I, sitting at my desk, certainly had the authorities to wiretap anyone, from you or your accountant, to a federal judge or even the President, if I had a personal e-mail.
—Edward Snowden
It's the money quote of this whole affair, and, putatively, the reason we should all care about it. In Snowden's telling, PRISM is the ravenous spider at the center of a vast web of electronic surveillance that gives shadowy government figures the ability to reach out a bony finger and tag anyone, anywhere in the world, for immediate, comprehensive, and ongoing monitoring by the security state, based on nothing more than personal whim. Truly, it's a scary story, and one that should outrage every living person plus several of the higher orders of mammals.
There's only one problem. That word, PRISM? I don't think it means what Edward Snowden thinks (or perhaps says) it means.
I want to emphasize that what I am about to talk about is entirely speculation, based on my understanding of the PRISM revelations we have received. I have no actual knowledge of any of the people or technology involved. For that matter, it's not impossible that I've overlooked some crucial bit of information that would render my supposition invalid. I could be completely wrong about all of this. It wouldn't be the first time, and it won't be the last. So take all of this with a grain of whatever you feel is appropriate. I'll try to make this as layperson-friendly as I can, but readers who have an understanding of some of the technologies involved will probably get a bit more out of it than someone who doesn't. Sorry.
We begin with the FISA Amendments Act of 2008, which granted the Foreign Intelligence Surveillance Court, or FISA Court, the power to issue "programmatic warrants," a new class of warrants that are much, much more expansive than anything U.S. courts had ever been able to issue. According to Sen. Ron Wyden (D-Ore.), a programmatic warrant "lasts for an entire year, and authorizes the government to collect a potentially large number of phone calls and emails with no requirement that the senders or recipients be connected to terrorism, espionage, the threats that we are concerned about." The NSA embraced the new rules with relish, and expanded its surveillance programs so zealously that even the FISA court—often caricatured as a rubber stamp—has found the agency's efforts unconstitutional on multiple occasions.
So imagine you're in charge of operations at FooSoft, a large multinational provider of email and social networking services, and suddenly the NSA is constantly coming to you with these expansive warrants covering large groups of people, which you are required by law to comply with. Software companies design their operations around use cases, or statements of activities customers will want to engage in: sending email from a mobile device, adding a conventional telephone user to an ongoing voice chat, and so forth. Paranoid fantasies aside, complying with electronic search warrants is probably not a use case envisioned by most software companies, for a variety of reasons. When warrants are rare and apply only to individuals, that's not a problem; in most cases, it's probably fairly easy to pull the requested data from the database on demand.
Programmatic warrants, however, are a different story. Suddenly a warrant might require pulling data from multiple databases pertaining to large sets of user accounts that may or may not be well-defined: "Mail records and chat logs from all user accounts that were involved in sending mail between New York City and Tehran on August 9, 2011," or something like that. FooSoft would never have developed systems for processing this kind of query previously, because creating that kind of infrastructure would be a significant undertaking, and doing it for no reason would just be a waste of resources. So when the programmatic warrants start coming in, FooSoft has to handle each one on an ad hoc basis, using whatever tools are available to it. In a worst-case scenario, that might mean manually crafting direct database queries (which is time-consuming and could even be dangerous if not performed correctly) on multiple databases to retrieve data in a raw form that's difficult to work with. This is bad not only for FooSoft, but for the NSA too. It quickly becomes clear to both the company and the government that there's got to be a better way. PRISM, in this scenario, is that better way.
In this scenario, PRISM simply provides a standardized Web interface or API that automates the process of providing warrants to a partner company and receiving data from it. Each participating company would build its own PRISM system that connects to its own databases in whatever way the company sees fit, and presents a standardized common interface for data retrieval. In a greatly simplified form, it might work something like this:
[Figure: One way the PRISM system might work]
Here, the NSA or other agency obtains a digitally signed warrant from the FISA court. (A digital signature is a way to prove that no one but the signer could have created or modified the signed file.) The warrant file is structured in a standardized way that makes it possible for a computer at the targeted company to read and process the warrant. The NSA operative uses a web browser to visit a special web page hosted by the targeted company, and uploads the warrant file. (This special server would be the entity labeled "FBI DITU" on the PRISM slides, I believe.) The PRISM server at the company then collects data from its databases as specified by the warrant, and offers the operative a data file for download.
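To make the digital-signature step in this hypothetical flow concrete, here is an added example (not part of the original post, and not a description of any real system) of a receiving server that verifies a detached signature over the exact bytes it was handed before it parses or acts on them. The JSON layout, the field names, the key pair and the choice of Ed25519 are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Request is a constructed, hypothetical machine-readable order format.
type Request struct {
	ID       string    `json:"id"`
	Scope    string    `json:"scope"`
	NotAfter time.Time `json:"not_after"`
}

var (
	ErrBadSignature = errors.New("signature does not verify against issuer key")
	ErrExpired      = errors.New("request is past its validity window")
)

// Accept checks the detached signature over the raw bytes first and parses
// them only if it verifies, so unsigned or altered input is never interpreted.
func Accept(issuer ed25519.PublicKey, raw, sig []byte, now time.Time) (*Request, error) {
	if len(issuer) != ed25519.PublicKeySize || !ed25519.Verify(issuer, raw, sig) {
		return nil, ErrBadSignature
	}
	var r Request
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, fmt.Errorf("signed but malformed: %w", err)
	}
	if now.After(r.NotAfter) {
		return nil, ErrExpired
	}
	return &r, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed issuer key pair
	raw := []byte(`{"id":"example-001","scope":"user@foosoft.example","not_after":"2030-01-01T00:00:00Z"}`)
	sig := ed25519.Sign(priv, raw)
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	_, err := Accept(pub, raw, sig, now)
	fmt.Println("original:", err)
	tampered := []byte(`{"id":"example-001","scope":"other@foosoft.example","not_after":"2030-01-01T00:00:00Z"}`)
	_, err = Accept(pub, tampered, sig, now)
	fmt.Println("tampered:", err)
}
```

Because the signature covers the raw bytes, changing the scope after signing fails verification before any field is read, which is the property the parenthetical above describes.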
This scenario is consistent with all of the PRISM slides we have seen. It would enable "collection directly from the servers" of the participating companies, but it does not mean that the NSA has unfettered access to the data on those servers—which I believe is the clear but highly misleading implication of Snowden's revelations. It would explain why all of the companies involved have so adamantly denied providing the NSA with "direct access" to their data—not that I would put it past a company to lie, necessarily, but these companies have to assume that more details about the program could come out at any minute, and I would expect them to be a lot more circumspect in their denials if they were trying to hide something. It would definitely explain why several of the companies involved are champing at the bit trying to obtain official permission to provide the public with more detail about how PRISM works.
And what of Snowden's "sitting at my desk" claim? Judged on the literal words he used, it would have to be considered a flat-out lie, which frankly should not be terribly surprising to anyone not fully invested in the Snowden-as-heroic-hero-of-heroism idea. It is possible, however, that in his role as intelligence analyst, Snowden might have had full access to the central database of information collected through the PRISM system (shown on the "REPRISMFISA TIPS" slide in the PRISM deck). This would place a huge amount of surveillance data at his fingertips, which may or may not have been scrubbed to eliminate data collected about American citizens. (The slides imply that the systems labeled FALLOUT and CONVEYANCE, among others, are responsible for performing this scrubbing, although it's not clear whether that's true, or whether an analyst might be able to access any of the pre-scrubbed data.) In this sense, it may be possible that Snowden could have called up a considerable amount of previously collected data on many or perhaps even most Americans. But that would not be the same thing as being able to spontaneously order a wiretap on any randomly selected American citizen without warrant or oversight.
My scenario, if accurate, would change the narrative considerably. PRISM goes from being a new and terrifying incursion into the private communications of ordinary Americans to being an implementation detail, of interest to few people other than those tasked with overseeing it. The real story becomes the programmatic warrants being issued by the FISA court, and the apparent fact that they are sufficiently numerous and sweeping to justify building this kind of system to deal with them.
Strictly speaking, of course, that's not new information either. Sen. Wyden and others have been speaking out about the scope of FISA warrants for years. Still, it's possible that we needed something like the PRISM revelations to put the scope of the program into perspective for us, and in that case Snowden has done us a service.
Unfortunately, I believe that Snowden—a distinctly paranoid and conspiracy-minded individual, to all appearances—has either misunderstood or deliberately misrepresented what this program is about, in service of an agenda we can only guess at. If so, he has done immeasurable undeserved harm not only to the companies involved, but to our own perception of the world we live in, while at the same time giving what amounts to aid and comfort to some of this country's bitterest enemies. I worry that the damage he has done to our relations with other states will take years to undo, and I find myself wondering what any of it has accomplished.