June 23, 2013

Is PRISM just a not-so-secret web tool?

(Updated with an infographic on June 30, 2013)

Since The Guardian first published about the PRISM data collection program on June 6, there have been new disclosures of top secret documents almost every day, resulting in some fierce protests against apparently illegal wiretapping by the NSA and GCHQ. However, it remains unclear what PRISM actually is or does, as The Guardian didn't provide any new details or disclosed more than 5 of the 41 presentation slides about the program.

This makes it hard to determine whether PRISM really is the illegal or at least embarrassing program which most people now think it is. Especially, because it could even be the hardly secret Planning tool for Resource Integration, Synchronization and Management (PRISM), which is a web-based tool to manage information requests widely used by the US military. Here we will take a closer look at this program and try to determine whether this could be the same as the PRISM revealed by The Guardian.

> The latest information: What is known about NSA's PRISM program

Planning tool for Resource Integration, Synchronization and Management

The earliest document which mentions the Planning tool for Resource Integration, Synchronization and Management (PRISM) is a paper (pdf) from July 2002, which was prepared by the MITRE Corporation Center for Integrated Intelligence Systems. The document describes the use of web browsers for military operations, the so-called "web-centric warfare", for which intelligence collection management programs were seen as the catalyst. These programs fuse battlefield intelligence information with the national data that they already possess, in order to provide a complete picture to their users.

PRISM was developed by SAIC (formerly Science Applications International Corporation, a company that was also involved in the 2002 TRAILBLAZER program for analyzing network data). The program was originally prototyped and fielded for the US European Command, but is also being used in other military operation areas such as Iraq. Involved in the establishment of PRISM was Ron Baham. His LinkedIn profile says that he currently is senior vice president and operations manager at SAIC and that he worked on CMMA PRISM at JDISS from 2000 - 2004, so PRISM might be developed somewhere between 2000 and early 2002.

On an older page of its website, SAIC says that the PRISM application allows theater users, in various functional roles and at different echelons, to synchronize Intelligence, Surveillance and Reconnaissance (ISR) requirements with current military operations and priorities. The application was first developed for use on JWICS, the highly secure intelligence community network, but is now also being used on SIPRNet, the secure internet used by the US military.

Screenshot of the PRISM Input Tool (EEI = Essential Elements of Intelligence)
source: GMTI Utility Analysis for Airborne Assets (pdf)

Other sources clarify that PRISM consists of a web-based interface which connects to PRISM servers, and that it's used by a variety of users, like intelligence collection managers at military headquarters, to request the intelligence information which is needed for operations. These requests are entered in the PRISM interface, which sends them to the PRISM server. From there the request goes to units which collect the raw data. These are processed into intelligence, which then becomes available through the PRISM server.

PRISM is able to manage and prioritize these intelligence collection requirements to ensure critical intelligence is timely available to the commander during crisis operations. The application integrates these requirements and, with other tools, generates the so called daily collection deck. PRISM also provides traceability throughout the so-called intelligence cycle, from planning through exploitation to production.

The PRISM application made by SAIC is still widely used. It's mentioned in joint operations manuals from 2012 and in quite a number of job descriptions, like this one from March 2013 for a systems administator in Doha, Qatar, which says that part of the job is providing on-site and off-site PRISM training and support. Also these US government spending data show that in 2011 a maintaince contract (worth $ 1.085.464,-) for PRISM support services was awarded to SAIC, with options for 2012 and 2013.

Are there two different PRISMs?

So now it looks like as if there are two different programs called PRISM: one is a web-based tool for requesting and managing intelligence information from a server that gets input from various intelligence sources. The other is the program from which The Guardian says it's a top secret electronic surveillance program that collects raw data from the servers of nine major US internet companies.

If the Guardian's claims are true, it's strange that two important intelligence programs apparently have the exact same name. For sure, this would not be very likely, if "PRISM" would be an acronym or a codeword in both cases. But if we assume one PRISM being an acronym and the other PRISM a codeword, it could be somewhat more likely.

As we know, the PRISM tool developed by SAIC is an acronym, just like the names of many other military and intelligence software tools are often lengthy acronyms. This leaves the PRISM which was unveiled by The Guardian likely to be a codeword, or more correctly said, a nickname. NSA data collection methods, officially designated by an alphanumerical SIGAD like US-984, can have nicknames which may or may not be classified.

These are different from codenames, which are always classified and often assigned to the intelligence products from the various data collection methods. This can cause some confusion, as "PRISM" perfectly fits in the NSA tradition of using 5-letter codewords for products of sensitive Signals Intelligence programs.

If PRISM had been a classified codename, it should also have been part of the classification line, and the marking should have read TOP SECRET // SI-PRISM // [...] instead of the current TOP SECRET // SI // [...]. This indicates that if there are two PRISMs, and one is an acronym, the other PRISM isn't a codeword for intelligence from a specific source, but most likely the unclassified nickname of a collection method.

