
>Also, the "direct access to servers" meme that was categorically false doesn't help to take it seriously

I don't think this was ever determined. The documents specifically stated that access to the servers is "direct," and Glenn Greenwald seems to be sticking to his guns on that point.




You have to understand that in the intelligence world they worry about the provenance (source) of the data.

In this case the data comes directly from the company holding the data. There is no wiretap, no cypher breaking, no MITM attack, no bugs planted on suspect computers, no TEMPEST intercepts, no HUMINT concerns, none of that.

The data gets delivered by a secure channel over a point-to-point connection straight to an NSA server, where PRISM goes and makes magic happen from there.

But! Although the data's provenance is direct, there is still the intermediary that delivers it (or not): the company itself, which gets to determine whether or not they will make that SFTP (or equivalent) transfer occur. So the companies can all claim that NSA is not tromping around in their datacenters because the NSA is not. The NSA is asking the company to do the tromping for them.

I realize that sounds disingenuous, but that's the time-honored technique that's also used in OOP: Wrap access to data members around a getter function as part of a defined interface, to allow for modifying the getter later.

NSA may still be able to ask for information on anyone if a FISA warrant is only required after 7 days, and it's not as if many FISA warrants have been disapproved, so that's not to say that there are inherent limits to PRISM's ability to capture data on someone.

But at the same time it's also not like NSA has the ability to do rsync facebook.com:/users nsa.gov:/"$(date)", which is essentially what Greenwald has been claiming this whole time, and what Greenwald refuses to acknowledge even the possibility he might be wrong on.


Please describe (in sketched terms) a technical method by which anyone could get "direct access" to the user-data servers of Facebook, AOL, Google, etc.

Remember that each company has its own homegrown user-data data storage format, homegrown distributed data storage system, homegrown datacenters(!), and firewalls. These companies aren't running MySQL or Oracle, and these systems are constantly being updated with new features and data model migrations.

Does that seem plausible? Contrast against what has been freely admitted since NSLs started appearing:

Each company sets up a "safe-deposit" server for delivering specific one-off subsets of subpoena'd data, and the company's engineers deliver data to that server upon demand.


> Each company sets up a "safe-deposit" server for delivering specific one-off subsets of subpoena'd data, and the company's engineers deliver data to that server upon demand.

But when it's been shown that a single subpoena can be "all phone data for three months for every customer", then describing that as "direct access" doesn't seem completely unreasonable to me.

It's clear that there are crucial and important technical details missing. But it's also clear that the NSA has much more fluid access than one-user-per-approved-subpoena-at-one-point-in-time. Depending upon the target audience of the leaked PRISM slides, the description "direct access" may be quite prudent.


The phone data stuff wasn't part of PRISM.

In general the stuff coming out of PRISM seemed to me to just be the general name for how the NSA hands out the NSLs (which are awful in their own right) to all these companies. A good side-effect of all this hype is people are looking at those. But PRISM doesn't seem to bring anything "new" to the table. Correct me if I'm wrong.


I know the phone data isn't part of PRISM, but everything that has come out seems deeply connected by section 215 of the Patriot Act. Which is supposedly what's "justifying" all this data gathering.


I am a "big data" engineer, and I have no idea how they could do something like this. However, my inability to theorize a potential method of collecting this data is not evidence for/against its existence. Remember the NSA employs some of the most brilliant software engineers and mathematicians on the planet whose job it is over the course of years to figure this sort of stuff out. I'm sure they've got a few tricks up their sleeve. Time will tell of course, and more revelations are reportedly "imminent".


This. To paraphrase a favorite Daniel Dennett quote: don't mistake lack of imagination for insight into feasibility.


I don't know about Google etc., but I used to work at Yahoo, and while there were substantial security measures in place, it would take a couple of engineers with sufficient access a couple of days to put together a solution to be able to pull out a stream of user data and e-mail data somewhere. In fact, all of this data was stored in systems prepared for easy replication anyway.

Somehow I doubt it'd be all that much more technically challenging elsewhere.

It's not a hard problem if there's people complicit at the right levels in these organisations. If there are no people complicit, then it would be difficult, yes. But we don't have enough information to determine whether "direct access" would involve a handful of people for a few days or weeks to get a feed or API set up, or if it would require covert interception of data and people sneaking around at night.


This is a good point. People asking for specifics on how PRISM works are just doing useless CNN-style modern "journalism": i.e. a bunch of time wasting speculation. The fact is, there are a million ways they could provide "direct" access to the data. Every company that has data has to have a way to replicate that data (e.g. to offsite locations in case the main site goes down, etc.). Replicating to the government would just take one person who knows how to turn on that replication and point it somewhere.


I like the explanation that it's basically a REST API with a required has_fisa_approval field[1]. In practice this gives unrestricted access because FISA only requires a hearing to be held after more than a week of surveillance against a single target.

The existence of the has_fisa_approval checkbox allows the companies to (dubiously) claim "no direct access" even though it is all but equivalent in practice.

1: http://uncrunched.com/2013/06/11/connecting-the-prism-dots-m...


Or each company sets up a continuous mirror. NSA has direct access to the data without (legalistically) direct access to the servers. Everybody's happy except democracy.

Not that I think this is the case - I suspect your scenario is what at least Google is doing. But if it's set up as an API (they submit a search query, Google approves it or even rubber stamps it in many cases, the query is run, the results sent to the dropbox), then the PRISM description is pretty accurate.


> Everybody's happy except democracy.

I could just up-vote you anonymously but I would rather say in person that this quotation tickles me pink and that I am going to steal it.


Don't all of those companies have published APIs for getting that data?



