Please take all my upvotes. This is the first useful article I've seen about PRISM, with the _possible_ exception of the scoop itself, but not excluding the existing analysis from the Guardian and WaPo.
For $20M, you can't do what Prism claims to do for $20M. Even suppose you limited your scope only to Google, AND now you limit only to GMail, AND your development and installation costs are free, and all you're spending on is bandwidth and servers and cooling and maintenance staff, I still doubt you can read all of GMail for $20M/year.
Then there's the bit where they claim that analysts, what's the phrasing, "quite literally can watch your ideas form as you type". Seriously, think for a second what it would mean to be able to do that. Think of how that would work, in terms of network protocols. Now go install wireshark and open a gmail window and start composing an email, or writing half of a chat (without hitting Enter). I haven't done the experiment; maybe you can be the first and break a scoop!
Obviously the people who reported on PRISM have told some lies about what it does. Either it can't do what they say it does, or it cost a lot more than $20M, or both.
(I don't want to minimize the seriousness of the accusations... they should be given due appraisal. But they basically cannot be literally true as written.)
And look. Google gets about 100 "requests" (legal demands) from government per working day, and responds (under legal duress) about 30 per working day in the US alone. You think maybe some kind of workflow management software might be appropriate here, or you're imagining this all goes back and forth over email? Or maybe you're imagining an anonymous FTP server somewhere? Obviously the right thing to do is build a secure custom ticket-tracking system, to manage demands, push-back, authorization, fulfillment, etc. If we want to believe it's all okay, here's a plausible story. Maybe it's true, maybe it's not.
About the "quite literally can watch your ideas form as you type" quote, it's not clear that it's referring to PRISM. It came at the end of the long WaPo article and comes across to me as something Snowden might have said about NSA's capabilities in general, not necessarily PRISM.
Firsthand experience with these systems, and horror at their capabilities, is what drove a career intelligence officer to provide PowerPoint slides about PRISM and supporting materials to The Washington Post in order to expose what he believes to be a gross intrusion on privacy. “They quite literally can watch your ideas form as you type,” the officer said.
If the NSA is snooping at the line level, which we know since the AT&T closet revelation a decade ago that they do, then they could see real-time typing in apps like Google Instant.
1) Their budget is an order of magnitude higher;
2) PRISM is just an efficient legal data collection framework, an API that companies are forced to comply with
If they can snoop SSL'd content, that would be a bombshell. Many of the implicated companies use SSL for most of their properties. FB is all over SSL, for example.
For stuff in FB, FB could be pushing that target-specific data to collection points in real-ish time. Instead of doing daily dumps, you just provide a targeted stream of data.
He was a sysadmin for three months. He never claimed to have firsthand knowledge of this tool. He found the slides on the intranet and jumped to conclusions.
Where did Snowden himself claim firsthand experience? Nowhere. That sentence is the author's conjecture. It's shoddy journalism.
This is exactly the same as how the slides saying that the NSA collects data directly from the companies were misinterpreted by WaPo to mean direct access to all the companies' user data. I suspect Snowden jumped to the same conclusion when he came across those slides while sysadminning, and that's why he's in the mess he's in now.
I agree, this is one of the few useful analyses of the PRISM leaks that makes much sense. One begins to feel that the Snowden person is a relatively low-level employee of government contractors, with a predisposition to the EFF/EPIC/ACLU end of the spectrum, who came across some slide decks, misinterpreted them, and constructed some far-fetched conclusions therefrom, and wrapped himself in the middle. Greenwald probably didn't do him any favors, because he has a history of grabbing any barely-true story and detonating it (see: dozens of wrong things written by him in regards to the Plame thing.)
Under rational scrutiny the PRISM story has fallen to pieces. It doesn't make any sense that all of the high-level executives and hundreds of thousands of top engineers have no idea what is happening, while some guy from Booz Allen and a blogger are the only people with the truth.
I also agree that the article poses useful questions that need answers. However, in this case I think it is extremely important that we get real answers, and don't allow ourselves to be swayed by ad-hominem or other specious arguments. Greenwald may be a flake, and it is one unknown's word against that of many public and powerful people... but let's not let that stop us demanding those answers.
These allegations are very serious and if by any remote chance they were true, those powerful people would be busy trying to make Greenwald look like a flake and Snowden like a confused tech incompetent.
Excerpt: "How is this apparent contradiction possible? It is generally done via secret arrangements not with the company, but with the employees. The company does not provide back-door access, but the people do. The trick is to place people with excellent tech skills and dual loyalties into strategic locations in the company. These 'assets' will then execute the work required in secret, and spare the company and most all of their workmates the embarrassment. ..."
In a discussion of this article (on a cryptography list) I observed this incredulous response: "Hmm. So what does that mean a team of ex-military/intelligence security people work their way up or get assistance with contacts and references, replace all the key people in a company's inner security department and start coding up backdoors, APIs and allowing VPN access to it? All without telling anyone or getting noticed by ops people etc."
To which the other party retorted: "Been there. They are noticed, but you get orders from on high to shut up and not notice."
If that's all true, then it sounds like only a very few engineers and managers acting as moles will have specific knowledge of the program. A few non-mole engineers will sense that something's afoot, but they'll stay mum. Maybe that's as far as it goes.
Well that's great, but it's also stupid. Companies like Google and Facebook have hundreds of high-level engineers staring at all levels of their system all day long, trying to find out where their microseconds have gone. And these people are responsible for umpteen billions of dollars in capital expenditures every year, and responsible for capacity planning and so forth. The theory espoused at the link you posted requires that all of these people are either not smart enough to notice that an external entity is using their resources, or that these people, who I would point out are largely not Americans, are in on the conspiracy, or, finally, that the NSA is capable of pulling off their surveillance without having any detectable impact on production CPU, memory, storage, and networking.
It is also, as far as I know, illegal to hack or disrupt computer networks in that way (even for the NSA). If they had warrants giving them access to information they wanted it would have been overkill to do something like that, risk getting caught, and now have to go to the company for intelligence cooperation in the information.
And if the NSA should break the law that makes it illegal to hack networks in this way, what would be its punishment? Do we send the NSA to jail? Do we fine the NSA? Who do you think pays for the lawsuit (punishment, legal team, etc) when the NSA breaks the law?
I had the same thought as you, which is why I posted the skeptical response "... All without telling anyone or getting noticed by ops people etc."
To anyone who notices, there's always "shut up and not notice." But there's also "oh that rsync you see there is for our geographically redundant backup facility" or whatever -- in other words, dissembling.
"For $20M, you can't do what Prism claims to do for $20M."
You seem to be assuming that the equipment budget is tied into that. I may have missed something in the details of this program, but I would guess that the NSA's equipment budget is separate. If I had to guess, I would say that the NSA has many software systems that share supercomputer resources (did you think that big new datacenter in Utah was just for storage?); PRISM is one of these, but probably not the only one.
I am guessing that $20M is the price of developing, maintaining, and improving the PRISM software only. The NSA's main problem is not hardware, it is algorithmic -- they are processing a lot of data, and they need software that can scale well and give good results. $20M is a big budget to pay top computer scientists to solve algorithmic problems.
GMail does send what you've typed to their servers and stores it as a concept so you don't lose your work in case your browser or computer crashes. I seriously doubt the NSA has access to that stuff, but technically it would be more or less possible ;)
When I read the slides, the $20M USD price sounds like what the US Gov was SELLING PRISM access for. Likely to contractors and governments I suppose. Only speculation, but yeah.