Threat Intelligence

PRISM – Facts, Doubts, Laws and Loopholes

Pierluigi Paganini
June 24, 2013 by
Pierluigi Paganini


Edward Snowden is the name of a 29-year-old technical assistant for the Central Intelligence Agency who disclosed the largest surveillance program implemented by the US known as the PRISM program. For better or for worse, his name is destined to enter into history. The Guardian identified Edward Snowden as a technical assistant who worked for US Intelligence at the National Security Agency for the last four years for various defense contractors. Currently he is an employee of security defense contractors Booz Allen Hamilton.

Snowden decided to reveal his identity because like other whistleblowers, such as Bradley Manning, the US Army soldier who was arrested in May 2010 in Iraq on suspicion of having passed classified material to the website WikiLeaks, he decided to make public an uncomfortable truth.

The disclosure started with the publication of the secret court order to Verizon Communications, but it was just the tip of the iceberg. All of the principal US IT companies support the surveillance program PRISM despite their high managements denying it. The surveillance architecture monitors every activity on the Internet, and it has been ongoing for many years. Through it the US Government has obtained access to user's data, and private companies like Microsoft, Google, Facebook and Apple are all involved.

Edward Snowden feared that the government will persecute him for disclosing Top Secret documentation on the extensive massive surveillance program PRISM. While I'm writing this, he is in a hotel in Hong Kong, where he flew after the publication of the presentation he prepared during his work in the NSA Office in Hawaii, around three weeks ago. Snowden decided to publish the history and proof of a program that every US citizen imagined but that authorities and private companies always denied. He left the US citing health reasons and flew to Hong Kong, the Chinese territory known also for its "strong tradition of free speech."

According to the interview released to The Guardian, Edward Snowden is concerned, as he knows very well the power of intelligence agencies and the ramifications of his actions. He has thus barricaded himself in a hotel.

"I've left the room maybe a total of three times during my entire stay." "I have no intention of hiding who I am, because I know I have done nothing wrong." "I could be rendered by the C.I.A., I could have people come after me." "We've got a C.I.A. station just up the road in the consulate here in Hong Kong, and I'm sure," "that they're going to be very busy for the next week, and that's a fear I'll live under for the rest of my life," Snowden said.

The confirmation of the existence of a PRISM program has shocked public opinion. Associations for the defense of freedom of expression and human rights are concerned about the violation of the citizens' privacy, even if it is for homeland security reasons.

The Obama administration is defending the surveillance program, saying it is necessary to prevent terrorist plots, and that the debated data collection has already allowed the prevention of terrorist acts.

"Nobody is listening to your telephone calls. That's not what this program is about." "In the abstract you can complain about Big Brother and how this is a potential program run amok, but when you actually look at the details, I think we've struck the right balance."

"You can't have 100 percent security and also then have 100 percent privacy and zero inconvenience." "We're going to have to make some choices as a society. ... There are trade-offs involved." These are what the President told journalists during a visit to California's Silicon Valley.

Figure 1 - Edward Snowden Interview - Guardian

Edward Snowden considers himself as a patriot, having served his country as a soldier in Iraq and recently working as a contractor for the CIA overseas. He declared that he has carefully considered his actions and its possible consequences to the population, but nothing could be worse than what he witnessed. He carefully evaluated the documents he disclosed to ensure no people would be harmed and that the public interest would be served.

"Anybody in positions of access with the technical capabilities that I had could, you know, suck out secrets to pass them on the open market to Russia." "I had access to the full rosters of everyone working at the NSA, the entire intelligence community and undercover assets all around the world — the locations of every station we have, what their missions are." "If I had just wanted to harm the U.S., you could shut down the surveillance system in an afternoon."

President Obama is in the eye of the storm. He was syndicated by some members of Congress despite the revelation announced by The White House that the administration has played at least 13 briefings to Congress to show the surveillance program operated by the NSA.

The Fact – The PRISM Program

The Washington Post and the Guardian were the first newspapers to publish the news of the US machine for surveillance works. The NSA and FBI systematically access user information from central servers of the leading IT. The list revealed , despite the beliefs of many security experts, that the extension of the monitoring network is larger:

  • AOL
  • Apple
  • Dropbox
  • Facebook
  • Google
  • PalTalk
  • Skype
  • Yahoo
  • You Tube

The surveillance project began in 2007 and was supported by the Bush administration. It was known as PRISM and is capable of acquiring sensitive information from IT majors and then operating complex analysis activities.

The Washington Post published an article on the PRISM program reporting the top secret documents disclosed in Snowden's presentation. They revealed that PRISM has been referred at least 1,477 times during government briefings on Homeland Security. The document states that PRISM became popular during the Arab Spring when it was used to profile individuals considered dangerous for the US.

The 41 slides composing the presentation, classified as Top Secret, claim that the "collection directly from the servers" of major US IT service providers remarks the need for the information for security purpose. The Guardian has verified the authenticity of the PowerPoint presentation that is circulating on the Internet. It is classified as top secret, with no distribution to foreign allies, and was apparently used to train operatives.

"Information collected under this program is among the most important and valuable foreign intelligence information we collect, and is used to protect our nation from a wide variety of threats. The unauthorized disclosure of information about this important and entirely legal program is reprehensible and risks important protections for the security of Americans," Director of National Intelligence James R. Clapper said.

