one of the first four revealed by The Guardian and The Washington Post on June 6, 2013, and shows the dates when PRISM collection began for each provider:


- Microsoft: September 11, 2007

- Yahoo: March 12, 2008

- Google: January 14, 2009

- Facebook: June 3, 2009

- PalTalk: December 7, 2009

- YouTube: September 24, 2010

- Skype: February 2, 2011

- AOL: March 31, 2011

- Apple: October 2012

According to the book ‘Der NSA Komplex’, which was published by Der Spiegel in March 2014, PRISM also gained access to Microsoft’s cloud service SkyDrive (now called OneDrive) as of March 2013. This was realized after months of cooperation between FBI and Microsoft.*

The Washington Post reported that in the speaker’s notes accompanying the presentation, it’s said that “98 percent of PRISM production is based on Yahoo, Google and Microsoft; we need to make sure we don’t harm these sources”. The Post also says that “PalTalk, although much smaller, has hosted traffic of substantial intelligence interest during the Arab Spring and in the ongoing Syrian civil war”.

The program cost of 20 million dollar per year was initially interpreted as being the cost of the program itself, but later it came out that NSA pays for expenses made by cooperating corporations, so it seems more likely that the 20 million is the total amount paid by NSA to the companies involved in the PRISM program.


5. This slide was one of four disclosed by The Washington Post on June 29, 2013 and shows the PRISM tasking process, which means how the actual collection facilities are instructed about what data should be gathered.

The process starts with an NSA analyst entering selectors into the Unified Targeting Tool (UTT). In this case, selectors can be e-mail or IP addresses, but not keywords. According to an article in the French paper Le Monde, there are some 45.000 selectors involved in the PRISM collection.

Analysts can order data from two different sources:

- Surveillance, which means communications that will happen from the moment the target was selected (although the media interpreted this as the ability to real-time “monitor a voice, text or voice chat as it happens”)

- Stored Comms, which are communications stored by the various providers dating from before the moment the target was selected

Edward Snowden vehemently accuses NSA for a lack of control and oversight mechanisms, which according to him, makes that analysts have unrestricted access to the communications of virtually everyone in the world. But the diagram in the slide clearly shows that there are multiple steps for approving every collection request:

1. For Surveillance a first review is done by an FAA Adjudicator in the analysts Product Line (S2) and for Stored Comms there’s a review by the Special FISA Oversight and Processing unit (SV4).

2. A second and final review is done in both cases by the Targeting and Mission Management (S343) unit. Only after passing both stages, the request is released through the UTT and the PRINTAURA distribution managing system.

3. For Stored Comms the Electronic Communications Surveillance Unit (ECSU) of the FBI even does a third check against its own database to filter out known Americans.

Then it’s the Data Intercept Technology Unit (DITU) of the FBI that goes to the various internet companies to pick up the requested data and then sends them back to NSA.

As indicated by companies like Google, they deliver the information to the FBI in different ways, like through a secure FTP transfer, an encrypted dropbox or even in person. According to a report by the journalist Declan McCullagh, the companies prefer installing their own monitoring capabilities to their networks and servers, instead of allowing the FBI to plug in government-controlled equipment.


6. This slide was shown on Brazilian television and seems also to be about PRISM Tasking, more specifically about a procedure for emergency tasking when lives are in danger. The slide was uploaded to Wikipedia, where there’s also a transcript of the text:

[…] your targets meet FAA criteria, you should consider tasking to FAA.

Emergency tasking processes exist for [imminent/immediate] threat to life situations and targets can be placed on […] within hours (surveillance and stored comms).

Get to know your Product line FAA adjudicators and FAA leads.

According to an NSA report (pdf) published in April 2014, analysts “may seek to query a U.S. person identifier when there is an imminent threat to life, such as a hostage situation”.

Just like a number of other slides and fragments thereof shown on television, there seems to be no good reason why a slide like this is still not published in a clear and proper way. They contain nothing that endangers the national security of the US, but instead would help to much better understand how the PRISM program is actually used.


