
Ambinder: Solving the mystery of PRISM

Solving the mystery of PRISM

by Marc Ambinder, June 7, 2013, TheWeek

What exactly is PRISM? How does it work? Who uses it?

Let’s assume that the companies whose data is sucked in by a National Security Agency tool called PRISM are denying their knowledge of the word and its associations in good faith. And let us also accept their denials that they’ve given someone at the NSA “direct access” to their servers.

So where are we?

There are many types of nicknames and special words that the NSA uses.

Some refer to collection tools. Some refer to data processing tools.

Each data processing tool, collection platform, mission and source for raw intelligence is given a specific numeric signals activity/address designator, or a SIGAD. The NSA listening post at Osan in Korea has the SIGAD USA-31. Clark Air Force Base is USA-57.

PRISM is US-984XN.

Each SIGAD is basically a collection site, physical or virtual; the SIGAD alphanumerics are used to indicate the source of intelligence FOR a particular report.

The NSA often assigns classified code names to the product of SIGADs. These can be confused with the nicknames or proper names of the collection platforms themselves, which may or may not be classified. What PRISM does is classified; the fact that there is a “PRISM” tool that does something is not.

Analysts working on a problem can request that a particular collection site be tasked, or used. The form they fill out is known as an SP0200. Additionally, when they wish to discontinue using a SIGAD for a mission, they send in another SP0200.

To make things even more complicated, the NSA assigns every administrative and technical operation, location and cell its own alphanumeric designation. The NSA office that tasks and troubleshoots the SENIOR SPAN platform, attached to U2 spy planes, is known as G112. The agency’s Special Collection Service, which operates out of embassies, is F6.

Other NSA nicknames refer to databases. “Marina” is a database for metadata collected from telephone records. Most database names are not classified, but their association with a particular technology or a dataset is classified.

That is, Marina=telephone metadata — classified. Marina by itself … unclassified.

I think, but don’t know, that the Verizon metadata contained in the FISC order we saw goes into the Marina database.

On top of this, for especially sensitive programs, like those involving analysis and collection of domestic telephone or email metadata, or those involving offensive cyberwarfare, the NSA creates “special access programs” that are identified by a code word, an unclassified nickname, and a digraph. The existence of these SAPs and their code words are classified TOP SECRET. Sometimes, small NSA collection cells access particularly sensitive or advanced collection platforms, like, say, tiny flying bugs. These technologies are not shared with every NSA collection cell; the technologies themselves are classified. (I don’t know if the NSA actually uses tiny flying bugs).

So: An analyst sits down at a desk. She uses a tool, like PRISM, to analyze information collected and deposited in a database, like CONTRAOCTAVE. Then she uses another tool, perhaps CPE (Content Preparation Environment), to write a report based on the analysis. That report is stored in ANOTHER database, like MAUI. MAUI is a database for finished NSA intelligence products. Anchory is an intelligence community-wide database for intelligence reports.

If the analyst was analyzing the content of telephone traffic, he or she would access the desired traffic stream through the use of a “selector,” which is the NSA’s term for production lines. The stuff inside a selector comes from one or more SIGADs. A selector is kind of like an RSS feed that fills itself with content from several sources.

A system called XKEYSCORE processes most of the SIGINT traffic that comes into the NSA by way of various SIGADs, and compartmentalizes it by selector. A selector might be “RUSFOR,” which would stand for Russian foreign ministry intercepts. Or something like that. Recorded signals intercepts are stored in a database called PINWALE.

This is all very complicated, and that is on purpose. But this brief tutorial is important. PRISM is a kick-ass GUI that allows an analyst to look at, collate, monitor, and cross-check different data types provided to the NSA from internet companies located inside the United States.

The programs that use PRISM are focused, as the government said yesterday, on foreign intelligence. A lot of foreign intelligence runs through American companies and American servers.

The chain of action works like this.

Under the FISA Amendments Act of 2008, the NSA and the attorney general apply for an order allowing them to access a slice of the stuff that a company like Facebook keeps on its servers. Maybe this order is for all Facebook accounts opened up in Abbottabad, Pakistan. Maybe there are 50 of them. Facebook gets this order.

Now, these accounts are being updated in real-time. So Facebook somehow creates a mirror of the slice of stuff that only the NSA can access. The selected/court-ordered accounts are updated in real-time on both the Facebook server and the mirrored server. PRISM is the tool that puts this all together. Facebook has no idea what the NSA is doing with the data, and the NSA doesn’t tell them.

The companies came online at different points, according to the documents we’ve seen, maybe because some of them were reluctant to provide their data and others had to find a way to standardize their data in a way that PRISM could understand. Alternatively, perhaps PRISM updates itself regularly and is able to accept more and more types of inputs.

