June 7, 2013

Are the NSA's PRISM slides photoshopped?

(Updated: June 10, 2013)

Yesterday, Thursday June 6, The Washington Post and The Guardian came with a breaking news story about a Top Secret NSA program called PRISM, which reportedly collects data directly from the servers of nine major internet companies like Microsoft, Google, Facebook, Skype and Apple.

Many of these firms have already denied that the government has access to their networks. Today both president Obama and director of National Intelligence James Clapper said there is no gathering of information about US citizens or of any person located within the United States.

> The latest information: What is known about NSA's PRISM program

The Guardian claimed to have obtained 41 slides of an NSA presentation about the PRISM collection program, and showed some of them on its website. But some strange looking details caused a number of people, especially on Twitter, think the slides might be fake.

Here we take a more close look at these slides, which, if genuine, give a very rare look at a recent Top Secret document from the US National Security Agency.

The strangest thing about the slides is probably the PRISM program logo, which is shown at the top right side of each slide. On the Guardian website this logo is also shown separately with an orange background box - the same way it appears on their slides. But as we look at the same slides on the website of The Washington Post, we see that the orange background has been cropped away.

This can only mean that the logo was added somewhere afterwards, and therefore wasn't part of the original slide deck. On Twitter, it was also noticed, that the PRISM logo was made by using a standard clipart image.

One of the journalists of The Guardian explained on twitter, that these differences between the slides are caused by using different powerpoint readers (The Guardian using OpenOffice).

Details and explanation of the first PRISM slide

This does not automatically mean the whole slide deck is fake, so let's take a closer look at the rest of the slide contents:

- At the top left and the bottom right corner of each slide we see the standardized classification marking line, showing the classification level and the dissemination control markings. In this case the slides are marked: TOP SECRET // SI // ORCON // NOFORN, which combines:

TOP SECRET - the classification level, meaning that public disclosure of the document would cause 'exceptionally grave damage' to national security.

SI - Special Intelligence, formerly known as COMINT or COMmunications INTelligence, which means this document is part of a control system for Sensitive Compartmented Information (SCI).

ORCON - ORiginator CONtrolled, meaning the originator controls dissemination and/or release of the document. Therefore these are always viewed in secured areas that are cleared for top-secret data and one cannot view or copy such a document without leaving an audit trail.

NOFORN - NO FOReign Nationals, meaning distribution to non-US citizens is prohibited, regardless of their clearance or access permissions.

- At the top of each slide we also see the logos of the internet companies involved in the PRISM program. The way these logos are grouped at the top of each slide looks not very professional, it distracts from the content and there's also no good reason for showing them on every slide. Therefore this part is also seen as a typical photoshop work.

- Top left we also see a seal with the words Special Source Operations, which is a department of the NSA responsible for important intelligence collection programs. This seal cannot be easily found elsewhere on the internet and looks well designed, so is most likely real.

- The title of the presentation is: PRISM/US-984XN Overview or The SIGAD Used Most in NSA Reporting Overview. SIGAD is the abbreviation of SIGINT Activity Designator, which is a unique addresss for every signals intelligence collection station, ship, or method and consists of a country code followed by alphanumeric characters. Thus the second part of the title (The SIGAD Used Most in NSA Reporting) refers to the first part, where US-984XN is the SIGAD of the PRISM program.

- Underneath the title there's a line which is partly (Guardian) or fully (Washington Post) blacked out. From what we can read, this line most likely started with the name of the person being the PRISM collection manager, followed by a kind of service/department number. Understandably the name has been blacked out because of privacy and security reasons, and the American paper even blacked out the rest.

- Finally, at the bottom right we see a red bordered box with three lines:
Derived from: NSA/CSSM 1-52 - meaning this was derived from the NSA/CSS Manual 1-52 about Classified National Security Information, which describes additional responsabilities of holders of NSA/CSS protected information.
Dated: 20070108 - meaning the presentation was derivative of work dated January 8, 2007, which appears to be the date of the NSA/CSS Manual 1-52.
Declassify On: 20360901 - meaning the slide deck was meant to be declassified on September 1, 2036. In general, this has to be 25 years from the date of the document’s origin, which seems to indicate that this presentation was classified on September 1, 2011, allthough the first slide itself is dated April 2013.

After this close look at the first slide of the PRISM presentation we have seen that there are a few strange elements, but also that most of the content looks realistic.

Another difference between the slides

Not only there's a difference between the PRISM logo on the slides at the Guardian and the Washtington Post websites, but, as noticed at this website, also on the slide showing in which years the various internet companies were "added" to the program:

As we can see in the picture, the slide on the Guardian website shows a different green arrow underneath the yellow circles than the Washington Post slide does. Both papers each seem to have some slightly different slides, which is quite strange if they really obtained a copy of such a higly classified slide deck.

One of the journalists of The Guardian explained on twitter, that these differences between the slides are caused by using different powerpoint readers (The Guardian using OpenOffice).

As the presentation concerns signals intelligence, it has to be handled either trough the highly secured JWICS network used by the US intelligence community, or through NSAnet, which is the classified intranet of the NSA. It looks like PRISM is related to NSAnet, as one of the slides says: "Complete list and details on PRISM web page: Go PRISMFAA". Using a command like this appears to be common practice for NSAnet.

As it is very difficult and risky to get the slides themselves out of NSA's control, it is of course far more easy for someone who has seen the presentation, to tell a journalist what was in it. Then some graphic artist at the newspaper could have made these slides according to what was told to him. In this way, the differences between the slides of both newspapers can easily be explained by an internal messing up of some different versions.

The story revised?

Meanwhile, the Washington Post (because they had rushed the publication?) had to walk back a bit from its initial claims by citing a second classified report that identified PRISM as a program to "allow ‘collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations,’ rather than directly to company servers."

Also the New York Times came with a story which says that each of the large internet companies negotiated with the government about handing out information. As far as this concerns non-US citizens, they are legally required to share the data under the Foreign Intelligence Surveillance Act (FISA) and in this way these companies are providing intelligence agencies like NSA with specific data in response to individual court orders.

These FISA orders can range from inquiries about specific people to a broad sweep for intelligence, like logs of certain search terms. Last year there were 1856 of such FISA requests. In order to make this more easy, some companies agreed with NSA to transmit these data electronically, using company’s servers or even government equipment at a company location. This however is different from giving the NSA wholesale bulk access to user data.

This version of the PRISM story was more or less confirmed by Director of National Intelligence (DNI) James Clapper, who released a statement with a fact sheet (PDF), which says "PRISM is not an undisclosed collection or data mining program. It is an internal government computer system used to facilitate the government’s statutorily authorized collection of foreign intelligence information from electronic communication service providers under court supervision".

More about classification markings

Earlier on the evening of June 8, The Guardian published another slide, to clarify that PRISM, which involves data collection from servers, is distinct from four different programs involving data collection from "fiber cables and infrastructure as data flows past".

This newest slide (shown left in the picture above) seems to have an omission, which can also be seen in some of the earlier slides: allthough they have the obligatory classification line (as described above), and the slide title is marked with the so called portion marking (the (TS//SI//NF) which is an abbreviation of the full classification line), this portion marking is missing in the content.

As the DoD and intelligence community Classification Markings Manuals prescribe, all content of briefing slides, including bullets, captions, titles, and embedded graphs, charts and figures, have to be marked with portion markings at the beginning of each portion (except when a waiver for the portion marking has been obtained). This because parts of a document classified as Top Secret can have a lower classification level or can even be unclassified, which also clearly applies to some of the paragraphs of the slides.

Again, this omission alone does not mean these slides are fake, it's also possible that the author of the presentation was simply somewhat lazy. At least in case of the slide titled "Introduction. U.S. as World's Telecommunications Backbone" the content is public information, for which the overall Top Secret classification would clearly not be justified.

A correct implementation of the portion marking can be seen in some slides about the NSA's BOUNDLESSINFORMANT data mining tool, which were disclosed by The Guardian on June 8. Here we see the slides are marked as TOP SECRET // SI // NOFORN within an orange bar, which is the color code for Top Secret, but with the separate text portions marked as (U//FOUO) as they are Unclassified // For Official Use Only:

With correct markings and a more professional look, these new slides look more credible than those of the PRISM presentation. As government agencies apparently often produce bad looking presentations, this alone doesn't make the PRISM slides fake, but we always should be aware of things like hoaxes, sensationalism and disinformation from whatever source, and at the same time don't get trapped into conspiracy theories.

