Completing the PRISM jigsaw puzzle

The NSA takes such great quantities of data legally that it has built a system to manage it.

A week on from the revelations in the Guardian and Washington Post about PRISM, the dust is settling. The tech companies have issued their denials; Edward Snowden has revealed himself as the source of the leak; and the Guardian has published five of the slides from the presentation in which the NSA lays out the scheme. At the same time, the recontextualisation of what we previously knew has brought more information forward.

Putting it all together, we can start getting our first really good guess at what PRISM actually is:

A system for requesting and managing data from major online companies using the FISA provisions which allow for secret collection of information.

That guess comes from examining the constraints which are laid out by the various pieces of information made public:

  • PRISM only cost $20m: That's an astonishingly low price, and suggests that the vast majority of the work was done by the companies themselves. It rules out anything involving breaking encryption, or significant amounts of hardware being installed externally.
  • The firms involved have all denied it: "Well, they would say that, wouldn't they?" Nonetheless, many of the denials are worded incredibly strongly. Take Google's chief architect:

    Even if I couldn't talk about it, in all likelihood I would no longer be working at Google: the fact that we do stand up for individual users' privacy and protection, for their right to have a personal life which is not ever shared with other people without their consent, even when governments come knocking at our door with guns, is one of the two most important reasons that I am at this company.

    That suggests that the majority of what the NSA considers to be the PRISM program is in their hands, not the companies'.

  • FISA requests are not public: The Foreign Intelligence Surveillance Act, a thirty-year-old law which was most recently amended in 2008, allows US government agencies to make demands for data through a secret court. Requests to the court for warrants are rarely turned down, and companies are not allowed to publicise how many requests they make.
  • The NSA describes collection of data "directly from the servers" of participating companies: This is the claim which has got everyone into such trouble. The Washington Post appears to have based its claim that PRISM consisted of "direct access" to their servers on this phrasing; it has since retracted that claim. The Guardian has not retracted, but has now provided an alternative description of what it means:

    The Guardian understands that the NSA approached those companies and asked them to enable a "dropbox" system whereby legally requested data could be copied from their own server out to an NSA-owned system.

    That would involve collecting data "directly from servers" while not quite involving the NSA having "direct access" to the companies' data. (By way of analogy, when you visit Google.com, you are downloading data from Google's servers, but it would probably be misleading to say you had "direct access" to their servers.) That matches information Google has disclosed about how it transfers data to the NSA: through good, old-fashioned FTP.

So it seems like PRISM is the name for the scheme by which FISA demands for data are transferred to the NSA. If that's the case, the technology of PRISM isn't the scary thing. Neither is the possibility of illegal activity on the part of the NSA.

Instead, it's that FISA requests are served in such great quantities that the NSA has spent $20m building special infrastructure to speed up receiving the data. Microsoft, Twitter, Google and Facebook are now lobbying the NSA to allow them to reveal how many FISA requests they've been served with: if it's astronomical, we'll have confirmation that that's the real scandal.

Alex Hern is a technology reporter for the Guardian. He was formerly staff writer at the New Statesman.


Fark.com’s censorship story is a striking insight into Google’s unchecked power

The founder of the community-driven website claims its advertising revenue was cut off for five weeks.

When Microsoft launched its new search engine Bing in 2009, it wasted no time in trying to get the word out. By striking a deal with the producers of the American teen drama Gossip Girl, it made a range of beautiful characters utter the words “Bing it!” in a way that fell clumsily on the audience’s ears. By the early Noughties, “search it” had already been universally replaced by the words “Google it”, a phrase that had become so ubiquitous that anything else sounded odd.

A screenshot from Gossip Girl, via ildarabbit.wordpress.com

Like Hoover and Tupperware before it, Google’s brand name has now become a generic term.

Yet only recently have concerns about Google’s pervasiveness received mainstream attention. Last month, The Observer ran a story about Google’s auto-fill pulling up the suggested question of “Are Jews evil?” and giving hate speech prominence in the first page of search results. Within a day, Google had altered the autocomplete results.

Though the company’s response may seem promising, it is important to remember that Google isn’t just a search engine (Google’s parent company, Alphabet, has too many subdivisions to mention). Google AdSense is an online advertising service that allows many websites to profit from hosting advertisements on their pages, including the New Statesman itself. Yesterday, Drew Curtis, the founder of the internet news aggregator Fark.com, shared a story about his experiences with the service.

Under the headline “Google farked us over”, Curtis wrote:

“This past October we suffered a huge financial hit because Google mistakenly identified an image that was posted in our comments section over half a decade ago as an underage adult image – which is a felony by the way. Our ads were turned off for almost five weeks – completely and totally their mistake – and they refuse to make it right.”

The image was of a fully-clothed actress who was an adult at the time, yet Curtis claims Google flagged it because of “a small pedo bear logo” – a meme used to mock paedophiles online. More troubling than Google’s decision, however, is the difficulty that Curtis had contacting the company and resolving the issue, a process which he claims took five weeks. He wrote:

“During this five week period where our ads were shut off, every single interaction with Google Policy took between one to five days. One example: Google Policy told us they shut our ads off due to an image. Without telling us where it was. When I immediately responded and asked them where it was, the response took three more days.”

Curtis claims that other sites have had these issues but are too afraid of Google to speak out publicly. A Google spokesperson says: “We constantly review publishers for compliance with our AdSense policies and take action in the event of violations. If publishers want to appeal or learn more about actions taken with respect to their account, they can find information at the help centre here.”

Fark.com has lost revenue because of Google’s decision, according to Curtis, who sent out a plea for new subscribers to help it “get back on track”. It is easy to see how a smaller website could have been ruined in a similar scenario.


The offending image, via Fark

Google’s decision was not sinister, and it is obviously important that it tackles things that violate its policies. The lack of transparency around such decisions, and the difficulty getting in touch with Google, are troubling, however, as much of the media relies on the AdSense service to exist.

Even if Google doesn’t actively abuse this power, it is disturbing that it has the means by which to strangle any online publication, and worrying that smaller organisations can have problems getting in contact with it to solve any issues. In light of the recent news about Google’s search results, the picture painted becomes even more troubling.

Update, 13/01/17:

Another Google spokesperson got in touch to provide the following statement: “We have an existing set of publisher policies that govern where Google ads may be placed in order to protect users from harmful, misleading or inappropriate content. We enforce these policies vigorously, and taking action may include suspending ads on their site. Publishers can appeal these actions.”

Amelia Tait is a technology and digital culture writer at the New Statesman.