Wanted to take yet another opportunity to mention the nationwide Restore the Fourth demonstration happening this week. http://restorethe4th.net I hope everyone reading this attends their local rally.
It also needs to be said that another leak is coming soon that details a program that collects/stores the contents of 1 Billion cell phone calls every single day [1]. I submitted the link earlier but it got buried after only a few upvotes.
While I support this protest, in my opinion, this is a non-media savvy day to have it. "Regular folks" use the day off for family, friends, and bbqs. It's a holiday so no one will be working at the government buildings, and it's typically a lousy news day since the skeleton crews are on.
But hopefully this event will start getting people together to keep the pressure on as new revelations come out. Protesting matters, phone calls matter, emails matter---I've seen it. Generally the rule is for every one constituent (that's key) call there's 100 more who think that. Right now you can start to see the official line fraying a bit with various actors attempting to cover their own asses. Maybe they don't care about the big picture, but they care about legacy, career, and ego. And no one wants to be on the wrong side of history.
These protests have not been well organized. From the outside it looks like a handful of Redditors who are thinking of hanging out together - and there seems to have been no PR or outreach to folks beyond Reddit. Most of the nation does not use Reddit.
My page for my New England city has nothing except a link to a conversation with half a dozen folks planning a preliminary meeting, with no follow up info posted. I could drive to Boston, but what's the point: the Boston group is only predicting an attendance of 40. I doubt it will get media coverage, and at that size I honestly hope it doesn't.
The supervisor must endorse the analyst's "reasonable belief," defined as 51 percent confidence, that the specified target is a foreign national who is overseas at the time of collection.
US citizens make up less than 50% of the world population. So given any target I can be more than 51% confident that they are not a US citizen, knowing nothing about the particular target whatsoever.
The United States makes up 4.46% of the world population [1], so there might be reason to believe that 95% of communications in transit are foreign. If you look at the users of facebook, there are more who are foreign (non-US) that US citizens [2].
Only if you have no prior information. However, since the target has to be a specific person, and you have to have some reason to want to monitor them, you would have to have a good deal of prior information. At the very least, you know the networks on which they can be monitored, which already introduces a much more informative prior than "is-a human". The ratio of Americans to other people in your belief network would tend to be dominated by that other prior information.
These numbers can't possibly work for interceptions within the US telecom network. The fraction of Americans using the US telecom network approaches 100%, while the fraction of Liberians using it is probably much smaller.
"The program is court-approved but does not require individual warrants."
So does this mean that the number of government requests released by Facebook, Microsoft, etc. within the last few weeks are essentially meaningless in regards to PRISM and most likely other top secret government spying programs?
This was known prior to the PRISM disclosure; they're (most likely) referring to the FAA 702 process, in which a court certifies a target for which multiple directives may then be issued. The certification establishing the target is reviewed in the manner of a FISA warrant, but the individual directives that flow from the certification aren't. Certifications have a 1:many relationship with directives.
The reasonable expectation one would have about statistics released by (say) Yahoo pursuant to this process is that they would capture every directive received by the provider, since providers don't get the certifications.
Just a quick reminder: the USG does not need and has never needed and probably will never need a warrant to spy on a foreign entity not on US soil. I'd be interested in hearing about any country that had a signals intelligence capability (Germany, France, Israel, UK, China, Japan, Brazil, &c) in which a warrant was required to conduct foreign intelligence.
I think the uniformed response from the carriers is a diversion from the NSLs which they cannot speak about for the metadata or specific requests for information they have not obtained via fiber splitting.
I don't think that many people knew about the fiber splitting. Only the telecoms were granted immunity.
Facebook, etc., said their numbers included requests that were not in response to individual warrants, so could include requests that originated through PRISM.
"The FBI uses government equipment on private company property to retrieve matching information from a participating company, such as Microsoft or Yahoo and pass it without further review to the NSA." (emphasis mine)
Is it just me or is this a fairly bold claim? I don't see anything about government equipment on private company property in the slides... wondering if this is additional testimony from Snowden, or info from supplementary docs that they haven't released.
