NSA PRISM Slides: Notice Anything Unusual or Missing?

We haven’t seen (and likely will never see) all of the NSA slides former Booz Allen employee Edward Snowden shared with the Guardian-UK and the Washington Post. But the few that we have seen shared by these two news outlets tell us a lot — even content we might expect to see but don’t tells us something.

First, let’s compare what appears to be the title slide of the presentation — the Guardian’s version first, followed by the WaPo’s version. You’d think on the face of it they’d be the same, but they aren’t.

[NSA presentation, title slide via Guardian-UK]

[NSA presentation, title slide, via Guardian-UK]

[NSA presentation, title slide, via Washington Post]

[NSA presentation, title slide, via Washington Post]

Note the name of the preparer or presenter has been redacted on both versions; however, the Guardian retains the title of this person, “PRISM Collection Manager, S35333,” while the WaPo completely redacts both name and title.

This suggests there’s an entire department for this program requiring at least one manager. There are a number of folks who are plugging away at this without uttering a peep.

More importantly, they are working on collection — not exclusively on search.

The boldface reference to “The SIGAD Used Most in NSA Reporting” suggests there are more than the PRISM  in use as SIGINT Activity Designator tools. What’s not clear from this slide is whether PRISM is a subset of US-984XN or whether PRISM is one-for-one the same as US-984XN.

Regardless of whether PRISM is inside or all of US-984XN, the presentation addresses the program “used most” for reporting; can we conclude that reporting means the culled output of mass collection?

Here’s the next slide referred to most frequently, from the WaPo’s site. No redactions were made by either Guardian or WaPo to this slide:

[NSA presentation, PRISM collection dates, via Washington Post]

[NSA presentation, PRISM collection dates, via Washington Post]

Note the use of the word collection here in the title.

Note also that the entire slide does NOT mention metadata (nor do any of the other slides released by Guardian-UK and WaPo).

Let’s look next at the slide entitled “PRISM Collection Details” from the WaPo’s site. Again, no redactions were made by either Guardian or WaPo.

[NSA presentation, PRISM collection details, via Washington Post]

[NSA presentation, PRISM collection details, via Washington Post]

Note again the use of the word collection, and the lack of the word metadata in the description of materials obtained by collection process. (Note, too, just how much content is available without making a special request.)

Granted, the same slide makes reference to a NSA internal site PRISMFAA, suggesting the FISA Amendments Act may have been utilized to collect content, but this, too, is another interesting feature. Why is PRISM so tightly integrated with FAA?

Does the possibility they are not completely separate explain why Director of National Intelligence James Clapper, Senate Intelligence Committee Chair Dianne Feinstein, and House Intelligence Committee Chair Mike Rogers appear to confuse PRISM with Section 215 of the the Patriot Act?

The slide entitled FAA702 Operations contains some points which have not been examined very closely by the media, apart from the Guardian. This slide was included by itself in a followup report dated 08-JUN-2013:

[NSA presentation, FAA702 operations, via Guardian-UK]

[NSA presentation, FAA702 operations, via Guardian-UK]

Note that FAA is once again tied to a section of the Patriot Act, this time to Section 702. (See Marcy’s previous post about 702’s intended use with regard to hacking in addition to counterterrorism and counter-proliferation.)

This slide suggests to its audience that two major forms of collection should be used, one of which is PRISM. The other appears to be network sniffing capabilities farther away from the subject entities of PRISM, installed somewhere on the communications system wide area network.

Given this duality of methods, it might be implied that PRISM consists solely of collection of content on these nine social media firms, and not telcos.

Further, the Guardian reported in its initial article on PRISM:

“…Companies are legally obliged to comply with requests for users’ communications under US law, but the Prism program allows the intelligence services direct access to the companies’ servers. The NSA document notes the operations have “assistance of communications providers in the US”. …”  [emphasis added]

It’s not clear from the FAA702 slide which US communications providers are assisting, or whether they do so voluntarily. We can only guess that the court order granted by Foreign Intelligence Surveillance Court to the FBI in late April allowing collection of Verizon users’ data demonstrates the kind of assistance provided by telcos in the absence of other publicly available information.

The slide also indicates four programs are used on the upstream network, the names of two having been redacted. The WaPo only describes one of them — BLARNEY — as tool which “gathers up ‘metadata’” and is “an ongoing collection program that leverages IC [intelligence community] and commercial partnerships to gain access and exploit foreign intelligence obtained from global networks.”

What does this suggest about the other three programs, two of which have not been revealed in any fashion?

Finally, the background image used in the slide raises more questions; underseas cable routes are shown, as are major network trunks across the US. Are there collection systems installed on these underseas cables routing a substantive portion of all communications into/out of the US?

