How the PRISM Surveillance System Works

person demonstrating against PRISM
A demonstrator in Hanover, Germany, makes his feelings known about PRISM, the infamous U.S. surveillance system on June 29, 2013.
© Peter Steffen/dpa/Corbis

If you need a layman's analogy to understand the PRISM surveillance system, one of the more apt comparisons would be to the HBO show "The Wire." Just substitute "United States government" for Baltimore police, "Internet data and content" for phone wiretaps, and name the target as "pretty much anyone" instead of drug traffickers. (Unfortunately, you'll have to take out the copious beer drinking and crab eating altogether.)

Here are two things you might've learned from "The Wire" that also apply to PRISM (aka Planning Tool for Resource Integration, Synchronization and Management): First, it's illegal to target any random Jane Doe U.S. citizen without probable cause and a warrant. Second, it takes a lot of short stories to create the sprawling history of an intelligence-gathering program, and when it comes to PRISM, we're barely pushing novella, as information has only slowly leaked (ha!) out. Not entirely surprising, considering that the U.S. government (and cooperating companies) has a tendency to be a bit tight-lipped about top-secret intelligence programs.


But that perceived silence also might be for an even more mundane reason: Could the super undercover, nefariously hidden program called PRISM actually be a fairly transparent tool for gathering information, not a mandate for snooping through your e-mail?

Well, yeah, sources in the intelligence community are saying it's a collection system or tool [source: Ambinder]. Whether or not it's transparent is still up for debate. Also important: A U.S. citizen -- or anyone within the United States -- cannot be targeted by the PRISM program. It's strictly for foreign intelligence. Lest you feel too comfortable, we'll discuss what kind of "reasonable" suspicion government officials need to assume they're dealing with a foreign target. (Hint: not much.)

So grab some snacks, open a "private" browsing window on your computer, and settle in for season 1 of "The PRISM System" (subtitle: "So Far As We Know.").


Season 1: The Detail

Keith Alexander
National Security Agency (NSA) Director U.S. Army Gen. Keith Alexander takes his seat to testify at the U.S. Capitol before a U.S. House Permanent Select Committee on Intelligence hearing on NSA surveillance programs on June 18, 2013.
© Jonathan Ernst/Reuters/Corbis

The first season of our show starts with a flashback. The year was 1978, and the Foreign Intelligence Surveillance Act (FISA) was signed into U.S. law. At the time, FISA was enacted to ensure the government obtained orders from a secret FISA court before conducting surveillance on suspected terrorists in the United States. After FISA, they had to go to a special court of federal judges to prove probable cause of compromised national security on each case [source: Totenberg]. This mirrors domestic law enforcement: Unless there is a warrant issued through probable cause, you can't put a wire up to intercept phone calls or telecommunications.

After Sept. 11, 2001, things changed. President George W. Bush authorized warrantless wiretaps, skipping the part where the special court reviewed each case. When there was outcry after the program became public, the Bush administration proposed changes to FISA that were adopted in 2008 through the FISA Amendments Act. The result was that now the federal intelligence agencies like the National Security Agency still didn't need a warrant but did have to have that FISA secret court review the target and techniques.


Now we get to Section 702 of FISA. Let's hear it from the Director of National Intelligence: "In short, Section 702 facilitates the targeted acquisition of foreign intelligence information concerning foreign targets located outside the United States under court oversight" [source: Wittes]. When it comes to the Internet, "foreign" isn't hard to find: There's loads of foreign Internet traffic going through U.S. servers, or saved on them. E-mailing Saudi Arabia from Afghanistan? Still probably going through a U.S. server to get there. FISA's rejiggering basically allowed for the government to ask companies to pretty please let them look at that information -- including content -- if they could be "reasonably sure" it wasn't a U.S. citizen or anyone inside the U.S.

According to the initial reports, PRISM was a program that allowed the government to directly access servers from some huge players, like Facebook and Google. As the Guardian first reported, "Companies are legally obliged to comply with requests for users' communications under US law, but the Prism program allows the intelligence services direct access to the companies' servers" [source: Greenwald and MacAskill]. (We'll discuss – and dispel -- this claim more later.)

In other words, if the leaked documents were to be believed, the government was basically able to search private company servers for anything it wanted, without having to make individual, targeted requests. Once they had that data, they just had to make sure -- with "51% confidence" -- of the "foreignness" of the target [source: Gellman and Poitras]. So if you're thinking no problem, you're outside the U.S. or have no foreign contacts, not so fast. The reality is with such a large search, there's a huge trove of "incidental" data collected. Although analysts may be scrutinizing only foreign data, that doesn't mean they're not collecting information about U.S. citizens or those on U.S. soil in the process [sources: Gellman and Poitras, Fresh Air].