Also: "The Foreign Intelligence Surveillance Court does not review any individual collection request." Could I get some perspective on this statement? Is this as bad as it sounds? Or are they saying the court approves monitoring on an individual and doesn't need to give approval for every single collection request on that individual?
In a report leaked 2 days ago [1], there is something on page 44 last paragraph that supports the FBI does the collection. If this is done via their machines on private property, this report doesn't speak to that.
In January 2009, the FBI, at NSA's request, assumed responsibility for the Domestic Content Order and became the declarant before the FISC.
> I don't see anything about government equipment on private company property in the slides.
Given the interface already laid out in what we knew about PRISM before, that's mostly an implementation detail. Maybe the company didn't want to have to send the data over the open Internet on their own (even encrypted) and wanted to pawn off that responsibility to the NSA?
I don't know where the info came from but I remember it being talked about when the news first leaked so it may have been sent by Snowden with the initial leak of slides.
I suppose the question is really how embedded into the company's subnet is the government equipment?
> The Foreign Intelligence Surveillance Court does not review any individual collection request
Basically this part from the article introduction: "The program is court-approved but does not require individual warrants. Instead, it operates under a broader authorization from federal judges who oversee the use of the Foreign Intelligence Surveillance Act (FISA)".
Keep in mind this is where the US/non-US inequality is at its most severe. Almost the only reason the FISC really cares about this at all is to prevent monitoring of American citizens in a way that violates the 4th Amendment. The program as constituted is less worried about ensuring the right person has their data collected as it is about ensuring that a U.S. citizen does not have their data collected.
So from that perspective such a warrant might appear rational on the part of the court.
That's admittedly a pretty large inequity between US and non-US persons but that's how the existing case law seems to approach it.
And yes, the NSA tells the FISA court it wants a court order to spy on Al Qaeda in Pakistan or Chinese spies. Each one of those is a "court order". If it sounds like a general warrant, well, that's because that's what it is.
I don't know if this is connected to the new information, but I seemed to remember articles about the FBI trying to set up backdoors and do something like extending the use of CALEA-type hardware to web companies. I don't know whatever became of it, but older articles on the subject can still be found.
"On April 5, according to this slide, there were 117,675 active surveillance targets in PRISM's counterterrorism database. The slide does not show how many other Internet users, and among them how many Americans, have their communications collected "incidentally" during surveillance of those targets."
I think something is inferred there that isn't necessarily true: there being 117,675 PRISM records does not necessarily refer to 117,675 different people being targeted. The slides imply that there would be two different records for the same person's Gmail account and their Facebook account. So the number of individual people being targeted would actually be a good amount less. Yes, still tens of thousands of people... but less that 117,675.
The way this is presented really isn't cool. If the Post has evidence to back their annotations, they should cite it or at least say it exists in other sources they have access to.
If the annotations are correct, they basically confirm the worst and most extreme interpretations people could come up with when this story broke. But there's no evidence presented in these slides, at all, to support the notes they've "helpfully" added. Where's this information coming from?
Architecturally, it sounds remarkably similar to commercial social media monitoring platforms - not too surprising, since both are essentially about watching and searching the behavior of people around certain topics/groups/keywords.
Queries ('selectors') go in one end, are presumably translated into appropriate queries at each of the external 'data sources' (best-effort translation of the original selectors into whatever the source supports query-wise) and then the results are either alerted on in real-time (surveillance) or kept longer-term (stored comms).
Content returned varies on what the provider can support.
Finally there is a search interface on top (although it looks very basic in this case - simple boolean AND/OR) to provide historic search over the data collected.
The Washington Post articles keep referring to companies/providers as "participating", but no where in the slides does it say that internet companies are knowingly participating. It seems very likely that the companies listed are unaware of the surveillance, and the dates listed are when the NSA was able to tap and decode their data streams. I would really like to see evidence that companies are knowingly participating, otherwise this may be defamation by the Post.