This still leaves the question of why in 2007 an apparently new collection program got a nickname which is exactly the same as the acronym of an already widely used computer application - which is even going to be one of its tasking systems.

A less spectacular PRISM?

Allthough The Guardian presented PRISM as a method of directly collecting raw data from major internet companies, other sources say that PRISM might well be a much less spectacular internal computer program.

Initially, The Washington Post came with the same story as The Guardian, but revised some of its claims by citing a classified report from the NSA Inspector General that describes PRISM as allowing "collection managers [to send] content tasking instructions directly to equipment installed at company-controlled locations." These words very much resemble the way the PRISM Planning Tool is described.

National security reporter Marc Ambinder describes PRISM as "a kick-ass GUI (Graphical User Interface) that allows an analyst to look at, collate, monitor, and cross-check different data types provided to the NSA from Internet companies located inside the United States" - which also sounds much more like the SAIC application, than like a data dragnet with free access to commercial company servers.

This view was also confirmed by a statement (pdf) of Director of National Intelligence (DNI) James Clapper, which says: "PRISM is not an undisclosed collection or data mining program. It is an internal government computer system used to facilitate the government’s [...] collection of foreign intelligence information from electronic communication service providers [...]".

With this statement, Clapper officially confirms the existance of a program called PRISM, and allthough his description could also fit that of the Planning tool for Resource Integration, Synchronization and Management, he didn't positively identified PRISM as such.

Finally, an anonymous former government official told CNet.com that The Guardian's reports are "incorrect and appear to be based on a misreading of a leaked Powerpoint document", making journalist Declan McCullagh go one step further by suggesting that PRISM might be actually the same as the web application named Planning Tool for Resource Integration, Synchronization, and Management.

PRISM as an all-source planning tool

Some sources, like a joint operations manual and a number of job descriptions, seem to indicate that the PRISM planning tool is primarily used for geospational intelligence (GEOINT), which is analysed imagery of the earth as collected by spy planes and satellites.

However, more extensive research has shown that the Planning tool for Resource Integration, Synchronization and Management (PRISM) is not only used for geospatial intelligence, but for fusing intelligence from all sources. Besides GEOINT, sources prove that PRISM is also used for SIGINT (Signals Intelligence), IMINT (Imagery Intelligence) and HUMINT (Human Intelligence), probably through additional modules for each of these sources.

Even the 2006 Geospatial Intelligence Basic Doctrine (pdf) says PRISM is a "web-based application that provides users, at the theater level and below, with the ability to conduct Integrated Collection Management (ICM). Integrates all intelligence discipline assets with all theater requirements."
More specifically, the 2012 Joint and National Intelligence Support to Military Operations manual describes that where applicable, requests for SIGINT support should be entered into approved systems such as PRISM, for approval by a military commander.

In a job description for an Intelligence Training Instructor from 2010 we see a distinction being made between PRISM-IMINT and PRISM-SIGINT, and a LinkedIn profile mentions the IMINT/SIGINT PRISM training in 2006 of someone who was administrator for PRISM, which is described as the system of record USCENTCOM uses for submitting, tracking, and researching theater ISR requirements. In a job description for a SIGINT Collection Management Analyst (by Snowden-employer Booz Allen Hamilton!) experience with PRISM is required too.

Also a module was added to PRISM for accessing information from HUMINT (Human Intelligence) sources. Testing of this module was done during the Empire Challenge 2008 exercise. In the daily reports of this exercise we can read that for example the Defense Intelligence Agency's HUMINT team loaded "additional data into PRISM HUMINT module for operations on Tuesday morning". From a French report about this exercise we learn that the PRISM HUMINT module was a new application, just like the Humint Online Tasking & Reporting (HOT-R) tool, which runs on SIPRNet. This indicates that modules for different -INTs were added gradually in time.

Are both PRISMs one and the same?

If The Guardian's PRISM really is just a computer system for sending tasking instructions to equipment that collects the raw data, it is hard to believe that it's different from the Planning tool for Resource Integration, Synchronization and Management (PRISM), which for many years is used to order and manage intelligence from all sources.

If this could be true, and there's only one PRISM program, what about the slides which were disclosed by The Guardian? First of all, as this newspaper is not willing to publish all PRISM-slides, we cannot be sure about what this presentation is really about, but it's possible that it's not about a PRISM which is the nickname of the US-984XN collection method, but about how to gather material from that source by using the PRISM web tool. This way around, the SIGAD US-984XN can still deliver for most NSA reporting, including the President's Daily Brief.

