So there’s been 100s of articles posted about PRISM, which also now has a lengthy Wikipedia article – PRISM (surveillance program). Apparently PRISM (2007-present) is the program that replaces the previous (2001-2007) NSA warrantless surveillance program.
So the US government has been watching everyone, no shit (Nineteen Eighty-Four?).
PRISM is a clandestine national security electronic surveillance program operated by the United States National Security Agency (NSA) since 2007. PRISM is a government codename for a data collection effort known officially as US-984XN. It is operated under the supervision of the United States Foreign Intelligence Surveillance Court pursuant to the Foreign Intelligence Surveillance Act (FISA).
The existence of the program was leaked by NSA contractor Edward Snowden and published by The Guardian and The Washington Post on June 6, 2013. A document included in the leak indicated that the PRISM SIGAD was “the number one source of raw intelligence used for NSA analytic reports.”The President’s Daily Brief, an all-source intelligence product, cited PRISM data as a source in 1,477 items in 2012. The leaked information came to light one day after the revelation that the United States Foreign Intelligence Surveillance Court had been requiring the telecommunications company Verizon to turn over to the NSA logs tracking all of its customers’ telephone calls on an ongoing daily basis.
It’s a revelation for a lot of people however, who are unaware of how easy it is to capture data online (that isn’t encrypted) – like e-mail for example. I’ve always told people don’t write anything in an e-mail that you wouldn’t write on a post-card – because reading them both is at about the same difficulty level.
Most people think because they are logged onto Gmail/Hotmail etc using https, that their transmissions are secure. But unfortunately the majority of the e-mail infrastructure is using zero encryption – so all your messages are floating around in plain text, unless of course you are using PGP/GPG – they you are pretty safe. But how many people do that, and it requires both sender and receiver to using the same system.
There are of course specialist e-mail services for the paranoid like Hushmail Tormail.
It’s a big kick in the face for the US Government though with their hyperbole about freedom, now it turns out they are invading the whole World’s privacy and ignoring human rights.
There have been statements from Microsoft, Yahoo!, Google, Facebook, Apple & Dropbox stating they do not take part in PRISM and that they do not give any direct server access to any agencies.
The guy that kicked this whole thing off was Edward Snowden, who intentionally revealed his identity and is ready to deal with the consequences. More here – Edward Snowden: the whistleblower behind the NSA surveillance revelations.
He was basically a sys admin for a government contractor called Booz Allen Hamilton, parked under the NSA in Hawaii. As we all known, sys admins typically have full access to EVERYTHING, ever server, every system – as they need it to do their job.
Very few companies implement silos, or transparent encyrption to protect themselves from sys admins. More on that discussion here – Prism doesn’t have CIOs in a panic — yet .
Either way, it’s a pretty interesting story and it’s getting spectacular global press coverage – there’s plenty more to read if you’re interested.
Garry Pilkington says
Yes, very scary stuff. If MS, Yahoo etc are not giving access to the PRISM system, then surely they are hacking into some where else to get that information. The big IT companies (especially cloud providers) need to bolster their security and provide guarantees that their data is secure or smaller companies are not going to store corporate data with them.
anon says
Hushmail is known honeypot. Better example would be Tormail.
Anon says
Don’t recommend hushmail. They’re known to just hand over information whenever asked.
zzx375 says
Is this really any different than ESCHELON? Perhaps in scope, its targeting, and technology but otherwise are they different?
nobody says
But is PGP really that safe anyway?
agilob says
Yes, it’s the only safe solution. Unless you publish you private key ;)
BitMessage is a distributed ala ’email’ network fully encrypted with your private key. Everything works in background, user even doesn’t know about encryption. I strongly recommend.
James says
PGP is pretty good ;)
Darknet says
Yah it’s pretty safe, as Bruce Schneier said, it’s the closest a civilian can get to military grade encryption.
Bogwitch says
A note of caution with regards to using PGP – while the contents of your email will be mostly protected (assuming the TLAs haven’t figured out a way to crack the encryption), the agencies will still use the metadata – and form assumptions based on that. The metadata in question will be who you communicate with, etc. The way intelligence agencies work is that they will produce an association map based on this metadata. If person A communicates with person B and person B communicates with person C, there will be a one-hop link between person A and person C.
An interesting side note to this story is that if you practice good OpSec (encrypting communications, etc) this raises a red flag with the agencies. From what I have read, ALL encrypted communication is stored, the intention, I guess, would be to utilise advanced cracking techniques as and when they become available. Almost all encryption (1) can be broken given enough time and Moore’s Law suggests that this is only going to get easier. Quantum computing will add to this capability. It’s why we don’t use DES for encryption any more, it’s why many websites don’t use 512 bit certificates any more.
If you’re going to use PGP, be aware that although the contents of the email are encrypted, the envelope is not.
As for the analog of email and postcards, I don’t know of any government program of scanning and analysing postcards – doing this to email is trivially simple. Email is significantly easier to intercept than postcards.
(1) The only encryption that is provably secure is One Time Pads. One Time Pads are notoriously difficult to implement and manage and it raises the issue of key exchange – One Time Pads introduce a whole new set of problems.
Darknet says
Yah totally agree, that’s why the terrorists resorted to using e-mail drafts and shared accounts to communicate – as it’s a lot safer if it never even goes over the wire.
Pretty relevant article I just happened to spot a couple of days back:
A massive snail mail surveillance program lets the government know about your pen pals
I’m pretty sure it probably happens in Europe too.
And yah OTP is always the safest, it’s also the hardest to implement properly and yah..it tends to introduce a whole new set of of problems.
hawake says
Hi,
honestly i’ve not been surprised to read about PRISM, since “to know everything” is the primary objective of any intelligence agency. I fear much more of chinese secret espionage programs, of which unfortunately no one has already publicly talked about.
“As for the analog of email and postcards, I don’t know of any government program of scanning and analysing postcards – doing this to email is trivially simple. Email is significantly easier to intercept than postcards.”
It already happend some times back when Nixon was USA president. CIA used to litterally watch inside any letter, postcard etc..
Thanks for the article,
Bye
hawake
Bogwitch says
Hi Hawake,
“It already happend some times back when Nixon was USA president. CIA used to litterally watch inside any letter, postcard etc..”
I daresay you are correct. However, postcards in Europe, etc. tend not to pass through the US!
hawake says
Hi Bogwitch,
“However, postcards in Europe, etc. tend not to pass through the US!”
True. We could say that this is the “amplification” introduced by the Internet and the technology in general.
Thanks for the answer,
Bye
hawake