PRISM-as-a-Service
Not Subject to American Law
Lynn Root | @roguelynn | roguelynn.com
rogue.ly/prism
Write-up and references
@roguelynn
Who am I?
• Software Engineer at Red Hat
• PyLadies of San Francisco
• PSF Board Member
Why am I here?
• What is PRISM?
• Unanswered Questions
• How does it affect cloud services?
• What can we do now?
Disclaimer
• I am not a lawyer!
• I have no three-letter-agency or PRISM-cooperative-company insight
• Thoughts & opinions are my own
PRISM Overview
Planning tool for Resource Integration, Synchronization, and Management
What is it?
• An electronic data mining tool
• Its purpose is mass surveillance
• Collects intelligence that passes through US servers
• Supposedly only metadata
Who does it affect?
• Targets foreigners’ communication
• Cannot specifically or intentionally target US citizens
Who’s involved?
• 98% of PRISM data comes from Google, Microsoft, and Yahoo
• Other companies: Apple, AOL, Facebook, PalTalk, Skype, & YouTube
How does it work?
[Diagram: FBI, Company, NSA]
Mass Surveillance
Timeline
Timeline: 1946, 1952, 1973, 1978, 2000, 2001
Five Eyes Group
• USA, UK, Australia, Canada & New Zealand
• Purpose: to share intelligence, concentrating on signals intelligence
CSEC formed
• Responsible for foreign signal intelligence
• Canada’s national cryptologic agency
NSA Established
Purpose: collecting, processing, and disseminating intelligence information from foreign electronic signals for national foreign intelligence and counterintelligence purposes, and to support military operations.
Warrants needed
The Supreme Court rules that warrants are now required for domestic intelligence surveillance.
FISA signed into law
The Foreign Intelligence Surveillance Act is passed to protect against widespread abuse of wiretaps.
“live on the network”
The NSA transitions into the 21st century by expressing a desire to “live on the network” to perform its offensive and defensive missions.
9/11 WTC Attacks
The culture against spying begins to shift at the NSA.
Timeline: Fall ’01, Winter ’01/02, Summer ’02, Winter ’02
NSA revives spying plan from 1999
Originally deemed illegal under FISA in 1999, the NSA revives its plan to perform contact chaining on the metadata it collected.
Telecoms + Domestic spying
The US administration gains access to the large telecom switches carrying the bulk of the US’s phone calls. There seems to be no obstacle preventing the NSA from eavesdropping.
Total Information Awareness
A program to record and analyze all digital information generated by all US citizens. Defunded, but continued to run under different names.
Room 641A
AT&T employees discover NSA officials on an undisclosed mission, and also discover secret rooms being built within AT&T offices.
Telecoms enter formal agreement to give data
Major telecommunication companies enter into a voluntary formal agreement to give calling metadata to the NSA.
Timeline: 2005, 2007, 2008, 2011, 2012
NYT reveals companies gave backdoor access
The NSA gained the cooperation of US telecoms to obtain backdoor access to streams of domestic and international communication.
Canada follows
Canadian defense minister Bill Graham signs a decree to collect communications metadata on Canadian citizens; renewed in 2011.
Protect America Act
President Bush signs a bill giving the NSA the right to collect communications without a warrant and without court oversight.
PRISM data collection
In September 2007, PRISM data collection began with Microsoft, the first of the PRISM-cooperative companies.
FISA Amendments
On July 9th, Congress passes amendments to FISA that give legal immunity to the telecoms that cooperated with the NSA’s wiretapping.
UK’s turn
Estimated launch of GCHQ’s Tempora program, a clandestine electronic surveillance program, after it was first trialled in 2008.
NSA Datacenter
The NSA starts building its biggest spy center in Utah for the purpose of intercepting, deciphering, analyzing, and storing vast swaths of the world’s communications.
Timeline: 2013, ?, ?, ?, ?
PRISM revealed
On June 6th, the Washington Post reveals the PRISM program, 6 years after data collection started.
Unanswered Questions
• How is “foreignness” determined?
• What if foreigners and US citizens communicate?
• What do words like “backdoor”, “direct”, “intentional” mean?
• How is the PRISM-collected data handled?
• What analysis is being done on collected data?
What about...
• US citizens abroad?
• US citizens using services abroad?
• Are US permanent residents considered foreigners?
• Foreign persons/companies using services from US-based companies incorporated abroad?
Effects on the Cloud
Recognized effects
• 56% less likely to use US-based services
• 10% cancelled US contracts
• Germany forbids future data transfers to non-EU clouds
• US economy stands to lose $22-35 billion