What do you get when you combine a cheesy PowerPoint presentation, an IT geek with delusions of grandeur, an Obama-hating narcissist who fancies himself the blogosphere’s champion of civil liberties, and a punditocracy whose members make their living on the Internet but can’t explain the difference between Dropbox and Gmail? Behold PRISM.
The existence of PRISM was the subject of the second in a series of blockbuster stories detailing the activities of the National Security Agency, its revelation the product of a “crisis of conscience” on the part of NSA spy, whistleblower defector(?) Edward Snowden, a 29-year-old high school dropout turned NSA security guard turned CIA techie turned employee for NSA contractor Booz Allen Hamilton in Honolulu. Snowden apparently used his position as a computer security consultant to abscond with four Booz Allen laptops copy a bunch of files he wasn’t supposed to copy (despite his “top secret” security clearance) onto a thumb drive and then leave his girlfriend and his $200,000$122,000-a-year job to hop a flight to Hong Kong.
Once in Hong Kong, Snowden provided classified NSA files to activist/pundit/journalist Glenn Greenwald, formerly of Salon.com and now with the UK’s Guardian newspaper, and the Washington Post’s Barton Gellman.
The Guardian broke the first story based on Snowden’s purloined NSA files on June 5, posting a copy of an order marked “top secret” from the Foreign Intelligence Surveillance Court requiring Verizon Business Network Services – a Verizon subsidiary providing phone service to business customers – to turn over “telephony metadata” for calls within the United States and between the U.S. and foreign numbers. The information subject to the order includes phone numbers, IMEI numbers and call durations. The order did not cover the contents of calls or subscribers’ names or addresses. Most in the media assumed – and no one has denied – that the court has issued similar orders to other U.S. phone companies.
As an aside, it is useful to know that the creation of the Foreign Intelligence Surveillance Court, or FISA Court, dates back to the passage of the Foreign Intelligence Surveillance Act in 1978. The law was passed in response to revelations about the Nixon administration’s use of federal agencies to spy on political opponents and activists and requires the government, before it commences certain kinds of intelligence gathering operations within the United States, to obtain a judicial warrant similar to that required in criminal investigations. The court consists of 11 life-tenured U.S. District Court judges (the same sort of judges who hear civil and criminal matters at the trial level in federal courts throughout the United States) selected by the Chief Justice of the Supreme Court to serve for seven-year stints. They travel from their home districts to Washington, D.C. to hear FISA warrant applications on a rotating basis. At least one of the judges must be a member of the U.S. District Court for the District of Columbia. Because of its subject matter, the FISA Court’s proceedings are secret, as are its orders.
Although the FISA Court prohibited Verizon from disclosing the existence of the order obtained by the Guardian, Sen. Dianne Feinstein (D-CA), chair of the Senate Intelligence Committee, and Sen. Saxby Chambliss (R-GA), the committee’s ranking Republican, confirmed the NSA program’s existence on June 6, noting that the order published by the Guardian appeared to represent a routine three-month renewal of a program authorized under Section 215 of the Patriot Act that had been going on since 2007 and was subject to both congressional and judicial oversight. Indeed, prior to 2007 the Bush administration had conducted a nearly identical program, but without court approval. USA Today did a story about the program in 2006 that you can still find online. The only thing new in the Guardian’s story was the existence of the court order.
A day after the Guardian’s story broke, on June 7, Director of National Intelligence James Clapper declassified details about the NSA’s collection and storage of telephone metadata. According to Clapper, the NSA is prohibited by the FISC from “indiscriminately sifting” through the metadata. He said individual records can only be reviewed “when there is a reasonable suspicion, based on specific facts, that the particular basis for the query is associated with a foreign terrorist organization.” That would seem to rule out scrutiny of your phone calls to your pot dealer or to phone sex lines (though keep in mind that the DEA and local cops were seizing phone records and tapping phone lines long before the Patriot Act was even a twinkle in Dick Cheney’s eye).
Clapper also said that only counterterrorism personnel trained in the program may access the records, though this statement somehow seems less reassuring when you consider that the IT guy at the branch office in Hawaii managed to get his hands on the “top secret” court order.
NSA computers can reportedly analyze the metadata for patterns, spot unusual behavior and identify networks of callers in contact with suspicious phone numbers overseas. If the NSA (or the FBI, in the case of a subject inside the United States) wants to actually listen to calls, it needs to go back to court for a wiretap warrant.
So, that’s the telephone metadata story. Not much new, though thanks to the country’s short attention span and the media’s collective amnesia, it caused a fair amount of excitement, and deservedly so. Do we want the government indiscriminately collecting and storing information about our phone calls (even if it doesn’t listen to the calls themselves)? Keeping in mind Benjamin Franklin’s adage that “they who can give up essential liberty to obtain a little temporary security deserve neither liberty nor safety,” we have to ask ourselves whether the program makes us safer and, if so, whether that increase in safety is worth the erosion of our privacy. It’s a debate we should have had years ago. Still, better late than never.
The telephone records story generated a lot of heat (though both support for the program and criticism were bipartisan, the hypocrisy and faux outrage from the likes of Rush Limbaugh and Sean Hannity, supporters of the “surveillance state” under Bush, were predictably hilarious), but there were few outright denials. The media, politicians and even civil libertarians seem to generally agree about what is going on, even if they differ strongly on its merits. But that’s not the case with the second “blockbuster” story to come from Snowden’s thumb drive.
On June 6, both the Guardian and the Washington Post published articles based on several slides from a PowerPoint presentation about “PRISM.” As Gellman at the Post breathlessly described this program:
The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio, video, photographs, e-mails, documents and connection logs that enable analysts to track a person’s movements and contacts over time.
The Post added that the NSA is “reaching deep inside the machinery of American companies that host hundreds of millions of American-held accounts on American soil.” The story identified the companies involved as Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple. Dropbox was said to be joining the program soon. According to the PowerPoint slides, the program began in 2007 (under Bush) and was expanded over the years as more Internet companies joined.
The Guardian’s Greenwald likewise reported that the NSA had obtained “direct access” to the Internet companies’ servers and implied that the agency’s spies could retrieve emails, Internet searches, photos – whatever – unilaterally and at will:
The Prism program allows the NSA, the world’s largest surveillance organisation, to obtain targeted communications without having to request them from the service providers and without having to obtain individual court orders. With this program, the NSA is able to reach directly into the servers of the participating companies and obtain both stored communications as well as perform real-time collection on targeted users.
Both the Post and the Guardian based these sweeping conclusions on a line in the PowerPoint slides referring to “collection directly from the servers” of the listed U.S. service providers. However, it appears neither the Post nor the Guardian made much of an effort to determine what this admittedly inartful wording meant. The PowerPoint slides themselves appear rather amateurish, and given their “top secret” nature it seems likely that they were not meant for distribution outside the NSA. Reporters at the Post and the Guardian seem to have used their imaginations to fill in the blanks.
Within hours of the stories’ publication, most of the companies named were strenuously denying the assertions that they had provided the NSA with direct access, or a “backdoor,” to their servers or that the agency was unilaterally downloading users’ information. Although critics of the NSA were calling the denials “carefully parsed,” they were, in fact, pretty unequivocal. Google co-founder Larry Page wrote:
First, we have not joined any program that would give the U.S. government – or any other government – direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday.
Second, we provide user data to governments only in accordance with the law. Our legal team reviews each and every request, and frequently pushes back when requests are overly broad or don’t follow the correct process. Press reports that suggest that Google is providing open-ended access to our users’ data are false, period. Until this week’s reports, we had never heard of the broad type of order that Verizon received – an order that appears to have required them to hand over millions of users’ call records. We were very surprised to learn that such broad orders exist. Any suggestion that Google is disclosing information about our users’ Internet activity on such a scale is completely false.
On June 7, the day after the PRISM story broke in the Post and the Guardian, the New York Times reported that rather than direct, unfettered access to the companies’ central servers, what really happens at those companies that have made arrangements with the NSA is that data the companies are required by law to produce pursuant to a warrant or other court order is placed in a separate “secure portal.” The Times further described this “portal” as being similar to “a digital version of the secure physical rooms that have long existed for classified information, in some instances on company servers.”