7. This slide was one of four disclosed by The Washington Post on June 29, 2013.

It shows the flow of data which are collected under the PRISM program. Again we see that it’s the FBI’s DITU that picks up the data at the various providers and sends them to the PRINTAURA system at NSA.

From PRINTAURA some of the data are directed to TRAFFICTHIEF, which is a database for metadata about specifically selected e-mail addresses and is part of the TURBULANCE umbrella program to detect threats in cyberspace.

The main stream of data is sent through SCISSORS, which seems to be used for separating different types of data and protocols. Metadata and voice content then pass the ingest processing systems FALLOUT and CONVEYANCE respectively. Finally, the data are stored in the following NSA databases:

- MARINA: for internet metadata

- MAINWAY: for phonecall metadata

- NUCLEON: for voice content

- PINWALE: for internet content, video content, and “FAA partitions”


8. This slide was one of four disclosed by The Washington Post on June 29, 2013.

It shows the composition of the Case Notation (CASN) which is assigned to all communications which are intercepted under the PRISM program.

We see that there are positions for identifying the providers, the type of content, the year and a serial number. Also there’s a fixed trigraph which denotes the source. For NSA’s PRISM collection this trigraph is SQC. From another document (pdf) we learn that the trigraph for FISA data used by the FBI is SQF.

The abbreviations stand for: IM = Instant Messaging; RTN-EDC = Real Time Notification-Electronic Data Communication(?); RTN-IM = Real Time Notification-Instant Messaging; OSN = Online Social Networking.


9. This slide was one of four disclosed by The Washington Post on June 29, 2013.

The content of the slide shows a screenshot of a web based application called REPRISMFISA, which is probably accessible through the web address which is blacked out by the Post. Unfortunately there’s no further explanation of what application we see here, but if we look at the word REPRISMFISA we can imagine the application is for going “back to data collected under the PRISM program according to the Foreign Intelligence Surveillance Act (FISA)”.

In the center of the page there are three icons, which can be clicked: PRISM, FBI FISA and DOJ FISA. This shows that both NSA, FBI and the Department of Justice (DOJ) are using data collected under the authority of the Foreign Intelligence Surveillance Act (FISA), and that the NSA’s part is codenamed PRISM.

Below these icons there is a search field, to query one or more databases resulting in a partial list of records. The search options seem rather limited, as only two keywords can be entered, with an additonal “and/or” option. At the left there’s a column presenting a number of options for showing totals of PRISM entries.

Section 702 FAA Operations

The following slides are about how PRISM can be used to collect various types of data. This collection is governed by section 702 of the FISA Amendments Act(FAA), which in NSA-speak is called FAA702 or just merely 702.

Section 702 FAA was enacted in 2008 in order to legalize the interception that was going on since 2001 and that became known as the “warrentless wiretapping" because it was only authorized by a secret order of president George W. Bush. The FAA was re-authorized by Congress in December 2012 and extended for five years.

Under section 702 FAA, NSA is authorized to acquire foreign intelligence information by intercepting the content of communications of non-US persons who are reasonably believed to be located outside the US. This interception takes place inside the United States with the cooperation of American telecommunication and internet companies.

Operations under the original Foreign Intelligence Surveillance Act (FISA) from 1978 require an individual determination by the FISA Court, but under FAA the Attorney General and the Director of National Intelligence (DNI) certify an annual list of targets. These certifications are then reviewed by the FISA Court to determine whether they meet the statutory requirements, like the minimization rules for hiding names and addresses of US citizens.




10. This slide was additionally published by The Guardian on June 8, 2013, to clarify that PRISM, which involves data collection from servers, is distinct from the programs FAIRVIEW, STORMBREW, BLARNEY and OAKSTAR. These involve data collection from “fiber cables and infrastructure as data flows past”, which is calledUpstream collection.

