Sunday, June 9, 2013

Solving the mystery of PRISM


** PRISM is a kick-ass GUI that allows an analyst to look at, collate, monitor, cross-check different data types provided to the NSA from Internet companies located inside the United States. **

====================================================================

Solving the mystery of PRISM

June 7, 2013, at 11:40 PM




What exactly is PRISM? How does it work? Who uses it?


Let's assume that the companies whose data is sucked in by a National Security Agency tool called PRISM are denying their knowledge of the word and its associations in good faith. And let us also accept their denials that they've somehow given the NSA "direct access" to their servers.


So where are we?


First, the term "PRISM." The fact something at the NSA is called "PRISM" is unclassified.


There are many types of nicknames and words that the NSA uses. Some refer to collection tools. Some refer to data processing tools. The NSA has a specific name for data processing tools. They call them "SIGADs," short for "signals activity designator." PRISM is a SIGAD. It is a data processing tool.


Other NSA nicknames refer to databases. "Marina" is a database for metadata collected from telephone records. These two classes of words are not classified, but their association with a particular technology or a dataset is classified. That is, Marina=telephone metadata -- classified. I think, but don't know, that the Verizon metadata contained in the FISC order we saw goes into the Marina database.


Generally, the NSA assigns short alphanumerical designators to the hundreds of collection cells that focus on particular targets.


Associating one of these alphanumerics with its target or analytical group is classified.


On top of this, for especially sensitive programs, like those involving analysis and collection of domestic telephone or e-mail metadata, or those involving offensive cyberwarfare, the NSA creates "special access programs" that are identified by a code word, an unclassified nickname, and a digraph.


The existence of these SAPs and their code words are classified TOP SECRET.

Sometimes, small NSA collection cells access particularly sensitive or advanced collection platforms, like, say, tiny flying bugs. These technologies are not shared with every NSA collection cell; the technologies themselves are classified. (I don't know if NSA actually uses tiny flying bugs).


So: an analyst sits down at a desk. She uses a tool, like PRISM, to analyze information collected and deposited in a database, like CONTRAOCTAVE. Then she uses another tool, perhaps CPE (Content Preparation Environment), to write a report based on the analysis. That report is stored in ANOTHER database, like MAUI. MAUI is a database for finished intelligence products.


If the analyst was analyzing the content of telephone traffic, he or she would access the desired traffic stream through the use of a "selector," which is the NSA's term for production lines. A system called XKEYSCORE processes most of the SIGINT traffic that comes into the NSA by way of various collection platforms, and compartmentalizes it by selector. A selector might be "RUSFOR," which would stand for Russian foreign ministry intercepts. Or something like that. Recorded signals intercepts are stored in a database called PINWALE.


This is all very complicated, and that is on purpose. But this brief tutorial is important. PRISM is a kick-ass GUI that allows an analyst to look at, collate, monitor, cross-check different data types provided to the NSA from Internet companies located inside the United States.


The programs that use PRISM are focused, as the government said yesterday, on foreign intelligence. A lot of foreign intelligence apparently runs through American companies and American servers.


The chain of action works like this.


Under the FISA Amendments Act of 2008, the NSA and the Attorney General apply for an order allowing them to access a slice of the stuff that a company like Facebook keeps on its servers. Maybe this order is for all Facebook accounts opened up in Abbottabad, Pakistan. Maybe there are 50 of them. Facebook gets this order. Now, these accounts are being updated in real-time. So Facebook somehow creates a mirror of the slice of stuff that only the NSA can access. The selected/court-ordered accounts are updated in real-time on both the Facebook server and the mirrored server. PRISM is the tool that puts this all together. Facebook has no idea what the NSA is doing with their data, and NSA doesn't tell them.


The companies came online at different points, according to the documents we've seen, maybe because some of them were reluctant to provide their data and others had to find a way to standardize their data in a way that PRISM could understand. Alternatively, perhaps PRISM updates itself regularly and is able to accept more and more types of inputs.


What makes PRISM interesting to us is that it seems to be the ONLY system that the NSA uses to collect/analyze non-telephonic non-analog data stored on American servers but updated and controlled and "owned" by users overseas. It is a domestic collection platform USED for foreign intelligence collection. It is of course hard to take a Facebook account in isolation and not incidentally come into contact with an account that is owned by an American. I assume that a bunch of us have Pakistani Facebook friends. If the NSA is collecting on that account, and I were to initiate a Facebook chat, the NSA would suck up my chat. Supposedly, the PRISM system would flag this as an incidental overcollect and delete it from the analyst's workspace. Because the Internet is a really complicated series of tubes, though, this doesn't always happen. And so the analyst must sometimes "physically" segregate the U.S. persons data.


What happens if I, in America, tell my Pakistani friend via Facebook chat that I am going to bomb a bridge? We don't know precisely what happens when, in the course of a foreign intelligence intercept, a US person creates evidence of their complicity with terrorism. The analyst must be able to distinguish between relevant and non-relevant communication. If the analyst catches my threat, then he or she will immediately initiate a procedure that sends the information to the FBI, which begins its own investigation of me.

The NSA does not continue to collect on me. The FBI does -- and probably uses the NSA tip as probable cause to obtain a FISA order to start collecting data using a PRISM-type tool of its own.


What if the location of the other person is unknown? The NSA has a tool called AIRHANDLER that helps them geolocate the origin of these special signals.


Here is an important thing to know: everything the NSA analyst does leaves an audit trail. And the NSA has a staff of auditors who do nothing but sample the target folders for over-collects.


There are many unknowns, of course, and many places where the system could break down. We do not know the minimization rules. They are highly classified. We do not know how long minimized data sits in storage. We don't know how many NSA analysts are trained to handle US persons data, or HOW they are trained. We don't know the thresholds to determine what the NSA finds to be relevant enough. We don't know how long the NSA can collect on a target without getting a FISA order, though we do know that they can start collecting without one if the circumstances demand it.


