PRISM is a code name for a program under which the United States National Security Agency (NSA) collects Internet communications from various US Internet companies. The program is also known by the SIGAD US-984XN. PRISM began in 2007 in the wake of the passage of the Protect America Act under the Bush Administration.

The program is operated under the supervision of the U.S. Foreign Intelligence Surveillance Court (FISA Court, or FISC) pursuant to the Foreign Intelligence Surveillance Act (FISA). The existence of the program was leaked six years later by NSA contractor Edward Snowden, who warned that the extent of mass data collection was far greater than the public knew and included what he characterized as “dangerous” and “criminal” activities.

The National Security Agency in the US has access to whatever data you are storing with US service providers like Google Microsoft, Yahoo, and Facebook. They are also likely monitoring most of the traffic flowing across the Internet. We will try to summarize the important revelations about PRISM from the recent leaks and discussions around this important topic.

First, an important disclaimer: This summary will not be perfect or complete. The US government has complained that the discussion of PRISM involves incomplete information that does not paint a complete picture of what’s going on — but that’s all we have available to us. In spite of their complaints, the US government won’t give us all the information we need to have a proper debate. The same laws that compel service providers to hand over data also compel them to keep silent. They’re not even allowed to admit that they’ve received any demands for data.

PRISM and Upstream Surveillance

According to the internal US National Security Agency slideshow leaked by Edward Snowden, PRISM is not the only Internet surveillance tool used by the NSA.

One leaked slide clarifies matters. It states that PRISM is a “collection directly from the servers of [certain] U.S. Service Providers.

Other programs — codenamed FAIRVIEW, STORMBREW, BLARNEY, and OAKSTAR — work differently. These programs involve collecting all traffic, either by tapping undersea fiber optic cables or capturing traffic travelling through Internet routers and gateways located in the USA. It has long been known that the NSA has secret rooms at Internet service providers and routing companies where they can intercept and monitor the data flowing past. Room 641A at the AT&T office in San Francisco was the first such room that was learned about back in 2006.

Under these Upstream programs, the NSA probably has the ability to capture most of the data being transmitted over the Internet. They have a massive data centre in Utah, likely to store and analyze all this data. These upstream programs are capturing much more data and surveilling many more people than PRISM is.

What is PRISM

Upstream surveillance captures data flowing across the Internet, but this data is often incomplete if encryption is used. For example, the NSA cannot intercept Skype traffic data and decode it — the Skype traffic data is encrypted so no one can snoop on it in transit. The NSA cannot view your Google searches if you are logged in, because that is sent over an encrypted HTTPS connection as well.

PRISM is some sort of system that allows NSA agents to collect data “directly from the servers” of certain US-based service providers, including Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple.

After these slides were released, many companies spoke up and said they had never heard of PRISM before and that the NSA did not have “direct access” to their servers. This is likely true. What has been learnt so far indicates that PRISM is some sort of an internal NSA system that streamlines NSA demands for data to these companies. An NSA agent likely demands access to a user’s data — Gmail, Skype calls, Google or Bing searches, or instant messages — through the PRISM system and the company receives the demand. They then provide the demanded data in a convenient form, possibly through some sort of portal or by uploading it through standard protocols like FTP to the NSA’s system.

This was already going on before PRISM and it’s likely that providers not involved with PRISM are handing over data in the old, less-streamlined way. The new system allows NSA agents to demand data without filling out paperwork. Under the US FISA act, the NSA can monitor a person’s phone, email, and other communications for up to a week without going to the secret court and asking permission, and they can do it via PRISM.

How Many People Are Monitored Under PRISM?

So how many people are being monitored under PRISM? This is not known for sure. However, there are good reasons to be suspicious — the US government is demanding for all phone call “metadata” from phone companies in the USA. They have made a massive database containing which phone numbers call which other phone numbers and at which times. They have also asserted that they have a legal right to archive the location these calls were made from using cell phones, but they haven’t yet because of technical constraints. The US government is essentially monitoring everyone’s phone calls — not listening in to all of them, necessarily, but certainly tracking who you’re calling.

While the US government is essentially monitoring everyone’s Internet usage through upstream programs, PRISM seems a bit more targeted. The NSA likely looks at the upstream data and then decides who to look more closely at using PRISM. However, we don’t know for sure. The US government bans companies from even disclosing that they’ve received a national security letter request, much less disclosing how many they’ve received or how many accounts are being monitored.

Some companies received permission to report the total number of US government requests alone — everything from NSA requests relating to PRISM to standard police requests made with proper warrants. For example, Yahoo received 12,000 to 13,000 requests for user data between December 1, 2012, and May 31, 2012. We don’t know how many user accounts were covered by these requests or how many were made for surveillance instead of standard criminal investigations.

Foreign vs. Domestic Targets

FISA technically restricts the government from monitoring the communications of Americans or anyone present in the USA. However, there are some concerns here:

The NSA must have 51% confidence that the target is “foreign.” That’s the lowest possible standard they could apply under the law — and after that, anything goes.

The NSA is aware that domestic citizens end up being spied on under this standard, but instructs its agents in the leaked slides that it’s “nothing to worry about.”

Even if the NSA becomes confident the target isn’t foreign after collecting that data, the collected data can be kept forever. It’s just stored in a different database.

The NSA uses “contact chaining” and targets everyone within three “hops” of a suspected target. For example, if a coworker of yours has a friend whose long-lost brother is a suspected terrorist, you are a legitimate target of NSA surveillance and could have your digital life sifted through. Even if you’re found innocent, your data will be saved in a government database. Research has indicated that you can connect any person on the Internet to any other person in an average of 4.74 hops, or degrees. Many, many innocent people will be captured within three hops.

If you are not in the USA, things are even clearer. People outside the USA receive even less protection from intrusive surveillance and, even if found innocent, have their data stored in a database that can be more easily accessed.

Similar Surveillance Programs in Other Countries

In response to PRISM, citizens in other countries have expressed outrage. The German government was particularly vocal in expressing its disapproval.

However, various leaks have demonstrated that countries like the UK, France, and even Germany itself have similar secret Internet-monitoring programs in place. It’s clear that the majority of developed countries are likely doing similar things like the USA, although they haven’t been caught with their hands in the cookie jar just yet.

Where Do We Go From Here?

The media has fixated on PRISM, but it’s arguably one of the least scary revelations from recent NSA leaks. Yes, the US government is forcing US-based service providers to turn over customer data with only a secret court order from a rubber-stamp court. They’ve also built a system to streamline such requests, making it easier to spy on larger numbers of people. However, PRISM seems to at least be targeted at specific accounts. Other surveillance programs tap directly into the Internet’s backbone and monitor the data flowing past — even if the communication is encrypted, they can at least tell what websites you’re communicating with.

As storage becomes cheaper, new huge data centers are built, and laws like FISA and the Patriot act become even more loose and authorize even more wide-scale government surveillance, the expansion of PRISM in the future is a concern. Will PRISM grow into a program that demands US service providers hand over all customer data to the US government to be placed in a massive database, just as they already demand phone companies hand over all phone call records, and Internet communications companies allow them to monitor all data flowing past?

Now that the leaks have informed citizens of the USA and the rest of the world what has been going on in secret, perhaps we can all begin to have a discussion about what kind of surveillance is acceptable in a democratic society. If people agree that such surveillance is necessary, that’s one thing — but it’s quite another for such surveillance programs to be set up in secret by governments and forced on their citizens without debate or even an acknowledgement that they exist. The US government is fighting to keep court opinions justifying their surveillance programs under wraps — the surveillance programs are taking place under secret interpretations of laws that average citizens aren’t allowed to know. That’s no way to run a democracy.

Surveillance could also be used against everyone. Laws have become so complicated that it’s often said the average American commits three felonies per day. Everything from unlocking a cellphone to jailbreaking an iPad to violating a website’s terms of service is technically a felony that you could be convicted and jailed for in the USA.

Source: Wikipedia, Makeuseof.

self-taught developer and programmer. My areas of interest are Web Development, Penetration Testing, and Digital Forensics.

My technology stack includes C, C++, Python, Javascript, Bash, and Assembly. Joseph Moronwi writes about computer programming and cybersecurity. You can find him at his virtual home, https://netseedblog.com