NSA can collect data that flow through the internet backbone cables, as well as data that are stored on the servers of companies like Google, Facebook, Apple, etc. The latter are collected “directly from the servers” as opposed to the communications that are still on their way to those servers when passing through the main internet cables and switches.

Directly from servers

The words “directly from the servers” were misinterpreted by The Guardian and The Washington Post, leading to the claim that NSA had “direct access” to the servers of the internet service providers. As the next slide will show, there’s no such direct access.

(The claim of NSA having “direct access” was not only based on this slide, but also on misreading a section from the draft of a 2009 NSA Inspector General report about the STELLARWIND program, which on page 17 says: “collection managers sent content tasking instructions directly to equipment installed at company-controlled locations”. The Washington Post thought this referred to the companies involved in the PRISM program, but it actually was about Upstream Collection, which has filters installed at major internet switches. This follows from two facts: first, that the STELLARWIND program was terminated in January 2007 while PRISM only started later that year; second, that STELLARWIND only involved companies that operate the internet and telephony backbone cables, like AT&T and Verizon, not internet service providers like Microsoft and Google)

Upstream collection

An important thing that wasn’t well explained by the media, is that not only PRISM, but also the domestic part of Upstream collection is legally based upon section 702 FAA. Note that NSA also conducts Upstream collection under three other legal authorities: FISA and Transit inside the US and Executive Order 12333 when the collection takes place abroad.

From a 2011 FISA Court ruling (pdf) that was declassified upon request of the Electronic Frontier Foundation we learn that under section 702 FAA, NSA acquires more than 250 million “internet communications” each year. This number breaks down as follows:

- Upstream: ca. 9% or more than 22 million communications *

- PRISM: ca. 91% or more than 227 million communications

The ruling doesn’t explain what exactly a “internet communication” is. A problem that troubled both NSA and the FISA court was that under Upstream it’s technically very difficult to distinguish between single communications to, from or about targeted persons and those containing multiple communications, not all of which may be to, from or about approved targeted addresses. The latter may contain to up to 10,000 domestic communications each year.*



11. This slide was one of three published on the website of the French paper Le Monde on October 22, 2013. It compares the main features of the PRISM program and the Upstream collection.

Direct Access?

The last line says that for PRISM there is no “Direct Relationship with Comms Providers”. Data are collected through the FBI. This clearly contradicts the initial story by The Guardian and The Washington Post, which claimed that NSA had “direct access” to the servers of the internet companies. This led to spectacular headlines, but also a lot of confusion, as it allowed the companies involved to strongly deny any direct relationship with the NSA - because it’s actually the FBI that is picking up their data.

Had this slide been published right in the beginning, then more adequate questions could have been asked and probably we could have got answers that made more sense.

A direct relationship does exist however with the companies which are involved in the Upstream collection, like AT&T and Verizon, who most likely have high volume filtering devices like the Narus STA 6400 installed at their switching stations. Unlike intercept facilities outside the US, where the XKeyscore system can store and search 3 days of content, the sites inside the US only seem to filter data as they flow past, and hence there’s no access to Stored Communications.

About Collection

The slide also shows that the so-called “Abouts” collection is only conducted under the Upstream method. As we learned from a hearing of the Presidential Civil Liberties Oversight Board (PCLOB ), this About Collection is not for gathering communications to or from a certain target, but about a specific selector, like for example an e-mail message in which an e-mail address or a phone number of a known suspect is mentioned. This About Collection is not looking for names or keywords, is only used for internet communications and was authorized by the FISA Court.

Because under Upstream NSA is allowed to do About Collection which pulls in a broader range of communications, the retention period (the time the data are stored) is only two years. Data collected under PRISM, which are restricted to communications to and from specific addresses, are stored for the standard period of five years. Both under PRISM and Upstream there’s no collection based upon keywords.



12. The slide was seen in a television report and shows a world map with the undersee fiber optic cables according to the volumes of data they transmit. This map is used as background of a number of other slides about FAA 702 Operations. In seems that additional information, like in the next slide, appears by mouse clicking the original powerpoint presentation.


