(Updated: June 10, 2013)
Yesterday, Thursday June 6, The Washington Post and The Guardian came with a breaking news story about a Top Secret NSA program called PRISM, which reportedly collects data directly from the servers of nine major internet companies like Microsoft, Google, Facebook, Skype and Apple.
Many of these firms have already denied that the government has access to their networks. Today both president Obama and director of National Intelligence James Clapper said there is no gathering of information about US citizens or of any person located within the United States.
> See for the latest information:
PRISM as part of the BLARNEY program
New insights into the PRISM program
The Guardian claimed to have obtained 41 slides of an NSA presentation about the PRISM collection program, and showed some of them on its website. But some strange looking details caused a number of people, especially on Twitter, think the slides might be fake.
Here we take a more close look at these slides, which, if genuine, give a very rare look at a recent Top Secret document from the US National Security Agency.
The strangest thing about the slides is probably the PRISM program logo, which is shown at the top right side of each slide. On the Guardian website this logo is also shown separately with an orange background box - the same way it appears on their slides. But as we look at the same slides on the website of The Washington Post, we see that the orange background has been cropped away.
This can only mean that the logo was added somewhere afterwards, and therefore wasn't part of the original slide deck. On Twitter, it was also noticed, that the PRISM logo was made by using a standard clipart image.
> UPDATE: One of the journalists of The Guardian explained on twitter, that these differences between the slides are caused by using different powerpoint readers (The Guardian using OpenOffice).
Details and explanation of the first PRISM slide
This does not automatically mean the whole slide deck is fake, so let's take a closer look at the rest of the slide contents:
- At the top left and the bottom right corner of each slide we see the standardized classification marking line, showing the classification level and the dissemination control markings.
In this case the slides are marked: TOP SECRET // SI // ORCON // NOFORN, which combines:
TOP SECRET - the classification level, meaning that public disclosure of the document would cause 'exceptionally grave damage' to national security.
SI - Special Intelligence, formerly known as COMINT or COMmunications INTelligence, which means this document is part of a control system for Sensitive Compartmented Information (SCI).
ORCON - ORiginator CONtrolled, meaning the originator controls dissemination and/or release of the document. Therefore these are always viewed in secured areas that are cleared for top-secret data and one cannot view or copy such a document without leaving an audit trail.
NOFORN - NO FOReign Nationals, meaning distribution to non-US citizens is prohibited, regardless of their clearance or access permissions.
- At the top of each slide we also see the logos of the internet companies involved in the PRISM program. The way these logos are grouped at the top of each slide looks not very professional, it distracts from the content and there's also no good reason for showing them on every slide. Therefore this part is also seen as a typical photoshop work.
- Top left we also see a seal with the words Special Source Operations, which is a department of the NSA responsible for important intelligence collection programs. This seal cannot be easily found elsewhere on the internet and looks well designed, so is most likely real.
- The title of the presentation is: PRISM/US-984XN Overview or The SIGAD Used Most in NSA Reporting Overview. SIGAD is the abbreviation of SIGINT Activity Designator, which is a unique addresss for every signals intelligence collection station, ship, or method and consists of a country code followed by alphanumeric characters. Thus the second part of the title (The SIGAD Used Most in NSA Reporting) refers to the first part, where US-984XN is the SIGAD of the PRISM program.
- Underneath the title there's a line which is partly (Guardian) or fully (Washington Post) blacked out. From what we can read, this line most likely started with the name of the person being the PRISM collection manager, followed by a kind of service/department number. Understandably the name has been blacked out because of privacy and security reasons, and the American paper even blacked out the rest.
- Finally, at the bottom right we see a red bordered box with three lines:
Derived from: NSA/CSSM 1-52 - meaning this was derived from the NSA/CSS Manual 1-52 about Classified National Security Information, which describes additional responsabilities of holders of NSA/CSS protected information.
Dated: 20070108 - meaning the presentation was derivative of work dated January 8, 2007, which appears to be the date of the NSA/CSS Manual 1-52.
Declassify On: 20360901 - meaning the slide deck was meant to be declassified on September 1, 2036. In general, this has to be 25 years from the date of the document’s origin, which seems to indicate that this presentation was classified on September 1, 2011, allthough the first slide itself is dated April 2013.
After this close look at the first slide of the PRISM presentation we have seen that there are a few strange elements, but also that most of the content looks realistic.
Another difference between the slides
Not only there's a difference between the PRISM logo on the slides at the Guardian and the Washtington Post websites, but, as noticed at this website, also on the slide showing in which years the various internet companies were "added" to the program:
As we can see in the picture, the slide on the Guardian website shows a different green arrow underneath the yellow circles than the Washington Post slide does. Both papers each seem to have some slightly different slides, which is quite strange if they really obtained a copy of such a higly classified slide deck.
> UPDATE: One of the journalists of The Guardian explained on twitter, that these differences between the slides are caused by using different powerpoint readers (The Guardian using OpenOffice).
As the presentation concerns signals intelligence, it has to be handled either trough the highly secured JWICS network used by the US intelligence community, or through NSAnet, which is the classified intranet of the NSA. It looks like PRISM is related to NSAnet, as one of the slides says: "Complete list and details on PRISM web page: Go PRISMFAA". Using a command like this appears to be common practice for NSAnet.
As it is very difficult and risky to get the slides themselves out of NSA's control, it is of course far more easy for someone who has seen the presentation, to tell a journalist what was in it. Then some graphic artist at the newspaper could have made these slides according to what was told to him. In this way, the differences between the slides of both newspapers can easily be explained by an internal messing up of some different versions.