This calls to mind another older program, ECHELON, about which the public already knows. It isn’t mentioned in this slide, and the chances it is a redacted name are slim. Has it been replaced by a new program?

Given the analysis methodology described by WaPo:

“Analysts who use the system from a Web portal at Fort Meade, Md., key in “selectors,” or search terms, that are designed to produce at least 51 percent confidence in a target’s “foreignness.” That is not a very stringent test. Training materials obtained by The Post instruct new analysts to make quarterly reports of any accidental collection of U.S. content, but add that “it’s nothing to worry about.”
Intelligence analysts are typically taught to chain through contacts two “hops” out from their target, which increases “incidental collection” exponentially. The same math explains the aphorism, from the John Guare play, that no one is more than “six degrees of separation” from any other person.

Does this mean that all communications between individuals who do not have an Anglo-Saxon name are likely to be sniffed if not collected?

Does this sketchy “(foreign) + (less than 3 hops)” approach executed by humans explain known false-positives? Could the relationships between the false-positives be as tenuous as shopping at the same store? What happens in the case of targets possessing a highly common name like “Ahmed” — the equivalent of Smith in terms of frequency among Arabic surnames — is collection so large it could be called a dragnet?

And what happens with searches or collections related to cyber attacks, in which names mean nothing?

Once again, many questions remain with the prospect of few straightforward, truthful answers ahead.

UPDATE — 1:26 PM EDT — I missed this rather obvious detail while combing through the content of the slides. The PRISM logo on the Guardian-UK’s title slide is different from the title slide the Washington Post published. Did these two outlets receive different sets of slides? Or did they publish different title pages from the same collection of NSA slides furnished by Edward Snowden? Why the logo change at all?

UPDATE — 3:45 PM EDT — Per readers in comments below, the differences in the PRISM logo are believed to be differences in rendering dependent upon the news outlets’ use of either open source OpenOffice’s Impress or proprietary Microsoft Powerpoint applications. If there are other likely explanations, please feel free to share in comments.

76 replies
  1. P J Evans says:

    The paragraph after the next-to-last blockquote seems to be truncated.

    “at least 51 percent confidence” is a damned low bar.

  2. Snoopdido says:

    On the slide entitled “PRISM Collection Details”, one should also note the sentence “What You Will Receive in Collection (Surveillance and Stored Comms)?”.

    This seems to say that the NSA defines surveillance and stored communications as 2 different things.

    As I’ve commented before, there has been much media attention devoted toward the stored communications part used for forensic or historical analysis (those call records of domestic communications of all Americans obtained by Section 215 orders over the last 7 years), but little attention paid to the real-time surveillance programs like Blarney and Fairview that NSA runs via their triggers placed in Narus systems on massive fiber optic pipes in the US.

  3. grayslady says:

    Frankly, I’ve wondered why AT&T has been pushing its fiber optic services at ridiculously low rates when the costs just to install that service have to be substantial. When I read that the government has had the ability to tap into fiber optic communications for at least 10 years, I couldn’t help but wonder if the government isn’t subsidizing the telcos in moving to fiber optic simply for purposes of ease of spying.

    On another issue, Rayne, what about all the documents that WaPo and the Guardian have seen that the rest of us haven’t? Are they stored somewhere “safe”? In paper format? On a hard drive, or several hard drives? What is the government supposed to do about the people besides Snowden who have seen those documents?

  4. emptywheel says:

    One of the things that’s going on is what you and I mean by “collection” is different from what the govt means (which is the dodge Clapper used to discuss the 215 program, though he fails on “data” not “collect”).

    They obtain all of this. BUt they don’t consider anything “collected” until they have accessed it.

  5. Rayne says:

    @P J Evans: I think there might be a formatting error. Might be the blog platform’s default spacing in blockquotes. Thanks, will look into it. [Edit: Nuts, it’s because of some over-zealous editing in my part, will fix shortly. Thanks again!]

    As for the 51% — jeebus, what names in this country aren’t “foreign”? Mine certainly isn’t Anglo-Saxon.

    @Snoopdido: I think the surveillance issue is slipping by as it is comparatively less threatening than collection.

    That said, I don’t believe these guys on the issue of surveillance versus collection, versus “sifting.” I think they are hoovering as much as they can and weeding through it as desired. Surveillance just doesn’t tell them enough anymore.

  6. Wassup NSA? says:

    Interesting speculation on the undersea cables – I remember a few years ago, I think 2007-2008 actually, reading about when at least one or two cables (near Egypt, I think?) snapped unexpectedly and had to be repaired. Makes me wonder who did the repairs and who cut the cables. It was suggested as terrorism at the time but that fizzled and then I believe it was reported as accidental.