Other PRISM programs

As there are still questions about what exactly NSA's PRISM program does, it became clear that there are also a number of other intelligence and security related programs called PRISM, which may cause some confusion:

The journalist Matthew Keys discovered that in 2007 a classified Defense Intelligence Agency (DIA) intelligence job listing mentions "national intelligence community collection management systems" like PRISM, COLISEUM and HOT-R. A DIA job listing from earlier this year requires "Experience working in collection requirements management systems and procedures, to include PRISM, HOT-R, GIMS, NSRP, TORS, OSCR, COLISEUM, and CMST"

As this are DIA jobs, it seems however that this PRISM system is different from the one of the NSA. At the website of defense contractor IIT, PRISM is explained as an abbreviation of the "Planning tool for Resource Integration, Synchronization and Management", which just like COLISEUM, seems to be used in the field of Geospatial Intelligence, which analyses satellite imagery of the earth. In this way, PRISM is also mentioned in a number of documents on the Cryptome website. These are dating back to 2003, which is four years before the alledged start of the NSA PRISM internet program in 2007.

> More about this confusion: Is PRISM just a not-so-secret web tool?

The existence of what looks like a third PRISM system was unveiled by this PDF document at the Cryptome website. This document, dated March 21, 2004, describes PRISM (Protect, Respond, Inform, Secure, and Monitor) as a Homeland security Command and Control (C2) decision support system, providing a single end-user application for messaging, alerting, geo-referenced mapping, and asset tracking.

A program called PRISM is also used by the US Secret Service, where this is an acronym which stands for Protective Research Information System Management (PRISM-ID). This system is used to record information that required to assist the agency in meeting its protective mission that includes the protection of the President, and other top level officials. More about this program can be found in this PDF document from 2010 at the Cryptome website.

Links and Sources
- The Washington Post: U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program
- The Guardian: NSA Prism program taps in to user data of Apple, Google and others
- Business Insider: Is The Claim That The Government Has A Direction Connection To Tech Companies A Lie?
- Forbes: Startup Palantir Denies Its 'Prism' Software Is The NSA's 'PRISM' Surveillance System
- New York Times: Tech Companies, Bristling, Concede to Federal Surveillance Program
- ABC News: 4 Unanswered Questions About NSA Leaks
- The 2011 Intelligence Community Classification and Control Markings Implementation Manual (PDF)
- The 2012 DoD Marking of Classified Information Manual (PDF)
- ZDNet: The real story in the NSA scandal is the collapse of journalism
- The Week: Solving the mystery of PRISM


mrkoot said...

"This can only mean that the logo was added somewhere afterwards, and therefore wasn't part of the original slide deck."
IMHO, a different explanation should be tested first: could the difference be explained by differences in the process between obtaining the slides and the publication of the images? Various image formats (PNG, GIF, ...) allow transparency via alpha channels, and JPG is not one of them. When a PNG/GIF/etc. image is exported to JPG format, the transparent parts become opaque, which might cause that red background. Possibly, WashPost deemed noticed & corrected it, and Guardian did not.

FWIW: The green arrow on the slide "PRISM Collection Details" is also different between both versions: when superimposing both versions, there is no way to get a match using any linear transformation. For this, as well as the difference in the green arrow you mention, it should be tested whether it can be explained by Guardian & WashPost using different software to read the slides. I.e., is it possible to create a slide containing an arrow-like shape that is displayed differently when opened using whatever software Guardian used than when it's opened using whatever software WashPost used?

Anonymous said...

The differences between the Washington Post and Guardian versions of the sides are easily explained by different software opening the same Powerpoint file. As for the critiques of the design being sloppy, distracting, or unprofessional, it seems as if the author has not spent a lot of time reading US government Powerpoint presentations. The poor design and use of clip-art actually speak in favor of the document's authenticity, although this is of course easy to fake.

Anonymous said...

is CLEAR that both were readed using different reader, the differences makes it legit
ie. one can see transparency, the other not (logo)
same thing for the next differences

Anonymous said...

One of the Guardian journos has responded on Twitter:

James Ball ‏@jamesrbuk
To those noting discrepancies between our slides and the WaPo's (http://bit.ly/199svS5 ) - note we use OpenOffice and it renders differently

PCMcGee said...

The slides are dated April. Greenwald has stated publicly on twitter that he has been working with his source since February. JS

Anonymous said...

Sorry, the idea that 'more professional looking' means more likely to be genuine is an argument that would only be used by people who are not familiar with military / intelligence presentation style. One of the things I remarked on in passing in my thesis 12 years ago was how amateurish (or perhaps no-nonsense) the style of military strategic and program documents and slides. It's completely normal in the context. This is information provision not marketing and they aren't really that interested in making things smooth and 'convincing'.

Anonymous said...

We are going to reveal the more important part: The programming for *using* the impossibly voluminous data collected. There are programs that utilize theories at the fringes of mathematics to associate individuals of interest and allow their neutralization.

