(C) Alec Muffett's DropSafe blog.
Author Name: Alec Muffett
This story was originally published on allecmuffett.com. [1]
License: CC-BY-SA 3.0.[2]
How to talk about PRISM and not get entirely blown-off, if you’re an activist
2017-02-14 11:17:19.272000+00:00
I am not a lawyer, nor have I any special insight into these matters, but I imagine that instead of asserting that social network companies allow the Government to access or obtain data ‘direct’ from their servers — and we can perhaps blame Ed Snowden himself for popularising use of the emotive and incorrect word ‘direct’? — instead asking the companies to comment:
…upon the degree of oversight they have over the information which is legally sought under Section 702 requests; what they feel about the volume of Section 702 requests which they are obliged to process, and to what lengths do they go to minimize the information provided in response to Section 702 orders?
…would possibly be more fruitful, or at least amusing and interesting?
Also: don’t call it “PRISM”. Officially nobody knows that that exists, so they can truthfully say we don’t know anything about anything called PRISM, too…
Footnote
It’s entirely possible to argue that “there is no practical difference between giving the Government direct access to your {databases, servers} as opposed to the Government forcing you to run queries for different selectors upon their behalf and sending them the results”.
I have a lot of sympathy for this viewpoint, but regrettably the legal world does not work on the basis of “there is no practical difference”.
Therefore: we must fix our grammar and avoid providing get-out-of-jail-free passes to folk by “asking the right questions the wrong way”.
Footnote #2
Just in case you are one of the “…but Wikipedia is not a source” brigade, see instead the US Government report into how Section 702 of FISA works, from the “Privacy and Civil Liberties Oversight Board” report into “…the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act” at
https://www.pclob.gov/library/702-Report.pdf
Extract attached, see highlighted text:
Once foreign intelligence acquisition has been authorized under Section 702, the government sends written directives to electronic communication service providers compelling their assistance in the acquisition of communications. The government identifies or “tasks” certain “selectors,” such as telephone numbers or email addresses, that are associated with targeted persons, and it sends these selectors to electronic communications service providers to begin acquisition. There are two types of Section 702 acquisition: what has been referred to as “PRISM” collection and “upstream” collection. In PRISM collection, the government sends a selector, such as an email address, to a United States-based electronic communications service provider, such as an Internet service provider (“ISP”), and the provider is compelled to give the communications sent to or from that selector to the government. PRISM collection does not include the acquisition of telephone calls. The National Security Agency (“NSA”) receives all data collected through PRISM. In addition, the Central Intelligence Agency (“CIA”) and the Federal Bureau of Investigation (“FBI”) each receive a select portion of PRISM collection. Upstream collection differs from PRISM collection in several respects. First, the acquisition occurs with the compelled assistance of providers that control the telecommunications “backbone” over which telephone and Internet communications transit, rather than with the compelled assistance of ISPs or similar companies.
Interestingly, regarding the Yahoo case, this section continues:
Upstream collection also includes telephone calls in addition to Internet communications. Data from upstream collection is received only by the NSA: neither the CIA nor the FBI has access to unminimized upstream data. Finally, the upstream collection of Internet communications includes two features that are not present in PRISM collection: the acquisition of so-called “about” communications and the acquisition of so-called “multiple communications transactions” (“MCTs”). An “about” communication is one in which the selector of a targeted person (such as that person’s email address) is contained within the communication but the targeted person is not necessarily a participant in the communication. Rather than being “to” or “from” the selector that has been tasked, the communication may contain the selector in the body of the communication, and thus be “about” the selector. An MCT is an Internet “transaction” that contains more than one discrete communication within it. If one of the communications within an MCT is to, from, or “about” a tasked selector, and if one end of the transaction is foreign, the NSA will acquire the entire MCT through upstream collection, including other discrete communications within the MCT that do not contain the selector.
Footnote #3
“How do selectors get from DITU to the Communications Service Provider?”
The boring answer: This is an implementation detail, and frankly it does not really matter; we are in a modern era of networking where vast amounts of data can be quickly and economically sent and received by any person with a phone, so shipping however-many tens/hundreds/thousands/more of selectors around is not a big deal, and is likely dealt with in means commensurate with the risk, and the capabilities of the Communications Service Provider.
The fun answer: Excel Spreadsheets of “Selectors” are written to USB thumb-drives which are then tied to the legs of heavily-vetted carrier pigeons that fly between Ft Meade and the vast data-farms of Silicon Valley.
Which are actually in a potato field in Idaho.
[1] URL: https://medium.com/@alecmuffett/how-to-talk-about-prism-and-not-get-entirely-blown-off-if-youre-an-activist-e2a79d2cd2ad
[2] URL: https://creativecommons.org/licenses/by-sa/3.0/