What is the NSA's PRISM program? (FAQ)

We now know that the NSA uses something called PRISM to monitor private Web data. Sounds like "1984." What does it really mean?

Editors' note: Updated on June 12 to include new information.

You've been hearing about a top-secret government program reportedly giving the NSA access to digital consumer information held by large tech companies. But what is it, really, and how does it affect you? Reports are changing fast, so we created this FAQ to let you know what is known so far. We will continue to update it as the facts become clear.

What is PRISM?
PRISM stands for "Planning Tool for Resource Integration, Synchronization, and Management," and is a "data tool" designed to collect and process "foreign intelligence" that passes through American servers. Details about its existence were leaked to The Washington Post and The Guardian by Edward Snowden, a 29-year-old NSA contractor.

It has now been acknowledged by the Obama administration.

In the words of national security reporter Marc Ambinder, "PRISM [is] a kick-ass GUI that allows an analyst to look at, collate, monitor, and cross-check different data types provided to the NSA from Internet companies located inside the United States."

It only targets foreigners?
PRISM "cannot be used to intentionally target any U.S. citizen, or any other U.S. person, or to intentionally target any person known to be in the United States," according to a statement released by Director Clapper on June 8.

Why would there be foreign intelligence on American servers?
A huge amount of foreign internet traffic is routed through or saved on U.S. servers. For instance, a majority of Facebook and Google users are not from the United States.

So how does this affect an American's data?
The key word is intentional. The NSA can't intentionally target an American's data. But analysts need only be at least 51 percent confident of a target's "foreignness."

What is PRISM not?
It is apparently not the name for an overarching secret surveillance program in affiliation with certain large tech companies, as was originally reported by The Washington Post. Director of National Intelligence James Clapper has released a statement saying, "PRISM is not an undisclosed collection or data mining program." Instead, the name PRISM appears to refer to the actual computer program used to collect and analyze data legally requested by the NSA and divulged by Internet companies. This matches reports from CNET and The New York Times.

However, as the New York Times reported late Friday evening, it has come to light that the nine large tech companies first reported to be working with the NSA to divulge information have, in fact, made it easier for the government to access data from their servers.

Which companies are involved?
Microsoft, Yahoo, AOL, Facebook, Google, Apple, PalTalk, YouTube, and Skype. Dropbox is allegedly "coming soon." However, 98 percent of PRISM production is based on just Yahoo, Google, and Microsoft.

All nine of them have explicitly denied that the government has "direct access" to their servers. Reliable sources have confirmed to CNET that PRISM works on a request-by-request basis, rather than unfettered access, as was originally reported by the Washington Post. Here is a direct quote from our in-depth article on this issue:

Those reports are incorrect and appear to be based on a misreading of a leaked Powerpoint document, according to a former government official who is intimately familiar with this process of data acquisition and spoke today on condition of anonymity.

Still, it appears that though they may have withheld direct access to their servers, many did in fact agree to collaborate with the government on "developing technical methods to more efficiently and securely share the personal data of foreign users in response to lawful government requests."

How?
It's not entirely clear, but according to the New York Times, in at least two cases the companies discussed creating secure digital dropboxes where information sought by the NSA could be electronically deposited. Facebook reportedly actually built such a system.

On Tuesday, June 11, Google published a letter to the Justice Department, asking for permission to disclose the mechanism by which FISA requests are completed. A Facebook spokesperson joined the call, announcing that Facebook would "welcome the opportunity to provide a transparency report that allows us to share with those who use Facebook around the world a complete picture of the government requests we receive, and how we respond." After writing the letter to the Justice Department, Google discussed with Wired Magazine the ways it gets legal information to the government, insisting throughout that reports of "direct access" to Google servers have been erroneous. Jump to our How does it work? section for more details.

Why isn't Twitter a part of PRISM?
That's a very good question that at first no one was able to answer.

It now appears as though the answer is: Twitter simply said no.

Companies are legally obligated to comply with any legitimate government request for user data, but they are under no legal obligation to make that process easier. Twitter apparently refused to join the other nine in steamrolling the process.

On Friday, June 7, the New York Times wrote:

Twitter declined to make it easier for the government. But other companies were more compliant, according to people briefed on the negotiations. They opened discussions with national security officials about developing technical methods to more efficiently and securely share the personal data of foreign users in response to lawful government requests. And in some cases, they changed their computer systems to do so.

