PRISM logo via leaked NSA slides

The PRISM Details Matter

On “directly,” “unilaterally,” and the difference between a bombshell and a yawn of a story

[2013/06/14: An update addressing Greenwald’s response is at the bottom — Mark]

Glenn Greenwald and Ewan MacAskill’s account of the NSA’s “PRISM” program in the Guardian is woefully short on technical details of how the program works. This lack of clarity should be troublesome to those attempting to decide whether they should be outraged. Does this program allow the government to look at private communications on a company’s central servers without a valid court order, or is it something more benign?

There shouldn’t have to be this lack of clarity. Greenwald and MacAskill’s followup article identifying Edward Snowden as the leaker specifically mentions his affinity for technical details:

A master on computers, he seemed happiest when talking about the technical side of surveillance, at a level of detail comprehensible probably only to fellow communication specialists.

Yet in both articles, the authors neglected to share these technical details. The closest we get to a description of what the authors think is going on is this, from the original article:

When the FAA was first enacted, defenders of the statute argued that a significant check on abuse would be the NSA’s inability to obtain electronic communications without the consent of the telecom and internet companies that control the data. But the Prism program renders that consent unnecessary, as it allows the agency to directly and unilaterally seize the communications off the companies’ servers.

The Washington Post similarly claimed that agencies were “tapping directly into the central servers.” Additionally, the Post claimed:

From inside a company’s data stream the NSA is capable of pulling out anything it likes […]

Words have meaning, and the ones chosen here paint a grave picture. If the NSA has direct and unilateral access to anything it likes on the company’s servers, then this story is a bombshell, it deserves all the attention it is getting, and the vehement denials of direct access that the implicated companies have made are falsehoods. If these claims are true, people should be furiously angry both with the US government and with the implicated companies.

The New York Times’ sources claim that the program is rather different in its operation:

But instead of adding a back door to their servers, the companies were essentially asked to erect a locked mailbox and give the government the key, people briefed on the negotiations said. Facebook, for instance, built such a system for requesting and sharing the information, they said. The data shared in these ways, the people said, is shared after company lawyers have reviewed the FISA request according to company practice. It is not sent automatically or in bulk, and the government does not have full access to company servers. Instead, they said, it is a more secure and efficient way to hand over the data.

The Director of National Intelligence has also responded with a similar explanation:

PRISM is not an undisclosed collection or data mining program. It is an internal government computer system used to facilitate the government’s statutorily authorized collection of foreign intelligence information from electronic communication service providers under court supervision, as authorized by Section 702 of the Foreign Intelligence Surveillance Act (FISA) (50 U.S.C. § 1881a).

The kind of access described in these accounts is both indirect and moderated in that the government only has access to a subset of data about FISA warrant-specified targets, and this data is not gathered unilaterally, but only after company lawyers have reviewed and approved the request. In this case, the company is obligated by law to turn the data over. The only choice they have is how they do it. The New York Times and the NSA claim that PRISM is merely a more efficient way of getting legally-required information from the company’s central servers to a place where the government can access it. But that’s not a bombshell — that’s a yawn. This would just mean that tech companies whose very mission is to create informational efficiency have coöperated with a technical program that streamlines compliance with legal court orders.

If that banal implementation detail is in fact the whole truth of the program, why would Greenwald and MacAskill have alleged direct and unilateral access? When challenged on Twitter, Greenwald replied “Our story is 100% accurate and not a comma has been or will be changed.” He seemed to be sticking by his account. Another time, when challenged, he pointed to a fifth PowerPoint slide posted by The Guardian.

NSA PRISM slide

This slide claims “collection directly from the servers” of service providers. But it isn’t clear at all that “the servers” means the company’s central servers and not a digital clean room set up specifically to hold data on warrant targets. Greenwald seems oblivious to this possibility:

“It means what it says: that they can take things directly from the servers of those companies. What else could it mean?”

Greenwald also said that what the companies have said, and what the NSA claims, conflicts:

“We reported — accurately — what the NSA claims. We reported —accurately — what the companies claim. It conflicts. That’s why we reported it.”

But Greenwald and MacAskill reported more than what the published slides claim. They reported direct and unilateral access to company data. The slides don’t actually conflict with the company and NSA statements, once you take into account that “the servers” doesn’t necessarily mean the company’s central servers, and could instead mean the kind of secondary digital clean room described in The New York Times’ account.

This is not a pedantic point.

The difference between these two explanations isn’t some nuanced distinction that only tech geeks should care about. This is the difference between companies voluntarily giving the government direct and unilateral access to arbitrary customer data and companies merely complying with the law in a technically efficient way that doesn’t change the nature of the data received by the government. If Greenwald and MacAskill have documents or detailed statements from Snowden that provide illumination on this point, they should share this information. Because as it stands now, the only way their story is true is if all the companies involved are lying, and the NSA is lying, and Senators Feinstein and Rogers are lying, and the President is lying, and the New York Times’ sources are lying.

Everyone but Greenwald’s source would have to be lying.

This certainly isn’t impossible. Much more likely in my estimation is that Greenwald’s use of “direct” and “unilateral” was technically imprecise or the result of exaggerations from his source. Either way, the American people deserve to know the truth. Before the story moves on to the motivations of the leaker, or the safety of the leaker, or the fallout from the leak, it would be helpful to learn precisely how this program works. Does it indeed render company consent unnecessary? Can the government search their customer data without company lawyers first reviewing and approving a lawful court order? Or is PRISM merely the method that companies use to comply with lawful requests?

If the kind of direct, unilateral access alleged by The Washington Post and The Guardian is not the case, the publications should issue strongly worded retractions. If this kind of access is the case, they should share the sources for this information; the slides they have published do not corroborate this account.

These details matter.

These details completely change the nature of the story, and they shouldn’t just be brushed aside as a minor technical footnote. Serious accusations were made, and have been roundly denied by the implicated parties. There is no aspect of this story more important than finding out which account is accurate.