What makes PRISM interesting to us is that it seems to be the ONLY system that the NSA uses to collect/analyze non-telephonic non-analog data stored on American servers but updated and controlled and “owned” by users overseas. It is a domestic collection platform USED for foreign intelligence collection. It is of course hard to view a Facebook account in isolation and not incidentally come into contact with an account that is owned by an American. I assume that a bunch of us have Pakistani Facebook friends. If the NSA is collecting on that account, and I were to initiate a Facebook chat, the NSA would suck up my chat. Supposedly, the PRISM system would flag this as an incidental overcollect and delete it from the analyst’s workspace. Because the internet is a really complicated series of tubes, though, this doesn’t always happen. And so the analyst must sometimes “physically” segregate the U.S. person’s data.

What happens if I, in America, tell my Pakistani friend via Facebook chat that I am going to bomb a bridge? We don’t know precisely what happens when, in the course of a foreign intelligence intercept, a U.S. person creates evidence of their complicity with terrorism. The analyst must be able to distinguish between relevant and non-relevant communication. If the analyst catches my threat, then he or she will immediately initiate a procedure that sends the information to the FBI, which begins its own investigation of me. The NSA does not continue to collect on me. The FBI does — and probably uses the NSA tip as probable cause to obtain a FISA order to start collecting data using a PRISM-type tool of its own.

What if the location of the other person is unknown? The NSA has a tool called AIRHANDLER that helps them geolocate the origin of these special signals.

Here is an important thing to know: Everything the NSA analyst does leaves an audit trail. And the NSA has a staff of auditors who do nothing but sample the target folders for over-collects.

There are many unknowns, of course, and many places where the system could break down. We do not know the minimization rules. They are highly classified. We do not know how long minimized data sits in storage. We don’t know how many NSA analysts are trained to handle U.S. persons’ data, or HOW they are trained. We don’t know the thresholds to determine what the NSA finds to be relevant enough. We don’t know how long the NSA can collect on a target without getting a FISA order, though we do know that they can start collecting without one if the circumstances demand it.

Fernandez: The Broadband Empire and the Game of Drones

The Broadband Empire and the Game of Drones

Richard Fernandez, June 6, 2013, PJMedia.

At a recent dinner with friends last month, some of whom were writers, I was asked for a developer’s opinion on the security of various cloud-based products. I told them that ultimately, they had no security at all.  We were so thoroughly spied on, I suggested that “you have to regard yourself as potentially sharing every keystroke, every search, every message with the NSA. If you want security, encrypt. Or better still, buy untraceable clothes and while disguised send one time messages via disposable or public devices.”

My answer elicited a nervous laugh, but I meant it. And besides, who’s laughing now? Recent revelations have shown that the Obama administration is collecting traffic analysis data on Verizon’s customer base (and by implication has similar arrangements with every other provider) and is mining data straight from the servers of companies providing Internet services. The Washington Post [1] reports on codename PRISM:

That is a remarkable figure in an agency that measures annual intake in the trillions of communications. It is all the more striking because the NSA, whose lawful mission is foreign intelligence, is reaching deep inside the machinery of American companies that host hundreds of millions of American-held accounts on American soil.

The technology companies, which participate knowingly in PRISM operations, include most of the dominant global players of Silicon Valley. They are listed on a roster that bears their logos in order of entry into the program: “Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.” PalTalk, although much smaller, has hosted significant traffic during the Arab Spring and in the ongoing Syrian civil war.

Dropbox, the cloud storage and synchronization service, is described as “coming soon.”

For those who don’t know what this means, it means that the administration is able to draw a graph (like a network chart) of who is talking to whom. It is able to say what are the key nodes through which any business passes, find all its Internet ‘friends’ and interlocutors and potentially drill down into the comms themselves — in time series.

This would pick up every organization of significance, whatever its purpose. Medical associations, pedophile rings, prayer groups, Tea Party groups, lesbian sororities, gay date swapping groups, business networks, professional networks, spy rings and terrorist cells. The works. It picks up the civilians more easily than the players, because the players use encryption, buy untraceable clothes and while disguised send one time messages via disposable or public devices.

The civilians don’t.

Your only safety lies in being overlooked, that is to say, in not being part of an affinity group of interest to the Obama administration. Otherwise you become part of the result set of a query, or search pattern. The reason everyone must sooner or later fall into the toils of the data mining operation is something called Dunbar’s Number [1]. It holds that no cell can grow beyond 150 members in size without resorting to communications and hierarchies.

So unless your organization wants to doom itself to insignificance, you will use email. You will use cloud apps. You will use IM. And you will wind up on the administration’s database.

The fact that you belong to a large group, for example the 50% of the US population that is conservative or Republican, does not give you safety in numbers. Within this large group of millions are a much smaller number of key leadership nodes. They are the nodes that matter, the top of the hierarchy mandated by Dunbar’s Number.