Tech: All the companies listed have multiple sites/datacenters. While they use SSL/TLS to encrypt client-server connections, they may not be using encryption to protect server-server connections. Most of the database replication systems don't use encryption by default. Companies use circuit switched connections between sites, they don't own the fiber between two datacenters. That fiber is owned by the big telco providers, and passes through equipment owned by the telco providers.
We know big telco providers like AT&T and Verizon are very willing to give the NSA access to everything without putting up a fight. It seems very possible to me that the NSA is surveilling these companies without their knowledge.
For example it was reported that Dropbox was "coming soon" to PRISM. I don't believe for a second that Dropbox is knowingly giving access to the NSA. "Coming soon" may mean that the NSA has tapped Dropbox's communication, and they are working on decoding it, and converting it into a usable format for PRISM.
That's an unnecessary conspiracy theory. The companies all say that they comply with all legal orders, and secret FISA orders are legal. These slides all seem in line with what the CEOs and reps have said.
No one is denying PRISM exists, it just needs to be abolished, and all things like it should be subject to public scrutiny. Obviously it's not ineffective when it's not a secret, so there is no reason for secrecy.
I really think that this is the case. Splitting the data would involve considerably less people in the know than asking for cooperation. Also, only the telecoms were granted immunity. The NSLs really appear to be solely for metadata, and maybe the uniformed response to this program by the 9 companies listed is a diversion from the NSLs, and they have not given "direct access".
The Post describes FBI-maintained equipment on company premises. It doesn't seem likely that Google's controls on their own infrastructure (or, say, Facebook's) are so lax that a few racks full of stuff could show up at their data centers without anyone at the company being aware of it.
The old parts of the WaPo's notes don't seem to have been revised. For example, the 'PRISM' name probably doesn't have anything to do with fibre-optic taps, since the You Should Use Both slide indicates that the PRISM name refers only to the Web-company "direct collection" operation rather than the "upstream collection" from the network. https://news.ycombinator.com/item?id=5887627 (This Washington Post page still doesn't seem to have any mention of the You Should Use Both slide, probably for the bad reason that it was the Guardian's scoop.) Similarly, the Introduction slide seems to be mostly relevant to upstream collection rather than PRISM.
Apple joined in Oct 2012. It could be that other companies have agreed to join and were allocated those codes, but are not yet up and running as of the date the slides were made. Just speculation. I recall that there was a slide saying "dropbox coming soon", so they are probably working on onboarding other companies.
With only two characters for the source ID, somebody at the NSA is thinking long term and using more than just digits from now on. Many more providers will come in the future.
To me the most interesting thing about all this will be the level of integration between the systems and their ability to filter and record information, figuring out who is likely to have done/said/thought what (using very agressive machine learning algorithms) and tying that in to an email address as the key. There is no court order needed from an operative I'm certain to get my Internet history from the fibre optic side; why would they even need to bother requesting info from google etc. directly of they can just start filtering on certain cookies in real time. SSL might be difficult to break, but I can see that you could easily proxy SSL connections at the network level... Maybe someone can explain to me how a man in the middle attack against SSL can be prevented?
When looking at these new slides with commentary, I find them hard to reconcile with the Google statements about access, but they're not completely contradictory. This line from the slides commentary in particular is new (I wonder if it summarises other slides considered too compromising to reveal?):
Washington Post - The FBI uses government equipment on private company property to retrieve matching information from a participating company
The statements by Google seem to contradict this on first reading:
Larry Page - "Second, we provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process. Press reports that suggest that Google is providing open-ended access to our users’ data are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false."
David Drummond - "Now, what does happen is that we get specific requests from the government for user data. We review each of those requests and push back when the request is overly broad or doesn't follow the correct process. There is no free-for-all, no direct access, no indirect access, no back door, no drop box."
