U.S., company officials: Internet surveillance does not indiscriminately mine data
By Robert O’Harrow Jr., Ellen Nakashima and Barton Gellman,
The director of national intelligence on Saturday stepped up his public defense of a top-secret government data surveillance program as technology companies began privately explaining the mechanics of its use.
The program, code-named PRISM, has enabled national security officials to collect e-mail, videos, documents and other material from at least nine U.S. companies over six years, including Google, Microsoft and Apple, according to documents obtained by The Washington Post.
The disclosures about PRISM have renewed a national debate about the surveillance systems that sprang up after the attacks of Sept. 11, 2001, how broad those systems might be and the extent of their reach into American lives.
In a statement issued Saturday, Director of National Intelligence James R. Clapper Jr. described PRISM as “an internal government computer system used to facilitate the government’s statutorily authorized collection of foreign intelligence information from electronic communication service providers under court supervision.”
“PRISM is not an undisclosed collection or data mining program,” the statement said.
Clapper also said that “the United States Government does not unilaterally obtain information from the servers of U.S. electronic communication service providers. All such information is obtained with FISA Court approval and with the knowledge of the provider based upon a written directive from the Attorney General and the Director of National Intelligence.”
The statement from Clapper is both an affirmation of PRISM and the government’s strongest defense of it since its disclosure by The Post and the Guardian on Thursday. On Wednesday, the Guardian also disclosed secret orders enabling the National Security Agency to obtain data from Verizon about millions of phone calls made from the United States.
Clapper called the disclosures “rushed” and “reckless,” with “inaccuracies” that have left “significant misimpressions.”
“Disclosing information about the specific methods the government uses to collect communications can obviously give our enemies a ‘playbook’ of how to avoid detection,” Clapper said. “Nonetheless, [the law governing PRISM] has proven vital to keeping the nation and our allies safe. It continues to be one of our most important tools for the protection of the nation’s security.”
In responding to the revelations about PRISM, the White House, some lawmakers and company officials have repeatedly suggested that secret court orders are issued every time the NSA or other intelligence agencies seek information under Section 702 of the Foreign Intelligence Surveillance Act. But the orders, which are also secret, serve as one-time blanket approvals for data acquisition and surveillance on selected foreign targets for periods of as long as a year.
The companies have publicly denied any knowledge of PRISM or any system that allows the government to directly query their central servers. But because the program is so highly classified, only a few people at most at each company would legally be allowed to know about PRISM, let alone the details of its operations.
Executives at some of the participating companies, who spoke on the condition of anonymity, acknowledged the system’s existence and said it was used to share information about foreign customers with the NSA and other parts of the nation’s intelligence community.
These executives said PRISM was created after much negotiation with federal authorities, who had pressed for easier access to data they were entitled to under previous orders granted by the secret FISA court.
One top-secret document obtained by The Post described it as “Collection directly from the servers of these U.S. Service Providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.”
Intelligence community sources said that this description, although inaccurate from a technical perspective, matches the experience of analysts at the NSA. From their workstations anywhere in the world, government employees cleared for PRISM access may “task” the system and receive results from an Internet company without further interaction with the company’s staff.
In intelligence parlance, PRISM is the code name for a “signals intelligence address,” or SIGAD, in this case US-984XN, according to the NSA’s official classified description of PRISM and sources interviewed by The Post. The SIGAD is used to designate a source of electronic information, a point of access for the NSA and a method of extraction. In those terms, PRISM is a not a computer system but a set of technologies and operations for collecting intelligence from Facebook, Google and other large Internet companies.
According to a more precise description contained in a classified NSA inspector general’s report, also obtained by The Post, PRISM allows “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers. The companies cannot see the queries that are sent from the NSA to the systems installed on their premises, according to sources familiar with the PRISM process.
Crucial aspects about the mechanisms of data transfer remain publicly unknown. Several industry officials told The Post that the system pushes requested data from company servers to classified computers at FBI facilities at Quantico. The information is then shared with the NSA or other authorized intelligence agencies.
According to slides describing the mechanics of the system, PRISM works as follows: NSA employees engage the system by typing queries from their desks. For queries involving stored communications, the queries pass first through the FBI’s electronic communications surveillance unit, which reviews the search terms to ensure there are no U.S. citizens named as targets.
That unit then sends the query to the FBI’s data intercept technology unit, which connects to equipment at the Internet company and passes the results to the NSA.
The system is most often used for e-mails, but it handles chat, video, images, documents and other files as well.
“The server is controlled by the FBI,” an official with one of the companies said. “We do not offer a download feature from our server.”
Another industry official said, “No one wants the bureau logging into the company server.”
On Friday, President Obama defended the secret surveillance program, saying it makes “a difference in our capacity to anticipate and prevent possible terrorist activity.”
Obama said Congress was fully informed about the efforts, which are tightly controlled by legal authorities under FISA. “If every step that we’re taking to try to prevent a terrorist act is on the front page of the newspapers or on television,” he said, “then presumably the people who are trying to do us harm are going to be able to get around our preventive measures.”
Clapper’s statement Saturday emphasized that the program was legal under Section 702 of FISA, as approved by Congress in 2008.
The law governs surveillance of foreign nationals. It was originally passed in 1978, after scandals involving the FBI, IRS and White House during the civil rights movement of the 1960s and the Vietnam War.
Section 702 provides the post-911 legal framework for the “targeted acquisition” of intelligence about foreign persons outside the United States. The information can be obtained only under a FISA court order and a written directive from the attorney general and the director of national intelligence.
Under Section 702, the attorney general and director of national intelligence must show the FISA court that they have procedures “reasonably designed to ensure” that their intercepts will target foreigners “reasonably believed” to be overseas.
“Service providers supply information to the Government when they are lawfully required to do so,” Clapper said Saturday.
The law prohibits officials from intentionally targeting data collection efforts at U.S. citizens or anyone in the United States. The standards for intentional targeting require that an analyst have a “reasonable belief,” at least 51 percent confidence, that the target is a foreign national.
The law also provides “an extensive oversight regime, incorporating reviews by the Executive, Legislative and Judicial branches,” Clapper said in the statement.
One top-secret document shows that the government is making systematic use of PRISM. An internal presentation of 41 briefing slides on PRISM suggested the scale of data collection. It described the system as the most prolific contributor to the President’s Daily Brief, which cited PRISM data in 1,477 items last year. According to the slides and other supporting materials obtained by The Post, “NSA reporting increasingly relies on PRISM” as its leading source of raw material, accounting for nearly one in seven intelligence reports.
Craig Timberg contributed to this report.