Pro Publica: 5 basic things we still don’t know about NSA data-mining

If you’re like me, you haven’t quite figured out what to think about the revelation that the National Security Administration has been amassing a huge database of our phone and internet contacts for more than seven years. Of course, it sounds bad. Really bad. Orwell bad. I’m even afraid that I share some concerns with people on the right—and that’s frightening. But before I knee-jerk react and espouse uninformed opinions, I’d like to hear the answers to some big questions about the program known as Prism. So, I was glad to see that one of my favorite news sources—ProPublica—is asking precisely the big questions that need answering. Here’s ProPublica’s list, with some of the answers—and further questions—they’ve found so far. Bottom line: We don’t know very much about any of it, and so far, nobody’s talking.

Has the NSA been collecting all Americans’ phone records, and for how long?

It’s not entirely clear.

According to The Guardian, there’s a court order directing a Verizon subsidiary to turn over phone “metadata” for a three-month period. There’s also evidence that the program covers AT&T and Sprint.

How long has the dragnet existed? At least seven years, and maybe going back to 2001.

What surveillance powers does the government believe it has under the Patriot Act?

That’s classified.

The Verizon court order relies on Section 215 of the Patriot Act. That provision allows the FBI to ask the Foreign Intelligence Surveillance Court for a secret order requiring companies, like Verizon, to produce records – “any tangible things” – as part of a “foreign intelligence” or terrorism investigation. As with any law, exactly what the wording means is a matter for courts to decide. But the Foreign Intelligence Surveillance Court’s interpretation of Section 215 is secret.

…it appears that the court is allowing a broad interpretation of the Patriot Act. But we still don’t know the specifics.

Has the NSA’s massive collection of metadata thwarted any terrorist attacks?

It depends which senator you ask. And evidence that would help settle the matter is, yes, classified.

How much information, and from whom, is the government sweeping up through Prism?

It’s not clear.

Intelligence director Clapper said in his declassified description that the government can’t get information using Prism unless there is an “appropriate, and documented, foreign intelligence purpose for the acquisition (such as for the prevention of terrorism, hostile cyber activities, or nuclear proliferation) and the foreign target is reasonably believed to be outside the United States.”

One thing we don’t know is how the government determines who is a “foreign target.” The Washington Post reported that NSA analysts use “search terms” to try to achieve “51 percent confidence” in a target’s “foreignness.” How do they do that? Unclear.

We’ve also never seen a court order related to Prism — they are secret — so we don’t know how broad they are. The Post reported that the court orders can be sweeping, and apply for up to a year. Though Google has maintained it has not “received blanket orders of the kind being discussed in the media.”

So, how does Prism work?

In his statement Saturday, Clapper described Prism as a computer system that allows the government to collect “foreign intelligence information from electronic communication service providers under court supervision.”

That much seems clear. But the exact role of the tech companies is still murky.

Relying on a leaked PowerPoint presentation, the Washington Post originally described Prism as an FBI and NSA program to tap “directly into the central servers” of nine tech companies including Google and Facebook. Some of the companies denied giving the government “direct access” to their servers. In a later story, published Saturday, the newspaper cited unnamed intelligence sources saying that the description from the PowerPoint was technically inaccurate.

The Post quotes a classified NSA report saying that Prism allows “collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,” not the company servers themselves. So what does any of that mean? We don’t know.