The slides and accompanying commentary from the WP imply that these statements above are at best misleading and misdirection, but not necessarily untrue in a strict sense. There are various qualifiers and ambiguities in the Google statements which mean they could still be claimed to be true - the placement of the apostrophe on users’ data, which could be taken to mean all users as a plurality rather than just a few tens of thousand, the use of broad, and on such a scale to limit the denial to activities similar to those at Verizon which was reporting all activity. They may well not have heard of a PRISM program as there would be no reason to share the codename with them. Taken together those denials could be taken to be simply denials of participating in complete surveillance (with broad being defined as every single user) or giving access (in some limited sense) to their servers - I'm not sure they've ever denied access to data. The only thing which does puzzle me is that they've claimed their legal team reviews each and every request - that would be hard to do in an automated system or one in which the NSA has their own equipment, though perhaps they do it in bulk or retrospectively.
So these statements could be true in some limited sense, but it'd be nice if Google didn't feel the need to couch their denials in lawyerly evasions. The main reason they have to do this and cannot release more data is that they're not allowed to talk about these secret programs - that enforced secrecy is the most damaging thing here, both for Google and for public debate - we can't talk about them because they're secret, and neither the people affected, nor even the US Congress are given the facts to decide whether they even approve of this behaviour by the NSA/FBI, because the programs are secret. No-one can have a meaningful debate on these programs without more information.
[+] [-] pvnick|12 years ago|reply
It also needs to be said that another leak is coming soon that details a program that collects/stores the contents of 1 Billion cell phone calls every single day [1]. I submitted the link earlier but it got buried after only a few upvotes.
[1] http://www.businessinsider.com/greenwald-nsa-store-calls-eve...
[+] [-] tippytop|12 years ago|reply
But hopefully this event will start getting people together to keep the pressure on as new revelations come out. Protesting matters, phone calls matter, emails matter---I've seen it. Generally the rule is for every one constituent (that's key) call there's 100 more who think that. Right now you can start to see the official line fraying a bit with various actors attempting to cover their own asses. Maybe they don't care about the big picture, but they care about legacy, career, and ego. And no one wants to be on the wrong side of history.
[+] [-] skue|12 years ago|reply
My page for my New England city has nothing except a link to a conversation with half a dozen folks planning a preliminary meeting, with no follow up info posted. I could drive to Boston, but what's the point: the Boston group is only predicting an attendance of 40. I doubt it will get media coverage, and at that size I honestly hope it doesn't.
[+] [-] samd|12 years ago|reply
US citizens make up less than 50% of the world population. So given any target I can be more than 51% confident that they are not a US citizen, knowing nothing about the particular target whatsoever.
[+] [-] WestCoastJustin|12 years ago|reply
[1] http://en.wikipedia.org/wiki/List_of_countries_by_population
[2] http://en.wikipedia.org/wiki/Facebook_statistics
[+] [-] hypersoar|12 years ago|reply
[+] [-] jamesaguilar|12 years ago|reply
[+] [-] bcl|12 years ago|reply
[+] [-] ISL|12 years ago|reply
[+] [-] twelvechairs|12 years ago|reply
[+] [-] eightyone|12 years ago|reply
"The program is court-approved but does not require individual warrants."
So does this mean that the number of government requests released by Facebook, Microsoft, etc. within the last few weeks are essentially meaningless in regards to PRISM and most likely other top secret government spying programs?
[+] [-] tptacek|12 years ago|reply
The reasonable expectation one would have about statistics released by (say) Yahoo pursuant to this process is that they would capture every directive received by the provider, since providers don't get the certifications.
Just a quick reminder: the USG does not need and has never needed and probably will never need a warrant to spy on a foreign entity not on US soil. I'd be interested in hearing about any country that had a signals intelligence capability (Germany, France, Israel, UK, China, Japan, Brazil, &c) in which a warrant was required to conduct foreign intelligence.
[+] [-] siddboots|12 years ago|reply
[+] [-] segacontroller|12 years ago|reply
I think the uniformed response from the carriers is a diversion from the NSLs which they cannot speak about for the metadata or specific requests for information they have not obtained via fiber splitting.
