PRISM: Here's how the NSA wiretapped the Internet

Editor's note: The following article should be treated as strictly hypothetical. It has been editorialized to simplify the content in certain areas, while maintaining as much technical detail as we can offer. Companies named in this article have been publicly disclosed, or used in example only. This piece should not be taken necessarily as fact but as a working theory that portrays only one possible implementation of the U.S. National Security Agency's PRISM program as it may exist today. Several ZDNet writers contributed to this report.

Let's start off with what we know, and then we'll explain what we have discovered.

A secret court known as the Foreign Intelligence Surveillance Court (FISC), created under the Foreign Intelligence Surveillance Act 1978 and subsequently amended by the Patriot Act in 2001, forced Verizon to hand over "tangible things" to the U.S. National Security Agency (NSA).

The news was first reported by London, U.K.-based newspaper The Guardian.

A day later, another leak pointed to a surveillance program known only as PRISM, which was funded by the NSA. A classified document in form of a PowerPoint deck, designed to train new operatives, was published online. Only four out of 41 slides were published in The Washington Post.

It was later revealed, on Saturday, June 8, that the source of the NSA document leak was 29 year-old Edward Snowden, an employee of government security contractor Booz Allen Hamilton who was stationed at the NSA's operations center in Hawaii and had since fled to Hong Kong.

The slides indicated that AOL, Apple, Facebook, Yahoo, Google and YouTube, Microsoft and Skype, and little-known company PalTalk were involved in some way. The slides described how these companies were "current providers" but did not explicitly state that these firms knowingly or directly handed over data to the intelligence agency.

The wording on the fourth slide described the "dates when PRISM collection began for each provider," and not, for example, "dates when each provider began PRISM collection."

One by one, nearly all of the named companies denied knowledge of either knowing about PRISM, or providing any government agency user content, data or information without a court order or a search warrant.

But during that time, almost everyone forgot about Verizon. It's the cellular and wireline giant that makes the whole thing come together.

Update at 2:30 p.m. ET on June 8: A new PRISM slide has been released by The Guardian. 

The newspaper believes the new slide "clearly distinguishes PRISM," which collects data "directly" from these technology companies, from a separate set of four different programs involving the collection of data from "fiber cables and infrastructure as data flows past."

It also says the slide suggests that the NSA also collects some data under the Section 702 of FISA — but that these four programs, two of which have been redacted, are "distinct from PRISM."

Section 702 of FISA effectively says the U.S. Justice Dept. must show that its proposed snooping will not intentionally target U.S. residents or U.S. citizens abroad, and it must comply with the Fourth Amendment. This recipient of an order served under Section 702 of FISA can in fact be appealed, but it has proven difficult based on a 2009 case [PDF], because there were "several layers of [...] safeguards."

That said, we still believe PRISM, as we suggest later, to be an application of sorts that sits on top of, or across a vast constantly updating data set. CNET's Declan McCullagh notes that PRISM also happens to be the acronym of an existing data processing tool, which has long been in common military use. PRISM stands for "Planning Tool for Resource Integration, Synchronization, and Management."

We do not know if the two are related or connected.

Because the slide says that analysts "should use both" the upstream data collection and PRISM collection, it does indicate that there may in fact be two methods of acquiring private user data. 

And here's what we think. We believe the new slide published on Saturday does not alter what is in this article, which of course remains a hypothetical working theory.

However, based on this leaked material so far, we strongly suspect that the leaked PowerPoint slides are probably not written by technical people. It's likely that these slides were prepared as a internal marketing tool for new recruits. So, when the slides say: "direct access to servers," that statement may well be an oversimplification of the facts, and we, the media, are latching too much onto it.

The "direct" server data from these named companies may well be retrieved from cached copies maintained by the content delivery networks, which are located in the Tier 1 provider's datacenter.

Because the infrastructure required to deliver media and Web applications, for instance, from these content delivery networks worldwide is so immense, many of them need to lease datacenter space offered by Tier 1 providers, such as AT&T and Verizon. 

It's possible that a network equipment maker has built a router that looks indistinguishable from other core routers in that datacenters, which contains a beam splitter that literally splits the Tier 1 fiber connection — with one split beam passing a copy of that data to an external NSA datacenter or storage. 

Update at 5:00 p.m. ET on June 8: The U.S. Director of National Intelligence James Clapper has released a statement addressing the "collection of intelligence" under Section 702 of FISA.

In a published document [PDF], it highlights certain key facts, according to the U.S. government:

• "PRISM is not an undisclosed collection or data mining program," the document says, adding that it is an "internal government computer system" designed to "facilitate [...] authorized collection of foreign intelligence." It notes that PRISM was "widely known and publicly discussed" since its inception in 2008. However, according to the leaked slides, collection of data began for Microsoft in late 2007. It seems to corroborate CNET Declan McCullagh's article published on Friday.

It's also worth noting that most of this document considers Section 702 of FISA, rather than PRISM directly or any related NSA application or system. As follows:

Section 702 of FISA "does not unilaterally obtain information from the servers of U.S. electronic communication service providers." It notes that such data is collected is under the authority of the FISC and with the "knowledge of the provider."

This bit is interesting. An "electronic communications service provider," according to the EFF, in regards to the Wiretap Act: "As a rule, a communication is an electronic communication if it is neither carried by sound waves nor can fairly be characterized as one containing the human voice (carried in part by wire)."

