What We Need to Know About PRISM
Deeplinks 2013-06-12
Summary:
A lot remains uncertain about the number of users affected by the NSA PRISM surveillance program that is taking place, the extent to which companies are involved, and how the NSA handles this sensitive data. Does the NSA regularly collect and examine a huge swath of the cloud communications of American and foreign Internet users? Does the agency present evidence and seek careful judicial review to obtain limited amounts of user data related to individual investigations? Or is the answer somewhere in the middle, with queries being constructed such that algorithms scan most or all of the accounts, identifying a smaller set of "interesting" accounts whose contents are sent to the NSA?
This post attempts to set out some fundamental questions that we need answered in order to gain enough clarity on the surveillance taking place to have an informed democratic policy debate. 1 We also give our approximations of the realistic "Best case" and "Worst case" scenarios given what we already know about the program, to highlight to range of possible realities.
For each company involved, how many user accounts have had some private data transmitted to the NSA? [+]
While companies have denied giving the NSA "direct access" to their servers, those denials have been carefully worded and the companies have admitted that they do comply with what they consider to be lawful orders — especially 702 FISA orders2 — and push back if these orders are too broad. The New York Times reported that some of these orders can be "a broad sweep for intelligence, like logs of certain search terms." Unfortunately, without more specificity from companies detailing the approximate number of user accounts whose data is touched by such orders, we are left in the dark about exactly how broad the orders are.
Could the NSA, for example, ask for all Gmail emails that contain the word “golden gate bridge” that were sent or received in the last 24 hours? For all private Facebook messages of any user that signed up through an IP address associated with a particular country over a one month period? Are there orders for information which has to be provided on an ongoing basis? Is information filtered by the companies so that no information on Americans is handed over? In order to have a better grasp of the scope, we have been encouraging companies to provide more granular information in their transparency reports or elsewhere.
We're pleased to see requests from Google and Facebook to the government for more leeway to publish this information in transparency reports. These requests should be taken seriously, and we also encourage the NSA to itself be more forthright with what information is collected.
Best case: The NSA sends a small number FISA 702 orders that are narrowly targeted for specific investigations and touch upon only a small number of user accounts; ideally at most hundreds or perhaps thousands of accounts have information passed on to the NSA every year.
Worst case: Companies receive incredibly broad FISA 702 orders that result in turning over huge swaths of user data to the NSA on a regular or ongoing basis, such as the emails of all users in a particular country, or any that contain a phrase like “golden gate bridge”.
What information about users' activities is being collected without the cooperation of companies? [+]
There is a lot we do not know about what the NSA can collect without the cooperation of companies. While entities like the NSA are in a position to gather some forms of metadata without involving a company, the encryption deployed by companies such as Google and Facebook in recent years makes it hard for the NSA to obtain content without involving companies. Still, one interpretation of PRISM is that the NSA is using aggressive tactics like stealing private encryption keys from company servers in order to conduct spying without company knowledge. Alex Stamos has
Link:
https://www.eff.org/deeplinks/2013/06/what-we-need-to-know-about-prismFrom feeds:
Fair Use Tracker » DeeplinksCLS / ROC » Deeplinks