I don't think that many people knew about the fiber splitting. Only the telecoms were granted immunity.
[+] [-] tzs|12 years ago|reply
[+] [-] md224|12 years ago|reply
Is it just me or is this a fairly bold claim? I don't see anything about government equipment on private company property in the slides... wondering if this is additional testimony from Snowden, or info from supplementary docs that they haven't released.
Also: "The Foreign Intelligence Surveillance Court does not review any individual collection request." Could I get some perspective on this statement? Is this as bad as it sounds? Or are they saying the court approves monitoring on an individual and doesn't need to give approval for every single collection request on that individual?
[+] [-] WestCoastJustin|12 years ago|reply
In January 2009, the FBI, at NSA's request, assumed responsibility for the Domestic Content Order and became the declarant before the FISC.
[1] https://news.ycombinator.com/item?id=5952830
[+] [-] mpyne|12 years ago|reply
Given the interface already laid out in what we knew about PRISM before, that's mostly an implementation detail. Maybe the company didn't want to have to send the data over the open Internet on their own (even encrypted) and wanted to pawn off that responsibility to the NSA?
I don't know where the info came from but I remember it being talked about when the news first leaked so it may have been sent by Snowden with the initial leak of slides.
I suppose the question is really how embedded into the company's subnet is the government equipment?
> The Foreign Intelligence Surveillance Court does not review any individual collection request
Basically this part from the article introduction: "The program is court-approved but does not require individual warrants. Instead, it operates under a broader authorization from federal judges who oversee the use of the Foreign Intelligence Surveillance Act (FISA)".
Keep in mind this is where the US/non-US inequality is at its most severe. Almost the only reason the FISC really cares about this at all is to prevent monitoring of American citizens in a way that violates the 4th Amendment. The program as constituted is less worried about ensuring the right person has their data collected as it is about ensuring that a U.S. citizen does not have their data collected.
So from that perspective such a warrant might appear rational on the part of the court.
That's admittedly a pretty large inequity between US and non-US persons but that's how the existing case law seems to approach it.
[+] [-] rsingel|12 years ago|reply
And yes, the NSA tells the FISA court it wants a court order to spy on Al Qaeda in Pakistan or Chinese spies. Each one of those is a "court order". If it sounds like a general warrant, well, that's because that's what it is.
[+] [-] LoganCale|12 years ago|reply
http://news.cnet.com/8301-1009_3-57428067-83/fbi-we-need-wir...
[+] [-] moskie|12 years ago|reply
I think something is inferred there that isn't necessarily true: there being 117,675 PRISM records does not necessarily refer to 117,675 different people being targeted. The slides imply that there would be two different records for the same person's Gmail account and their Facebook account. So the number of individual people being targeted would actually be a good amount less. Yes, still tens of thousands of people... but less that 117,675.
[+] [-] drivebyacct2|12 years ago|reply
But who really knows, I guess.
[+] [-] bulatb|12 years ago|reply
If the annotations are correct, they basically confirm the worst and most extreme interpretations people could come up with when this story broke. But there's no evidence presented in these slides, at all, to support the notes they've "helpfully" added. Where's this information coming from?
[+] [-] brown9-2|12 years ago|reply
[+] [-] dmix|12 years ago|reply
http://apps.washingtonpost.com/g/page/national/inner-working...
[+] [-] jka|12 years ago|reply
Queries ('selectors') go in one end, are presumably translated into appropriate queries at each of the external 'data sources' (best-effort translation of the original selectors into whatever the source supports query-wise) and then the results are either alerted on in real-time (surveillance) or kept longer-term (stored comms).
Content returned varies on what the provider can support.
Finally there is a search interface on top (although it looks very basic in this case - simple boolean AND/OR) to provide historic search over the data collected.
[+] [-] logn|12 years ago|reply
Facebook joined PRISM on June 3, 2009.