Ironically the NSA and CIA utilization programs are related to network theory used by AT&T for many years. AT&T has long been a quasi-governmental institution and Verizon is a spinoff of AT&T.

You can modify your behavior to avoid detection.

Anonymous said...

FYI, the IIT, DIA and NSA PRISMs are actually to the same thing. SAIC is the actual dev. The other two you found (DHS and Secret Service) are old software names, nothing to do with this; neither does Palantir's Prism, or Compusearch's Prism, for that matter.

The original stories treated PRISM as an NSA codeword: it's not. It's just the name of the application, which doesn't do any fancy data mining or drop boxing or analysis, just request/task tracking for the national intelligence offices, including the NSA's OSS office, for process-tracking its FISA 702 requests to private companies. Clapper's statement is literally accurate: that's also why the companies would have no knowledge of the name.

Anonymous said...

Greenwald is doing the public a disservice by keeping the slides secret. What a coward.

Anonymous said...

FWJ-CapeTown-you have a very interesting article here ,intelligence,what is its purpose?is for the collection of data by a country to determine if there is a (Internal-External Threat)to its national security infrastructure,its worldwide intelligence,you spy on me,i spy on you,in essence it means any country can monitor who they like in co-operation agreements,today's threats are not restricted to physical threats,they are cyber threats and they are real,a cyber warfare attack on any system can render that system useless in under 10secs, and will keep it useless infrastructure,for that reason,if what is shown here,is not new at all,every time any person globally connects to the internet,that person is under surveillance,it falls under (National Covert Surveillance)includes the interception of the following
(Emails)(Internet Phone Calls)(social Media Platforms)(Cellular and Landline And Radio Communications Services and systems)(physical Covert Activities)(postal Articles)your threats to any countries national security aren't restricted anymore,its that simple to understand,your firewall,antivirus,anti spyware is worth absolutely nothing on your PC,with covert stealth ware,its possible to literally walk through any protected system via the internet,because its designed for only 1 purpose,the collection of internet data,cyber criminals ,hackers,crackers use it,to gain access,governments monitor any person any country,whether its legal?illegal?known?unknown?-that is how (International intelligence Collection of data)operates,what is shown here inst new its old news,that is part of how the whole intelligence operates,its sole purpose is for the collection and analysis of potential threats to any countries national security.
stealth-ware is not public ally known,its disguised to sit on a users hard-drive hidden in the operating system,every time a user connects to the internet it collects,monitors,the movements,keystrokes,every movement in cyberspace is monitored 24-7,

Anonymous said...

FWJ-the slides shown here have been produced externally,from a possible inside source who had access to confidential information,it is physically impossible to remove any such information from such a highly classified operational infrastructure,because of electronic,digital protection measures in forced,all internal,external IT data is protected,every activity on any pc,workstation in that NSA center is monitored,incoming,outgoing,all solid waste outgoing,all cyber activities,all physical movements of staff,you looking at an internal protection system that there to protect all data,these slides are merely a presentation of what the perceived operations are of the PRISM system,they show how data is collected,that is normal standard procedures,so the internal source produced these slides externally as to what he,she observed on the inside,the relevant details listed here indicate precisely that,its impossible to physically remove that type of information,doors will have xray scanners,that scan every persons movements in that building,and will show exactly what going on,the electronics involved there falls under protection of highly sensitive data

Anonymous said...

It would have been simpler to point out that this statement, "This can only mean that the logo was added somewhere afterwards, and therefore wasn't part of the original slide deck." was incorrect, therefore any speculation built upon this statement is probably also incorrect.

It would seem a lot more honest to simply point out that this is just an exercise in extended speculation.

P/K said...

This article was written only one day after the slides were released and a number of people also noticed these oddities. We examined them, and as you can read, it stated out that some of them can be explained by the use of different PowerPoint readers. See it as a trial-and-error proces, which provided some clarification about things which initially looked strange.

carlene123 said...

I am impressed by the quality of information on this website. There are a lot of good resources here. I am sure I will visit this blog again soon.Wholesale Military Catalog

Anonymous said...

Where can we see the slides rendered as they are supposed to be?

It is very difficult to find good versions of the slides (as opposed to the newsprint resolution formats).

Could someone persuade The Guardian and Washington Post (etc) to put better rendered slides and better resolution slides somewhere (like Crypome for instance which has some terribly rendered slides)?

The ideal would be to make the slides available in Powerpoint format, but I suppose that would be hard with the redactions (I am not objecting to the redactions per se).

Anonymous said...

This web site definitely has all of the information I wanted
concerning this subject and didn't know who to ask.

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties