National security reporter Marc Ambinder, who has long been known for his contacts within the intelligence community (he used to work here at The Atlantic), just tweeted what seems like a plausible explanation for how PRISM might function.
His account resolves what has been a remarkably strange situation: Namely, that the government has basically acknowledged the program, yet the capabilities ascribed to PRISM seem incompatible with the full-throated denials of the technology companies who are supposedly working with the government.
The key sticking point was whether or not the government had "direct access" or, as the Washington Post put it, whether the government was "tapping directly" into servers at Google, Facebook, etc.
On the "no direct access"--[content providers]* push to a separate server the subset of accounts that the FISC order covers; NSA monitors them in real time.
Let's say court order says "all Yahoo accounts in Pakistan" Yahoo would push those accounts to the server; NSA could watch them in real time. They'd try & figure who & where the incoming emails were coming from. US persons data minimized automatically if possible (often it's not).
If they're up on a Pak bad guy email and someone in Denver sends that account an email saying "I need more explosives," NSA notifies FBI via a Guardian tip. Then FBI opens prelim investigation to determine if the Denver person is a bad guy & takes over. Of course, to ID the person sending the email to Pakistan, analysis of US persons email might be required. Incidental targeting happens now. And that's how it works. Basically.
* Ambinder originally tweeted that it was ISPs pushed to a separate server, but corrected himself in this tweet. He has also noted that he assumes the court orders are narrower than "all Yahoo accounts in Pakistan."