What type of data is monitored?
According to "slides and other supporting materials" given to The Guardian and The Washington Post by Snowden: "e-mail, chat, videos, photos, stored data, VoIP, file transfers, video conferencing, notifications of target activity...log-ins, etc., online social networking details" -- so, everything.

For instance, Google data includes "Gmail, voice and video chat, Google Drive files, photo libraries, and live surveillance of search terms."

The original report suggests that "NSA reporting increasingly relies on PRISM" as its leading source of raw material, accounting for nearly one in seven intelligence reports.

A reliable source tells CNET that both the contents of communications and metadata, such as information about who's talking to whom, can be requested.

Can they read my iMessage?
Theoretically, yes. That is the kind of data the program has access to.

So someone has read my e-mail?
Aside from the fact that Google's algorithms crawl your e-mail all the time to target ads at you, "someone" within the NSA may have read your e-mails.

Is it even legal?
Yes, under Section 702 of the Foreign Intelligence Surveillance Act (FISA) of 2008 and the Protect America Act of 2007. Director of National Intelligence James Clapper released a statement Thursday night saying that "Section 702 is a provision of FISA that is designed to facilitate the acquisition of foreign intelligence information concerning non-U.S. persons located outside the United States. It cannot be used to intentionally target any U.S. citizen, any other U.S. person, or anyone located within the United States." FISA was renewed last year by Congress.

According to the Post, "Late last year, when critics in Congress sought changes in the FISA Amendments Act, the only lawmakers who knew about PRISM were bound by oaths of office to hold their tongues." When the story broke, Ron Wyden (D-Ore.) and Mark Udall (D-Colo.) released a letter they cowrote to the Justice Department expressing their concerns relating to the program.

How does it work?
Essentially like this: The attorney general issues a secret order to a tech company to hand over access to its data to the FBI. The FBI then hands that information over to the NSA.

But many technical questions remain, such as: when given access, can the NSA tap directly into the companies' servers, as was originally alleged? Is the data printed out and handed to an NSA operative? Is an NSA operative stationed on the company's campus at a specific work station designed for such transactions?

On Tuesday, June 11, Google went to Wired Magazine in an attempt to answer some of these lingering questions. Google spokesman Chris Gaither flatly denied giving direct access to Google's servers, stating:

"When required to comply with these requests, we deliver that information to the US government -- generally through secure FTP transfers and in person. The US government does not have the ability to pull that data directly from our servers or network."

One thing to note about this answer is that in order for the secure FTP transfer to take place, it looks as though Google does have a special encrypted dropbox on campus -- which you could technically call a "company server" -- that stores and delivers the requested data.

Splitting hairs? Perhaps. It is very different from total, real-time access to Google's main servers.

Is this the same as the data Verizon is giving to the NSA?
No. This is separate. The data Verizon gives to the NSA is only metadata, so although the government can see who you call and how long you talk to them, they are not listening in on your voice mails and phone calls. But again, that's a separate NSA program. For more information on it, read this.

What's the fallout?
Well, so far respected human rights watchdog Freedom House has downgraded America's freedom ranking. Last time their survey was released, the United States was the second most free country on Earth in terms of Internet freedoms. That position is about to change.

How can I avoid this?
You can't.

Should I be outraged?
Probably! But maybe not. President Obama addressed PRISM on Friday and essentially said, "Don't worry. You can trust us."

Who is to blame for this?
Well, let's let Anthony Romero of the American Civil Liberties Union sum it up. He is quoted by The New York Times as saying, "A pox on all the three houses of government. On Congress, for legislating such powers, on the FISA court for being such a paper tiger and rubber stamp, and on the Obama administration for not being true to its values."

What happens next?
A diplomatic circus. The Obama administration has prosecuted leakers at an unprecedented rate, but it's going to have at least a bit of a hard time getting its hands on the source of these leaks: Edward Snowden is apparently holed up in a hotel in Hong Kong.

The NSA contractor outed himself in an interview with The Guardian's Glenn Greenwald in which he says that he chose Hong Kong because, "[it] has a reputation for freedom in spite of the People's Republic of China. It has a strong tradition of free speech." Hong Kong is a Special Administrative Region of The People's Republic of China and has its own government distinct from, but ultimately subject to, Beijing.

The United States does have a bilateral extradition treaty with Hong Kong, but a request from the U.S. based on political offenses could be vetoed by either Hong Kong or Beijing.

For now Snowden says, "the only thing I can do is sit here and hope the Hong Kong government does not deport me."