NSA and FBI Have Real-Time Access to Major U.S. Internet Companies to Track Individuals Outside U.S.

Bart Gellman and Laura Poitras have a huge new story in the Washington Post:

The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio, video, photographs, e-mails, documents and connection logs that enable analysts to track a person’s movements and contacts over time.

The highly classified program, code-named PRISM, has not been disclosed publicly before. Its establishment in 2007 and six years of exponential growth took place beneath the surface of a roiling debate over the boundaries of surveillance and privacy. Even late last year, when critics of the foreign intelligence statute argued for changes, the only members of Congress who know about PRISM were bound by oaths of office to hold their tongues.

An internal presentation on the Silicon Valley operation, intended for senior analysts in the NSA’s Signals Intelligence Directorate, described the new tool as the most prolific contributor to the President’s Daily Brief, which cited PRISM data in 1,477 articles last year. According to the briefing slides, obtained by The Washington Post, “NSA reporting increasingly relies on PRISM” as its leading source of raw material, accounting for nearly 1 in 7 intelligence reports.

That is a remarkable figure in an agency that measures annual intake in the trillions of communications. It is all the more striking because the NSA, whose lawful mission is foreign intelligence, is reaching deep inside the machinery of American companies that host hundreds of millions of American-held accounts on American soil.

The technology companies, which participate knowingly in PRISM operations, include most of the dominant global players of Silicon Valley. They are listed on a roster that bears their logos in order of entry into the program: “Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple.” PalTalk, although much smaller, has hosted significant traffic during the Arab Spring and in the ongoing Syrian civil war.

There’s an important caveat in the program that might get lost in coverage about it: the NSA only pulls out the data when there is a preponderance of the evidence indicates that the person is outside the United States:

Analysts who use the system from a Web portal at Fort Meade key in “selectors,” or search terms, that are designed to produce at least 51 percent confidence in a target’s “foreignness.” That is not a very stringent test. Training materials obtained by the Post instruct new analysts to submit accidentally collected U.S. content for a quarterly report, “but it’s nothing to worry about.”

It’s important to realize something that few people think much about: Most U.S. based Internet services actually serve a primarily foreign user base. Here’s an excerpt from a forthcoming article of mine (the one I mentioned yesterday, that I’ll be posting online soon):

The reality of global Internet access means that U.S.-based Internet services often have a heavily foreign customer base. Consider Gmail, the popular e-mail service provided by Google. Google is headquartered in California, and its servers currently reside there. But Gmail’s business is truly international, and slightly less than 30% of Gmail’s users reside in the United States. This chart shows the percentage of Gmail’s users that are in a handful of different countries as of 2012:

Country % of Gmail Users
United States 29.7%
India 8.9%
Japan 3.4%
Russia 3.3%
Brazil 3.2%
United Kingdom 2.9%
China 2.7%
Iran 2.6%

Facebook’s user base is even more heavily foreign than is Gmail’s user base. To be sure, using Facebook has become as American as apple pie: About 54% of Americans presently have a Facebook account. At the same time, only about 16% of Facebook’s users are located in the United States. The rest, about 84%, access Facebook from abroad. For United States-based services like Gmail and Facebook, United States users form a small subset of its global customer base.

It sounds like the PRISM program takes advantage of that by giving the NSA access to the computers of the major U.S. based providers so it can search for the information of non-U.S. persons — subject to the NSA’s judgment of who is a non-U.S. person — and monitor them in realtime.

A huge story.