[+] [-] antoncohen|12 years ago|reply
Tech: All the companies listed have multiple sites/datacenters. While they use SSL/TLS to encrypt client-server connections, they may not be using encryption to protect server-server connections. Most of the database replication systems don't use encryption by default. Companies use circuit switched connections between sites, they don't own the fiber between two datacenters. That fiber is owned by the big telco providers, and passes through equipment owned by the telco providers.
We know big telco providers like AT&T and Verizon are very willing to give the NSA access to everything without putting up a fight. It seems very possible to me that the NSA is surveilling these companies without their knowledge.
For example it was reported that Dropbox was "coming soon" to PRISM. I don't believe for a second that Dropbox is knowingly giving access to the NSA. "Coming soon" may mean that the NSA has tapped Dropbox's communication, and they are working on decoding it, and converting it into a usable format for PRISM.
[+] [-] andrewljohnson|12 years ago|reply
No one is denying PRISM exists, it just needs to be abolished, and all things like it should be subject to public scrutiny. Obviously it's not ineffective when it's not a secret, so there is no reason for secrecy.
[+] [-] segacontroller|12 years ago|reply
[+] [-] rst|12 years ago|reply
[+] [-] leoc|12 years ago|reply
[+] [-] rsingel|12 years ago|reply
So far as I can tell, this article from 2007 is the only comprehensive look at the FBI's private spy architecture.
http://www.wired.com/politics/security/news/2007/08/wiretap?...
[+] [-] leot|12 years ago|reply
[+] [-] segacontroller|12 years ago|reply
[+] [-] lawnchair_larry|12 years ago|reply
[+] [-] signed0|12 years ago|reply
[+] [-] flyt|12 years ago|reply
[+] [-] alx|12 years ago|reply
[+] [-] shadowmatter|12 years ago|reply
These slides look to be from the same deck. I wonder if there are more yet to come.
[+] [-] yen223|12 years ago|reply
[+] [-] unknown|12 years ago|reply
[deleted]
[+] [-] andy_ppp|12 years ago|reply
[+] [-] unknown|12 years ago|reply
[deleted]
[+] [-] sixothree|12 years ago|reply
[+] [-] stefanix|12 years ago|reply
[+] [-] grey-area|12 years ago|reply
Washington Post - The FBI uses government equipment on private company property to retrieve matching information from a participating company
The statements by Google seem to contradict this on first reading:
Larry Page - "Second, we provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process. Press reports that suggest that Google is providing open-ended access to our users’ data are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received—an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false."
David Drummond - "Now, what does happen is that we get specific requests from the government for user data. We review each of those requests and push back when the request is overly broad or doesn't follow the correct process. There is no free-for-all, no direct access, no indirect access, no back door, no drop box."
The slides and accompanying commentary from the WP imply that these statements above are at best misleading and misdirection, but not necessarily untrue in a strict sense. There are various qualifiers and ambiguities in the Google statements which mean they could still be claimed to be true - the placement of the apostrophe on users’ data, which could be taken to mean all users as a plurality rather than just a few tens of thousand, the use of broad, and on such a scale to limit the denial to activities similar to those at Verizon which was reporting all activity. They may well not have heard of a PRISM program as there would be no reason to share the codename with them. Taken together those denials could be taken to be simply denials of participating in complete surveillance (with broad being defined as every single user) or giving access (in some limited sense) to their servers - I'm not sure they've ever denied access to data. The only thing which does puzzle me is that they've claimed their legal team reviews each and every request - that would be hard to do in an automated system or one in which the NSA has their own equipment, though perhaps they do it in bulk or retrospectively.
So these statements could be true in some limited sense, but it'd be nice if Google didn't feel the need to couch their denials in lawyerly evasions. The main reason they have to do this and cannot release more data is that they're not allowed to talk about these secret programs - that enforced secrecy is the most damaging thing here, both for Google and for public debate - we can't talk about them because they're secret, and neither the people affected, nor even the US Congress are given the facts to decide whether they even approve of this behaviour by the NSA/FBI, because the programs are secret. No-one can have a meaningful debate on these programs without more information.
[+] [-] unknown|12 years ago|reply
[deleted]