More specific, we can think of a machine-to-machine interface between the PRISM system and dedicated data collection devices at remote locations, like a secure FTP server or an encrypted dropbox at sites of the internet companies. At the PRISM desktop interface this tasking may be done through a separate SIGINT module. As one of the slides says: "Complete list and details on PRISM web page: Go PRISMFAA" we can even imagine a module called "PRISM FAA" for requesting intelligence from intercepts of foreign communications under the conditions of the FISA Amendment Act (FAA) from 2008.

Infographic of the PRISM Planning Tool as part of the Intelligence Cycle,
with a possible way of how it could be the same as the
PRISM internet data collection program
(click for a bigger picture)

By publishing the PRISM slides, The Guardian for the first time revealed evidence about the NSA collecting data from major internet companies. But as this apparently surprised the general public, the practice is hardly new. Spies and later intelligence agencies of all countries have always tried to intercept foreign communications and of course tried to do this with every new way of communication: first letters, later phonecalls and radio communications, and nowadays internet based social media. Therefore, it may hardly come as a surprise that NSA found ways to intercept those new means of communications too.

What looks more of a problem, is the fact that in the past, enemies were nation states, which could be targeted by focussing on diplomatic and military communications, leaving most people's privacy untouched. Nowadays, with terrorism considered as the main enemy, almost every (foreign) citizen could be a potential adversary. This made intelligence agencies try to search everyone's communications, which are also more internationally intertwined than ever before.

Next time we will discuss more specific details of the Planning tool for Resource Integration, Synchronization and Management (PRISM), as this gives an interesting look at internal intelligence procedures.


- TheWeek.com: Is the NSA PRISM leak much less than it seems?
- CNet.com: What is the NSA's PRISM program? (FAQ)
- CNet.com: No evidence of NSA's 'direct access' to tech companies
- VanityFair.com: PRISM Isn’t Data Mining and Other Falsehoods in the N.S.A. “Scandal”
- ExtremeTech.com: Making sense of the NSA Prism leak as the real details emerge
- Medium.com: The PRISM Details Matter
- Reflets.info: #PRISM: let’s have a look at the big picture
- VanityFair.com: PRISM Isn’t Data Mining and Other Falsehoods in the N.S.A. “Scandal” - Mashable.com: See How PRISM May Work — in This Infographic
- ZDNet.com: How did mainstream media get the NSA PRISM story so hopelessly wrong?


Dr. Strangelove said...


Anonymous said...

You should watch this YouTube video that clearly shows the information on PRISM had already been leaked before Snowden. Listen to the creator of the software himself.


Laura Poitras: Surveillance Teach-In
Published on Sep 11, 2012
In this Surveillance Teach-In, award-winning filmmaker Laura Poitras is joined by computer security expert and privacy advocate Jacob Appelbaum and National Security Agency whistle-blower Bill Binney to present an artistic and practical commentary on living in the contemporary Panopticon.

Anonymous said...

Prism is "Center Spike" on Steroids.

P/K said...

Thank you for the interesting video, but is seems Bill Binney is not talking about PRISM, but about the earlier data collection program called Stellar Wind, which is also mentioned in the video.

Anonymous said...

Classic Skeptics in philosophy often ask "can the opposite ALSO be true"?
What is the motive here for having 2 blogspot blogs with identical material appear by different authors?
And, if PRISM isn't all we are led to believe, then why does the US want Snowden so badly?
Or is that too a myth, and that he ISN'T being hunted?
We know that we carry our own tools for surveillance (GPS, RFID, etc) on everything from store purchases (the same electronic scanner by the door searches for RFID tags to prevent theft can, with a slight modification, scan your RFID equipped ID card as well) to cell phones; why would we think it impossible that Big Brother not only want this data, but our internet habits as well?
Here in Canada former Prime Minister, the late Elliott Trudeau once said that "what happens in the privacy of one's home is NOT the government's business."
He joins the ranks of Libertarian thinkers Ben Franklin "those who would sacrifice their Liberty for the sake of Security, deserve neither.", Walt Whitman "to the States; safeguard your Freedom, lest you forever be Enslaved"; and " Examine everything that you are told, and dismiss what insults the Soul", and Adams "every Law is a Restriction upon Liberty", to say nought of this Cold War ditty from a Soviet whistleblower Alexandr Solzhenitsyn" "one word of truth can outweigh the whole World."
Our Government which claims to exist merely to REPRESENT the People, act now as if it exists in SPITE of us!

P/K said...

Please note that without proper permission, some articles of this weblog are also entirely copied, including pictures, on one or two other weblogs. Only the postings on this weblog are the original ones.

Anonymous said...

It is different - Ron

Unknown said...

Hi,Creative and attractive infographics allow delivering complex knowledge in Web Design Cochin or boring numbers in the clear and fun way. Infographics require professional design skills and become more and more popular on the modern web.Thanks...........

In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties