Monday, June 17, 2013

How the NSA PRISM Program Works

On June 6th, 2013 and in the days following, a series of leaks about a secret program run by the US National Security Agency were published by The Guardian newspaper.  These leaks detailed a program in which the NSA was tapping the data, emails, voice conversations, and other Internet activities of millions of innocent American citizens without a warrant and claimed to have 'direct access' to the servers of six major Internet companies: Google, Yahoo, Microsoft, Skype, PalTalk, and Apple.

The companies involved immediately rushed to deny the claims. All involved seemed to assert two things: 1) that they only complied with 'lawful requests' made by the government for user data and 2) that the government did not have 'direct access' to their servers. Some, like Google, claimed the very first time they ever heard the term PRISM was in that day's newspaper reporting.

Of course, these companies might just be lying. Certainly any kind of order for such access would also be accompanied by a companion order that would prevent the companies from talking about the program or their involvement in it. But I think it's something deeper and perhaps more sinister than that. I think that both the government and the companies involved are being honest and I'd like to discuss how I believe that is in this blog post (or website, if you're coming to it through

Going Back to the Beginning: Mark Klein, 2006

In May 2006, AT&T technician Mark Klein blew the whistle on a secret collaboration between his employer and the National Security Agency. According to Klein's sworn testimony, the agency set up a special room at AT&T where they were able to tap a large amount of American Internet traffic as it flowed through the AT&T wires. While most of this data was intended for or sent by AT&T customers, because the company carries a large amount of data from other carriers, it is widely believed that much of the traffic captured had nothing to do with AT&T or their customers. The equipment in the secret room simply scooped up everything that came through it and a lot of that 'everything' was domestic Internet traffic that did not come from foreign countries and was not going to foreign countries.

According to Klein, the system worked by installing a fiber optic 'splitter' on the AT&T network. All traffic that came into the location was 'copied' by the splitter and a copy of it was sent to the secret NSA room for recording while the other copy was routed over the network as usual.

Fiber optic cables carry their data in light form. That means that what goes over these cables isn't sound or regular electrical pulses but light. The splitter installed on the network divided that light into two copies and, thus, we have the program name: PRISM.

It is particularly interesting that all of the companies involved used some pretty precise wording while refuting the NSA claims on how they monitored millions of Americans. In each case, the companies specifically denied that the government had 'direct access' to their servers. I believe this language is important because I believe this is the key to how we were all monitored.

How the internet shuffles data from place to place

The key to this scandal isn't 'servers' like everyone reported. Servers are the physical location where data is stored. This is where the data lives. If for nothing more than security reasons, it is highly unlikely that major Internet companies like Google and Microsoft would give anyone direct access to their servers. The key instead is another part of the foundation of the Internet called routers.

Routers are single-purpose machines that connect to a network with the sole purpose of moving data from one place to another. You may be familiar with routers in that many of us have them in our homes. They are the small plastic boxes that provide wireless access or allow us to share our Internet connection with several computers.

Large networks like the ones run by the companies listed by the NSA program also use routers. The routers they use are capable of routing enormous amounts of data into and out of their networks and pushing that data closer towards its destination.

When a 'packet', a small piece of data representing an email, IM, voice chat, etc., leaves a computer, it is sent through whichever router is closest to that computer. This packet contains some identifying data including the source address (where that packet came from) and the destination address (where that packet is going to). The initial router will take that packet and 'forward' it to another router that is closer to the destination, which will in turn forward it to yet another router still closer. This forwarding process continues until the packet reaches its final destination. This means that a packet may go through hundreds of routers before reaching its destination, any of which could make a copy of that packet before forwarding it on.

As a packet gets closer to its destination, the routers it is forwarded through tend to become more and more concentrated. That is, the closer a router is to a specific location, the more likely that the majority of the traffic that router carries is for that location. So routers that are closest to Google will often carry mostly traffic for or from Google while routers closer to Microsoft will usually carry mostly traffic for or from Microsoft.

At some point, there is one final hop in the packet transfer process: the point where the last router in the chain directly connects to a network (say, Google) and transfers data to and from that network. I believe this final hop, or the ones directly before it, are the key to how both the government and the companies could both be telling the truth about PRISM.

What likely happened.

Most likely, the government did not go to each of these companies and compel their participation in the program. They didn't have to. All they had to do was to install a tap immediately upstream of each target company and capture any data going in or coming out of their network. This would not require the companies tapped to participate or even know that such surveillance was going on. In fact, they likely didn't know and didn't comply.

The best part, for the government, is that having deals with these 'upstream' companies, instead of with individual companies like Google or Microsoft, allows a much wider and more comprehensive surveillance net to be thrown. The providers who provide connectivity to Google, for example, likely also provide connectivity to hundreds or thousands of other companies. Going to Google would allow the NSA to tap Google. Going to an upstream provider would allow them to tap anyone who they provided connectivity to without the need to approach and compel each company. It's a beautiful solution.

