PRISM Planet

The government’s cybersurveillance program targets foreigners, not Americans. But can it tell the difference?

A woman using an iPhone visits the 27th Janadriya festival on the outskirts of Riyadh February 13, 2012. The two-week-long festival showcases Saudi Arabian culture and traditions.
A woman using an iPhone in Riyadh, Saudi Arabia, Feb. 13, 2012

Photo by Fahad Shadeed/Reuters

Under U.S. law, our government can spy on foreigners using methods it can’t apply to Americans. This is tricky, because espionage has changed. Surveillance now focuses less on monitoring locations—stakeouts, cameras, listening devices—and more on monitoring global information networks. In cyberspace, it’s hard to tell who’s an American and who’s a foreigner.

This is the problem at the core of PRISM, a U.S. surveillance program disclosed yesterday by the Washington Post and the Guardian. The government has decided that the difficulty of distinguishing foreigners from Americans won’t be its problem anymore. It will be your problem. Counterterrorism officers will scan everything that goes through the Internet, collect the stuff that sounds like it might belong to foreigners, and figure out later whether what they’re reading actually belongs to a U.S. citizen.

Unlike the NSA’s phone surveillance program (code-named BLARNEY), which I defended yesterday, PRISM captures the content of electronic communications, not just “metadata” such as the time and length of phone calls. A PRISM briefing slide lists the kinds of materials intelligence analysts can get through the system, including email, videos, VoIP, and online chats. The Post, paraphrasing a “User’s Guide for PRISM Skype Collection,” says Skype “can be monitored for audio when one end of the call is a conventional telephone and for any combination of ‘audio, video, chat, and file transfers’ when Skype users connect by computer alone.” The official who leaked this document told the Post that through PRISM, surveillance officers “literally can watch your ideas form as you type.”

James Clapper, the Director of National Intelligence, all but conceded this crucial difference between the two programs when he issued two statements yesterday: one about BLARNEY, in which he emphasized that only metadata was collected, and one about PRISM, in which he omitted that defense.

Clapper’s defense of PRISM is that it targets foreigners, not Americans. He explains:
“Section 702 is a provision of FISA [the Foreign Intelligence Surveillance Act] that is designed to facilitate the acquisition of foreign intelligence information concerning non-U.S. persons located outside the United States. It cannot be used to intentionally target any U.S. citizen, any other U.S. person, or anyone located within the United States. Activities authorized by Section 702 … involve extensive procedures … to ensure that only non-U.S. persons outside the U.S. are targeted, and that minimize the acquisition, retention and dissemination of incidentally acquired information about U.S. persons.”

But that argument collides with a central theme of the PRISM briefing slides. One slide, published by the Post, diagrams the global network of Internet bandwidth among various regions of the world, with “U.S. & Canada” as the principal hub. “Much of the world’s communications flow through the U.S.,” the slide points out. “Your target’s communications could easily be flowing into and through the U.S.” According to the Guardian, the slide presentation claims that the U.S. has a “home-field advantage” against terrorists by virtue of hosting much of the world’s Internet infrastructure. The slides list several U.S. Internet behemoths—Microsoft, Google, Yahoo!, Facebook, Apple, and others—that have been roped into the program.

This is the paradox of PRISM: It targets foreigners by targeting U.S. communications channels. It creates a constant tension between the law, which forbids blanket surveillance of Americans, and the program’s strategy, which is to exploit the domestic location of the surveilled information.

If you’re spying on domestically hosted data, how do you distinguish foreigners from U.S. citizens? Originally, the Guardian reports, the government had to produce “individual warrants and confirmations that both the sender and receiver of a communication were outside the US.” The Guardian quotes the PRISM slide presentation: “It took a Fisa court order to collect on foreigners overseas who were communicating with other foreigners overseas simply because the government was collecting off a wire in the United States. There were too many email accounts to be practical to seek Fisas for all.” According to the presentation, this ruined “our home-field advantage.” Our spy agencies were being hindered, not helped, by the fact that the world’s leading Internet companies operate in our country.

So the rules were changed. According to the Guardian, the FISA Amendments Act redefined key legal terms to permit surveillance of anyone “reasonably believed” to be outside U.S. borders at the time. Case-by-case court orders were no longer required.

Instead, the new policy emphasizes a general procedure, which in turn has to meet an aggregate statistical standard. According to the Post, “Analysts who use the [PRISM] system from a Web portal at Fort Meade, Md., key in ‘selectors,’ or search terms, that are designed to produce at least 51 percent confidence in a target’s ‘foreignness.’ ”

The Post points out that 51 percent is a low bar. But the problem goes deeper. We’re now talking about categorizing and treating people as foreigners, subject to extensive government surveillance of their communications, based on statistical correlations of various search terms. It’s verbal profiling.

Clapper contends that when Americans are inadvertently surveilled, the system catches the errors and halts the intrusions. The government’s “extensive procedures,” he asserts, “minimize the acquisition, retention and dissemination of incidentally acquired information about U.S. persons.” But he offers no explanation of what these procedures are. Once you’re flagged as a likely foreigner based on the search terms, how does the government decide to unflag you? Are your communications purged from the system? It’s hard to believe that an agency too swamped to file case-by-case FISA surveillance requests takes the trouble to delete every “incidentally acquired” email belonging to an American.
The legal conundrum also extends to PRISM’s definition of “facilities.” The Post reports that in the old days, if counterterrorism agents wanted to spy on you, they had to show probable cause that both the “target” and “facility” in question were linked to terrorism. Bush administration lawyers changed that rule, persuading the FISA court to define huge data sets as “facilities.” This makes it easy to associate them with terrorism so they can be monitored. But you’re part of that association. Your email can be found at, and obtained from, a terrorism-related facility. Thanks to the Internet, concepts such as “facility” and “foreign” are no longer strictly geographic. They’re aggregational and statistical.

Today, when President Obama was asked about PRISM, he insisted that the program “doesn’t apply to” Americans and that it has plenty of “safeguards.” But he said nothing about what those safeguards are. That won’t cut it. PRISM changed the rules so that the government’s accidental surveillance of its own citizens became our problem. If we don’t like that—or his answers to our questions—we’ll make it his problem, too.

Read more on Slate about the NSA’s secret snooping programs.

William Saletan’s latest short takes on the news, via Twitter: