Gibson Index

2013-06-07: Thoughts on PRISM

I started the Gibson Index as a way to gauge the "real" impact of cyber attacks, and also to help combat overzealous persecution of people for what amounted to trivial pranks. The US Department of Justice has an interpretation of existing cyber law that is completely at odds with the true fault or actual damages caused by some recent incidents - a sure sign that the laws in this field are outdated. Recently, examples have been made of Aaron Swartz, Andrew Auernheimer, Deric Lostutter, and a host of other individuals and organizations (Bradley Manning and WikiLeaks come to mind, but even mainstream media outlets have been threatened and intimidated).

In this climate of extreme prosecutorial zeal, in the name of protecting the "homeland", news has come to light of a heretofore top secret Signals Intercept program that can access raw customer data as it flows through such organizations as Microsoft, Apple, and Google. Documents describing this program, dubbed PRISM, were leaked, and the claims they make are rather extraordinary:

Information collected:

  • Email
  • Chat - video and voice
  • Videos
  • Photos
  • Stored Data
  • Voice over IP
  • File Transfers
  • Video conferencing
  • Notifications of activity (such as login events)
  • Online social networking details
  • Special requests

Organizations providing this access:

  • Microsoft (including Hotmail and Skype)
  • Google (including YouTube)
  • Yahoo (presumably including Flickr)
  • Facebook
  • PalTalk (huh?)
  • AOL (they're still a thing?)
  • Apple

If you're the sort of person who thinks "Well, this surveillance program doesn't affect me, I'm not concerned by it" or "They know what they're doing, they wouldn't violate their regulations" - you need to go back and read the first paragraph of this post. Government organizations will bend the law to their will, when it suits them, or when they can gain leverage from it.

If an individual were running PRISM, the Department of Justice could potentially seek hundreds of years in prison or the death penalty.

But, even with that in mind, you should not be surprised or shocked by the existence of PRISM.

For many years, programs such as ECHELON have been monitoring citizens and non-citizens alike (and the organizations in charge of them insist that only information gathered against foreign parties and non-citizens is used). The programs have even been referenced in popular movies - in Tony Scott's movie "Enemy of the State" (1998), an overzealous NSA agent uses intelligence gathering programs to spy on citizens so he can cover up evidence that he murdered a Senator (in order to force passage of a surveillance bill). In the movie "Clear and Present Danger" (1994), the CIA collects a favor from a national surveillance program to scan all outgoing calls - all calls leaving the United States - searching for the voiceprint of a particular person of interest.

In real life, such programs are likely a lot more innocuous than their movie counterparts - based on emerging information, it's possible that PRISM could actually just be a data warehouse for information collected in the course of legitimate investigations. For their part, several organizations (Yahoo, Dropbox and Google) have emphatically denied that the Government has unfettered access to their servers, casting some doubt on the suggestions of real-time monitoring of all data.

However, one has to wonder what steps need to be taken for official acknowledgements of such systems and their capabilities. It seems to me that this generally only happens once the systems have been deprecated by newer, more powerful programs. Similar to how the A-12 Oxcart/SR-71 Blackbird were top secret until recently; once they were obsolete, there was no reason to protect them.

So - why was this information leaked? It could be from a true whistleblower with deep concerns about the program. It could be a strategic decision by the organizations in charge of the program - maybe they've upgraded to a new platform and want to end-of-life the existing one (not likely, based on the optimistic tone of the slides). It could even be someone who really dislikes ugly PowerPoint presentations (but it's doubtful that anyone would risk their career or life over that, even if Papyrus had been used).

It's going to take a long time to sort out the extent of the program, the validity of the leaked information, and the legality of the surveillance effort. In all likelihood, legislation such as the Patriot Act ensures that the program is 100% legal - but then one must ask, should your government really be bestowed such a gift of insight into your private lives, while simultaneously working to enforce outdated and/or panic-driven legislation that persecutes your fellow citizens and destroys their lives?

If I were to classify PRISM as a Gibson event, based on available information (which at this point is complete hearsay), I'd be tempted to call it a Level Five Attack.

Except, it's not an attack. It's a very real way of life.

And it doesn't sound very American.


"You are being watched. The government has a secret system: a machine that spies on you every hour of every day. I know because I built it. I designed the machine to detect acts of terror, but it sees everything."

Harold Finch (Person of Interest, CBS)

Footnotes:

This is an editorial opinion type article. It's sparse on firm facts and citations, and full of insinuations, movie references, and conspiracy theories. Take it all with a grain of salt, like you should do with every blog post and news article.

Also, the whole PRISM thing could be a hoax. That would be very interesting.


