The PRISM story firmly changed course yesterday when The Guardian published a video interview with NSA whistleblower Edward Snowden. If you haven’t watched the interview, you should. It’s historic and fascinating.
The media has all but forgotten about just how the NSA gathers all this information from the companies listed in the presentation. After the story first broke, the denials happened. Then the NY Times connected some dots, and there were then further denials (“the government does not have access to Google servers—not directly, or via a back door, or a so-called drop box”). Then Snowden happened.
At this point there are a lot more things we don’t know than we do. But there are still a lot of dots to connect. So I’m watching the Snowden developments out of one eye while I continue to find peace in my soul for the PRISM stories that can’t find a way to merge into one believable narrative.
I’m working from the assumption that every statement by the companies involved is true, or at least arguably true. Besides the fact that I don’t think these people are liars, with all the leaking going on, they just don’t know what other information is going to explode onto the scene, and they have to hedge.
But still, unless you think the original PRISM document is a fake, or so completely muddled in how it explains things that it might as well be, there are some big questions unanswered.
All of the denials and statements admit that the companies turn data over to the government “only in accordance with the law” along with various versions of how the companies review orders before complying.
I’ve spent a good number of hours researching these government orders, and talking to experts, over the last few days. I’m embarrassed to say that this was just not an area that I was particularly interested in, despite all the writing on the wall. To the best of my ability I’ve remedied that and am starting to push forward into some seriously grey area stuff. I am thankful to Wired’s Threat Level blog which has long focused on these issues. David Kravets work has been particularly edifying.
Here’s where we stand. I believe that #3 in my original post is still the most likely truth: “The presentation is real, and the companies are carefully drafting responses so that they aren’t technically lying.”
The government has a variety of tools under FISA and the Patriot Act to get the data they want (which is all of the data). We know a little about how National Security letters work from Google’s willingness to share data around those and the recent judicial challenges.
The Verizon vacuuming of all data over to the NSA, while horrifying, doesn’t apply to internet companies. Those companies must still comply with National Security Letters and FISA order, however.
The NY Times article changes the original allegations from The Guardian and Washington Post. There is no direct access allegation any more. The focus is now on special hardware lockboxes at company datacenters where requested data is moved for pickup by the NSA.
At first glance that sounds like a good idea. The government gets a court order, serves the order onto the company. The company reviews it and then sends the requested data into the lockbox. The NSA gets that data and the transaction is completed.
The only problem with this theory (from the NY Times story) is that Drummond afterwards said it’s not accurate – “not directly, or via a back door, or a so-called drop box.”
So let’s put Google aside for a moment and look at all the internet companies not on the Hot 9 list. Twitter, Amazon, Salesforce, for example. When they get a secret FISA order in they still must comply, without question. But they aren’t on the “direct access” slide. Clearly they are doing things, or not doing things, that make the process of getting their user data more complicated or just slower.
These Super 9 companies, in contrast, are doing something that makes them a headliner in the presentation deck. Twitter didn’t make the cut. Google did.
So again, taking Drummonds statements as true, what is Google doing that’s different than Twitter, and why is that thing making the NSA really happy?
I don’t know, but I have a guess.
My guess is that Google and the others have agreed to receive FISA requests in an automated way, process them in an automated way, and fire off the data in an automated way. That whole process could take a very small amount of time. Milliseconds for small sets of data, easy. Anything beyond that is from any human intervention at Google to read the order and decide whether to accept it. From what I’ve seen, it’s extremely rare for companies to push back on orders, since the secret FISA court always, without exception, tells them to settle down and get that data over to the NSA, pronto.
So Google complies, and the whole thing has been handled “in accordance with the law.” Given how important the Super 9 are to PRISM, it seems clear that responses from queries must come back pretty quickly, almost as fast as a normal search engine, for example.
That tells me there’s a lot of automation going on in a server or two (just don’t call them back doors or drop boxes).
Now here’s something new (to me at least) that also fills in some boxes. The NSA can begin surveillance on a subject for a full week before going to the secret FISA court for an order. In the last year every one of those orders have been granted, so it’s just a formality.
If I had been paying attention in May, David Kravets was already answering the questions I had last weekend. From his article Secretive Spy Court Approved Nearly 2,000 Surveillance Requests in 2012, he says:
The legislation does not require the government to identify the target or facility to be monitored. It can begin surveillance a week before making the request to the secret court, and the surveillance can continue during the appeals process if, in a rare case, the spy court rejects the surveillance application.
See section (g) here for the law behind his statement that the NSA can surveil someone for a week before going to the secret rubber stamp court.
So back to that “in accordance with the law” stuff that the Awesome 9 keep relying on. It appears to be quite legal to begin surveillance a week before getting a secret court order. That gives them time to determine if they’re barking up the wrong tree.
So, sitting around the NSA office one day an analyst has an idea. Like, “Hey, let’s find Republicans in Wyoming who have Facebook or Twitter friends with someone outside of the U.S. And then cross reference that with concealed carry permits. I think these guys might be gun running. Can I get a high five!?
Our guy fills out a form in PRISM, I imagine, with his query. The damn Twitter doesn’t do Prism and needs a more formal order, probably requiring someone to wake up the secret judge and tell him to get that stamp ready. And then they send off the order in a variety of ways and demand a response in 24 hours or something.
Meanwhile things are rocking on Prism. The Verizon data is all locked in and can map out his location over time as a map overlay, easily. Our analyst filled out the form, checked the “FISA approved” box (knowing this is legal because they have a week to go to court), waits a few seconds….and then boom there it is. Lots of data on gun owners in Wyoming with overseas friends. It went through the express line at Google, who noted the FISA approved stamp, and rushed that data right back down the pipe to the NSA.
Hey, bring up those Verizon records and see where this guy’s been. Damn, he goes to the range nearly every day. I wonder if he’s complying with every single Federal and state gun law. Let’s send an agent down to chat with him. And if he gives you any shit just show him this picture of his mistress Verizon sent over. That’ll shut him up.
WAIT! Here’s a frickin video! oh man, I’m sending this to myself. No, hold on guys, I’m doing this. Ok, now, show him this video of himself in a compromised position with his girlfriend and ask if we should sent it to his wife at their home address, it’s right here.
So after a day of looking at pictures of naked girlfriends and wives and ranking the top ten porn searches our perp Googled in the last year, our NSA guys still can’t find a NSA-type crime or figure out how they might stop a major terrorist event. Time to delete this data (which probably means shoving into an archive for later analysis and cross checking). And no bother going to the court on this since the surveillance ended before the week was up.
A few days after that a big package comes in from Twitter with 40,000 printed pages of information. They’ve complied with FISA, with a big middle finger. That stuff gets tossed into the scanning room and forgotten.
My scenario is ridiculous above, but it squares with the slides, it squares with the Snowden interview, and it squares with the many denials we’ve heard.
WE KNOW THIS: These nine companies have done something (we don’t know what) to make the NSA’s lives easier. So easy that agents are told to just focus on these companies (not Twitter or Salesforce or Amazon) for FISA orders.
WE KNOW THIS: The NSA can begin surveillance on someone(s) for a full week before they have to get the rubber stamp from the secret court (which has never said no).
WE KNOW THIS: The NSA routinely talks about mitigation efforts to purge U.S. people data; however, they always talk about these measures being taken after they have control of the data. What they should be doing is proving the data is clean before they grab it. But it’s way more efficient (and also evil) to dragnet everything and then try to cut the good data away from the bad. This is self evident from them taking all call data from all Verizon customers, even calls beginning and terminating in the U.S. They get the data, then make promises to the court that they’ll treat that data appropriately. Huge, Huge, HUGE incentives for misuse here based on efficiency arguments.
I GUESS THIS: The NSA “request” is fired off to Google and others as soon as these guys see a thread to pull, and they mark the request as FISA ordered (they have a week to actually get the order, which will be backdated). Google greenlights it as a legal order and fires over the data. If the data is useful the NSA wakes the secret judge up again to stamp it good. Otherwise they toss the data out and nobody ever talks about it again.
This is the world described to me by people I’ve spoken with who seem to have the best grasp of how FISA orders work, and how they might work in connection with PRISM. It makes sense when you realize that the NSA can order surveillance without court approval for a full week. Since surveillance needs data I assume that Google and the others send that data pronto to comply with the law. I doubt they ever see or hear about the actual FISA order a week later.
There’s a lot of educated speculation here, but if this is mostly right then we’ve got a system that works much like the PRISM slides say – it feels like direct access to a server. There are some things going on in between, like checking a box that the order is FISA compliant, but it seems to me that any request for data under FISA is looked at as a FISA order, as it looks like the companies have no ability to delay or object to the seven day period where surveillance can occur without the actual secret court order.
Thus, under this conspiracy theory, PRISM works just as planned, and just as efficiently, as it was described in the presentation.
Now, the only way for this to stop is for someone in one of these companies to pull an Edward Snowden, download some FISA orders and hop on a plane to Hong Kong. And then call me and I’ll fly over and do a really kick ass interview with you where you can tell the world the rest of the PRISM story. I’ll even start your legal defense fund for you and solicit donations, because you’re going to need it.
You’ll definitely want to plan ahead to avoid the fate of other patriots who tried to do what’s right with government demands. There are usually short trials followed by long prison sentences. See Joseph P. Nacchio as a sad example of a man doing what he thought was right and then being torn apart by the government for saying no to them.
This time it’ll be differen’t, though. Ecador, Iceland, China, they all got your back.