Hacker News

I'll note (again) that the NSA slides could indeed be talking about direct from the central servers of the company without actually having direct access to the central servers of the company.

This is also not a pedantic point. It's almost literally like adding a getter method to a class instead of giving direct access to a member variable. E.g, for range-checking.

  #include <cstddef>
  #include <vector>

  struct CompanyApprovedFISA { std::size_t person_id; };   // one approved request
  struct PersonalData        { /* the user's records */ };
  namespace GFY { struct NSA {}; }                         // thrown on an invalid request

  class GoogleCentralServers
  {
    std::vector<CompanyApprovedFISA> m_fisas;
    std::vector<PersonalData>        m_persons;

    // ...
  public:
    // The only way in: the request must name an approved FISA record.
    PersonalData PRISM_get(int fisa_id) const
    {
      if(fisa_id < 0 || static_cast<std::size_t>(fisa_id) >= m_fisas.size())
        throw GFY::NSA{};
      else
        return m_persons.at(m_fisas[fisa_id].person_id); // .at() also bounds-checks person_id
    }
  };
In our 20¢ implementation of PRISM we can see that the data is still coming directly from the personal data store, but that the NSA does not actually have direct access to that data; it has to go through a company-provided intermediary that checks that the request is valid and only then proceeds to obtain the data and return it.

In fact I'm pretty convinced this is the most probable explanation of all the different testimony and evidence provided to this point. You could later add provisions to do real-time updating of the data in the lockbox, etc. etc., but that wouldn't change the core of the system.




The slide says "collection directly from the servers." If you look at the context it is comparing traditional SIGINT wiretapping with PRISM. Now it seems clear (as you suggested) that this refers not to the method (direct access) but rather to the provenance (where does it come from, directly not indirectly from wiretaps) of the data.

I'm not sure what to make of this article though: http://www.washingtonpost.com/world/national-security/us-com... Everything in this article from the Wash Post directly contradicts what the government and the companies are claiming. It really is real time, direct access to data without any mediation from company staff at all.

The article seems credible as it comes from multiple intelligence sources and executives (!) at the company. I don't really expect executives to lie in a way that would raise suspicions about their company like that. If PRISM was really just a dropbox, executives would be very happy to say so (in private at least, so reporters could calm people down).

It is a lot easier to imagine intelligence sources saying it is just a dropbox than executives at companies admitting they installed a back door for the government.

Right now, I'm undecided.


What would make sense to me is that the company is able to "mediate" the FISA warrant, not the access request itself. Kind of like the TLS CA architecture; once you go and "trust" the root CA you would automatically trust requests that were signed by that CA.

Presumably they could ensure that their automated mediator limits the data collection only to things approved by the FISA warrant; in this case there would be no need to keep manually double-checking, as the computer would do that for the company.

Likewise the automated system could continue to update the data in the "drop box". Think long-polling techniques or push notifications to the NSA analyst's machine.
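Editor's note: the following is an added example, not code from either commenter. It sketches the mediated-access design described in the two comments above (the range-checking getter in the first, and the signed-warrant "CA" analogy in the one just above): the requester never touches the data store, only a company-side mediator that verifies a signed, time-limited warrant and refuses anything outside the warrant's scope. Everything here is hypothetical: the warrant format, the field names, the HMAC-based signature (a real deployment would use an asymmetric signature so the company holds only a verification key, which is what the CA analogy implies), and the sample data store are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


class AccessDenied(Exception):
    """Raised by the mediator for any request it cannot prove is authorised."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_warrant(signing_key: bytes, warrant_id: str, selectors, data_types,
                  not_after: float) -> str:
    """The trusted authority (the 'CA' of the analogy) signs a scoped warrant.
    Hypothetical token format: base64(json body).base64(HMAC-SHA256 over body)."""
    body = json.dumps({
        "id": warrant_id,
        "selectors": sorted(selectors),    # accounts the warrant names
        "data_types": sorted(data_types),  # kinds of data it covers
        "not_after": not_after,            # unix time after which it is void
    }, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


class Mediator:
    """Company-side check layer: a request never reaches the store unless it
    carries a valid warrant whose scope covers exactly what is being asked."""

    def __init__(self, verify_key: bytes, store: dict, now=time.time):
        self._key = verify_key
        self._store = store      # the personal data the requester never reaches directly
        self._now = now          # injectable clock so expiry can be tested
        self.audit_log = []      # every decision, granted or denied

    def _verify(self, token: str) -> dict:
        try:
            body_b64, tag_b64 = token.split(".")
            body, tag = _unb64(body_b64), _unb64(tag_b64)
        except ValueError:
            raise AccessDenied("malformed warrant")
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise AccessDenied("bad signature")
        warrant = json.loads(body)                  # parse only after the MAC checks out
        if self._now() > warrant["not_after"]:
            raise AccessDenied("warrant expired")
        return warrant

    def request(self, token: str, selector: str, data_type: str):
        """Selector in, data out, with the check layer in between."""
        decision = "denied"
        try:
            warrant = self._verify(token)
            if selector not in warrant["selectors"]:
                raise AccessDenied("selector outside warrant scope")
            if data_type not in warrant["data_types"]:
                raise AccessDenied("data type outside warrant scope")
            decision = "granted"
            return self._store.get(selector, {}).get(data_type, [])
        finally:
            self.audit_log.append((selector, data_type, decision))


# Constructed sample store standing in for the company's personal data.
PERSONAL_DATA = {
    "alice@example.com": {"mail": ["subject: lunch?"], "chat": ["hi bob"]},
    "bob@example.com":   {"mail": ["subject: re: lunch?"]},
}


def demo() -> dict:
    key = b"constructed-demo-key"   # hypothetical; a shared secret only for the example
    mediator = Mediator(key, PERSONAL_DATA)
    token = issue_warrant(key, "W-demo-1", ["alice@example.com"], ["mail"],
                          time.time() + 3600)
    results = {"in_scope": mediator.request(token, "alice@example.com", "mail")}
    for name, selector, data_type in [("other_user", "bob@example.com", "mail"),
                                      ("other_type", "alice@example.com", "chat")]:
        try:
            mediator.request(token, selector, data_type)
            results[name] = "granted"
        except AccessDenied as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the scope check is done by the mediator on every request, not once when the warrant is issued, so a warrant for one account cannot be reused to pull another account's data, and the audit log records denials as well as grants. Pushing updates to a lockbox, as the comment above suggests, would sit on top of this without changing it: the push job would call the same `request` path with the same warrant.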


Thank you. Assuming it's true that email address in, data out, then to the agent getting the info, and to the user whose info is gotten, the layers involved are irrelevant.


The layers are relevant if one of those layers checks that the request is valid and legal. Assuming it's true that email address in, [access check layer], data out, then we have nothing to worry about.


Well, we still have to worry that only the NSA has access to the layer. But even with ongoing crypto breaks I trust computers more than I trust people (in a world of spear phishing) to do the right thing.


Being worried about unauthorized access to your server is not a new worry and is not limited to this topic. So if that is our only worry, then this whole thing is a non-issue.



