Over the weekend there were two "big" new leaks from the documents that Ed Snowden took. The first, about US spying on EU embassies we already covered
. The second one seemed bigger, but it also might have just made things murkier. It involves the Washington Post releasing four more slides about the PRISM program
from that original slide deck that already had 5 of its 41 slides revealed in previous leaks. These slides show a lot more details about PRISM. What's amazing is that I've seen people claiming completely contrary things in looking over these slides: some are insisting it shows that the companies who are "members" of PRISM don't -- as was originally reported -- open up their servers to the NSA. Others insist that the slides actually support that original reporting and show that the companies are lying.
First up, here are the slides (sorry visitors from the Defense Department
Things break down when people start to analyze these slides. A few news sources have zeroed in
on the claim on that last slide that there are 117,675 "records" in PRISM as of April 5th. But, there's some disagreement about what the hell that means. The Washington Post says that these are "active surveillance targets" but it's unclear how they know that. It's possible that there's other, as yet unrevealed info that would support that, but even then there's confusion. How "active" is active? And, what constitutes a "record" anyway? No one seems to be providing any answers.
Another thing that's not entirely clear: the Washington Post annotations claim that the "FBI DITU," the "Data Intercept Technology Unit" (DITU), is on the premises of the companies listed as a part of PRISM -- but all of the companies have pretty strenuously denied this. And, honestly, from the slides, it's not at all clear that the DITU really is on-premises. Google has said in the past that when it receives a valid FISA court order under the associated program, it uses secure FTP
to ship the info to the government. From that, it seems like the "DITU" could just be a government computer somewhere, not on the premises of these companies, and info is uploaded to those servers following valid FISC orders.
Others have focused in on the claims of "real-time surveillance," implying the ability to watch actual key strokes, but the slide in question (the third one above) suggests something slightly different: which is real time notifications
for certain trigger events, such as logging into email or sending a message. Now, it does note that other forms of communication are available through the program, but it's not at all clear that's "real time." It's also not at all clear if the "real time" notifications apply to all companies in the program. It's entirely possible that a FISC order might require these companies to let the FBI/NSA know whenever a certain target logged into their email or chat. There are certainly some questions raised there about the appropriateness of that type of program, but it's not clear how much "real time" info is actually being sent.
It's entirely possible that the Washington Post's interpretation of these slides is accurate. It's also entirely possible that the other slides, or additional reporting from WaPo reporters allows them to have more knowledge on these things, and it could be true that the companies in questions are not being fully truthful. However, especially given how it appears that the WaPo's original reporting on PRISM was fairly sloppy, it seems worth reserving judgment until more information comes out.
Of course, if (as the NSA insists) this program is nothing more than these companies responding to valid FISC orders, I don't see why the NSA itself can't be a hell of a lot more transparent about these programs. If there's real oversight
over these programs and they're really only used against actual threats (stop laughing...), then nothing revealed so far seems like it should be secret. It just shows how the system works for delivering the information that is legally required. The fact that there's so much secrecy over the program suggests either a stupid overclassification insistence by the NSA, or that there's a hell of a lot beyond this that they don't want to talk about (such as revealing that the program isn't
what they claim). That seems like the most likely situation given what's been revealed so far.