A closer look at Prism and US government surveillance

Towards the end of last week, over in the US it came to light that the FBI and National Security Agency (NSA) have direct, government-mandated, warrantless access to servers at Google, Apple, Facebook, Microsoft, Skype, and other major Internet companies.

Furthermore, the NSA also requested – and received – data about every domestic call that’s routed through Verizon’s wired telephone network. While we only have proof of this one request made to Verizon, it is almost guaranteed that the NSA also demanded the same information from every other wired and wireless telecommunications company in the US. In short, last week saw the revelation of what is probably by far the biggest case of domestic spying on innocent US citizens.

This data came out via two leaks. Firstly, the Guardian got its hands on a top secret court order, issued by the Foreign Intelligence Surveillance Court, demanding Verizon turn over all of its “telephony metadata” – all of the data pertaining to a call, but not the actual content of the call – on a daily basis, for all domestic and international calls terminating in the US.

Secondly, the Washington Post got its hands on slides detailing the US government’s Prism program – a top secret program that gives the US intelligence community direct access to the servers of nine Internet companies, including Google, Microsoft, Apple, Skype, and Facebook. As far as we can tell, both Prism and the collection of telephony metadata have been going on for years – probably since soon after the Patriot Act was enacted in 2001, following the 11 September attacks.

What isn’t known at this point is just how extensive the FBI and NSA’s data gathering antics have been, but it’s fairly safe to assume that the US government’s dragnet is a lot broader than just these two cases. The slides released by the Washington Post say that Prism is the most prolific contributor to the President’s Daily Brief (PDB), with one in seven NSA reports citing data gathered by Prism, for a total of 1,477 articles read by Obama last year.

Perhaps most worryingly, though, there’s no clear evidence that the court orders and Prism are only being used to gather domestic intelligence in the US; as far as we can tell, Prism seems to care little about whether the target is domestic or international.

So, through these secret court orders and Prism, what data does the US government have access to? Telephony metadata consists of phone numbers, the unique serial numbers of any phones involved in the call, the start and end time, and sometimes the locations of the callers. It does not directly identify any caller by name, but it’s relatively easy to make the jump from a phone number, serial number, or location to an actual name. As long as you’re building up a detailed network of who talks to whom, when, and where, names aren’t all that important either. While the Verizon court order excludes the actual content of phone calls, it’s not unlikely that there have been other secret court orders that also give the FBI and NSA access to the conversations.

The Prism program is potentially a lot more nefarious. According to the slides, the US intelligence community has access to just about everything that you do, say, or post on Facebook, Google (Gmail, Search, YouTube), Yahoo, AOL, Microsoft (Hotmail, Skype), and Apple. As far as we can tell, there’s no separation between domestic and international citizens, nor between innocents and people suspected of wrongdoing: Prism, in a word, appears to give the US government completely unfettered, warrant-free access to almost all of your online activity and communications.

Data… lots of data

One question that remains unanswered is how the US government accesses the servers of these Internet companies, or how it receives telephony metadata from Verizon (and probably other phone companies) on a daily basis. Due to the sheer scale of the data involved – probably on the scale of terabytes or petabytes per day – and the distributed nature of the Internet, it’s simply not realistic for the US government to have a single mega-hub, where every telco and Internet company sends their data.

Back in 2006, a whistleblower reported that the NSA had a secret room in an AT&T switching centre in San Francisco, where it could listen in on all phone calls and Internet traffic that passed through it. It’s entirely possible that the NSA/FBI/US government has similar rooms at switching hubs and data centres throughout the US. It’s easy to imagine the NSA having an office at Facebook’s data centre in Oregon, for example, and then forwarding any interesting information to the Pentagon.

These local offices probably have direct access to the local Facebook/Google/Microsoft servers, probably via a special interface that limits what kind of data they can obtain. The slides mention that each Internet company provides different data, presumably as stipulated by each company’s technology and privacy chiefs, so the US government doesn’t have unlimited access to the actual memory and hard drives of these servers.

Again, due to the sheer volume of data, we’re probably not talking about human spies leafing through your Facebook photos – your data is probably gathered and analysed by a computer, with computer vision, voice recognition, and other specialised algorithms sifting the occasional photo of a homemade pipe bomb out of the millions of food, baby, and lolcat photos.

These threats are probably then packaged up and sent along to FBI and NSA analysts in Washington and Maryland, where actual terrorist threats are picked out and presented to President Obama on a daily basis.

Is the US government out of control?

After learning about the Verizon wiretap and Prism slides, by far and away the most common response from the media is that Obama and the US government are out of control. Within hours of the Verizon wiretap being made public, the Obama administration trotted out the same old line to US citizens: It might seem like we’re stripping you of your First and Fourth Amendment rights, and Due Process, in the search for terrorists, but really, trust us, we know what we’re doing. This platitude was never that persuasive at the best of times, and at the worst of times – when the administration is caught doing something particularly heinous – it almost seems like they’re laughing in the faces of their citizens.

Ultimately, any government will use the powers that it is given, whether for good or evil – and the Patriot Act gives the US government an astonishingly broad carte blanche when it comes to surveillance. The sad fact is that under the Patriot Act, the Verizon wiretap and Prism are probably perfectly legal. If anything, this story is a prime example of why laws should never be rushed through, especially when those bills are as massively overreaching as the Patriot Act.

Moving forward, whether you’re a US citizen, an international citizen who uses Internet services based in the US, or simply unlucky enough to be based in a country that routes most of its traffic through the US, all we can really do is pray that the Patriot Act is repealed. With terrorism in the US seemingly on the rise throughout the 2000s, and showing no sign of slowing this decade, it would appear that the Patriot Act, for all of its wanton decimation of our civil liberties, hasn’t done a whole lot to curb terrorism.

It’s not that simple, though: The intelligence community would undoubtedly claim that there would be more terrorism without these Big Brother-like measures – a claim that’s awfully hard to refute, when all of the data is top secret. With enough of an uproar, though, much like SOPA, the Patriot Act could be defeated.

For the time being, if you’re worried about Uncle Sam reading your messages and looking at your photos, your best bet is to stop using big, US-based Internet services such as Google and Facebook, and to ensure that you always use encrypted connections (HTTPS) when surfing the web (also see our tips on staying anonymous online).