PRISM: The Difference between Orders and Directives

The AP has a story that lays out the architecture of how PRISM fits in with the rest of the government surveillance programs. The short version is, as much prior reporting supports, it uses PRISM to target communications it has collected, as packets, from the telecom backbone. Like the Section 215 dragnet (and consistent with James Clapper’s metaphor that the dragnet serves as the Dewey Decimal system to direct the government were to find the conversations it wants) it seems to serve to tell the government where to look to get more content.

The story is most valuable, in my opinion, for the distinction it describes between orders — which courts approve — and directives — which courts don’t.

Every year, the attorney general and the director of national intelligence spell out in a classified document how the government plans to gather intelligence on foreigners overseas.

By law, the certification can be broad. The government isn’t required to identify specific targets or places.

A federal judge, in a secret order, approves the plan.

With that, the government can issue “directives” to Internet companies to turn over information.

While the court provides the government with broad authority to seize records, the directives themselves typically are specific, said one former associate general counsel at a major Internet company. They identify a specific target or groups of targets. Other company officials recall similar experiences.

I’ve seen some apologist reporting that conflates these two, suggesting that the courts approve individual targets.

The entire point of FISA Amendments Act is to have the courts approve broader targeting.

As Russ Feingold warned four years ago, there is less oversight of how you get from orders to the procedures that make them compliant with the Constitution.

AP goes on to explain the danger to this scheme, though: there’s far less oversight over individual targets. Which can — and in 2009, at least — led the NSA to take US person data.

A few months after Obama took office in 2009, the surveillance debate reignited in Congress because the NSA had crossed the line. Eavesdroppers, it turned out, had been using their warrantless wiretap authority to intercept far more emails and phone calls of Americans than they were supposed to.

Remember, this overcollection was self-reported by the Obama Administration at the time, not discovered by the FISA Court. Good for the Obama Administration, though we’re trusting them at their word that the overcollection was unintentional.

As part of a periodic review of the agency’s activities, the department “detected issues that raised concerns,” it said. [snip]

The overcollection problems appear to have been uncovered as part of a twice-annual certification that the Justice Department and the director of national intelligence are required to give to the Foreign Intelligence Surveillance Court on the protocols that the N.S.A. is using in wiretapping. That review, officials said, began in the waning days of the Bush administration and was continued by the Obama administration. It led intelligence officials to realize that the N.S.A. was improperly capturing information involving significant amounts of American traffic.

But that raises one of the problems with the program. The court oversight is removed from the specificity of the collection, and the law, by design, prevents the court from double-checking whether the government does at the directive level what it says it will do at the order level.

Trust us.

Back in 2009, Obama assured us they had fixed the problem with overcollection.

Justice Department officials then “took comprehensive steps to correct the situation and bring the program into compliance” with the law and court orders, the statement said.

But then 3 years later, the FISA Court identified practices that did not comply with the Fourth Amendment.

It is also true that on at least one occasion the Foreign Intelligence Surveillance Court held that some collection carried out pursuant to the Section 702 minimization procedures used by the government was unreasonable under the Fourth Amendment.

And this time (perhaps because of Obama’s four year assault on leakers in the interim) we didn’t get any reporting in the press. Indeed, Ron Wyden had to force this statement’s declassification to prove claims Dianne Feinstein made to support renewal of the FISA Amendments Act were not entirely correct.

Trust us, they said again, as they were hiding the truth that the Court had found they had violated the Fourth Amendment.

It seems that every 3 years, we’re going to be told that this structure doesn’t provide for adequate oversight of the program. And then we’ll go on doing roughly the same thing.

19 replies
  1. Cujo359 says:

    One of the things that bother me about this is the likelihood of more false positives. The problem with false positives is that they can result in a lot of wasted investigative effort. If a computer decides that something looks like terrorist activity, say, it’s likely there’s at least some information that would persuade humans it looks the same. If the boss decides one of those false positives is the thing to look into, that’s where the effort goes, rather than in trying to figure out the correct answers to the more basic questions.

  2. Rayne says:

    For readers: Note these directives —

    National Security Presidential Directive #54, and Homeland Security Presidential Directive #23, as listed here:

    Both cover cyber security and were signed (12) days before Obama took office in 2008.

    See also Presidential Policy Directive #20, as listed here:

    All of the above are classified; only overviews of their contents are available for NSPD 54 and PPD 23.

    In contrast, Executive Order #13636, signed 12-OCT-2012 and listed here:

    and detailed here:

    is not classified, but much of it is intended to direct the action of private sector entities which are not national security primary contractors. This is not to say that NSPD 54 and PPD 23 do not contain directives under which private sector entities of all kinds must comply.

    Be sure to note in each of the lists of NSPDs, PPDs, and EOs just how many directives might also impact networked information technology and infrastructure, and how many directives are classified (the directive has been withheld).