The story revised?
Meanwhile, the Washington Post (because they had rushed the publication?) had to walk back a bit from its initial claims by citing a second classified report that identified PRISM as a program to "allow ‘collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,’ rather than directly to company servers."
Also the New York Times came with a story which says that each of the large internet companies negotiated with the government about handing out information. As far as this concerns non-US citizens, they are legally required to share the data under the Foreign Intelligence Surveillance Act (FISA) and in this way these companies are providing intelligence agencies like NSA with specific data in response to individual court orders.
These FISA orders can range from inquiries about specific people to a broad sweep for intelligence, like logs of certain search terms. Last year there were 1856 of such FISA requests. In order to make this more easy, some companies agreed with NSA to transmit these data electronically, using company’s servers or even government equipment at a company location. This however is different from giving the NSA wholesale bulk access to user data.
This version of the PRISM story was more or less confirmed by Director of National Intelligence (DNI) James Clapper, who released a statement with a fact sheet (PDF), which says "PRISM is not an undisclosed collection or data mining program. It is an internal government computer system used to facilitate the government’s statutorily authorized collection of foreign intelligence information from electronic communication service providers under court supervision".
More about classification markings
Earlier on the evening of June 8, The Guardian published another slide, to clarify that PRISM, which involves data collection from servers, is distinct from four different programs involving data collection from "fiber cables and infrastructure as data flows past".
This newest slide (shown left in the picture above) seems to have an omission, which can also be seen in some of the earlier slides: allthough they have the obligatory classification line (as described above), and the slide title is marked with the so called portion marking (the (TS//SI//NF) which is an abbreviation of the full classification line), this portion marking is missing in the content.
As the DoD and intelligence community Classification Markings Manuals prescribe, all content of briefing slides, including bullets, captions, titles, and embedded graphs, charts and figures, have to be marked with portion markings at the beginning of each portion (except when a waiver for the portion marking has been obtained). This because parts of a document classified as Top Secret can have a lower classification level or can even be unclassified, which also clearly applies to some of the paragraphs of the slides.
Again, this omission alone does not mean these slides are fake, it's also possible that the author of the presentation was simply somewhat lazy. At least in case of the slide titled "Introduction. U.S. as World's Telecommunications Backbone" the content is public information, for which the overall Top Secret classification would clearly not be justified.
A correct implementation of the portion marking can be seen in some slides about the NSA's BOUNDLESSINFORMANT data mining tool, which were disclosed by The Guardian on June 8. Here we see the slides are marked as TOP SECRET // SI // NOFORN within an orange bar, which is the color code for Top Secret, but with the separate text portions marked as (U//FOUO) as they are Unclassified // For Official Use Only:
With correct markings and a more professional look, these new slides look more credible than those of the PRISM presentation. As government agencies apparently often produce bad looking presentations, this alone doesn't make the PRISM slides fake, but we always should be aware of things like hoaxes, sensationalism and disinformation from whatever source, and at the same time don't get trapped into conspiracy theories.
Other PRISM programs
As there are still questions about what exactly NSA's PRISM program does, it became clear that there are also a number of other intelligence and security related programs called PRISM, which may cause some confusion:
The journalist Matthew Keys discovered that in 2007 a classified Defense Intelligence Agency (DIA) intelligence job listing mentions "national intelligence community collection management systems" like PRISM, COLISEUM and HOT-R. A DIA job listing from earlier this year requires "Experience working in collection requirements management systems and procedures, to include PRISM, HOT-R, GIMS, NSRP, TORS, OSCR, COLISEUM, and CMST"
As this are DIA jobs, it seems however that this PRISM system is different from the one of the NSA. At the website of defense contractor IIT, PRISM is explained as an abbreviation of the "Planning tool for Resource Integration, Synchronization and Management", which just like COLISEUM, seems to be used in the field of Geospatial Intelligence, which analyses satellite imagery of the earth. In this way, PRISM is also mentioned in a number of documents on the Cryptome website. These are dating back to 2003, which is four years before the alledged start of the NSA PRISM internet program in 2007.
> More about this confusion: Is PRISM just a not-so-secret web tool?
The existence of what looks like a third PRISM system was unveiled by this PDF document at the Cryptome website. This document, dated March 21, 2004, describes PRISM (Protect, Respond, Inform, Secure, and Monitor) as a Homeland security Command and Control (C2) decision support system, providing a single end-user application for messaging, alerting, geo-referenced mapping, and asset tracking.
A program called PRISM is also used by the US Secret Service, where this is an acronym which stands for Protective Research Information System Management (PRISM-ID). This system is used to record information that required to assist the agency in meeting its protective mission that includes the protection of the President, and other top level officials. More about this program can be found in this PDF document from 2010 at the Cryptome website.
Links and Sources
- The Washington Post: U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program
- The Guardian: NSA Prism program taps in to user data of Apple, Google and others
- Business Insider: Is The Claim That The Government Has A Direction Connection To Tech Companies A Lie?
- Forbes: Startup Palantir Denies Its 'Prism' Software Is The NSA's 'PRISM' Surveillance System
- New York Times: Tech Companies, Bristling, Concede to Federal Surveillance Program
- ABC News: 4 Unanswered Questions About NSA Leaks
- The 2011 Intelligence Community Classification and Control Markings Implementation Manual (PDF)
- The 2012 DoD Marking of Classified Information Manual (PDF)
- ZDNet: The real story in the NSA scandal is the collapse of journalism
- The Week: Solving the mystery of PRISM
0 comments:
Post a Comment