Season 2: The Players

Edward Snowden
Of course, you know that face by now, that of Edward Snowden, the former NSA contractor.
© Bobby Yip/Reuters/Corbis

As we enter season 2 of our saga, we begin to focus in on some of the specifics -- and specific players -- that are part of the PRISM program. And there are some doozies: Microsoft, Yahoo, Google, Facebook, PalTalk (what, you don't know PalTalk?), YouTube, Skype, AOL and Apple all agreed to cooperate, according to the leaked documents between 2007 and 2012.

And what are they supposedly taking from those servers? Well, e-mail, chats (video or voice), videos, photos, stored data, Skype conversations, file transfers, logins, social networking. Everything.


To understand why these companies might agree to a PRISM arrangement, let's go back to those few years after 9/11. The government was getting the idea that to track terror, it needed e-mails -- and the content of those e-mails -- from key terrorism players. The NSA would go to Microsoft and ask for boatloads of information from its servers, related to foreign targets. It was time-consuming for all involved (engineers had to comb through masses of information), especially as the targets and the information piled up [source: Braun et al.]. Finally, the government threw up its hands and probably said something like, "There oughta be a better way!"

And that's when, in 2008, Section 702 was added. Section 702 changed the FISA process. Instead of specific individual targets, an order from the Director of National Intelligence and Attorney General is written that broadly describes the surveillance that they want to take place -- maybe a list of e-mails, or even people living in a certain area. It just can't target any U.S. citizen or anyone on U.S. soil. A group of judges approves this broad plan, to ensure that "special court review" takes place. From there, the government can give directives to these specific companies, like Google and Yahoo, asking for the information they need [source: Braun et al.]. No judge is reviewing each case, in other words, on these targeted, specific directives. But the companies also appear to not be just handing over wide troves of content or information, nor do they report giving access to their servers [source: Braun et al.].


Season 3: The Whistleblower

So scene one of season 3 unfolds on one Edward Snowden, 29-year-old contract employee with the NSA. Having just finished copying various classified documents from the NSA Hawaii office, he tells his boss he needs time off for epilepsy treatment; he gives his girlfriend a vague story about having to work out of office for a while. (At the time of posting, he was in Russia.) He promptly flies to Hong Kong, and begins contacting a few reporters with his story.

What exactly he leaked to the media outlets is not entirely clear, although we know there's at least a PowerPoint presentation of 41 slides. (Proving that secret government meetings are just as boring as your weekly office check-ins.) It appears to be a presentation designed to train operatives, but keep in mind the Guardian and Washington Post only released a few of these slides.


There's not much doubt that the slides are a bit verbose when describing the program: the first slide reads in part, "The SIGAD Used Most in NSA Reporting" (bold theirs) [source: Washington Post]. (A SIGAD is a data collection site) [source: Ambinder]. As Stewart Baker, former NSA general counsel, said in an interview after reviewing the documents, they seem "suffused with a kind of hype that makes it sound more like a marketing pitch than a briefing" [source: McCullagh].

First reports from the Washington Post and other outlets initially claimed that one of the major differences of PRISM was that it allowed the government direct access to company servers.

It's important to note the press backed off that claim and subsequently acknowledged that instead companies are likely setting up secure servers or dropboxes to facilitate easier transfers when given a direct order by the government [source: Gellman and Poitras]. So that's kind of like a accessing a server directly, but only semantically -- it's much different than the government scrolling through our e-mails whenever they want, in real time.


Season 4: The Surprise Ending

There we have it. The government, we learned, seems to be using a little bit of legal chicanery to create broad orders (reviewed by a court) that let the NSA request specific, targeted information from companies. By pretty much every account, government agents are not getting direct access to servers as initially reported. They are making it really easy to obtain lots of information without some slow-reading judge reviewing every single request, or an engineer sifting through tons of data to find it. No problem, you might say, if you're the kind of person who doesn't mind Agent Z from the Maryland field office knowing you plan on eating ice cream for dinner and watching "The Bachelorette" after work.

And let's be straight: After the initial leak and subsequent outrage, the PRISM program began to look a little less intrusive on further review. Pretty much every company rather forcefully denied giving access to nontargeted data, in general [source: McCullagh]. People even began to question Edward Snowden's own knowledge of how the NSA works and his lack of discretion when deciding what to actually leak [source: Toobin, Drum].


