Wednesday, 12 June 2013

What does Prism tell us about privacy protection?

President Obama has defended US surveillance tactics, but whistleblower Ed Snowden said he was "horrified" by the activities

Both international governments and the world's biggest tech companies are in crisis following the leaking of documents that suggest the US government was able to access detailed records of individual smartphone and internet activity, via a scheme called Prism.
Last night Ed Snowden, a 29-year-old former technical worker for the CIA, revealed himself to be the source of the leaks in an interview with the Guardian news website.
US director of national intelligence James Clapper described the leaks as "extremely damaging" to national security, but Mr Snowden said he had acted because he found the extent of US surveillance "horrifying".

What could the US government see?

According to the documents revealed by Ed Snowden, the US National Security Agency (NSA) has access on a massive scale to individual chat logs, stored data, voice traffic, file transfers and social networking data of individuals.
The US government confirmed it did request millions of phone records from US company Verizon, which included call duration, location and the phone numbers of both parties on individual calls.

How surveillance came to light

  • 5 June: The Guardian reports that the National Security Agency (NSA) is collecting the telephone records of millions of US customers of Verizon, under a top-secret court order
  • 6 June: The Guardian and the Washington Post report the NSA and the FBI are tapping into US internet companies to track online communication, in a scheme known as Prism
  • 7 June: The Guardian reports President Obama has asked intelligence agencies to draw up a list of potential overseas targets for US cyber-attacks
  • 7 June: President Obama defends the programmes, saying they are closely overseen by Congress and the courts
  • 8 June: US director of national intelligence James Clapper calls the leaks "literally gut-wrenching"
  • 9 June: The Guardian names former CIA technical worker Edward Snowden as the source of the leaks

According to the documents, Prism also enabled "backdoor" access to the servers of nine major technology companies including Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube and Apple.
These servers would process and store a vast amount of information, including private posts on social media, web chats and internet searches.
All the companies named have denied their involvement, and it is unknown how Prism actually works.
Some experts question its true powers, with digital forensics professor Peter Sommer telling the BBC the access may be more akin to a "catflap" than a "backdoor".
"The spooks may be allowed to use these firms' servers but only in respect of a named target," he said.
"Or they may get a court order and the firm will provide them with material on a hard-drive or similar."

What about data-protection laws?

Different countries have different laws regarding data protection, but these tend to aim to regulate what data companies can hold about their customers, what they can do with it and how long they can keep it for - rather than government activity.
Most individual company privacy policies will include a clause suggesting they will share information if legally obliged - and include careful wording about other monitoring.
Facebook's privacy policy, for example, states: "We use the information [uploaded by users] to prevent potentially illegal activities".

Are we all being watched?

UK Foreign Secretary William Hague said "law abiding citizens" had nothing to fear

The ways in which individual governments monitor citizen activity are notoriously secretive in the interests of national security, and officials generally argue that preventing terrorism overrides protecting privacy.
"You can't have 100% security and also then have 100% privacy and zero inconvenience," said US President Barack Obama, defending US surveillance tactics on Sunday.
Speaking to the BBC, UK Foreign Secretary William Hague said that "law abiding citizens" in Britain would "never be aware of all the things... agencies are doing to stop your identity being stolen or to stop a terrorist blowing you up".

Does it make a difference which country you live in?

User data (such as emails and social media activity) is often not stored in the same country as the users themselves - Facebook for example has a clause in its privacy policy saying that all users must consent to their data being "transferred to and stored in" the US.
The US Patriot Act of 2001 gave American authorities new powers over European data stored in this way.
This method of storage is part of cloud computing, in which both storage and processing are carried out away from the individual's own PC.
"Most cloud providers, and certainly the market leaders, fall within the US jurisdiction either because they are US companies or conduct systematic business in the US," Axel Arnbak, a researcher at the University of Amsterdam's Institute for Information Law, told CBS News last year after conducting a study into cloud computing, higher education and the act.
"In particular, the Foreign Intelligence Surveillance Amendments (FISA) Act makes it easy for US authorities to circumvent local government institutions and mandate direct and easy access to cloud data belonging to non-Americans living outside the US, with little or no transparency obligations for such practices - not even the number of actual requests."

Are other governments involved?

UK Foreign Secretary William Hague has so far refused to confirm or deny whether British government surveillance department GCHQ has had access to Prism but is expected to give a statement to Parliament today.
It is not known whether other governments around the world have been either aware of or involved in the use of Prism, which is reported to have been established in 2007.
In a statement, the EU Justice Commission said it was "concerned" about the consequences of Prism for EU citizens and was "seeking more details" from the US authorities.
"Where the rights of an EU citizen in a Member State are concerned, it is for a national judge to determine whether data can be lawfully transmitted in accordance with legal requirements (be they national, EU or international)," said a spokesperson for Justice Commissioner Viviane Reding.