  7. scribe says:

    @grayslady: Recall that the telecoms have not had to list all their income from the government, for going on 40 years. In short, back in the 70s, someone came up with the bright idea that the Russians could figure out how much wiretapping and related work the US was doing by looking at the SEC disclosures the telephone companies were required by securities (stocks and bonds securities) laws. I think it was just so they could cover up from the American public just how much the government was laying out for wiretapping. But that’s just suspicious, cynical me.

    So, they wrote an exception into the securities laws wherein the telcos were not required to give the public honest balance sheets and financials in their otherwise-required SEC filings: they are not to list the money the government gives them for wiretapping and similar work. But, rest assured, the telcos charge the gocernment for every wiretap and every pen register and so on. They charge handsomely.

    All of which is a longwinded way of confirming your supposition that the telcos are making a lot more than they say, and are turning that money into fiberoptic (and other stuff).

  8. Rayne says:

    @emptywheel: Yet another point at which to insert pop culture reference to The Princess Bride:

    “I do not think that word ‘collection’ means what you think it means.”


    It’s just weasel words.

    EDIT — 12:58 pm EDT —
    The obvious truth is the construction of massive data centers on equivalent scale to that of telcos, social media firms, and other internet-mediated businesses like Amazon.

    If they have to ask for funds and then build something that large, they are taking and retaining consumers’ communications in violation of the Fourth Amendment.

    Perhaps we need to change our terminology from “collection” to “taking.”

  9. Rayne says:

    @scribe: I suppose if we were really good, we’d go through the 10-Ks and see if the numbers reveal some oddities.

    Like a bizarre amount for Goodwill, or figures far in excess of stated physical sales volume.

  10. Rayne says:

    Jeebus, I was looking soooo closely at wording I missed other details.

    Those first two slides have different PRISM logos.


    Were they really different slides from different presentations?

    Now I have to go back and look at the other slides all over again.

  11. bsbafflesbrains says:

    Stalin would have loved this security system. Suppose the head of NSA doesn’t like what Rand Paul is doing and he knows all Pauls personal info. Trust us just doesn’t cut it as a safeguard.

  12. orionATL says:

    Why were the slides prepared?

    Their detail and apparent complexity don’t suggest to me an executive summary for, say, nat security council or dod heads.

    Were they prepared as a sales pitch?

    Sales of what? To whom?

    Capabilities? Data? Reports?

    Might booze-a-h be doing the selling? In asia – hence hawaii?

    Is that why they were accessible to booze-a-h employee snowden?

  13. Rayne says:

    @P J Evans: They could have the same slides, perhaps different creation times within same packet. Not certain.

    I can’t explain the red rectangle logo vs. no rectangle logo with any other conclusion except that these slides are different between the two news outlets. WaPo’s are sans rectangle, Guardian’s slides have them.

    Makes me wonder what else might be different in the slides we cannot see.

  14. Rayne says:

    There were two Cybersecurity Framework workshops this year, per EO 13636 on cybersecurity. One of them was held in April.

    My current theory is that persons related to the development of this workshop and the subsequent execution of deliverables supporting EO 13636 may have been read into the PRISM (and/or US-984XN if distinctly separate) program. The slides we’ve seen could easily communicate to these persons the NSA’s capability augmenting the deliverables being pursued by private sector Cybersecurity Framework participants.

    Again, this is my current personal theory. There could be other explanations. I’m all ears.

    EDIT — 2:04 PM EDT —
    Should point out that the workshops had a strong bias toward anti-hacking/cyber attacks/cyber warfare, versus counterterrorism and anti-proliferation. If participants of these workshops were read in, they’d have gov’t security clearances and work at the intersection defined by Section 702.

  15. eh says:

    The red on the Guardian slide appears to be a transparency-designating color that may be explained by their using a different piece of software to display the slides, OpenOffice/Keynote vs. Powerpoint, or, generally, graphic display differences between the computers used to take the screenshots.

  16. FrankProbst says:

    @ P J

    On this narrow point, I think you need bmaz to chime in on “51%”. This looks like a non-lawyer version of “more likely than not”, which I think is the definition of “probable cause”.

  17. Rayne says:

    @eh: Thanks — with what degree of confidence do you think this to be the case, merely transparency in logo?

    Seems quite odd to me that WaPo wouldn’t ensure its slides look those we’ve already seen.

    @P J Evans: Possible, but why would a news outlet covering a story this big make any assessment as to appearance of a key logo on a slide? Wouldn’t they want to ensure that the slide appears EXACTLY as NSA intended? (As an editor I’d do everything to make sure the slides were as close to original as possible.)

  18. P J Evans says:

    ‘Preponderance of evidence’, as far as I can tell (checking Elizabeth Shown Mills, Evidence Explained, which is about evidence and proper sourcing and citation for genealogy.)
    I’d like something a bit more solid than that, really, because it doesn’t rise to ‘probable cause’, IMO.

  19. tjallen says:

    According to the article linked below, from the security analyst’s point of view, it appears that they are receiving data directly from the 9 companies’ servers, but according to the anonymous source, that is not how it actually works.

    Instead, the 9 companies push their data (my guess – detailed server logs) to govt servers located either on-site or at Quantico, where NSA and other govt agencies can send query terms and task the system for information. This prevents anyone at the 9 companies from knowing what is being queried.

    See page two of this article for the above explanations:


  20. Rayne says:

    @Clark Hilldale: so noted — but it begs the question why the slides weren’t rendered as produced by NSA (with red versus clear in logo) and why this wasn’t changed in WaPo’s publication slides since WaPo changed other content in their story (see ZDNet’s complaint about WaPo’s story).

  21. lysias says:

    The Hill: NSA leaker: US hacking computer systems in China, Hong Kong:

    The United States government has been hacking into computers in China and Hong Kong for years, former government contractor Edward Snowden told the South China Morning Post.
    In an interview with the Post in Hong Kong, Snowden said the National Security Agency has carried out hacking attacks against non-military targets since 2009, with the newspaper citing “unverified documents.” He said the targets of these attacks included Chinese university and public officials, businesses and students.

    Snowden believes there are “hundreds” of NSA hacking targets based in Hong Kong and mainland China, and there are more than 61,000 hacking operations worldwide, according to the Post’s report.

    And Obama had the gall to complain to the Chinese leader about Chinese hacking.

  22. 1970cs says:


    “The largest concentration of cyber power on the planet is the intersection of the Baltimore Parkway and Maryland Route 32,” says Michael V. Hayden, who oversaw the privatization effort as NSA director from 1999 to 2005. He was referring not to the NSA itself but to the business park about a mile down the road from the giant black edifice that houses NSA’s headquarters in Fort Meade, Md. There, all of NSA’s major contractors, from Booz to SAIC to Northrop Grumman, carry out their surveillance and intelligence work for the agency.


  23. Greg Bean (@GregLBean) says:

    BLARNEY — as tool which “gathers up ‘metadata’” and is “an ongoing collection program that leverages IC [intelligence community] and commercial partnerships to gain access and exploit foreign intelligence obtained from global networks.”

    Cablegate revealed that the so-called diplomacy was significantly about gaining commercial advantage. The diplomats were in many instances shown to be sales rep’s for US corporations.

    Why not consider the same of this NSA spying. Imagine the advantage available when one knows all the communications of every overseas competitor. It’s like being part of the ‘Survivor’ challenges and having a feed of every else’s conversations. How could you lose?

    So, is NSA spying used for commercial advantage? When the quote states, “commercial partnerships to gain access and exploit” does it mean exploit for commercial advantage?

    It easily could, and like with Cablegate, may very well do so.

    What would be the response from foreign competitors who can’t understand how they lost that last tender. It was in the bag, it was all settled, just needed a signature…. and then something happened, and the US competitor with a lesser offering was awarded the contract. How did it happen? They must have seen our communications….

  24. lefty665 says:

    @Rayne Slides could also be orientation/training for new users. What we got was the overview slides, and not all of them.

    One slide has a bullet directing operators “You Should Use Both” systems. One was UPSTREAM and the other was PRISM. That sounds like they missed something because an operator did not check all his/her sources and they did not want it to happen again. Comes under the heading of “pay attention bozos”. That sounds like (re)training.

    90% of the PPT show was not released. Reportedly that was because it contained specific system architecture or operating information that Snowden felt would compromise national security if it was released. 10 slides for every one we have seen would cover a lot of territory. I believe we can infer from that it was a very specific and targeted technical presentation. Hence operator training.

    PS – look at that S#, that’s gotta be way down in the organization.
    The slide numbers have gaps and are inconsistent between sources. Dunno which, or if all, were renamed, but each seems to be part of a sequential series. That makes it likely there were other classified systems or uses addressed even at the overview level.

  25. C says:

    @scribe: Yes. This is one of the reasons why the NSA budget has always been purely black. For many years the CIA listing in the public budget was a single byline while the NSA budget just did not exist in the public numbers meaning that our actual spending was always higher than even most of Congress knew.

  26. P J Evans says:

    That’s a good wquestion. And also why he switched from anti FISA bill to pro FISA bill that year, even with thousands of people in his campaign support group saying that it was illegal.

  27. M says:

    This may be pure speculation on my part but:

    In looking at these slides I think that they are internal advertising. In any large company groups exist to solve some sort of problem or perform some task and continue to exist only so long as they do so better than someone else or have political protection much like a very skewed marketplace. Indeed in a large enough organization such groups will be funded based upon how many end-users use their work thus making advertising all the more important. In this day and age of privatized spying the NSA is a big marketplace much like the DOD.

    For better or worse slides like these are used to “advertise” the group’s services to other parts of the organization such as the top brass, new analysts, etc. Thus they are used more to describe “what we can do for you” rather than to discuss detailed policy or practical implementations. And they are often widely available because when someone makes a presentation they tend to give them out to the recipients to be consulted later.

    This is consistent with your astute analysis about the project designation, and it suggests that the PRISM group is essentially a middleware collation project that sits between the raw collection (i.e. people who tap backbone fiber) and the end users (i.e. the analysts who track drug rings).

    That hypothesis would also explain why these slides omit a great deal of the detailed information such as how or under what regieme the data is collected. Confliciting reporting suggests either that there exist direct taps (perhaps at the backbone providers) or just some person at Google who responds to bulk FISA requests. And how the data is used legally (or not).

    In essence, from the perspective of the slides’ author(s), the exact collection of the data and its end use may be someone else’s problem and the sole purpose of our unknown presenter is to show how his/her middleware can be used by them.

    And, this might fit with the access level of someone like Snowden who would have been working on the development level with middleware such as this and Boundless Informant but not necessarily involved in cutting undersea cables or tracking drug rings.

    If that is in fact the case then it would explain things that have bugged me such as the relativly loose discussion of things like “collection” and the absence of crucial legal and technical details. Indeed the full set of slides might never have them but may go on to discuss some specific operations or successful uses of the tool that would be explosive which is why the Guardian and WaPo are being careful with them and why Snowden said what he said today about hacks in China.

    Again just pure speculation.

  28. TG says:

    @Wassup NSA?: In 2005, a modified nuclear-powered attack submarine put out to sea, its $923 million hull extension providing workspace for technicians and gear to tap undersea cables. Because irony knows no bounds, that submarine was the USS Jimmy Carter. It’s the second submarine thought to have performed that function and is still in service. More from CNN and Cryptome.

  29. Valley Girl says:

    Maybe I’ve missed something, but is there another source for the slides shown in the two articles? I mean a published one?

    First off, the WaPo article has a slide not in the Guardian article, and the images in the the WaPo article are much easier to read than those in Guardian. Hard to read some of the Guardian text. I am referencing the two pieces you posted at top of this piece.

    Am I missing something?

  30. john francis lee says:


    Massive spying on Americans is outrageous

    When the TIA idea was first proposed by the Bush administration after 9/11, along with a “Big Brother” all-seeing eye logo, it was widely considered a crazy notion, resulting in an outcry. That data collection plan, which involved indiscriminate spying on Americans, was quickly squelched — at least publicly.

    The truth, however, was that it was reborn under dozens of massive data collection and surveillance programs within each of our 16 highly secretive intelligence agencies, under a variety of cute acronyms.

    These programs falsely purport to get “novel intelligence from massive data.” (In fact, NIMD is the actual, self-explanatory name of one such program). Few within the national intelligence community complained about the wrongfulness, illegality or ineffectiveness — let alone the waste and fraud — of programs that create billions in profit for private surveillance contractors, technology experts and intelligence operatives and analysts.

    But there’s no evidence the NIMD theory has worked. Researchers long ago concluded that the NIMD-type promise of detecting and accurately stopping terrorists through massive data collection was simply not possible.

    Think the Googleplex and the others of the seven sisters are ‘private surveillance contractors’ ? Is the Pope a Catholic ?

  31. tjallen says:

    @1970cs: I’ve seen mentions of Ft. Meade and also a server farm in Utah, but I was limiting myself to interpreting the article I cited, where two sources gave different answers. One said the NSA servers were on company sites, while the other source said the servers were at Quantico. I suspect Quantico was mentioned because the FBI has a role as gatekeeper over the search terms (also mentioned in the cited article.)

  32. ryanwc says:

    You’d think with a $10 billion budget, they could afford to hire someone with a better eye for design. Those are among the most god-awful visuals intended for display among colleagues that I’ve ever seen.

  33. lefty665 says:

    @P J Evans: Webb flipped on FISA too. We were supporters from before he was a declared candidate (2006), and had several related discussions with him over the course of the campaign and after. He was always right straight up on the right side of the issues. After he rolled on FISA he wouldn’t look me in the eye on that issue. He was a Marine and tended not to take much shit. Our conclusion was that someone made him an offer he could not refuse.