What about SSL? 

When you connect to your Gmail account, your bank, and countless other services, you usually do so through an encrypted connection between your computer and the remote machine. So if you check your Gmail, anyone attempting to monitor the connection between you and Gmail would see nothing but garbage because the connection is encrypted. Capturing that information would be useless because it's practically impossible to decrypt even for the NSA.

Unfortunately, that usually isn't the end of your data's journey. Let's use Gmail for example:

  • Your computer establishes an encrypted connection to Gmail in order to compose and send an email. Nobody along the line can read what you're typing or the contents of your email.
  • You compose your email and click 'send'. Gmail will then reach out and send your email to the other person's mail provider. This is likely done without encryption. Most mail transfer between providers is done unencrypted in plain text.

See the problem here? Because the tap is installed on the routers and networks providing connectivity to Google, they are able to capture everything sent out of the Google network. That means that they can capture your email as it's being delivered to the remote service or as a remote email is being delivered to your Gmail. Again, remember, Google does not have to be complicit in this spying nor do they have to even know about it (and they likely didn't).

That's how I believe the PRISM program works. It's deceptively simple and allows the government to work with a much smaller number of companies to capture vast amounts of Internet traffic from multiple companies. It also allows the companies they're spying on to truthfully say they didn't participate because, well, they didn't. While these companies certainly knew this kind of capture was possible, I doubt any of them knew for certain that it was actually going on.

How can I stop my data from being captured?

It is impossible to prevent our data from being captured by PRISM or any similar programs the government might be running. They have tapped the foundations of the Internet and, thus, can likely capture the data of anyone they'd like to. The question then isn't how we can stop our data from being captured but how we can make it useless when it is captured.

The answer is quite simple: encryption. Email should always be encrypted, files that are stored on cloud providers should be encrypted before leaving your computer, and voice and IM conversations should be encrypted either using Off the Record Messaging or ZRTP. Remember, these technologies would not stop your data from being captured, but they will make your data useless when it is captured.

In some cases it may be impossible to encrypt your data. For example, what happens when you must send email to someone who doesn't use encryption or you have a chat session with someone who doesn't use OTR? In those cases you really only have two choices: don't do it or do it and accept that your data will likely be captured and stored. It's as black and white as that.

What about hosting my own email, file storage, etc?

In all cases, hosting your own data is preferable to sending it to someone else for hosting. It's trivial to set up something like SpiderOak instead of Dropbox or your own XMPP server instead of Google Talk or Yahoo Messenger. But hosting your own data isn't a magic bullet and won't always save you from data capture.

As long as data stays on your local network (in your house), it's likely not being tapped. But the moment it leaves your network it's subject to interception. As we discussed above, there are multiple places that data can be captured and you should consider any data that leaves your network as up for grabs.

The main benefit of hosting your own data is 'where the court order goes'. If you host data with a provider like Google or Microsoft or anyone else, those companies are subject to a knock on their doors by someone with a court order demanding your data. That court order will likely come with a gag order that prevents the company from even telling you that knock and demand happened. You're defenseless.

If you host your own data, that knock and court order will come to you. You will know if they demand a copy of your data and you will be able to contact a lawyer and defend yourself. They can't hide behind secret court orders.


The above is a description of how I believe the PRISM data collection works. As you can see, it's comprehensive, Orwellian, and very hard to evade. In the end, it's going to take a combination of social, political, and technical maneuvers to defeat it and it's going to be an enormously difficult task.

The US Intelligence community is constantly demanding more access into our lives. The NSA, for example, has built a massive data center in Bluffdale, Utah that is capable of storing all of the world's communications for 100 years. When you're up against that sort of technology, it's very hard to fight against it and win. But I believe it is possible. We just have to use the right tools.

Lastly, I think it's important that we cut through the crap we're being told about how if we have nothing to hide then we have nothing to fear. The fact is that the things we do today may be illegal or suspicious tomorrow. When everything we do and say is captured and stored, it allows them to go back later, as the law or social and political climate changes, and retroactively define who 'has something to hide'. We might not have something to hide today, but who knows how our perfectly legal and just actions might be perceived in the future?

Additionally, think about this: we all go to the bathroom. We're not ashamed of it, there's nothing wrong with it, and it's not even socially improper. If someone announces to a table "I'm going to the bathroom" it's likely no secret what they are going to do in there. Why, then, do we demand privacy when we go to the toilet?

The fact is that we have a right to control our privacy. A society cannot be truly free unless each individual gets to decide what private information will be shared with whom. That decision never falls to the government or a corporation, or another individual.

Liberty without privacy isn't liberty. It's borrowing time until someone uses your private thoughts and actions to deprive you of liberty. That is not a society I want to live in and I suspect you don't want to either. That's why it falls to each of us to stand against these programs even if we have nothing to hide. It's a matter of principle. More importantly, it's a matter of freedom.

How to Contact Me

Interested in discussing this article with me or have questions? Email me at 