    I do hope conservatives are rethinking their position on unilateral executive power.

  3. par4 says:

    If this is the tip of the iceberg I think the next revelations will have to be about banking. Domestic and more importantly international. I remember a few years back when Europe was tossing around the idea of a separate internet because of control of domain names. Obama waas against the idea IIRC.

  4. earlofhuntingdon says:

    Many thanks for this and your stellar work the past two weeks. Enjoy your party.

    A further comment about this and about Clapper’s take on overcollection of data. Clapper seems to assume its utility and effectiveness. He ignores its costs, both financially via its utter dependence on expensive private contractors such as Booz Allen, SAIC and Boeing. He ignores cost-benefit analyses of any kind.

    His claim that the governments’ current hoovering of telecoms traffic could or would have prevented 9/11, however laughable, is really a claim that current practices will prevent the next 9/11. “So leave me and my successor and the president alone,” he might say. “We have our jobs because we can make the tough decisions others can’t.” Right.

    Clapper’s implied claim about preventing any future 9/11, like creation “science”, is entirely unprovable. We’ll never know about program failures, nor successes, assuming there are any. State secrets, don’t you know. We can know this. These programs and the US’s insistence that military force be its first and sometimes only foreign policy (and domestic?) tool will make us less secure. They will multiply the number of people who think that their own violence will be all that can deflect the US juggernaut. Surely, there’s a better way.

  5. The Opium Wars says:

    had not made this connection but sounds plausible (then again, i really do not need any more reasons to protest / bring down the usa power structure LOL)

    Pentagon bracing for public dissent over climate and energy shocks

    NSA Prism is motivated in part by fears that environmentally-linked disasters could spur anti-government activism

    Why have Western security agencies developed such an unprecedented capacity to spy on their own domestic populations? Since the 2008 economic crash, security agencies have increasingly spied on political activists, especially environmental groups, on behalf of corporate interests. This activity is linked to the last decade of usa defence planning, which has been increasingly concerned by the risk of civil unrest at home triggered by catastrophic events linked to climate change, energy shocks or economic crisis – or all three.

    more at >>>>>>>>>

  6. C says:

    This makes sense. Note the slide on FAA702 surveillance which comments that “you should use both” this fits with the APs comments about targeting.

  7. earlofhuntingdon says:

    @The Opium Wars: The low odds of finding a potential criminal – be they a “terrorist”, a street hood or a bankster – before they commit a crime are quite low. The odds of finding false positives amid the clutter of countless bits of information is high.

    Two things seem dead certainties. One. Outsourcing 70% of routine and exceptional intel activities, with no oversight or accountability, would be enormously profitable. Politically, it would be Hoover’s files on digital steroids. Financially, it would be a blank check.

    Two. The massive collection of data on all US citizens with a phone or internet access, and their foreign counterparts, would be a great way to predict social unrest, to quash it, and to wreak havoc on the lives of those who would lead their neighbors to demand more accountable governments and corporate “citizens”. Evolution always finds new uses for existing features. Flaps and carapaces that keep a creature warm can turn into wings. That leads to locusts and vultures as well as mockingbirds.

    As we legitimately fight violent criminals of all stripes, those in a Savile Row suits and turbans, it would be useful remember Lord Acton’s homily: Absolute power corrupts; absolute power corrupts absolutely. Government agencies with endless budgets and no oversight are absolute powers in the making.

  8. GKJames says:

    Still flummoxed by “secret court order.” It renders hollow Obama’s assertion that everything was “approved by the court.”

    By the by, any idea whether (i) mainstream news orgs — especially NYT and Wash. Post — previously knew about PRISM etc.; and (ii) credit card companies have been feeding cardholder data to the government?

  9. cregan says:


    Good as the original post by EW was, and your reply, I think both miss a much bigger point.

    What is happening is very similar to the government saying, “Hey, we are going to put a camera in everybody’s house, but, don’t worry, we won’t turn it on unless we get a court order.”

    The knowledge that a camera was in your house, whether turned on or not, would be chilling. The knowledge your phone records are in government hands as well as internet data, capable of being looked over at some future date, is also chilling in a way that should not exist in the US. Doesn’t matter court order, specific, general, what-have-you, or directive or “we informed Congress.”

    The fact the capability and records are in place is chilling to privacy and freedom–even if nothing is ever done with it.

  10. Rayne says:

    @The Opium Wars: Any blame for negative sentiment about climate change aimed at DOD can be laid squarely upon the White House, Congress, and the DOD.

    White House, for failing to make the case to the public for growth based on green alternative energy AND conservation products.

    Congress, for being the paid whores of Koch Bros. time and again, the spineless bastards.

    And DOD, for failing to strongly advocate for their own Quadrennial Defense Review, the last two of which have warned strongly about the risks of climate change and an existential need to change to alternative energy since energy is DOD’s biggest ticket line item expense.

    In the mean time all three entities have pissed away beaucoup opportunities and capital on cyber security that doesn’t actually work to make us more secure.

  11. P J Evans says:

    The PR pushback is ON!

    Note that this ‘story’ is so free of details and actual sources that it’s useless as anything but a PR release.

  12. Rayne says:

    @P J Evans: And they need to play hard because it’s coming down in buckets now.

    NSA admits listening to U.S. phone calls without warrants
    by Declan McCullagh June 15, 2013 4:39 PM PDT

    “The National Security Agency has acknowledged in a new classified briefing that it does not need court authorization to listen to domestic phone calls.

    Rep. Jerrold Nadler, a New York Democrat, disclosed this week that during a secret briefing to members of Congress, he was told that the contents of a phone call could be accessed “simply based on an analyst deciding that.”

    If the NSA wants “to listen to the phone,” an analyst’s decision is sufficient, without any other legal authorization required, Nadler said he learned. “I was rather startled,” said Nadler, an attorney and congressman who serves on the House Judiciary committee.

    Not only does this disclosure shed more light on how the NSA’s formidable eavesdropping apparatus works domestically it also suggests the Justice Department has secretly interpreted federal surveillance law to permit thousands of low-ranking analysts to eavesdrop on phone calls.

    Because the same legal standards that apply to phone calls also apply to e-mail messages, text messages, and instant messages, Nadler’s disclosure indicates the NSA analysts could also access the contents of Internet communications without going before a court and seeking approval. …”

  13. Citizen92 says:

    Remember when Dick Cheney had White House e-mail hardwired so everyone’s e-mails were bcc’d to the Veep’s staff? Good times.

    On another note, let’s hope they’ve got this stuff locked down, especially if Snowden is telling others where to look for it.

  14. lefty665 says:

    @Rayne: So why the subpoenas for Rosen and AP? They had the data, they had the authority to listen, they had the prosecution under the Espionage Act? Why not just show up in court with it? Cover?

    Makes Holder’s blather about wanting to change the law so they don’t have to claim a journalist is a criminal to access phones another case of too cute by !@#$%^&*()_ half.

    I half remember a report of a Fed telling Risen approximately “This is the last time we’ll have to do this” or “We won’t have to do this in the future”, “We’ve got it all now”.

  15. Jessica says:

    A bit off topic, but there was a Wired article from last year about Gadhafi’s Internet surveillance program ( and all of the revelations from the last week or so brought it to mind. It specifically mentioned capturing all Internet traffic and filtering it through a database – being an avid follower of EW and Greenwald, among others, I already knew such things were “rumored” to exist here, so I remembering thinking, at the time, that Gadhafi’s program sure sounded like ours, except that ours wasn’t (yet) linked to a database. Seems that was an incorrect assumption on my part. Anyhow, I thought y’all might find it an interesting read. Here’s a snippet:

    “…a secret deal Gadhafi had made with a company called Amesys—a subsidiary of the French defense firm Bull SA—for technology that would allow his spy services to access all the data flowing through Libya’s Internet system. In a proposal to the regime dated November 11, 2006, Amesys (then called i2e Technologies) laid out the specifications for its comprehensive Homeland Security Program. It included encrypted communications systems, bugged cell phones (with sample phones included), and, at the plan’s heart, a proprietary system called Eagle for monitoring the country’s Internet traffic.

    A related Amesys presentation explained the significance of Eagle to a government seeking to control activities inside its borders. Warning of an “increasing need of high-level intelligence in the constant struggle against criminals and terrorism,” the document touted Eagle’s ability to capture bulk Internet traffic passing through conventional, satellite, and mobile phone networks, and then to store that data in a filterable and searchable database. This database, in turn, could be integrated with other sources of intelligence, such as phone recordings, allowing security personnel to pick through audio and data from a given person all at once, in real time or by historical time stamp. In other words, instead of choosing targets and monitoring them, officials could simply sweep up everything, sort it by time and target, and then browse through it later at their leisure. The title of the presentation—”From Lawful to Massive Interception”—gestured at the vast difference between so-called lawful intercept (traditional law enforcement surveillance based on warrants for specific phone numbers or IP addresses) and what Amesys was offering.”

  16. Rayne says:

    @lefty665: My guess is that they not only effed with the Fourth but the First Amendment, putting CYA at a premium.

    @Jessica: This is another reason (besides the example set a few years ago with Violet Blue’s why I refuse to use any URL shortener with an .ly ending (like Libya can actively monitor everything on its .ly domain.

  17. P J Evans says:

    It’s wonderful what can be done when the government controls all the communication in and out of a country. (Or not wonderful.)

Comments are closed.