PRISM and Upstream

2007-09

The two NSA collection programmes operating under Foreign Intelligence Surveillance Act Section 702 — PRISM (downstream collection of communications from US technology providers including Microsoft, Yahoo, Google, Facebook, and Apple, beginning September 2007) and Upstream (backbone collection at US telecommunications-partner facilities under codenames including BLARNEY, FAIRVIEW, OAKSTAR, and STORMBREW) — which constitute the operational core of post-2008 US foreign-intelligence internet collection. Disclosed by Edward Snowden in June 2013; documented in subsequent FISA Court declassifications, Privacy and Civil Liberties Oversight Board reports, and academic-and-policy literature.

Background and context

The institutional context within which PRISM and Upstream emerged was the post-September-2001 expansion of NSA collection authorities and the recognition that the Foreign Intelligence Surveillance Act framework of 1978 — designed for telephone-network electronic surveillance against specifically targeted individuals — was inadequate for the post-2001 internet-based-communications collection environment.

The principal documented antecedent was the post-September-2001 warrantless-surveillance programme, disclosed in the 16 December 2005 New York Times reporting by James Risen and Eric Lichtblau under the headline Bush Lets U.S. Spy on Callers Without Courts. Under that programme, the Bush administration's executive branch authorised NSA collection from US-domestic communications infrastructure without the FISA Court warrant-issuance process. Subsequent civil litigation included American Civil Liberties Union v. NSA (Eastern District of Michigan, decided August 2006 against the government, reversed by the Sixth Circuit in 2007 on standing grounds) and Hepting v. AT&T (Northern District of California, 2006), the latter of which produced public documentation of the AT&T cooperation pattern under what would later be designated BLARNEY and FAIRVIEW. The March 2004 confrontation at then-Attorney-General John Ashcroft's hospital bedside between Acting Attorney General James Comey and senior White House officials over the renewal of the warrantless programme — disclosed in Comey's May 2007 Senate Judiciary Committee testimony — marked the institutional point at which the Department of Justice's Office of Legal Counsel refused to certify the prior authorisation, producing pressure for a statutory framework.

The statutory response was the PROTECT America Act of 2007 (Public Law 110-55), passed in August 2007, which legalised much of the collection the post-2001 programme had been conducting. The PAA authorities were temporary and subject to constitutional challenge. The subsequent and durable response was the FISA Amendments Act of 2008 (Public Law 110-261), passed in July 2008, which codified the Section 702 authority within Title VII of the FISA framework. PRISM was initiated in September 2007 under the PAA and transitioned to Section 702 in July 2008. [5]

PRISM operational architecture

The PRISM operational pattern is the service of directives on US-based electronic-communications-service providers under the Section 702 framework, compelling the providers to deliver to NSA the targeted communications. The directives are issued by the Attorney General and the Director of National Intelligence and reviewed by the Foreign Intelligence Surveillance Court for consistency with the Section 702 framework — but they are not subject to the individual-warrant requirement that Title I FISA collection requires.

The operational substance is that NSA, through the directives, obtains from the participating providers both stored communications (the contents of targeted user accounts that the providers have retained) and real-time interception product (the contents of targeted communications as they transit the provider's infrastructure). The targeting selectors comprise email addresses, telephone numbers, and other communications identifiers that NSA has determined are used by non-US persons reasonably believed to be located outside the United States.

The participating-provider chronology disclosed in the 2013 PRISM briefing slides is: Microsoft (added September 2007), Yahoo (March 2008), Google (January 2009), Facebook (June 2009), PalTalk (December 2009), YouTube (September 2010), Skype (February 2011), AOL (March 2011), and Apple (October 2012). The participating cohort across the post-2013 period has expanded to include nearly every major US-based electronic-communications-service provider. [1][2]

Upstream operational architecture

The Upstream operational pattern is the cooperation between NSA and US-domestic telecommunications carriers to access the internet and telephone traffic flowing through the carriers' US-territory infrastructure. The operational substance is that NSA, through the cooperation arrangements, obtains the technical capability to filter the passing traffic for targeted communications and to retain the matched communications for subsequent analysis.

The operational codenames documented in the disclosure record comprise four principal programmes.

BLARNEY is the 1978 FISA-authorised collection partnership with AT&T at US telecommunications facilities. BLARNEY has been the institutional foundation on which the subsequent Upstream programmes were built.

FAIRVIEW is the AT&T partnership begun in 1985 and significantly expanded post-2001, operating at approximately seventeen US-domestic facilities. FAIRVIEW is the operational core of the Upstream programme. The most documented facility is Room 641A at the AT&T 611 Folsom Street site in San Francisco, disclosed in 2006 by AT&T technician Mark Klein in the Hepting v. AT&T litigation and in his subsequent 2009 book Wiring Up the Big Brother Machine... and Fighting It.

OAKSTAR is the partnership with seven additional corporate partners, less documented in the public record than BLARNEY or FAIRVIEW.

STORMBREW is the Verizon partnership operating at seven choke points, documented as similar in pattern to FAIRVIEW but at smaller institutional scale.

The operational consequence is that NSA has access to the substantial portion of internet traffic that traverses US-territory cable and switching infrastructure. Because of the global internet's disproportionate routing through US infrastructure across the post-2000 period, non-US-person internet communications transiting the United States fall within the Upstream collection scope. [6][7]

Disclosure

The institutional disclosure of PRISM and Upstream proceeded principally through the Snowden-document disclosures of June 2013 and the subsequent reporting across 2013–14.

The PRISM disclosure was conducted on 6 June 2013 in parallel publications by Barton Gellman and Laura Poitras in The Washington Post (U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program) and by Glenn Greenwald and Ewen MacAskill in The Guardian (NSA Prism program taps in to user data of Apple, Google and others). The disclosure included the 41-slide internal NSA briefing presentation describing the programme's operational architecture, participating providers, and operational scope.

The institutional response by the participating providers was uniform: denial of the "direct access" pattern that the briefing slides suggested, combined with acknowledgement that the providers complied with valid Section 702 directives. The institutional substance of the asserted distinction was operational: the providers did not give NSA arbitrary access to their infrastructure, but delivered the specifically requested communications under the Section 702 directive framework.

The Upstream disclosure followed across the post-June-2013 period. The 5 June 2013 disclosure of the Verizon Section 215 telephony-metadata order preceded the broader Upstream disclosures. Subsequent reporting across 2013–14 — including Der Spiegel coverage of specific Upstream operational details, parallel Washington Post and Guardian disclosures of the FAIRVIEW and BLARNEY partnerships, and the Privacy and Civil Liberties Oversight Board's 2 July 2014 institutional report on Section 702 — produced the comprehensive public-record reconstruction of the Upstream architecture. [1][2][3][8]

Institutional reform record

The institutional reform record across the post-2013 period has included three principal threads.

The Privacy and Civil Liberties Oversight Board's 2014 report on Section 702 recommended specific reforms while endorsing the constitutionality of the programme. The PCLOB's January 2023 follow-up review re-examined the programme in light of the post-2014 record.

The 2015 USA Freedom Act reformed the Section 215 bulk-telephony-metadata programme — a programme distinct from PRISM and Upstream but disclosed alongside them — ending the bulk-collection pattern in favour of provider-controlled query-on-demand.

The Section 702 framework itself has been reauthorised across the 2012, 2018 (the FISA Amendments Reauthorization Act of 2017), and 2024 periods, each time with successive institutional adjustments — including the development of a Foreign Intelligence Surveillance Court amicus-curiae mechanism, the declassification of significant FISA Court opinions, and adjacent procedural reform — but with continuing operational reach. [3][4]

European institutional response

The European institutional response to PRISM and Upstream has shaped the post-2013 transatlantic data-protection landscape.

In Schrems I (Case C-362/14, 6 October 2015), the Court of Justice of the European Union invalidated the 2000 EU-US Safe Harbour framework. The judgment grounded its invalidation in part on PRISM-related concerns about US-government access to EU-citizen data transferred to US-based providers.

In Schrems II (Case C-311/18, 16 July 2020), the same court invalidated the replacement EU-US Privacy Shield framework on similar grounds.

The 2022 EU-US Data Privacy Framework is the institutional successor to the prior frameworks, designed to address the Schrems concerns through reform of the US-side oversight framework — including the establishment of a Data Protection Review Court and additional procedural protections for EU-person data. [10]

Continuing institutional question

The continuing institutional question PRISM and Upstream raise — whether the Section 702 framework complies with the Fourth Amendment as applied to US-person communications incidentally collected through the non-US-person targeting pattern — has been the subject of sustained academic, journalistic, and policy commentary across the post-2013 period.

The settled position is that the question remains unsettled. The Section 702 framework remains the operational core of post-2008 US foreign-intelligence internet collection; the incidental-collection question continues to be contested in litigation, in successive PCLOB reviews, and in each Section 702 reauthorisation cycle.

Sources and further reading

  1. Barton Gellman and Laura Poitras, U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program, The Washington Post, 6 June 2013 — the principal initial PRISM disclosure.
  2. Glenn Greenwald and Ewen MacAskill, NSA Prism program taps in to user data of Apple, Google and others, The Guardian, 6 June 2013 — the parallel initial PRISM disclosure.
  3. Privacy and Civil Liberties Oversight Board, Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act, 2 July 2014 — the principal post-disclosure institutional review.
  4. Privacy and Civil Liberties Oversight Board, Report on the Section 702 of the Foreign Intelligence Surveillance Act, January 2023 — the post-2014 institutional re-review.
  5. FISA Amendments Act of 2008 (Public Law 110-261) — the statutory authority for both programmes.
  6. Hepting v. AT&T, US District Court for the Northern District of California, 2006 — the principal civil litigation that documented the FAIRVIEW partnership.
  7. Mark Klein, Wiring Up the Big Brother Machine... and Fighting It, BookSurge Publishing, 2009 — the AT&T technician's account of Room 641A and the FAIRVIEW pattern.
  8. Glenn Greenwald, No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State, Metropolitan Books, 2014 — the post-disclosure book-length reconstruction.
  9. National Security Archive Snowden Documents Collection, George Washington University.
  10. Schrems I (Case C-362/14), Court of Justice of the European Union, 6 October 2015; Schrems II (Case C-311/18), Court of Justice of the European Union, 16 July 2020 — the principal European judicial response.