But let's pretend, for one moment, we're all on the "encrypt everything including the throw pillows" side of protecting privacy. Wouldn't it follow suit that these companies would have to lie about their involvement to protect a top secret program? Wouldn't the government also lie about the existence of it, or at least fudge some details to make it more appetizing (or legal) to media outlets and the general public? Why, in other words, should we trust the technology conglomerates and the government when presented with some data that says they're lying? (This sounds like a job for the Stuff They Don't Want You to Know team!)

And thus -- our series continues to unfold. We won't know the answers for a good long while, and it's doubtful any resolution will come in the finale. But in the meantime, it's probably best to assume that if government security analysts want to read your e-mail, listen to your phone calls or check your calendar -- they can.


Lots More Information

Author's Note: How the PRISM Surveillance System Works

Like a lot of us, my initial reaction to PRISM was something along the lines of, "go ahead, government -- have a ball reading my e-mails where I complain about how long I have to wait until lunch and question the value of juicing." But after learning about PRISM, there was a shift in thinking. It's not so much the actual program as it's taking place now, but the fact that our government isn't static. While I certainly don't fear that I've said anything that could get me in trouble ... policies change. Administrations change. Regimes, in fact, change. It's the fact that the government might not necessarily be analyzing my information -- but able to access it, now or in the future -- that should give one pause.

Related Articles

  • Ambinder, Marc. "Solving the mystery of PRISM." The Week. June 7, 2013. (June 20, 2013)
  • Braun, Stephen, et al. "Secret to PRISM program: even bigger data seizure." The Associated Press. June 15, 2013. (June 20, 2013)
  • Buchanan, Matt. "The NSA's Prism remains opaque." The New Yorker. June 13, 2013. (June 20, 2013)
  • Change, Alisa. "Secret surveillance credited with preventing terror acts." National Public Radio. June 19, 2013. (June 20, 2013)
  • Dreyfuss, Ben and Dreyfuss, Emily. "What is the NSA's PRISM program?" CNET. June 7, 2013. (June 20, 2013)
  • Drum, Kevin. "Some questions for and about Edward Snowden." Mother Jones. June 13, 2013. (June 20, 2013)
  • Eichenwald, Kurt. "PRISM isn't data mining and other falsehoods in the NSA 'scandal'." Vanity Fair. June 14, 2013. (June 20, 2013)
  • Firestone, David. "Snowden's questionable new turn." The New York Times. June 17, 2013. (June 20, 2013)
  • Fresh Air. "'The Watchers' have had their eyes on us for years." National Public Radio. June 19, 2013. (June 20, 2013)
  • Gellman, Barton and Poitras, Laura. "U.S., British intelligence mining data from nine U.S. internet companies in broad secret program." The Washington Post. June 7, 2013. (June 20, 2013)
  • Greenwald, Glenn and Ewan MacCaskill. "NSA Prism program taps into user data of Apple, Google and others." The Guardian. June 6, 2013. (June 20, 2013)
  • Greenwald, Glenn et al. "Edward Snowden." The Guardian. June 9, 2013. (June 20, 2013)
  • Harris, Shane. "Total recall." Foreign Policy. June 19, 2013. (June 20, 2013)
  • Kerr, Dara. "Obama: NSA spying doesn't mean 'abandoning freedom.'" CNET. June 17, 2013. (June 20, 2013)
  • Lee, Timothy B. "Here's everything we know about PRISM to date." The Washington Post. June 12, 2013. (June 20, 2013)
  • Logiurato, Brett. "Here's the law the Obama Administration is using as legal justification for broad surveillance." Business Insider. June 7, 2013. (June 20, 2013)
  • McCullagh, Declan. "No evidence of NSA's 'direct access' to tech companies." CNET. June 7, 2013. (June 20, 2013)
  • Miller, Claire Cain. "Tech companies conceded to surveillance program." The New York Times. June 7, 2013. (June 20, 2013)
  • The Washington Post. "NSA slides explain the PRISM data-collection program." June 6, 2013. (June 20, 2013)
  • Totenberg, Nina. "Why the FISA court is not what it used to be." National Public Radio. June 18, 2013. (June 20, 2013)
  • Weiner, Eric. "The Foreign Service Intelligence Act." National Public Radio. Oct. 18, 2007. (June 20, 2013)
  • Wittes, Benjamin. "DNI statement on 'Facts on the collection of Intelligence Pursuant to Section 702 of the Foreign Intelligence Surveillance Act." June 10, 2013. (June 20, 2013)