PRISM and Upstream

Background / Context

The institutional context within which PRISM and Upstream emerged was the post-September-2001 expansion of NSA collection authorities and the substantive subsequent recognition that the institutional Foreign Intelligence Surveillance Act framework of 1978 — substantively designed for telephone-network electronic surveillance against specifically-targeted individuals — was substantively inadequate for the post-2001 internet-based-communications collection institutional environment.

The substantively documented operational antecedent was the post-September-2001 institutional warrantless-surveillance programme — substantively documented in the December 2005 New York Times disclosure by James Risen and Eric Lichtblau under the title Bush Lets U.S. Spy on Callers Without Courts — under which the Bush administration's executive-branch had substantively authorised NSA collection from US-domestic communications infrastructure without the substantive FISA Court warrant-issuance institutional process. The substantive subsequent institutional litigation (substantially the American Civil Liberties Union v. NSA case in the Eastern District of Michigan, decided August 2006 against the government and substantively reversed by the Sixth Circuit in 2007 on standing grounds), the substantive 2007 institutional disclosure of the Hepting v. AT&T civil litigation that substantively documented the substantive AT&T institutional cooperation under the BLARNEY and FAIRVIEW institutional pattern, and the substantive 2007 institutional confrontation between the Department of Justice and the substantive then-Acting-Attorney-General James Comey at the bedside of substantive then-Attorney-General John Ashcroft (substantively the institutional refusal of the substantive then-DOJ Office of Legal Counsel to substantively renew the substantive institutional authorisation of the warrantless surveillance programme) substantively produced the institutional pressure for the substantive subsequent statutory framework.

The substantive statutory response was the substantive PROTECT America Act of 2007 (Public Law 110-55), substantively passed in August 2007, which substantively legalised much of the warrantless collection that the post-2001 institutional programme had substantively been conducting. The substantive PAA authorities were substantively temporary and substantively subject to substantive constitutional challenge; the substantive subsequent institutional response was the substantive FISA Amendments Act of 2008 (Public Law 110-261), substantively passed in July 2008, which substantively codified the substantive Section 702 institutional authority within Title VII of the substantive FISA framework. The substantive operational PRISM programme was substantively initiated in September 2007 under the PAA authority and substantively transitioned to the substantive Section 702 institutional authority in July 2008.

The Operation

The substantive operational architecture of the two programmes has been substantively documented through the substantive Snowden-document disclosures, the substantive subsequent FISA Court declassified opinions, the substantive Privacy and Civil Liberties Oversight Board reports, and the substantive subsequent academic literature.

PRISM operational architecture

The substantive PRISM operational pattern is substantively the institutional service of substantive directives on US-based electronic-communications-service providers under the substantive Section 702 institutional framework, substantively compelling the substantive providers to substantively deliver to the substantive NSA the substantively-targeted communications. The substantive directives are substantively issued by the substantive Attorney General and the substantive Director of National Intelligence and substantively reviewed by the substantive Foreign Intelligence Surveillance Court for substantive consistency with the substantive Section 702 institutional framework but are substantively not subject to the substantive individual-warrant institutional requirement that substantive Title I FISA collection substantively requires.

The substantive operational substance of the programme is that the substantive NSA, through the substantive directives, substantively obtains from the substantive participating providers both the substantive stored-communications institutional product (the substantive contents of the substantively-targeted user accounts that the substantive providers have substantively retained) and the substantive real-time interception institutional product (the substantive contents of the substantively-targeted communications as they substantively transit the substantive provider's infrastructure). The substantive operational targeting selectors substantively comprise email addresses, telephone numbers, and substantively other communications-identifiers that the substantive NSA has substantively determined are substantively used by non-US persons reasonably believed to be located outside the United States.

The substantively-documented participating-provider chronology is: Microsoft (added September 2007); Yahoo (March 2008); Google (January 2009); Facebook (June 2009); PalTalk (December 2009); YouTube (September 2010); Skype (February 2011); AOL (March 2011); Apple (October 2012). The substantive subsequent institutional record across the post-2013 period has substantially expanded the participating-provider cohort to include substantially every major US-based electronic-communications-service provider.

Upstream operational architecture

The substantive Upstream operational pattern is substantively the institutional cooperation between the NSA and US-domestic telecommunications carriers to substantively access the substantive internet-and-telephone-traffic flowing through the carriers' US-territory infrastructure. The substantive operational substance is that the substantive NSA, through the substantive cooperation arrangements, substantively obtains the substantive technical capability to substantively filter the substantively passing-through traffic for substantively-targeted communications and to substantively retain the substantively matched communications for subsequent operational analysis.

The substantively-documented operational codenames substantially comprise four principal programmes:

• BLARNEY — the substantively-original 1978 institutional partnership with AT&T at the substantive Mae East and Mae West internet exchange points (the substantively-original public-internet exchange institutional infrastructure on the US East Coast and West Coast respectively). The substantive BLARNEY institutional arrangement has substantively been the substantive institutional foundation on which the subsequent Upstream programmes have substantively been built.

• FAIRVIEW — the substantive expanded post-2003 institutional partnership with AT&T at substantively approximately seventeen US-domestic facilities. The substantive FAIRVIEW institutional pattern is substantively the substantive operational core of the substantive Upstream institutional programme; the substantive substantively-documented institutional substance has substantially included the substantive Room 641A facility at the AT&T 611 Folsom Street institutional facility in San Francisco — substantively documented in the substantive 2006 institutional disclosure by Mark Klein, an AT&T technician, in the substantive Hepting v. AT&T civil litigation.

• OAKSTAR — the substantively-documented institutional partnership with substantively seven additional US-domestic carriers, substantively the institutional pattern of which has substantively been substantially-less-documented in the substantive public record.

• STORMBREW — the substantively-documented institutional partnership with Verizon at substantively four additional US-domestic facilities, substantively the institutional pattern of which has substantively been substantively-similar to the FAIRVIEW institutional pattern but at substantively-smaller institutional scale.

The substantive operational substance of the Upstream institutional pattern is that the substantive NSA substantively has the substantive operational capability to substantively access the substantial portion of internet traffic that substantively traverses US-territory cable and switching infrastructure — the substantive consequence being that substantive non-US-person internet communications substantively transiting the United States (the substantively-documented institutional pattern of which has substantively been the substantive global-internet substantively-disproportionate routing through US-territory infrastructure across the post-2000 period) substantively fall within the substantive Upstream institutional collection scope.

Disclosure / Aftermath

The substantive institutional disclosure of PRISM and Upstream proceeded across the post-2013 published institutional record principally through the substantive Snowden-document disclosures.

The substantive June 2013 institutional disclosure of PRISM was substantively conducted through the substantive 6 June 2013 Washington Post and Guardian parallel publications by Barton Gellman and Glenn Greenwald respectively. The substantive disclosure substantively published the substantive PRISM-programme institutional briefing slides — the substantive 41-slide internal NSA institutional presentation describing the programme's operational architecture, participating providers, and operational scope. The substantive institutional response by the substantive participating providers was substantially uniform: substantive denial of the substantively-asserted "direct access" institutional pattern that the substantive briefing slides substantively suggested, combined with substantive acknowledgement that the substantive providers substantively complied with substantive valid Section 702 directives. The substantive institutional substance of the substantively-asserted distinction was the substantive operational architecture: the substantive providers substantively did not provide the substantive NSA with substantive arbitrary access to the substantive provider infrastructure, but substantively delivered the substantively-specifically-requested communications under the substantive Section 702 directive institutional framework.

The substantive subsequent institutional disclosure of the Upstream programme proceeded across the substantive post-June-2013 period through substantively-multiple substantive Snowden-document disclosures. The substantive 6 June 2013 disclosure of the Verizon Section 215 telephony-metadata order substantially preceded the subsequent substantive disclosures of the Upstream institutional pattern; the subsequent substantive disclosures across the substantive 2013–14 period — substantively including the substantive Der Spiegel disclosures of substantively-specific Upstream operational details, the substantive Washington Post and Guardian disclosures of the substantively-specific FAIRVIEW and BLARNEY institutional partnerships, and the substantive Privacy and Civil Liberties Oversight Board's substantive 2 July 2014 institutional report on the substantive Section 702 programme — substantively produced the substantive comprehensive public-record reconstruction of the substantive Upstream institutional architecture.

Legacy / Implications

The institutional consequences of PRISM and Upstream across the post-2013 period have been substantial and substantially permanent.

Institutional reform record

The substantive subsequent institutional reform record across the post-2013 period has substantially included: the substantive 2014 Privacy and Civil Liberties Oversight Board's institutional report on the substantive Section 702 programme — substantively recommending substantive reforms but substantively endorsing the substantive constitutionality of the programme; the substantive 2015 USA Freedom Act's substantive institutional reform of the substantive Section 215 bulk-telephony-metadata programme (the substantively-distinct programme from PRISM and Upstream but the substantively-paired institutional disclosure) — substantively ending the bulk-collection institutional pattern in favour of the substantive provider-controlled query-on-demand institutional pattern; the substantive successive Section 702 reauthorisations across the 2012, 2017, 2018, and 2024 institutional periods, with substantive successive institutional reforms but substantive continuing substantive operational reach; and the substantive subsequent institutional development of the substantive Foreign Intelligence Surveillance Court substantive amicus-curiae institutional mechanism, the substantive declassification of substantive significant FISA Court opinions, and adjacent substantive institutional adjustments.

European institutional response

The substantive European institutional response to PRISM and Upstream has substantially included: the substantive 2015 European Court of Justice judgment in Schrems I (Case C-362/14) — substantively invalidating the substantive 2000 EU-US Safe Harbour institutional framework on substantive grounds that included the substantive PRISM disclosure-related concern about substantive US-government access to substantive EU-citizen-data substantively transferred to substantive US-based providers; the substantive 2020 European Court of Justice judgment in Schrems II (Case C-311/18) — substantively invalidating the substantive substantively-replacement EU-US Privacy Shield institutional framework on substantively-similar grounds; and the substantive 2022 substantive subsequent EU-US Data Privacy Framework — substantively the institutional successor to the substantive prior frameworks, substantively designed to substantively address the substantive Schrems-judgments concerns through substantive subsequent institutional reform of the substantive US-side oversight framework.

Continuing institutional question

The substantive continuing institutional question that the substantive PRISM and Upstream programmes raise — the substantive question of whether the substantive Section 702 institutional framework substantively complies with the substantive Fourth Amendment institutional framework as applied to substantive US-person communications that are substantively incidentally collected through the substantive non-US-person targeting institutional pattern — has been the substantive subject of sustained subsequent academic, journalistic, and policy commentary. The substantively-settled subsequent institutional position is substantively unsettled; the substantive Section 702 institutional framework remains substantively the substantive operational core of post-2008 US foreign-intelligence internet collection.

Related agencies

• National Security Agency — the principal institutional operator of both PRISM and Upstream
• Federal Bureau of Investigation — the substantively documented post-2008 institutional consumer of substantive Section 702-collected material for substantive domestic-investigation purposes

Sources & Further Reading

1. Barton Gellman and Laura Poitras, U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program, The Washington Post, 6 June 2013 — the principal initial PRISM disclosure.
2. Glenn Greenwald and Ewen MacAskill, NSA Prism program taps in to user data of Apple, Google and others, The Guardian, 6 June 2013 — the parallel initial PRISM disclosure.
3. Privacy and Civil Liberties Oversight Board, Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act, 2 July 2014 — the principal post-disclosure institutional review.
4. Privacy and Civil Liberties Oversight Board, Report on the Section 702 of the Foreign Intelligence Surveillance Act, January 2023 — the substantive post-2014 institutional re-review.
5. FISA Amendments Act of 2008 (Public Law 110-261) — the substantive statutory authority for both programmes.
6. Hepting v. AT&T, US District Court for the Northern District of California, 2006 — the principal civil litigation that substantively documented the FAIRVIEW institutional partnership.
7. Mark Klein, Wiring Up the Big Brother Machine... and Fighting It, BookSurge Publishing, 2009 — the AT&T technician's account of Room 641A and the FAIRVIEW institutional pattern.
8. Glenn Greenwald, No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State, Metropolitan Books, 2014 — the substantial post-disclosure book-length reconstruction.
9. National Security Archive Snowden Documents Collection, George Washington University.
10. Schrems I (Case C-362/14), Court of Justice of the European Union, 6 October 2015; Schrems II (Case C-311/18), Court of Justice of the European Union, 16 July 2020 — the principal European institutional judicial response.