FAQ: The NSA Metadata and PRISM Programs

The details of extensive government surveillance of U.S. citizens through collection of cell phone metadata, and email and Internet activities through the PRISM program has raised a lot of questions and caused quite a bit of confusion about what’s actually happening. To help users sort through the mess, Threatpost put together an FAQ about the revelations, the implications and what steps users can take to protect their privacy.

The details of extensive government surveillance of U.S. citizens through collection of cell phone metadata, and email and Internet activities through the PRISM program has raised a lot of questions and caused quite a bit of confusion about what’s actually happening. To help users sort through the mess, Threatpost put together an FAQ about the revelations, the implications and what steps users can take to protect their privacy.

What kind of data is the NSA collecting from phone companies under the FISA court orders?

The technical term for what the NSA is collecting is “metadata”, which is a conveniently obtuse word. That word means virtually nothing to anyone not intimately involved in such a program, but what it comes down to is the NSA is getting data such as originating number, terminating number and length of call for every customer of the phone companies involved in the program. What the NSA is NOT getting apparently is the contents of the calls. William Binney, one of the predecessors of Edward Snowden in blowing the whistle on NSA abuses, said in a panel discussion at the Computers, Freedom and Privacy conference last week that he does not think the agency is consuming all Americans’ phone calls. “I don’t believe they’re recording all of our phone calls. That would be on the order of three billion a day,” he said.

Why are the phone companies handing over this data?

Because the FBI has orders from the Foreign Intelligence Surveillance Act court requiring them to do so. The FISA court as been in existence for more than 30 years, but does its business behind closed doors and few of its decisions ever come to the public’s attention. The orders that the court issues for the phone metadata records are secret, and the one issued to Verizon that Snowden leaked last month is thought to be the first one made public. Though that specific order is targeted at Verizon, experts say that the other major phone companies likely are receiving identical ones on a regular basis. “There is no indication that this order to Verizon was unique or novel. It is very likely that business records orders like this exist for every major American telecommunication company, meaning that, if you make calls in the United States, the NSA has those records,” Cindy Cohn and Mark Rumold of the EFF wrote in their analysis of the order. The orders are authorized under Section 215 of the PATRIOT Act, which enables the government to collect “tangible things” that could be of interest in an investigation into terrorist activity or espionage.

Can I opt out of this program somehow?

No. The phone companies store this data as a matter of course and they have little choice but to comply with the FISA court orders.

How can I prevent the NSA from getting this data about my calls?

Don’t use a phone.  That may sound trite, but it’s about the only real answer. Alternatively, you can use pre-paid cell phones, but they’re inconvenient at best. There are some commercial alternatives such as Silent Phone, a mobile app for Android and iOS that assigns a new number to each user and provides end-to-end encryption of calls. The company, Silent Circle, does not keep the encryption keys for customers and the calls go through the company’s servers, not the carrier’s. Skype is not a perfect alternative as there are indications that the government may have access to Skype communications, as well. Microsoft, which owns Skype, has not commented on this possibility.

What’s this PRISM program about?

PRISM is a comprehensive data-collection program conducted by the NSA. The data is collected under the authority of the FISA Section 702 and the program is not supposed to intentionally target U.S. citizens or other so-called U.S. persons. A leaked set of slides describing PRISM says that many of the world’s most powerful Web companies are involved in the program, including Google, Microsoft, Yahoo, Apple and Facebook. Original stories on the program described it as providing “direct access” to these companies’ networks for the NSA, something that several of the companies have denied publicly. What the NSA can do is collect a wide variety of content under FISA court approval, including emails, chat logs, videos, photos, VoIP data and social networking activity data. The program is intended to be used against foreign intelligence targets. “Let be very clear: Section 702 can’t be and isn’t used to intentionally target U.S. citizens or persons,” Chris John Inglis, deputy director of the NSA, said in a Congressional hearing last month.

I notice the word “intentionally” in that quote. What about unintentional targeting?

Good catch. This is where things get fuzzy. Much of the world’s Internet traffic passes through servers in the U.S., which is one of the reasons that the NSA and FBI say they need the PRISM program. An email from a terror target in Syria to a collaborator in Iraq may well go through several hops in the U.S., hence the desire to collect data from U.S.-based companies. However, it’s also quite possible that a foreign national targeted by PRISM could be communicating with a U.S. citizen about something completely innocuous and those communications could end up being collected under PRISM. The NSA says it has procedures in place to scrub any of this kind of data from its databases and the NSA’s Inglis said that the agency hasn’t ever been found in violation of the restriction on targeting Americans with Section 702 surveillance. “The Department of Justice does site reviews of 702 collection efforts and across the four-year history of the program, the court hasn’t identified one willful violation of the program,” he said.

Can I protect myself by using encryption and things like TOR?

In some cases, yes. Using a secure email service such as Hushmail or Rpost can prevent collection of email. These services provide encrypted email and the messages users send are not stored on third-party servers. The HTTPS option in webmail services such as Gmail is not enough, as that only encrypts the messages during transmission. The messages still sit on Google’s servers after they’ve been sent. TOR is a viable option for Web browsing activities, but it can be slow and cumbersome to use, especially on a slower Internet connection. The system works by encrypting your Web traffic and bouncing it through a random network of nodes and then bringing it out the other end and sending it to your destination site. The system provides good anonymity and protection against location tracking and can be a good option for preventing eavesdropping on chats and Web surfing sessions. However, some of the leaked NSA documents show that the NSA has some special procedures for handling encrypted and anonymous content. “In the United States, it has long been held that there is a Constitutional right to anonymous speech, and exercising this right cannot be grounds for the government to invade your privacy.  The NSA blows by all that by determining that, if the person is anonymous, then necessarily the NSA is not intentionally targeting a US person, with a rare exception when they have “positively identified” the user as an American.  Thus, in the NSA’s view, if you use Tor, the protections for a US person simply do not apply,” Kurt Opsahl and Trevor Timm of the EFF wrote in an analysis of the documents. “More appallingly, the NSA is allowed to hold onto communications solely because you use encryption.  Whether the communication is domestic or foreign, the NSA will hang on to the encrypted message forever, or at least until it is decrypted.  And then at least five more years.”

I don’t have anything to hide. Why should I care about any of this?

We can’t tell you how to feel. But large-scale surveillance programs such as PRISM and the phone metadata collection provide broad opportunities for abuse. The targeting and minimization procedures the NSA uses to reduce the risk of collecting Americans’ communications and data have come under sharp criticism and in 2011 the FISA court issued a secret opinion finding that the intelligence collection done under these minimization procedures were unconstitutional. And as long as the data sits in a database somewhere, it’s at risk of misuse or compromise.

Image from Flickr photos of Hunter Peddicord.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business