Bombshell Report: NSA and FBI 'Tapping Directly' Into Tech Companies' Servers

By Alexis C. Madrigal

The first slide of the PowerPoint deck on which the Post's report is based (Washington Post).

Following in the wake of The Guardian's revelation that the National Security Agency had compelled at least one telecom company (Verizon) to hand over its customers' call records, the Washington Post has published a startling report that says nine major Internet companies have been secretly cooperating with the NSA and FBI as well.

The government is "tapping directly" into servers at Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple, "extracting audio, video, photographs, e-mails, documents and connection logs that enable analysts to track a person's movements and contacts over time."

The program is code-named PRISM. It began in 2007 and has experienced what the Post called "six years of exponential growth." It is now "the number one source of raw intelligence used for NSA analytic reports." Here's how the story's authors, Barton Gellman and Laura Poitras, describe the operation:

The PRISM program is not a dragnet, exactly. From inside a company's data stream the NSA is capable of pulling out anything it likes, but under current rules the agency does not try to collect it all.

Analysts who use the system from a Web portal at Fort Meade key in "selectors," or search terms, that are designed to produce at least 51 percent confidence in a target's "foreignness." That is not a very stringent test. Training materials obtained by the Post instruct new analysts to submit accidentally collected U.S. content for a quarterly report, "but it's nothing to worry about."

Even when the system works just as advertised, with no American singled out for targeting, the NSA routinely collects a great deal of American content. That is described as "incidental," and it is inherent in contact chaining, one of the basic tools of the trade. To collect on a suspected spy or foreign terrorist means, at minimum, that everyone in the suspect's inbox or outbox is swept in. Intelligence analysts are typically taught to chain through contacts two "hops" out from their target, which increases "incidental collection" exponentially.

The Guardian, which ran its own story on PRISM (presumably from the same source), got several tech companies on the record denying "any knowledge of any such program."

This article available online at:

http://www.theatlantic.com/technology/archive/2013/06/bombshell-report-nsa-and-fbi-tapping-directly-into-tech-companies-servers/276633/