13. The slide shows the same world map with fiber-optic cables and is hardly readable, but according to Wikipedia, the subheader reads “Collection only possible under FAA702 Authority” and in the central cyan colored box the codenames FAIRVIEW and STORMBREW are shown subsequently. Maybe other codenames are in the yellow box at the right side. It’s not clear what the irregular blue shapes in the Indian Ocean are. The figure which is right of New Zealand is a stereotype depiction of a terrorist with a turban.




14. This partial slide was seen on the laptop of Glenn Greenwald in a report by Brazilian television and shows two scenarios for collection data under FAA 702 authority. It has two boxes with text, the one on the right reads:

UPSTREAM

Scenario #2

OPI tasks badguy@yahoo.com under FAA702 and 12333 authority in UTT

Badguy sends e-mail from [outside?] U.S. and comms flow inside U.S.

FAIRVIEW sees selector but can’t tell if destination end is U.S. or foreign

RESULT

Collection allowed

Only the target end needs to be foreign

OPI stands for Office of Primary Interest and UTT for Unified Targeting Tool, the NSA application used for instructing the actual collection facilities.




15. This slide was one of three published on the website of the French paper Le Monde on October 22, 2013.

It shows a list of 35 IP addresses and domain names which are the “Higher Volume Domains Collected from FAA Passive”. This indicates that data from these domains are collected from fiber optic cables and other internet infrastructures, which is called Passive or Upstream collection.

All IP addresses and domain names are blacked out, except for two French domains: wanadoo.fr (a major French internet service provider) and alcatel-lucent.com (a major French-American telecommunications company). The rest of the list will most likely contain many similar domain names, which shows that redactions of the Snowden-documents are not only made to protect legitimate security interests, but also when the papers, in this case Le Monde, want to keep these revelations strictly focussed to their own audience.

Reporting based on PRISM

The following slides show some of the results from the PRISM program:



16. This slide was one of three published on the website of the French paper Le Monde on October 22, 2013.

It shows a highlight of reporting under the section 702 FAA authority, which in this case includes both PRISM and the STORMBREW program of the Upstream collection capability. Information derived from both sources made the NSA/CSS Threat Operations Center (NTOC) figure out that someone had gotten access to the network of a cleared defense contractor (CDC) and was either preparing to, or at least had the ability to get 150 gigabytes of important data out. NTOC then alerted the FBI, which alerted the contractor and they plugged the hole the same day, apparently December 14, 2012.

Another cyber attack that was detected by PRISM occured in 2011 and was directed against the Pentagon and major defense contractors. According to the book ‘Der NSA Komplex’ this attack was codenamed LEGION YANKEE, which indicates that it was most likely conducted by Chinese hackers.*



17. This slide of the PRISM presentation appeared on the website of O Globo and is titled “A Week in the Life of PRISM Reporting” and shows some samples of reporting topics from early February 2013.

It seems the bottom part of this slide was blacked (or actually whited) out by Brazilian media, as the Indian paper The Hindu disclosed that this slide also mentions “politics, space, nuclear” as topics under “India”, and also information from Asian and African countries, contributing to a total of “589 End product Reports”.

These lists show that collection under the PRISM program is not restricted to counter-terrorism, but is also not about monitoring ordinary people all over the world, as many people still think. PRISM is used for gathering information about a range of targets derived from the topics in the NSA’s Strategic Mission List (pdf). The 2007 edition of this list was also among the Snowden-documents and subsequently published, but got hardly any attention.

According to former NSA deputy director Chris Inglis some 41 terrorist plots were foiled by information collected under section 702 FAA, most of them by PRISM. This is not a very large number, but as we’ve seen, PRISM is also used for creating intelligence reports about many other topics.

In 2012, these were cited as a source in 1477 items of the President’s Daily Brief, making PRISM one of the main contributors to this Top Secret intelligence briefing which is provided to the president each morning.

Links and Sources








No comments: