From what Google's said, it appears the government can't arbitrarily query Google's servers. Google has stated pretty clearly that someone at Google has to check off before an account is pushed to a machine that the government can access and that the data cannot be accessed without this happening.
That's Google. We've yet to hear from many of the other companies in the program about whether this sort of access is technically impossible, or whether it's an honor system that the government is supposed to follow.[1] I haven't been closely following the Facebook, Microsoft, or Apple statements, so maybe they have also been explicit that it is a restriction that is implemented by technical means. Some of the companies haven't said anything yet.
How many of the companies really make sure there is legitimate documentation for each request? Do they really do this every time, or have they become resigned to the fact that there's nothing they can do, so they just rubber stamp each request coming through, even without the proper legal documentation?
[1] This seems to be a major issue--the President and NSA leaders have claimed that analysts "cannot" access your phone metadata and phone call content without the correct legal instruments. But by "cannot", they seem to mean "they are not allowed to" rather than "it is not possible for them to".
> Google has stated pretty clearly that someone at Google has to check off before an account is pushed to a machine that the government
My understanding of PRISM and all this is that the entire internet is vacuumed and everything is stored, just in case. I cannot imagine a guy "checking off" on every email or every mailbox for millions of Gmail users every day or even once a month manually. With 11K terabytes of digital data created per hour by the US, I cannot imagine any sort of manual system being implemented.
It has to be totally entirely automatic, otherwise it won't fly.
Any understanding of PRISM outside the classified world seems to be incomplete. Some people's version of PRISM seems to involve caching the whole Internet. That might sound implausible, yes. But we won't know until or if the whole thing gets declassified.
Yes, but that vacuuming is apparently being done, just not under PRISM (for example, see https://en.wikipedia.org/wiki/Room_641A). PRISM is just one method of getting the data.
There was a fifth PowerPoint slide published by the Guardian[1] which clearly distinguished between PRISM and "Upstream" methods which collect "communications on fiber cables and infrastructure as data flows past."
The PRISM program mentioned in the PowerPoint slides is very likely the same program that is mentioned in unclassified documents such as Army Field Manual (FM) 3-55, Information Collection[2]:
> 6-12. Two joint ISR planning systems—the collection management mission application and the Planning Tool for Resource, Integration, Synchronization, and Management (PRISM)—help facilitate access to joint resources. PRISM, a subsystem of collection management mission application, is a Web-based management and synchronization tool used to maximize the efficiency and effectiveness of theater operations. PRISM creates a collaborative environment for resource managers, collection managers, exploitation managers, and customers. In joint collection management operations, the collection manager coordinates with the operations directorate to forward collection requirements to the component commander exercising tactical control over the theater reconnaissance and surveillance assets. A mission tasking order goes to the unit responsible for the collection operations. At the selected unit, the mission manager makes the final choice of platforms, equipment, and personnel required for the collection operations based on operational considerations such as maintenance, schedules, training, and experience. The Air Force uses the collection management mission application. This application is a Web-centric information systems architecture that incorporates existing programs sponsored by several commands, Services, and agencies. It also provides tools for recording, gathering, organizing, and tracking intelligence collection requirements for all disciplines
They don't need to store all the data if they can just compel whoever is storing it to give them access to said data. (Which seems to be what is alleged).
re: [1]... Right. In fact, this morning I think we heard this is definitely policy and not technology. We were told that for this to happen [paraphrasing from memory] "One person would have to break the law [analyst], his boss would have to break the law [because he's supposed to approve the access], and remember this entire process is 100% auditable, so we'd catch them for sure."
Of course, this isn't remotely reassuring for a bunch of reasons. Most of all though, I'd be curious to hear more about how the auditing process works. He kept saying "auditable" I noticed, not you know... "actually audited".
Snowden mentioned in the Q&A that 5% of the GCHQ accesses are audited, as one example. He mentioned 5% as if it's a low value but that's actually fairly high, especially if randomly-picked.
Yeah, there are generally two things keeping society in order: ethical beliefs about right and wrong, and fear of punishment from the powers that be for breaking the law. My concern with the NSA is that there is a culture of "the current laws are unduly stifling on our jobs, so us ignoring them is 'required'", coupled with management's belief in same and thus non-interest in prosecuting people that cross the line. Not to mention such prosecution would inevitably be public and thus the program exposed and the public seeing it is being abused. Taken together you have a perfect recipe for safeguards that exist in theory and are utterly ignored in reality, "for the greater good".
Why do people assume that Google has the only copy of what is on Google's servers? It is not hard for the NSA, since they are already admittedly the "man in the middle", to have copies of all data going in and out of any server they target.