On June 11, Google confirmed to the Wall Street Journal that the process for turning over data to the government is even less “high tech” than the Times piece had made it sound. According to Google spokesman Chris Gaither, when the company receives a court order to turn over information, it usually does so using a secure FTP, or “file transfer protocol,” server. The current specification for FTP dates to 1985. Gaither said Google occasionally even hands the data over to the NSA or law enforcement in person.
So basically, it appears that the process by which the NSA obtains data from Google and other companies is more akin to accessing a shared file on Dropbox than it is to tapping into or intercepting Internet traffic in real time. When you send someone a link to a shared file or folder on Dropbox, you are not giving that person access to your entire hard drive or a window into your Internet activity. Rather, your computer uploads the specific folder or files to be shared to the “cloud,” and the person you’re sharing it with then downloads it to her computer. In the case of PRISM, “direct access” may mean access to a dedicated FTP server at Google, but it does not appear to mean access to Google’s “central servers.”
The Post began backing off some of its claims the day after its June 6 story, wiping a statement from the article that the Internet companies had “participated knowingly” in PRISM. Without running a correction or acknowledging any error on its part, the Post substituted the following phrase:
It is possible that the conflict between the PRISM slides and the company spokesmen is the result of imprecision on the part of the NSA author. In another classified report obtained by The Post, the arrangement is described as allowing “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” rather than directly to company servers.
Of course, it is more than a little weaselly for the Post to refer to the “conflict between the PRISM slides and the company spokesmen,” since the slides were never meant to describe or explain PRISM to the Post or anyone else outside the NSA, and the PowerPoint’s authors can hardly be held responsible for assumptions made by reporters.
The Guardian’s Greenwald, a longtime proponent of the “Obama is worse than Bush” school of civil libertarians, has been even more reluctant to concede his own fallibility. In an interview with MSNBC’s Chris Hayes on June 12, Greenwald steadfastly refused to admit any error in his reporting:
Our story was the following: we have documents, a document, from the NSA that very clearly claims that they are collecting directly from the servers of these Internet giants. That’s the exact language that this document used. We went to those Internet companies before publishing and asked them, and they denied it, and we put into the story very prominently that they denied it. Our story is that there is a discrepancy between the relationship that these, that the private sector and the government has, in terms of what the NSA claims and what the technology companies claim.
There’s a “discrepancy” all right, but it’s not between the PowerPoint slides and the statements of the Internet companies. It’s between Greenwald’s article, on the one hand, and the reporting of the New York Times, the Washington Post, the Wall Street Journal, Mother Jones, The Nation – oh hell, just about everyone who has done any digging on this story – on the other. Indeed, even the Guardian now implicitly concedes that its “direct access” charge is a crock. But rather than run a correction, it buried the admission deep in a follow-up story that ran almost a week after the original piece, and then continued to pretend that it was the Internet companies – rather than the Guardian itself – that were being evasive:
The Guardian understands that the NSA approached those companies and asked them to enable a ‘dropbox’ system whereby legally requested data could be copied from their own server out to an NSA-owned system. That has allowed the companies to deny that there is ‘direct or indirect’ NSA access, to deny that there is a ‘back door’ to their systems, and that they only comply with ‘legal’ requests – while not explaining the scope of that access.
In fact, as the Guardian well knows, the companies are precluded by the very court orders compelling them to turn over the data from disclosing the targets or scope of the FISA Court’s orders. That is why Google, Facebook, Microsoft and Twitter have pleaded with the U.S. Department of Justice to permit them to disclose the number of government requests they receive and their scope.
Some of the best reporting on PRISM has come from tech blogs such as ZDNet and CNET. Within 24 hours of the original publication, ZDNet’s Ed Bott did an epic takedown of the Post’s sloppy reporting and surreptitious updates, even posting a redlined comparison of the original and modified articles. CNET’s Declan McCullagh schooled the Post and its Pulitzer Award-winning reporter Gellman on how to quickly and thoroughly vet and run down a source’s story about the NSA and Internet surveillance, obtaining interviews with former government officials, Google’s former deputy counsel and the NSA’s former general counsel. McCullagh also provided a succinct layman’s explanation of Section 702 of FISA, the statutory provision under which the NSA obtains data from Internet companies.
The difference between the original Post and Guardian stories about PRISM, alleging “direct access” by the NSA to Internet companies’ servers, and the reality emerging from the companies’ denials and the reporting of multiple news outlets is enormous. Without this key and now debunked allegation, the only “stories” here are the poor PowerPoint skills of our country’s premier cyber warriors and Mr. Snowden’s handiness with a thumb drive. The fact that the government can compel Google, Yahoo, Microsoft, etc. to produce data from a user’s account pursuant to a warrant or court order is most decidedly not news. Companies have been complying with subpoenas and warrants for their customers’ records for decades, if not centuries. Nor does it make much difference whether the companies produce such data in the form of reams of paper packed in banker’s boxes, a DVD, or through a secure FTP server or electronic drop box.
Indeed, there is some reason to believe that PRISM is not a data collection program at all, but an unclassified data management tool for use by the military, which after all, is in charge of the NSA. If so, PRISM is less a surveillance program than a software app through which NSA analysts can retrieve data already produced in response to court orders.
As Mother Jones’ Kevin Drum notes, these questions about the nature of PRISM also go to Snowden’s credibility as he continues to serve as a source for additional revelations, something Greenwald has repeatedly promised. Snowden either knows what PRISM is but failed to explain it to Gellman and Greenwald, or he really is just a glorified tech support guy who stole classified files he did not fully understand and gave them to a couple of reporters. Given Snowden’s dubious boasts that he could wiretap anyone, even the president, and that he had access to every CIA station around the world, his credibility is hardly a given.
Snowden’s motives are also coming under increased scrutiny. His apparent disclosure of NSA documents detailing the hacking of computers in China to the South China Morning Post, a Hong Kong newspaper whose owners are reported to be friendly with the leadership in Beijing, seems to belie his claim that he is not out to harm U.S. interests. The same can be said of his disclosure of a directive by President Obama to draw up a list of targets for cyber attacks in the event of a crisis. Whatever the wisdom or morality of cyber warfare (and yes, I know the Obama administration’s hands are hardly clean given the Stuxnet attack on Iran’s uranium centrifuges), there is no doubt that America’s adversaries are planning for attacks on the U.S. as well.
But this isn’t just about the messenger. The questions about the nature of PRISM are more than a matter of semantics. The original stories’ suggestion that the government has been monitoring Americans’ emails and Internet usage and indiscriminately vacuuming up audio, video, photographs, messages, documents and connection logs has caused widespread alarm. Such a program would be far more intrusive than the telephone metadata collection that was the subject of the Verizon court order. Moreover, the failure of the Post and the Guardian to issue any corrections or clarifications has left pundits, bloggers and cable news hosts free to repeat and perpetuate the original conjecture about “direct access” to Internet companies’ main servers. Allusions to “Big Brother” are all the rage. On the bright side, I’m betting that a record number of Americans now know the phrase originated with a George Orwell novel and not the CBS reality show.
Suddenly, millions of Americans who never gave much thought to third-party tracking cookies, call center workers in Mumbai accessing their credit card records, or spring break photos posted on friends’ Facebook pages are freaking out over the government learning about the porn sites they’ve visited, the subversive (or reactionary) blogs they’re reading and the boxes of ammo they’re buying online. Woe unto anyone who tries to talk them down. It will only get you labeled an “apologist,” an “Obamabot,” a “fascist,” or worse.
Don’t get me wrong. I’m not saying the government isn’t engaged in pervasive snooping, and some future whistleblower may well expose a nefarious government conspiracy to spy on all of us 24/7. Just because you’re paranoid doesn’t mean they’re not out to get you. But if such a program exists, it doesn’t appear that PRISM is it.