    @ryanwc They communicate as intended, and like it or not, the underlying technical achievement is amazing. They ain’t paying those guys for their graphic design or social skills. A designer with no need to know is just one more potential for compromise.

  34. William Ockham says:

    Here is the likely source for the Prism ppt:

    For his first week or two with Booz Allen, Snowden attended training sessions near Fort Meade, the Maryland military installation where NSA headquarters is located and where numerous agency contractors have offices.

    Those slides look a lot like the intro presentation for an onboarding process. Like most onboarding presentations, it is mostly misinformation.

  35. ryanwc says:


    Huh? Most organizations pay trainers to communicate effectively, and the better your slides are designed, the more effective. That stuff is shite.It looks to me like they take seriously that we’re ‘building a color-blind society.’ Whoever pulled together those slides was color-blind.

  36. lefty665 says:

    @ryanwc: I absolutely agree on the slides, they suck. We may find that color blindness correlates with the condition formerly known as asperger’s, or other common autism spectrum diagnoses associated with really, really bright folks.

    Bad as they are, the slides clearly convey that we’ve been massively had in several ways. I’d wager good money that there’s more and bigger ways in the slides that haven’t been released. Is there any doubt in your mind that we’ve been fucked? If not, the presentation worked.

    Slide quality reinforces my inference that this was for orientation/training. Click here, fill in this box, don’t forget to use all the resources. It is not selling anything, it is practical instruction on how to get results out of the system. It accomplishes that mission.

    Bitching about the graphics quality of the presentation seems a lot like complaining that the quality of the music on the Titanic went down at the end.

  37. orionATL says:


    The history of technology change recounted in this article you cite is very important to understand if one wants to understand, in turn, why dod/nsa has put us – both individual citizens and our nation – in the unacceptable position we are in now.

    As an aside, i note that if a congress&executive create an organization, like nsa, and empower it with both money and legal protection, that organization will act in the manner and direction it was empowered to act, without any regard, save lipservice lipservicewhen challenged, to either the current common good or the long-term common good.

  38. KellyCDenver says:

    Hi Rayne!

    So I’ve been cooking on this Prism thing for a while, what with the different companies responses to these slides. They’ve been so uniform and so earnest, and I’ve been scratching my head as to how they could deny “direct server access” indicating limited data returns to the NSA, and then NSA’s claims about direct server access.

    I’m concluding the answer is in semantics and web services known as WSDLs – Web Service Design Language.

    Web services are a common and newfangled way for servers/clients to request and respond to data requests.

    Inside every WSDL is an XSD – a common/exetensible design schema so that each requesting and responding system understands what data element is what; what it’s supposed to be, alpha, numeric and such, and if it’s a required element. This includes authorized users, and other such security ino.

    This is how Credit Card transactions work over the web. You have an account, and then it gets authorized to commit monies out of your account to complete your purchase.

    So I’m saying I think that some of these companies, Google, etc, have exposed WSDLs to Prism. I think that how Prism gets to a ~20M price tag is that it only asks those host companies on an ad-hoc basis, for which each request needs an authorization code, much like a Credit Card type WSDL, and that that auth code is produced by the authoritative FISA type grantor. IOW, something happening on a legal action basis.

    Then the web service – without human intervention, so it stays secret, goes and grabs the Host company (Google, etc) info with an authority token/password.

    So there is a “direct access” from the Prism asking point of view, but a “limited access” from the Host company point of view, but without an intervening human.

    Have I described this schema well enough?

  39. TomVet says:

    @P J Evans:
    Former boss Hayden said this exact thing on NPR last Sunday morning.

    MARTIN: It’s my understanding, though, that analysts who are making these determinations only have to be 51 percent sure that this person is a foreigner. That seems mushy.

    HAYDEN: Yeah, well, actually, in some ways, you know, that’s actually the literal definition of probable, in probable cause. And I understand. It makes Americans nervous. Fifty-one percent; you’re going to get some of these wrong. But, Rachel, the way this works is you get to do the first step, based on a belief that this is probably a foreign conversation. All right? But as you go through it, you are under a constant requirement to try to shred out whether you’re still sure it’s foreign or American. And if it’s American, you’re done.

  40. lefty665 says:

    Plausible source for the PRISM poweroint: “For his first week or two with Booz Allen, Snowden attended training sessions near Fort Meade, the Maryland military installation where NSA headquarters is located and where numerous agency contractors have offices.” The date stamp on the first slide is about right for that.