If you can control, corrupt or even bait those nodes you can reduce the entire group to impotence. You can effectively decapitate it, a strategy applied not only to al-Qaeda but apparently also by the IRS in its hunt of Tea Party and Republican fundraising groups. The virtual world lets you dominate the virtual high ground. You don’t have to clobber all Muslims and Republicans. You just have to clobber the key nodes and the rest will mill around like leaderless ants.

What the IRS and AP wiretapping scandals demonstrated was the administration’s intent in action. They want to clobber key nodes.  What the FBI/NSA data mining operations show is capability. They can clobber key nodes. The Obama administration has demonstrated the intent to pick apart affinity groups with IRS. The Verizon and PRISM stories show how they have potentially been doing it.

From another vantage, the IRS actions and the drone program were loop closers. They were the shoot step in a look-shoot-look cycle that begins and ends in the virtual world. For conservatives the action step is the audit letter. For jihadis the end of the line is the Kill List. This is where the Broadband Empire meets the Game of Drones.

It’s almost funny in a macabre sort of way, a kind of Second Life Universe which Jihadis enter via YouTube or some Islamic militant site run perhaps by an FBI webmaster and exit via a Hellfire controlled by a stream of bits. Call it the Jihadi Paradox, born by YouTube, died by GPS.

But what is most interesting about these breaking revelations is another question: “why now?” Why are all these programs, so long in gestation and so advanced in perversion now being brought to light?  The most reasonable conjecture is things have reached a tipping point in even the internal bureaucracy’s perception of their legitimacy.

For while there may be a difference of opinion over the initial character of these programs — the Bush started it versus the Obama did it debate — what cannot be denied is that the providers of these exposes to the media have decided that things have gone too far.

There must have been thousands of people who knew for a fact what I only guessed as a logical truth at that dinner party. The thousands or tens of thousands included those who worked for the data mining programs; or the legislators who had been briefed on the data collection efforts. Somewhere, somehow a critical mass of them said basta, enough, no mas, no more. For even the Broadband Empire and the Game of Drones are composed of people. And so the leaks.

Why the change of heart? Take the established media which may have known or suspected the existence of this control system for some time. To keep their friends or out of ideological conviction they long kept silent. Well they are silent no more, a trickle that threatens to be a flood if only out of the fear that motivated Trotsky to speak out against Stalin. They finally realized they too are in the cross-hairs, that what every Leftist fears in his DNA — the purge — is coming.

Do you know why no hard-core Leftist ever publicly admits that he is?  It’s because he knows what membership in that club means.  A word about Purges. Once I was told that Leftists were smarter than conservatives, to which I retorted, “then how come they all wound up in the Gulag?” But they too can wise up.

By whatever process, the existence and operation of these vast data mining schemes have lost legitimacy within the establishment and even the bureaucracy itself. Perhaps it was because some saw these magnificent virtual machines perverted in ways they were never intended to serve, converted into political persecution machines, or worse taken over by an enemy who could bribe his way into anything.

Perhaps it was because some True Believer finally realized he was a True Chump. When he finally realized “it’s you they are talking about, your IM message they are hacking,  your email they’re analyzing, your phone calls they are tracing. You are not exempt.”

Well why would you be? But we should take luck as it comes. To those who’ve finally chosen to put the questions out in the public space, welcome to the fight. And never say your part is small, for whatever you do may prove more important than you think.

Yet things might have gone far otherwise and far worse. When you think of the Battle of Pelennor, do not forget the battles in Dale and the valor of Durin’s Folk. Think of what might have been. … ruin and ash. But that has been averted — because I met Thorin Oakenshield one evening on the edge of spring in Bree. A chance-meeting, as we say in Middle-earth.

When we act in conscious freedom, there are no chance meetings in this or in Middle-Earth.

“You don’t know what freedom is, because you’ve never lost it”


Thatcher: Media in Love with Bloomberg’s Nanny State Policies

Media in Love with Bloomberg’s Nanny State Policies Time and time again, news outlets promote and praise everything mayor proposes. By Liz Thatcher,  March 28, 2013, Media Research Center, Business and Media Institute. The media are in love – with … Continue reading


WUWT: A Big Picture Look At “Earth’s Temperature” – “Extreme Weather

[Ed. Note 1: Cross posted from WUWT. This is a large, valuable, albeit semi-technical, discussion about the validity of the Global Warming meme so righteously (and religiously) promoted by mainstream media, and a variety of catastrophic climate scientists advocates and … Continue reading


Watson: Threats to Assassinate Romney Explode After Debate

Threats to Assassinate Romney Explode After Debate Obama supporters voice desire to kill Romney over fears food stamps will be taken away by Paul Joseph Watson, October 17, 2012, Infowars.com Despite numerous media outlets attempting to downplay the issue, Twitter … Continue reading