According to Edward Snowden, the National Security Agency (NSA) leaker, the US government has recruited several major Internet corporations, notably Facebook, Google, Microsoft, and Yahoo, to help it harvest emails, videos, and web traffic from unsuspecting US and foreign citizens through a data collection system code-named PRISM. The story was broken by the Guardian and the Washington Post. According to a slide deck taken from the NSA by Snowden and shared with the media, 98% of PRISM's output comes from Microsoft, Google, and Yahoo. Some observers believe that PRISM is an extrajudicial operation, run without much executive or judicial supervision, and thus possibly illegal and even criminal. What do we really know about PRISM and about the volume of data it collects from the companies listed above?
On June 8th, in an unprecedented step, the Director of National Intelligence released some basic information about PRISM in a document titled Facts on the Collection of Intelligence Pursuant to Section 702. According to this document:
PRISM is not an undisclosed collection or data mining program. It is an internal government computer system used to facilitate the government’s statutorily authorized collection of foreign intelligence information from electronic communication service providers under court supervision, as authorized by Section 702 of the Foreign Intelligence Surveillance Act (FISA) (50 U.S.C. § 1881a). This authority was created by the Congress and has been widely known and publicly discussed since its inception in 2008.
Under Section 702 of FISA, the United States Government does not unilaterally obtain information from the servers of U.S. electronic communication service providers. All such information is obtained with FISA Court approval and with the knowledge of the provider based upon a written directive from the Attorney General and the Director of National Intelligence. In short, Section 702 facilitates the targeted acquisition of foreign intelligence information concerning foreign targets located outside the United States under court oversight. Service providers supply information to the Government when they are lawfully required to do so.
The Government cannot target anyone under the court-approved procedures for Section 702 collection unless there is an appropriate, and documented, foreign intelligence purpose for the acquisition (such as for the prevention of terrorism, hostile cyber activities, or nuclear proliferation) and the foreign target is reasonably believed to be outside the United States. We cannot target even foreign persons overseas without a valid foreign intelligence purpose.
In addition, Section 702 cannot be used to intentionally target any U.S. citizen, or any other U.S. person, or to intentionally target any person known to be in the United States. Likewise, Section 702 cannot be used to target a person outside the United States if the purpose is to acquire information from a person inside the United States.
Finally, the notion that Section 702 activities are not subject to internal and external oversight is similarly incorrect. Collection of intelligence information under Section 702 is subject to an extensive oversight regime, incorporating reviews by the Executive, Legislative and Judicial branches.
The Courts. All FISA collection, including collection under Section 702, is overseen and monitored by the FISA Court, a specially established Federal court comprised of 11 Federal judges appointed by the Chief Justice of the United States.
The FISC must approve targeting and minimization procedures under Section 702 prior to the acquisition of any surveillance information.
Targeting procedures are designed to ensure that an acquisition targets non-U.S. persons reasonably believed to be outside the United States for specific purposes, and also that it does not intentionally acquire a communication when all the parties are known to be inside the US.
The key point is that PRISM is a legal operation, supervised and approved by the US courts. It is run under the shield of the Foreign Intelligence Surveillance Act and appears to be part of a targeted operation rather than a "vacuum cleaner". The Washington Post suggests, and some other informed observers agree, that it is in fact no more or less than a secure file transfer mechanism, akin to SFTP, used to deliver information requested about specific individuals after the requests and the data have been reviewed by legal analysts on the company side. Running it costs $20 million a year, which is 0.2% of NSA's budget of roughly $10 billion a year and about 0.04% of the overall US intelligence budget.

How targeted is it, though? Microsoft, Google, and Facebook have released aggregated figures on the data they provided to government and law enforcement agencies at all levels during the last six months of 2012. The number of users affected by court-ordered disclosures is in the tens of thousands. For some this is too large a number, for others too small, given that there are over 100 million Internet users in the US alone and over 2 billion worldwide. This chart summarizes the reports:
The data was gleaned from the press releases issued by these Internet companies.
For the six months ending December 31, 2012, the total number of user-data requests Facebook received from any and all government entities in the U.S. (including local, state, and federal, and including criminal and national security-related requests) – was between 9,000 and 10,000. These requests run the gamut – from things like a local sheriff trying to find a missing child, to a federal marshal tracking a fugitive, to a police department investigating an assault, to a national security official investigating a terrorist threat. The total number of Facebook user accounts for which data was requested pursuant to the entirety of those 9-10 thousand requests was between 18,000 and 19,000 accounts.
With more than 1.1 billion monthly active users worldwide, this means that a tiny fraction of one percent of our user accounts were the subject of any kind of U.S. state, local, or federal U.S. government request (including criminal and national security-related requests) in the past six months. We hope this helps put into perspective the numbers involved, and lays to rest some of the hyperbolic and false assertions in some recent press accounts about the frequency and scope of the data requests that we receive.
For the six months ended December 31, 2012, Microsoft received between 6,000 and 7,000 criminal and national security warrants, subpoenas and orders affecting between 31,000 and 32,000 consumer accounts from U.S. governmental entities (including local, state and federal).
Google reported for the same period 21,389 requests from governmental agencies all over the world, of which about 66% produced data for the government, affecting 33,634 individual accounts. Of these requests, 8,438 were US requests, affecting 14,791 accounts.