    @Kelly, trust you’ve seen this:

    Especially items under the headings of Communications & Networking and Information Management.

    Also, I’d wondered about NSAs public domain release of Accumulo. But with PRISM, now we know. Access did not do NSA much good if there was no efficient way to search the data once they were “in”. Viola, open source Accumulo so Google, et al can incorporate that tool into their internal data search structures. They all jump on it because it adds value to their commercial data sales. It’s a “twofer”, problem solved. Plus, it puts context to the argument that commercial providers already rape our data…


    You’ve described a plausible IO mechanism, and Accumulo is how their I gets the desired O. Thanks for the insight.

  41. KellyCDenver says:

    Here’s something everyone can try:

    Let’s examine an open API, not a secure one, against which ANYBODY can make a web service/WSDL

    Here’s one the FCC has made open –


    Returns the facility details (BTW this is why I think “facility” is an importnat word in the discussion these days):


    So what you do, and PLEASE, try this at home:

    Make a URL string that has this stuff first –


    Then to the end of that add your state and then .xml

    so like this:


    Copy that into your browser URL field, and you get a list of results for the state of Colorado

    That’s the sort of response that’s coded into a WSDL/API that a requesting system can consume

    So if you made an XSD/Definition sheet? Alla sudden WHAM that call you just made to that FCC open API server is now in your database.

    So did you just have direct access to a server? Yes, you did. :)

  42. KellyCDenver says:


    I just left an open API example, but it has a couple too many hyperlinks in it, so it’s in auto-spam moderation; but it indeed illustrates what we’re talking about here.

  43. P J Evans says:

    Some people, while not colorblind, have no sense of colors and what happens when you put together a bunch of them.
    I worked with a guy who liked to do maps and spreadsheets in colors like that. We finally got him to turn it down, about the time he went to a different department.

  44. @pmcall says:

    Sorry this is off topic but I didn’t know where else to pose this question. I just saw a thread on HuffPo that links to a story that appears in Foreign Policy.

    Inside the NSA’s Ultra-Secret China Hacking Group


    The publication Foreign Policy is owned by the Washington Post Company. My question is why would this story or something similar not appear in the Washington Post too? Are these publications totally separate even though the Post owns both? Do they not share information? It’s probably nothing but I just thought it was odd considering this is such a huge part of the NSA story. Was it already in the Post and I just missed it? Am I just looking too hard or is this weird?

  45. C says:

    @lefty665: It’s worth noting that the NSA, like the FED, was founded with a dual mandate to both hoover up others’ communications and to protect our own so their technology transfer may also be driven by that at least nominally.

  46. lefty665 says:

    @C:You’re right. Sec as important as Int. Both sides in the report I linked. Often crossover between them.

  47. Rayne says:

    @KellyCDenver: I think we are looking at a much more complex array of tools, including the egress through networked firewall appliances. Remember that networking equipment in the US is required to have backdoors, and that encryption is also not permitted unless NSA can crack it. While it’s quite likely WDSL is used by one or more of NSA tools, I will bet good money they are tapping existing databases directly, bypassing the WDSL layer.

    As for the price tag on PRISM: there are many ways to slice the price on this application’s development, implementation, and operation. A contractor can bury costs out of sight of government auditors.

    Let me point out we don’t know if this tool was developed by BAH or other contractor, to meet NSA specs, but possibly for use in other, wider applications by the originating contractor. What if this contractor has ways to monetize the tools use, reducing the price to the NSA?

    Yeah. That.

  48. Rayne says:

    @M & @William Ockham: Thanks, both of you; both of you make good points in your reasoning.

    I wonder if these slides fit an audience between these two groups?

    See @JohnT‘s comment above–the link he provided is particularly juicy. Based on the content at that link, the slides may be warmed over content from a previous presentation. If this is the case, it may explain why it appears to be both an internal promotion and a training tool.

    If the author of the content at that link is correct, we should also assume this content was prepared about the same time collection of Microsoft’s servers began under PRISM.

    So perhaps the slides were originally an explainer for management or then-SSCI/HCI members, tweaked much later to fit use for onboarding contractor n00bies.

    Suggests PRISM has been highly institutionalized within NSA as well.


  49. Rayne says:

    @lysias: Meant to come back to your comment and point out that in 2009, Operation Aurora began mid-year; Google didn’t disclose it until early 2010.

    In April 2009, the government revealed that a fighter jet project had been hacked and the origin appeared to be China.

    These are merely the biggest publicly-known hacks with Chinese origins for 2009, and would have merited some form of intense cyber response.

    But Chinese cyber attacks began years earlier, preceding even the first years of the Bush administration. Look up Moonlight Maze, Titan Rain, Shady Rat, all of which were followed by Operation Aurora and other unnamed skirmishes.

