On Thursday, The Guardian reported on an NSA program called “PRISM.” The article claimed that this program has the NSA connecting directly to the servers of countless Internet companies in order to obtain data and communications of their users. The report further suggested the NSA could be using this program to track the communications of American citizens.
This story was based on a leaked PowerPoint presentation reportedly used to train intelligence operatives on the program. The Washington Post followed with a similar article based on this same presentation.
However, it now appears the report was incorrect — or at least exaggerated — based on a misinterpretation of the document.
As CNET’s Declan McCullagh reported, the actual program appears to be quite different than the one described by The Guardian. According to a former official, the program actually involves a process set up by Congress that includes judicial oversight. The former official explains:
“The government delivers an order to obtain account details about someone who’s specifically identified as a non-U.S. individual, with a specific finding that they’re involved in an activity related to international terrorism. Both the contents of communications and metadata, such as information about who’s talking to whom, can be requested.”
This account is supported by several other relevant reports.
First, all of the companies cited as being involved have denied the NSA has access to their servers. The New York Times explains these companies may have created special processes through which to transfer requested data easier, but that the companies only hand over data related to “legitimate court orders.” The Times also explains the data transferred only includes that of “foreign users in response to lawful government requests.” Furthermore, the original Washington Post article was changed to specify the NSA was tracking “foreign targets.”
In addition, Section 702 of the Foreign Intelligence Surveillance Act, which authorizes this program, requires that the Justice Department request:
(1) may not intentionally target any person known at the time of acquisition to be located in the United States; (2) may not intentionally target a person reasonably believed to be located outside the United States if the purpose of such acquisition is to target a particular, known person reasonably believed to be in the United States; (3) may not intentionally target a United States person reasonably believed to be located outside the United States; (4) may not intentionally acquire any communication as to which the sender and all intended recipients are known at the time of the acquisition to be located in the United States; and (5) shall be conducted in a manner consistent with the fourth amendment to the Constitution of the United States.
There is a huge difference between the NSA collecting data on American citizens without warrants and them getting judicial approval to specifically obtain communications of foreign targets suspected of terrorist activity. The latter is clearly covered under the law — the former is not — and has reportedly led to the government stopping possible attacks.
This report does not relate to a separate Guardian story that the NSA obtained an order to collect the metadata of Verizon customers or a report that the NSA has mistakenly intercepted e-mails or phone calls of innocent Americans in the past.