How to talk about PRISM and not get entirely blown-off, if you’re an activist

(aka: How #PRISM works…)

Alec Muffett
Oct 7, 2016

[ This is a mildly-edited extract of a mail which I wrote to an Open Rights Group maillist, discussing the recent Yahoo mail-scanning story; we start with the feedline. Begin extract.]

[…deletia…] I agree with his assessment — it looks like wiretap for a selector across live accounts (scope unknown).

I concur, but with a potential twist which is unclear. For those who aren’t aware, the way that Section 702 “PRISM” interception surveillance works is well-described in the Wikipedia article:

According to this report, PRISM is only used to collect internet communications, not telephone conversations. These internet communications are not collected in bulk, but in a targeted way: only communications that are to or from specific selectors, like e-mail addresses, can be gathered. Under PRISM, there’s no collection based upon keywords or names.[39]

The actual collection process is done by the Data Intercept Technology Unit (DITU) of the FBI, which on behalf of the NSA sends the selectors to the US internet service providers, which were previously served with a Section 702 Directive. Under this directive, the provider is legally obliged to hand over (to DITU) all communications to or from the selectors provided by the government.[39] DITU then sends these communications to NSA, where they are stored in various databases, depending on their type.

Data, both content and metadata, that already have been collected under the PRISM program, may be searched for both US and non-US person identifiers. These kinds of queries became known as “back-door searches” and are conducted by NSA, FBI and CIA.[40] Each of these agencies has slightly different protocols and safeguards to protect searches with a US person identifier.[39]

…and (to explain the jargon) a selector is a string of characters which identifies an individual, for instance:

  • an email address like john.doe@openrightsgroup.org
  • or a phone number
  • or a Twitter handle
  • or a Facebook username
  • or a lot of other things such as those you will find described in Snowden-related articles about XKeyscore.

The FBI then — as described above, though obviously sometimes for themselves, and sometimes on behalf of the NSA — serve these selectors to the various platforms, who are legally obliged to take action upon them and return to the FBI all blobs of data which pertain to these selectors in some [defined] way.

(Sidebar)

The reason that so many platforms can say, hand on heart:

  • We don’t enable bulk surveillance
  • There is no back door
  • We don’t give Government agents direct access to our servers

…is that strictly they are all telling the 100% accurate, honest-to-god truth.

Instead of “direct” access — and again, read the above Wikipedia article carefully — the Government forces platforms to query their own databases for selectors that the Government provide, using a threat which I would imagine goes somewhat along the lines of:

“Under section 702 you must give us everything you’ve got that pertains to john.doe@openrightsgroup.org and if we think you are holding out on us, we will set our lawyers on you / have you roasted in the press for harbouring child molesters / find some way to screw you for taxes.”

…so when anyone from the activist community is attacking a platform for “letting the government search [the] databases”, be aware that by phrasing the accusation in this way they are giving both the platform and the government a free escape route. They can truthfully deny the complaint and sidestep the attack, all because grammar.

So fix your grammar before you attempt such cleverness.

(End Sidebar)

[…email continues on detailed topic; End extract.]

I am not a lawyer, nor have I any special insight into these matters, but I imagine that instead of asserting that social network companies allow the Government to access or obtain data ‘direct’ from their servers — and we can perhaps blame Ed Snowden himself for popularising use of the emotive and incorrect word ‘direct’? — instead asking the companies to comment:

…upon the degree of oversight they have over the information which is legally sought under Section 702 requests; what they feel about the volume of Section 702 requests which they are obliged to process, and to what lengths do they go to minimize the information provided in response to Section 702 orders?

…would possibly be more fruitful, or at least amusing and interesting?

Also: don’t call it “PRISM”. Officially nobody knows that that exists, so they can truthfully say we don’t know anything about anything called PRISM, too…

Footnote

It’s entirely possible to argue that “there is no practical difference between giving the Government direct access to your {databases, servers} as opposed to the Government forcing you to run queries for different selectors upon their behalf and sending them the results”.

I have a lot of sympathy for this viewpoint, but regrettably the legal world does not work on the basis of “there is no practical difference”.

Therefore: we must fix our grammar and avoid providing get-out-of-jail-free passes to folk by “asking the right questions the wrong way”.

Footnote #2

Just in case you are one of the “…but Wikipedia is not a source” brigade, see instead the US Government report into how Section 702 of FISA works, from the “Privacy and Civil Liberties Oversight Board” report into “…the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act” at https://www.pclob.gov/library/702-Report.pdf

Extract attached, see highlighted text:

Once foreign intelligence acquisition has been authorized under Section 702, the government sends written directives to electronic communication service providers compelling their assistance in the acquisition of communications. The government identifies or “tasks” certain “selectors,” such as telephone numbers or email addresses, that are associated with targeted persons, and it sends these selectors to electronic communications service providers to begin acquisition. There are two types of Section 702 acquisition: what has been referred to as “PRISM” collection and “upstream” collection.

In PRISM collection, the government sends a selector, such as an email address, to a United States-based electronic communications service provider, such as an Internet service provider (“ISP”), and the provider is compelled to give the communications sent to or from that selector to the government. PRISM collection does not include the acquisition of telephone calls. The National Security Agency (“NSA”) receives all data collected through PRISM. In addition, the Central Intelligence Agency (“CIA”) and the Federal Bureau of Investigation (“FBI”) each receive a select portion of PRISM collection.

Upstream collection differs from PRISM collection in several respects. First, the acquisition occurs with the compelled assistance of providers that control the telecommunications “backbone” over which telephone and Internet communications transit, rather than with the compelled assistance of ISPs or similar companies.

Interestingly, regarding the Yahoo case, this section continues:

Upstream collection also includes telephone calls in addition to Internet communications. Data from upstream collection is received only by the NSA: neither the CIA nor the FBI has access to unminimized upstream data. Finally, the upstream collection of Internet communications includes two features that are not present in PRISM collection: the acquisition of so-called “about” communications and the acquisition of so-called “multiple communications transactions” (“MCTs”). An “about” communication is one in which the selector of a targeted person (such as that person’s email address) is contained within the communication but the targeted person is not necessarily a participant in the communication. Rather than being “to” or “from” the selector that has been tasked, the communication may contain the selector in the body of the communication, and thus be “about” the selector. An MCT is an Internet “transaction” that contains more than one discrete communication within it. If one of the communications within an MCT is to, from, or “about” a tasked selector, and if one end of the transaction is foreign, the NSA will acquire the entire MCT through upstream collection, including other discrete communications within the MCT that do not contain the selector.
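The distinction the report draws (PRISM returns communications to or from a tasked selector; upstream also sweeps in “about” communications and, where one end is foreign, the entire multiple-communications transaction) is easier to see on concrete data. The following is an added illustration written for this page, not code from the post, from the PCLOB report, or from any provider or agency; the message format, the sample mailboxes, the selector (reusing the post’s own john.doe@openrightsgroup.org example) and the notion of a “foreign end” are all constructed assumptions.

```python
"""Toy model of selector matching as the post and the PCLOB extract describe it.

Constructed example; it does not reflect any real provider's or agency's code.
Two modes are modelled:
  - PRISM-style: the provider queries its own store and returns messages
    that are *to or from* a tasked selector.
  - upstream-style: a match may also be "about" the selector (the selector
    appears in the body), and when the match sits inside a multiple-
    communications transaction (MCT) with one foreign end, every message in
    that MCT is acquired, including ones that never mention the selector.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    recipients: tuple
    body: str


@dataclass(frozen=True)
class Transaction:
    """An Internet 'transaction' carrying one or more discrete messages (assumed shape)."""
    txn_id: str
    messages: tuple
    one_end_foreign: bool


def _parties(msg: Message) -> set:
    """Normalised set of addresses that are participants in the message."""
    return {msg.sender.lower(), *(r.lower() for r in msg.recipients)}


def to_or_from(msg: Message, selectors: set) -> bool:
    """True if a tasked selector is the sender or a recipient."""
    return bool(_parties(msg) & selectors)


def about(msg: Message, selectors: set) -> bool:
    """True if a tasked selector appears in the body (an 'about' communication)."""
    body = msg.body.lower()
    return any(s in body for s in selectors)


def prism_collect(messages, selectors) -> list:
    """Provider-side query: ids of messages to or from a tasked selector only."""
    sel = {s.lower() for s in selectors}
    return [m.msg_id for m in messages if to_or_from(m, sel)]


def upstream_collect(transactions, selectors) -> list:
    """Backbone-side acquisition: to/from or 'about' match.

    A single-message transaction that matches is acquired. For an MCT, the
    whole bundle is acquired only when one end of the transaction is foreign,
    mirroring the condition quoted from the report.
    """
    sel = {s.lower() for s in selectors}
    acquired = []
    for txn in transactions:
        hit = any(to_or_from(m, sel) or about(m, sel) for m in txn.messages)
        if not hit:
            continue
        if len(txn.messages) == 1 or txn.one_end_foreign:
            acquired.extend(m.msg_id for m in txn.messages)
    return acquired


# Constructed sample data: one tasked selector, four messages, three transactions.
SELECTORS = ["john.doe@openrightsgroup.org"]
MESSAGES = (
    Message("m1", "john.doe@openrightsgroup.org", ("alice@example.com",), "Lunch on Friday?"),
    Message("m2", "bob@example.com", ("carol@example.com",),
            "Ask john.doe@openrightsgroup.org about the venue"),   # 'about' only
    Message("m3", "bob@example.com", ("carol@example.com",), "Unrelated chatter"),
    Message("m4", "dave@example.com", ("erin@example.com",), "See the attached notes"),
)
TRANSACTIONS = (
    Transaction("t1", (MESSAGES[0],), one_end_foreign=False),
    Transaction("t2", (MESSAGES[1], MESSAGES[3]), one_end_foreign=True),   # MCT
    Transaction("t3", (MESSAGES[2],), one_end_foreign=False),
)


def demo() -> dict:
    """Run both collection modes over the sample data and return the ids acquired."""
    return {
        "prism": prism_collect(MESSAGES, SELECTORS),
        "upstream": upstream_collect(TRANSACTIONS, SELECTORS),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the scope difference the report describes: the PRISM-style query returns only `m1`, while the upstream-style pass returns `m1`, the “about” message `m2`, and `m4`, which is acquired solely because it was bundled in the same MCT as `m2`.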

Footnote #3

“How do selectors get from DITU to the Communications Service Provider?”

The boring answer: This is an implementation detail, and frankly it does not really matter; we are in a modern era of networking where vast amounts of data can be quickly and economically sent and received by any person with a phone, so shipping however-many tens/hundreds/thousands/more of selectors around is not a big deal, and is likely dealt with by means commensurate with the risk, and the capabilities of the Communications Service Provider.

The fun answer: Excel Spreadsheets of “Selectors” are written to USB thumb-drives which are then tied to the legs of heavily-vetted carrier pigeons that fly between Ft Meade and the vast data-farms of Silicon Valley.

Which are actually in a potato field in Idaho.