  50. SIGAD US-7 says:

    SIGAD US-984 is PRISM.

    The ‘X’ and ‘N’ in US-984XN, are meant to denote a wildcard for components of the sub designator or sub address. X repesents a placeholder for an alphabetic character, while N respresents a placeholder for a numeric character. For example, Microsoft would be US-984A and Yahoo would be US-984B. The first collection device at a Microsoft facility would be US-984A1 and the second US-984A2. The first collection device at a Yahoo facility would be US-984B1 and the second US-984B2.

  51. JKAbrams says:

    Re. the different logos, it could be the artifact of a broken conversion between formats where the alpha channel (the part of the logo that obviously should be transparent) is replaced by red. It is a
    common problem, I’ve seen it many times.

  52. Rayne says:

    @lb*/: Thanks for the link. In case you missed it, Marcy took note of Clapper’s semantic circus in a post a day earlier than EFF’s.

    @SIGAD US-7: That is extremely helpful, thank you. The taxonomy as you’ve laid out continues to support my theory as to why at least one of the social media companies claim they didn’t hear of PRISM before, and if asked about US-984XN they might similarly claim no knowledge any such program.

    The questions journalists and members of Congress should put to the social media companies identified as part of PRISM:

    — Has the company participated, voluntarily or involuntarily, in a government-sponsored program with a numeric taxonomic identifier?
    — If so, how was participation explained in terms of operation and scope?

  53. emptywheel says:

    @SIGAD US-7: Is that taxonomy true across servers? That is, if they’re collecting off a US-law MSFT server in the US but also one not subject to US law in Ireland, does the same system apply? Or only for stuff that has to go through US legal system?

  54. Greg Bean (@GregLBean) says:

    @jawbone: And it has always puzzled me why a country would spend so much on reducing the chance that a citizen would die from a terrorist attack, from the 1 in 40 million it currently is, to an even more miniscule level.

    What justifies such expenditure? Remeber, we are talking trillion$.

    But, if the expenditure was actually to monitor all communications of competitors, hidden behind a terrorist threat, now that makes perfect sense. Money well spent. Just don’t whatever you do let the rest of the world know you’re not competing, but cheating.

    So, now all of a sudden the absolute secrecy is also explained.

    Imagine the backlash if every country in the world realises that all commercial ‘competition’ that the US engages in is based on monitoring all competitor’s communications.

    Wow, don’t ever let that get out.

  55. Casual Observer says:

    The graphic discrepancy of the logos bothers me. I’m gathering that Greenwald received his copy of the .ppt significantly later than Gellman did, suggesting possibility that the .ppt had been changed (the logo, specifically) by its author in the intervening period. But this would mean that Snowden downloaded it twice from NSA, which seems prohibitively unlikely.

    I don’t think the discrepancy is at all trivial and deserves an answer.

  56. Rayne says:

    @Greg Bean (@GregLBean): Ding-ding!!

    I’ve been thinking about a brief post on this very subject: where’s the real return on this investment?

    Look at Carlyle Group’s stock price (majority stakeholder in Booz Allen Hamilton). The value isn’t reflected there. So where is it?

  57. Greg Bean (@GregLBean) says:

    @Rayne: Yes, where is the value. Exposing that would be Pulitzer Prize winning reporting, and I’m not a reporter so only suggest it as a very worthwhile effort.

    I am not sure how one would even start pursuing this, but on another blog, where I’ve made a similar comment, (my bad), I got this response.

    “This whole ‘war on terror’ is nothing but a Wall ST, bankster, and MIC/CIA money machine.
    Since WWll, we have never been threatened by war—we have instigated it.
    ‘Grand Theft Pentagon :Tales of Corruption and Profiteering in the War on Terror’ by Jeffrey St. Clair is a good read. And ‘Confessions of an Economic Hit Man’ by Perkins. ”

    I have not yet read these yet, but from their titles they appear to relate.

    The question that they would not have been able to raise/answer, as it was not known of when these where written, is, “is NSA spying a key component of this economic effort”.

    Linking back to the revelation that Cablegate exposed diplomacy as significantly for commercial advantage, another question is appropriate, “where do the US diplomats, who act as salesmen, get their information?”. Is it sourced from NSA spying?

    This whole idea, NSA spying for economic advantage, gets more logical with each previously unanswered question.

    – Why such vast expenditure for miniscule reduction in ‘terrorist’ risk
    – Why such astonishing secrecy
    – Where do US diplomats get commercial information they use when ‘selling’
    – where is the benefit

    If a single example can be found that ties these together, yup, ding-ding!

Comments are closed.