Snowden has definitely been the biggest newsmaker of the last two months. Unprecedented revelations by The Guardian and The Washington Post, a dramatic escape of the American whistleblower via Hong-Kong right into Putin's tight grip, and the Bolivian President Evo Moralez's plane forced to land since Amercian authorities had reasons to believe the new American dissident-slash-traitor was hiding there. Anyway, there's more about Snowden disclosed to people than about himself. The revealed workings of the NSA surveillance system remain largely obscure to the general public. We have tried to sum up the most important information about them here.
PRISM is the most hyped up and most modest Web surveillance project by the NSA, both in terms of its scale and legal dubiousness.
Officially known as US-984XN, PRISM is a data-mining program consisting of software surveillance mechanisms implanted into the servers of US-based IT corporations, enabling NSA officers to view and analyze the data stored there. Some documents obtained by The Washington Post indicate that NSA may actually have no direct access to the servers but rather sends its surveillance data requests to specific equipment in company-controlled locations. The companies, in their turn, gather and send the required data to the intelligence services.
The free access to the users' confidential information is ensured by close teamwork between the security agencies and IT companies, their engineers and technicians often working together to bypass the companies' own encryption techniques as efficiently as possible. The PRISM project reportedly involves such US-based companies as Facebook, Google, Microsoft, Apple, and other IT service providers with a global presence. A prime example of this collaboration effort between the intelligence services and private businesses could be Microsoft instructing the NSA how to bypass the allegedly perfectly safe mail encryption on Outlook.com: this and many other instances of cooperation between the two organizations were reported by The Guardian this July.
However, this cooperation doesn't happen on a voluntary basis. The NSA acts only with a court order, compelling the companies to cooperate and, more importantly, forbidding them to disclose it. The court orders are issued by the so-called FISA court, specifically created to oversee the surveillance carried out by intelligence agencies. Unlike the overwhelming majority of other US courts, the FISA court hears only the governmental side, abandoning the adversarial principles of the American legal procedures: apparently, due to the classified nature of the NSA materials. The rulings of this court include a number of highly controversial decisions, like the authorization of the NSA to collect Verizon users' call medata on a daily basis. According to The New York Times, the FISA court issued nearly 1,800 surveillance orders in 2012 whithout denying a single request from the intelligence agencies.
This surveillance program is actually run by GCHQ, a British intelligence service. However, the data mined by Tempora is actively shared with the NSA. Moreover, the American partner actively participated in unrolling and testing the system, so it won't be much of a stretch to regard it as a joint project of the two intelligence services.
The primary concept behind Tempora is as simple as it goes. The geographical location of Britain in the westernmost Europe led to an extremely high concentration of Translantic Internet cables from the USA on the British coast. America being the home country of most of the Web service providers, the amount of data transmitted by these cables accounts for the largest part of the European traffic by a huge margin. To get access to these data, GCHQ only had to tap into these cables, and this is what they did.
Unlike PRISM, which doesn't allow for blanket surveillance of traffic, Tempora is aimed at copying the entire data that can be reached. To that end, GCHQ utilizes high-capacity probes, capable of carrying 10 GB/s. The Guardian reports that the estimate amount of data processed through Tempora exceeded 21,000,000,000,000,000 bytes (21 petabytes) per day - 'equivalent to sending all the information in all the books in the British Library 192 times every 24 hours.' This enormous figure makes it virtually impossible to store all the data perpetually, so the content is deleted after 3 days, and metadata are usually kept for 30 days. Nevertheless, the data, presenting a special interest for the intelligence services, are sorted out through a number of complex filtering procedures and are apparently used for long-term surveillance. The details about the criteria used to filter the data, let alone any specific examples, are classified and thus unknown to the public.
Logically, operating such a complex system of Web surveillance would hardly have been possible without the help of private businesses. The Guardian claims it possesses Snowden's leaked documents wherein those are referred to as 'intercept partners'. Some of these documents allegedly prove that the participant companies are paid for their services, despite being essentially compelled to cooperate in the best PRISM traditions. Anyway, the British government seems to be taking great paints to prevent the intercept partners names from being disclosed, as it can cause 'high-level political fallout'.
This surveillance behemoth is definitely the most impressive surveillance project the NSA paper has told the world about. Potentially, it allows the intelligence services to store and analyze the entire communication of whole countries. Quite impressive. In fact, XKeyScore is a surveillance Google, delivering its users highly precise search results. Examples of search queries for XKeyscore as claimed in a leaked NSA presentation include: 'Show me all the Microsoft Excel spreadsheets containing MAC addresses coming out of Iraq so I can perform network mapping' or 'Show me all the VPN startups in country X, and give me the data so I can decrypt and discover the users.' An especially impressive example is: 'Show me all the exploitable machines in country X', which means the USA could use XKeyScore for planning cyberattacks.
XKeyscore obtains information from three primary sources:
- F6, an NSA and CIA organization, the primary goal of which is to gather information from difficult-to-reach places like embassies;
- FORNSAT, programs used for intercepting data processed by foreign country satellites;
- SSO (Special Source Operations), an NSA department responsible among other things for collecting US domestic communication metadata.
As the amount of harvested data is gargantuan, XKeyscore employs a strategy very similar to the one used by Tempora. While the regular content can be stored for only three to five days and metadata is usually deleted after 30 days, the gathered information is sorted out by a number of criteria, embracing the use of key terms and specific e-mail addresses. Other possible criteria include the use of language not typical for the country the user's IP is located in (e.g. German in Pakistan) or browsing suspicious Web pages or documents (e.g. a Jihadist book). These data of itnerest are subsequently saved in specialized databases (e.g. one called 'Pinwale'), where they can be stored for up to five years.
The major cause of concern about XKeyscore is that the NSA doesn't need any warrant to use it. Theoretically, it can even intercept communication of US citizens, for instance if they talk to a foreign target person. The methods applied to determine if a potential target person is foreign are also everything but watertight: an NSA officer can merely select an option from a dropdown list of justifications, and that's it. This decision is not reviewed by the court or other NSA officers – the user is granted immediate access to the suspect's data. At the same time, the justifications available to the user do not sound really convincing. So, the NSA may examine the target person's private correspondence if their phone number was registered overseas. Even more spectacular is the justification that sounds like 'In direct contact with overseas, no info to show proposed tgt in US'. In other words, the NSA officer has no reasons to believe the person in question is an American citizen; therefore, this person is a foreign citizen and can be surveilled without a warrant.
That's basically what the three NSA surveillance projects boil down to. Of course, there is much more to say about each of them, but detailed desciptions of PRISM, Tempora, and XKeyscore would take much more place than I can give them here.
I have tried to distance myself from expressing any personal opinion. The matter of Web surveillance by intelligence agencies is too complicated to think you can grasp it after reading a couple of articles and watching a dozen of YouTube videos. Yet, it may well be possible I've failed to be completely objective. Like any of you would when it comes to your rights and your security. Anyway, I am positive most of you will agree with my strong belief that it's good Snowden's affair has fuelled so much controversy. The discussion about whether personal security should be valued higher than personal liberties, and to what extent, is a very hard one. It is also possible that there is no right answer at all. What matters is that we're holding this discussion in the first place. It means that the democracy is not dead (yet?).