7 Unanswered Questions About PRISM (Such As, How Could It Only Cost $20 Million?)
The known unknowns
Yesterday, the Washington Post and The Guardian reported on the existence of a previously secret NSA/FBI program called PRISM. Working largely from a classified PowerPoint, the stories described a program that allowed the government to pull data from Internet companies. Taken at face value, it appeared that the government had a kind of back door to extract information about users of Google, Facebook, Microsoft, and six other companies. While the Director of National Intelligence James Clapper all but acknowledged the program's existence in a statement, he also said the reports contained "numerous inaccuracies" that he did not detail.
The PowerPoint indicated that "the new tool [was] the most prolific contributor to the President's Daily Brief, which cited PRISM data in 1,477 items last year," making it the "raw material" for "nearly 1 in 7 intelligence reports," according to the Post. Yet it supposedly only costs $20 million a year to operate.
There are some things that are simply confounding about the two original reports, including the named companies' stronger-than-expected denial of their involvement, the program's low price tag, its supposed effectiveness, and how the whole thing might work.
- How can a program that supposedly supplies one-seventh (!) of the intelligence tidbits in President Obama's daily briefings only cost $20 million? As Clay Johnson noted, it cost the government $181 million to build SAM.gov.
The $20 million is probably hopeful accounting. It may be that the $20 million just paid for some hardware or software and that the real big costs are on another budget. Or it could be that large-scale surveillance is actually really, really inexpensive. Either way, the combination of the low price and big impact makes this a central mystery of the project.
- Why is PalTalk on the list of nine companies?
Maybe because they've been linked in media reports to extremists? Maybe because PalTalk is popularish in the Middle East? Maybe because of its specific use in Syria?
- Why isn't Twitter on the list? How about Amazon?
Unclear. Of the large tech companies, Twitter has the best track record of protecting user data from the US government. On the other hand, we don't really know why Twitter or Amazon aren't on the list.
- Assuming some level of cooperation by the listed companies, what incentives or disincentives were offered to the companies on the list?
Let's say, for the sake of argument, that Twitter (or other entities, say Amazon or PayPal) has been secretly battling the FBI/NSA. What kind of pressure can the authorities apply? Alternatively, what benefits do these technology companies receive if they cooperate? Did Microsoft get anything by jumping on board first? In essence: how did power do its work in this case?
- Why/how did Apple hold out so long and why did they recently get on board?
Apple did not get added to the PRISM network until October 2012, five years after Microsoft became available, according to the PowerPoint obtained by The Guardian and Washington Post. Why? Who knows.
- Why are the big tech companies denying the existence of the program? Or to rephrase: Could what they're saying be technically true, but still allow PRISM's reported capabilities?
While James Clapper has all but admitted that the program exists, technology company after technology company has issued statements like Google's claiming that their service "does not have a back door for the government to access private user data." Other companies have said that no government has "direct" access to their servers. And yet here we have the NSA saying that they do have direct access to servers. How do we square this? Two possibilities seem likely: 1) that the access is "indirect" in some way, say, via an API or 2) that the direct access comes through some intermediary, say, Palantir, or another government vendor. Or the tech companies are just lying and/or forbidden to acknowledge the program's existence.
The Washington Post says that, in another classified report, the "arrangement is described as allowing 'collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,' rather than directly to company servers." Is this different than a "back door" for the government, which Google chairman Eric Schmidt has specifically said does not exist? It's hard to tell.
- One of the Washington Post's documents said that "98 percent of PRISM production is based on Yahoo, Google and Microsoft." Why is that?
We don't know, but I would guess it's because these companies provide email service to many, many, many people.