APT & Targeted Attacks
PRISM leak renews debate over privacy, legality
Following the leak of a classified slide deck by an NSA contractor last June, the agency's previously secretive PRISM program entered the public spotlight and inspired vigorous debate over its legality and overall implications for individual privacy.
Save to Folio
Following the leak of a classified slide deck by an NSA contractor this past June, the agency's previously secretive PRISM program entered the public spotlight and inspired vigorous debate over its legality and overall implications for individual privacy. Although confirmation of PRISM's existence was news to millions of consumers who had been unaware of government efforts to collect and collate private telecommunications data, its specific collection mechanisms were shown to rely on classic tactics like handover of user information by service providers.
As such, PRISM represents the latest high-water mark in a rising tide of expansive U.S. government data collection efforts, which have been buoyed by the broad permissions granted to law enforcement by the U.S. Patriot Act. Ostensibly designed to assist the Patriot Act in preventing terrorist strikes, the scope and sophistication of PRISM, especially its application to vast swaths of seemingly mundane consumer data both in the U.S. and Europe, has surprised both the cybersecurity community and U.S. legislators, even if its basic tactics have not.
The collation of vast amounts of sensitive data acquired via programs like PRISM ultimately raises the stakes for any malicious attack, since an incident could compromise countless records. Moreover, this information is often shared across numerous agencies and under vague guidelines, which could invite the attention of rogue nongovernmental actors and weaken overall Web and database security.
Telecoms, software companies have long complied with U.S. collection efforts
Writing for The Verge, T.C. Sottek and Josh Kopstein explained that PRISM collects data from a range of consumer-facing Web services, including email exchanges like Yahoo! Mail and Outlook.com, as well as social networks such as Facebook. In each collection instance, the NSA makes a request to the specific service provider. Historically, companies have complied with most subpoenas that seek data, but they have voluntarily disclosed information less often. In the case of PRISM, not much is known about its mechanics, although targeted companies and the U.S. government itself argue that all requests are expressly approved by the secretive Foreign Intelligence Surveillance Court (FISC).
Both parties have attempted to downplay their respective levels of agency in PRISM data collection efforts. Service providers like Apple, which manufactures the iPhone and operates the iCloud email and storage services, have insisted that they rarely, if ever, grant requests. Also writing for The Verge, contributor Chris Welch obtained a statement from Apple spokesperson Steve Dowling addressing the Cupertino company's role in PRISM.
"We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order," wrote Dowling, appealing to assumed legal and constitutional (in the U.S.) protections that theoretically restrict access to consumer information.
However, service providers, especially in the software and telecommunications sectors, have historically been acquiescent to such government requests, which the U.S. government has insisted are rare and done only in accordance with certain laws and with the approval of bodies like FISC.
PRISM was technically initiated by the passage of the Protect America Act in 2007. That legislation merely codified practices that had been developed in the wake of the September 11, 2001 attacks under the informal working banner of the Terrorist Surveillance Program. Additional intelligence permissions were granted to the NSA by the concurrent Foreign Intelligence Surveillance Act (FISA) of 2006 and 2007. FISC itself was established in the late 1970s, but has since been expanded by legislation like the Patriot Act.
In one notable instance of PRISM compliance, chronicled by ZDNet's Zack Whittaker, Microsoft U.K. managed Gordon Frazer stated that he could not guarantee the safety of data stored on the company's servers, even if said servers were located outside the U.S, due to Patriot Act provisions.
"Microsoft cannot provide those guarantees [about security]," said Frazer. "Neither can any other [U.S.] company."
Providing specific details about the extent of the NSA's access in this particular case, a group of The Guardian's contributors explained that the NSA has been given visibility into pre-encryption stage email and that both it and the FBI had been granted exceptions to the encryption algorithms for webchat and cloud storage services. In a similar case identified by Sottek and Kopstein, Verizon was found to be handing over telephony metadata and call records on an "ongoing, daily basis."
PRISM pushing the boundaries of the law, consumer comfort
Even when providers have not given explicit permission, government agencies have become increasingly aggressive in their collection tactics. According to Wired's David Kravets, the FBI and U.S. municipal police have recently taken up tactics such as warrantless collection of cellular and GPS data via placement of secret tracking devices. Although not necessarily or explicitly governed by PRISM, these tactics nevertheless target the same types of data that PRISM operatives seek, such as geolocation information, IP addresses and search histories.
Even a judge who approved this collection methodology referred to it as raising a "vexing question" in regard to whether law enforcement was respecting rights guaranteed by the Fourth Amendment to the U.S. Constitution. Also taking the constitutional angle, a group of plaintiffs sued the U.S. government in June, citing PRISM as "an illegal and unconstitutional program of dragnet electronic surveillance."
The legal and ethical issues broached by PRISM extend beyond the U.S. Constitution. Generally, European businesses and governments remain wary of how PRISM lets the NSA keep tabs on their activities by monitoring popular, primarily American-created Web services such as Google.
"I don't see how you have a pitch meeting with one of these European cloud providers and not have subject of the Patriot Act concerns come up," international litigation expert Alex Lakatos told Overby.
PRISM has surprised even cybersecurity experts and politicians
European and American politicians, as well as cybersecurity analysts, have been caught off guard by some of the NSA's cutting-edge methods in PRISM and similar operations.
A particular point of concern has been XKeyscore, a program that appears to be a potent extension of PRISM's powers. It permits holistic tracking and inspections of encrypted documents, social media posts, telephone conversations and email, explained Deutsche Weille writer Carla Bleiker.
German data protection commissioner Peter Schaar referred to XKeyscore's sophistication as "indeed surprising." Similarly, German politician Bruno Kramm likened XKeyscore to as an all-encompassing terminal with access to the Internet. "One could imagine that the entire world and everyone in it were saved on your own personal hard drive," Kramm told Bleiker.
While alarm over PRISM has been widespread in Europe, the U.S. politicians who theoretically have a say in what the NSA is authorized to do have had trouble obtaining more information about operations approved by the FISC and FISA. The Guardian's Glenn Greenwald explained that many members of Congress were unaware of PRISM's existence, and that congressmen who had asked for specific program details had been rebuffed.
The gravity of the PRISM revelations was such that U.S. President Barack Obama quickly moved to create greater transparency on NSA operations. At particular issue is Section 215 of the Patriot Act, which authorizes the FBI to aggressively investigate U.S. citizens suspected of terrorism, according to Global Post contributors Priyanka Boghani and Samantha Stainburn. This part of the legislation has come under repeated scrutiny in the past for its possible infringements on the Fourth Amendment.
"My preference, and I think the American people's preference, would have been for a lawful, orderly examination of these laws, a thoughtful fact-based debate that would then lead us to a better place," said Obama at a recent news conference. In particular, less secrecy about PRISM between U.S. intelligence agencies and politicians could create better understanding about when and how to gather data, and how it can be shared in a way that does not create security and privacy risks.