Separately, the EFF also notes that anyone from ISPs to message boards and some websites are conisdered electronic communications service providers. On a side note, an Ars Technica article from 2009 says that the definition remains vague and under scrutiny by the U.S. courts.

We thought that this meant the U.S. government is saying it doesn't wiretap optical cables, such as those provided by Tier 1 companies.

But then we read it again.

The U.S. government [emphasis ours] "does not unilaterally obtain information from the servers of U.S. electronic communication service providers." This means the servers, such as those in the datacenters, "owned" by the named seven companies. Except many of those servers are in fact managed by the datacenter company — the Tier 1 companies.

Other interesting snippets from the document:

• "In short, Section 702 facilitates the targeted acquisition of foreign intelligence information concerning foreign targets located outside the United States under court oversight." 
  
  
• "Service providers supply information to the Government when they are lawfully required to do so." This means court orders and FISC orders, which in some cases cannot be appealed, and always come with gagging orders.

The document also says the U.S. government cannot target "anyone" under Section 702 "unless there is an appropriate, and documented, foreign intelligence purpose for the acquisition." This includes for the prevention of terrorism. 

"In addition, Section 702 cannot be used to intentionally target any U.S. citizen, or any other U.S. person, or to intentionally target any person known to be in the United States," it says, adding: "cannot be used to target a person outside the United States if the purpose is to acquire information from a person inside the United States."

The rest of the document, which can be read online [PDF], continues on for another page or two about accountability and the minimization procedures of how the intelligence agencies treat information.

[Update ends.]

Verizon Business was at the heart of a FISC order that invoked Section 215 of the Patriot Act [PDF] which forced the company to hand over any "tangible things," which was effectively anything it had.

Verizon Business Network Services, or simply "Verizon Business," is what is known as a Tier 1 network provider, after it acquired a number of firms during the late-1990s and early 2000s. It offers Tier 1 services under the brand UUNET.

We believe the FISA court order authorized the NSA to place a wiretap device on Verizon Business' Tier 1 network, which effectively vacuumed up every bit and byte of data that flowed through its networks. If this is the case, Verizon would have been forced to comply, with no grounds to appeal.

The key to this is what a Tier 1 network actually does, how it works, and which companies use it. Because all of the aforementioned companies use Tier 1 networks, and as a result they may have unknowingly had their customers' data siphoned off simply by being connected to the Internet.

Tier 1s: The super-fast network arteries that power the Web

To use Edward Snowden's own words "We hack network backbones – like huge Internet routers, basically – that give us access to the communications of hundreds of thousands of computers without having to hack every single one."

The Internet may be distributed and decentralized in nature, but there is a foundation web of connectivity that enables major sites and services to operate. These are referred to as "Tier 1" network providers. Think of these as pipes of the main arteries of the Internet, in simple terms.

The data that flows on them goes directly to the location they are needed, which ultimately allow datacenters to communicate with each other across oceans in the matter of microseconds. Businesses and their datacenters do not miss a beat.

There are only just over a dozen Tier 1 network providers in the world, including AT&T, Level 3, and Sprint in the U.S.; Deutsche Telekom in Germany; NTT Communications in Japan; and Telefonica in Spain, just to name a few major brand names. Verizon Business is, of course, also on that list as a U.S.-based Tier 1 network provider.

These networks allow major businesses, television networks, science labs, and governments, for instance, to share vast amounts of data across the Internet in a very short space of time. This isn't being done on the public Internet, in which data "hops" about different networks looking for the cheapest path. Instead data flowing on Tier 1 networks take the simplest path. 

Plus, many of the aforementioned companies have datacenters in multiple locations around the world. These need to communicate instantaneously to ensure geo-redundancy, so if one datacenter goes down, the data is stored elsewhere safely.

Edge devices, known as "peers," are entry points of Tier 1 Internet service providers to their enterprise customers.

For example: CBS (which owns ZDNet) is connected to a Tier 1 network via a peering connection so it can broadcast material instantly without delays or hitches. Verizon and AT&T, as examples of home and business Internet providers, are also hooked into the Tier 1 network and offer similar peering connections. 

Companies with peering connections to Tier 1 networks include corporations like AOL, Apple, Facebook, Yahoo, Google and YouTube, Microsoft and Skype. Peering connections to Tier 1 networks not only allow these companies to participate as enterprises to the wider Web with the fastest connection possible, but also to enable users sitting at home on their broadband providers' network to access various services and included content without routing through the public, slower Internet.

Simply put, it's why Facebook and Google load so quickly and function instantly for so many users.

Take Facebook as a good example. Users expect extremely fast response times. As you sit at home browsing the site, at each request your copper telephone wire or fiber connection then links up to your Internet provider's network, which is likely a Tier 2 network, the most common kind of network. That data then travels through a private optical carrier link to Facebook, which will have an edge connection connecting the Tier 1 connection to its network or its datacenter. The data is pulled for the user and sent back over the Tier 1 connection. 

In even simpler terms, Facebook and other companies have created a private connection to your Internet provider at home or work so that these sites can load up almost instantly without using the public Internet at all.

How can the NSA capture this user data? Good ol' fashioned wiretapping

The chances are that the aforementioned companies have indeed had their customers' data intercepted by the NSA. It is almost entirely the case that these companies had no idea about PRISM before it broke in the media, as their respective statements have claimed, or that any data was passed by these companies directly to the NSA or any other intelligence agency. 

The easiest way to acquire this data — with as few people know about it — would be to simply wiretap the data as it's traveling along the Tier 1 optical carrier lines.

How the NSA can do it —>