What does this mean for internet use?

Edward Snowden (picture courtesy of the Guardian) said he "did not want to live in a society that does these sorts of things"

William Hague insists that law-abiding citizens have nothing to worry about, and there is no legal way of "opting out" of monitoring activity carried out in the name of national or global security.
However, privacy concerns about information uploaded to the internet have been around for almost as long as the internet itself, and campaign group Privacy International says the reported existence of Prism confirms its "worst fears and suspicions".
"Since many of the world's leading technology companies are based in the US, essentially anyone who participates in our interconnected world and uses popular services like Google or Skype can have their privacy violated through the Prism programme," says Privacy International on its website.
"The US government can have access to much of the world's data, by default, with no recourse."
Edward Snowden, the source of the leaked documents, said he had acted over concerns about privacy.

"I don't want to live in a society that does these sort of things… I do not want to live in a world where everything I do and say is recorded," he told the Guardian.

PRISM-Lite: India also uses US-type cyber monitoring

A malware attack was launched against the closing ceremony of the Commonwealth Games in October 2010. Indian cyber security snoops traced it to a computer in an Ashoka Hotel VIP suite, and switched off the machine. “This was one of the 8,000 such attacks made against the Commonwealth Games infrastructure,” said informed sources.

India has largely finished rolling out a revamped cyber security structure for the country, covering not only surveillance but also duller aspects like laws and administration.

India’s cyber security programmes also use metadata-based systems like the recently exposed US National Security Agency’s PRISM system. “We are into metadata usage,” said a source. Such programmes do not snoop into the contents of electronic communication. They search for patterns in the manner emails, phone calls and SMSes are sent and delivered. “We don’t get into individual emails.”

India’s metadata system’s name and technical specifics are unknown. But it is much simpler than the US one.

It does not store and analyse communications in anything as detailed a fashion as PRISM. It is run by the telecom department and the Computer Emergency Response Team, not the intelligence agencies.

“Our system does not collect specific data, not even names,” said a source. “If we go into individual emails, we have to seek legal permission.” The limits to such surveillance are laid out in the amended Information Technology Act.

The plan is to let the present cyber security framework function for 2-5 years, allowing the government to “learn lessons” on how to improve it. With 15 states and many government bodies having set up cyber security panels, much of the administrative backbone is in place. The main concern is the poor cyber security awareness in the broader population. There are hopeful signs: secureyourpc.in gets 100,000 hits a day.

“It is not possible to ensure 100% security,” say sources. “But no cyber intrusion has been able to compromise the country’s national security yet.”

“Other governments regularly check us out with cyber attacks, check out our systems, attempt intelligence acquisition… they test to see how good we are.” Why else, the sources noted, attack the infrastructure of the Commonwealth Games, something of no practical use?

Will India develop a cyber offensive capacity? Notably, the new structure does not include regulations limiting what India can do in the cyber realm outside its borders.

PRISM snitch claims NSA hacked Chinese targets since 2009

PRISM snitch Edward Snowden now claims to have data which proves the NSA has been hacking hundreds of civilian targets in China and Hong Kong since 2009.

Public officials, businesses and students as well as the Chinese University of Hong Kong were among the targets in the former British colony, Snowden told the South China Morning Post.



The former information security engineer at defence contractor Booz Allen Hamilton (the firm just fired him) showed the paper unverified documents purporting to reveal attacks on Hong Kong and mainland targets.

“We hack network backbones – like huge internet routers, basically – that give us access to the communications of hundreds of thousands of computers without having to hack every single one,” he told the paper.

However, Chinese military targets apparently weren’t among those shown in the data and there’s no additional info in the story about exactly what level of access these attacks gave the NSA.

Snowden claimed his new revelations were designed to expose “the hypocrisy of the US government when it claims that it does not target civilian infrastructure, unlike its adversaries”.

However, it should come as no great surprise that US security forces are actively monitoring and gathering intelligence on targets in China and around the world, although it comes at an awkward moment for the Obama administration as it tries to persuade the PRC to tone down its prolific government-sponsored IP theft.

Snowden's allegations should play well locally inasmuch as he wants to resist extradition to the US, despite a long-standing bilateral agreement between Washington and Hong Kong meaning barriers to his deportation are low.

Whether he is now an attractive enough asset for Beijing to want to keep hold of remains to be seen, but there is growing support for him on both sides of the Pacific.

Over 65,000 Americans have signed a White House petition calling for Snowden to be pardoned, while in Hong Kong a rally will be held in support of him in Chater Garden this Saturday.