All the companies reported in the Top Secret document denied any knowledge of the secret program, following principal comments on the disclosure:

"Google cares deeply about the security of our users' data. We disclose user data to government in accordance with the law, and we review all such requests carefully. From time to time, people allege that we have created a government 'back door' into our systems, but Google does not have a back door for the government to access private user data," stated Google.

"We do not provide any government organization with direct access to Facebook servers," "When Facebook is asked for data or information about specific individuals, we carefully scrutinize any such request for compliance with all applicable laws, and provide information only to the extent required by law," declared Joe Sullivan, Chief Security Officer for Facebook.

"We have never heard of PRISM," "We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order," said Steve Dowling, a spokesman for Apple.

Is the PRISM Program Legal? Law and Regulations

The digital exposure of Internet users has reached a level unthinkable until a few years ago. This aspect has had mainly positive effects but it has also increased the surface of attack for each individual. We are all exposed to serious privacy risks, especially as legislation has struggled to keep up.

The number of laws that are trying to regulate our digital existence is increasing. There is a need to reduce the gaps in legislation and enforcement that open you up to online data breaches, stalking, identity theft and disclosure of user's personal information. It must be considered that these laws can have a major impact on our life; every ordinary operation could be started with something simple such as a phone call.

Analyzing the US legal model, we can recognize the different areas in which such laws are trying to regulate technology introduction, following a short list:

Digital Life

Laws and proposals are designed to protect user's privacy in the online and mobile spheres.

  • The Protecting Children from Internet Pornographers Act of 2011 was designed to increase the enforcement of laws related to child pornography and child sexual exploitation.
  • The Electronic Communications Privacy Act is almost 30 years old, so it is likely going to see some major revisions to reflect the increased variety and prevalence of electronic communications. The original act was designed to help expand federal wiretapping and electronic eavesdropping provisions, as well as to protect communications that occur via wire, oral, and electronic means and to balance the right to privacy of citizens with the needs of law enforcement.
  • The Children's Online Privacy Protection Act or COPPA protects children under 13 from the online collection of personal information.
  • The GPS Act is a proposal to give government agencies, commercial entities, and private citizens specific guidelines for the use of geolocation information.

Digital Commerce

The massive introduction of technology in commerce has requested the definition of strict laws to avoid the abuse of information on consumer habits and activities. Following is a list of laws that seek to address a number of major issues related to consumer privacy rights:

Work and Employment

Laws and regulation that affect users in the workplace during their ordinary activity:

Personal Information

No doubt, the most important set of laws and regulations are those that address issues of personal information, including medical data, private phone conversations, and video watching history.

  • The Foreign Intelligence Surveillance Act (FISA)Amendments Act of 2008/FISA Amendments Act Reauthorization Act of 2012 passed in 1978 but has undergone some major restructuring in recent years. It proscribed basic procedures for physical and electronic surveillance and the collection of foreign intelligence information. It also provides strict judicial and congressional oversight of any covert surveillance activities. It has been modified several times; the first time under the Patriot Act expired in 2008. The U.S. Senate voted in December 2012 to extend the FISA Amendments Act through the end of 2017.Under this act, the US Government is authorized to conduct surveillance of Americans' international communications, including phone calls, emails, and Internet records, exactly what is addressed by the PRISM program. These orders do not need to specify who is being spied on or the reasons for doing so. It is now possible for government agencies to collect information on any foreign communications, which many individuals and privacy protection groups have consistently argued is a gross violation of privacy and civil liberties.
  • The Health Information Technology for Economic and Clinical Health (HITECH) Act requires that major security breaches be reported to Health and Human Services as well as the media. It increases enforcement of HIPAA and the resulting penalties and ensures that any individual can request a copy of his or her public health record. Most importantly, it expands HIPAA regulations to include any business associates or providers to medical facilities, requiring vendors of any kind to keep private records private.
  • The Video Privacy Protection Act was designed to prevent the disclosure of audio/video materials, with respect to the original proposal it has been integrated with social media sites.
  • The Protect Our Health Privacy Act of 2012 requires health providers to encrypt any mobile device containing health information, restrict business associates' use of protected health information, improve congressional oversight of HIPAA, and provide additional measures that would protect patient privacy and safety when using health information technology.

Back to the PRISM Case

After the analysis of principal laws and proposals, users can have a clearer idea on what governments are allowed to do to ensure homeland security. The US PRISM program seems to be allowed by "Section 215 of the Patriot Act, which authorizes the existence of special procedures, authorized by the FISA court to force U.S. companies to deliver assets and records of their customers, from the metadata to confidential communications, including e-email, chat, voice and video, videos and photos".

It expands the law enforcement power to spy on every US citizen, including permanent residents, without providing explanation, starting the investigation on the exercise of First Amendment rights. Those who are the subjects of the surveillance are never notified of ongoing activities. Law enforcement could keep track of every activity made by a suspect, including communication and Internet activities.

Many citizens and lawyers can consider Section 215 un-constitutional, claiming that it violates the Fourth Amendment by allowing the government to effect Fourth Amendment searches without a warrant and without showing probable cause. Section 215 might be used to obtain information that affect privacy interests other than those protected by the First Amendment, but let's think to medical records.

Also the Fourth and Fifth Amendments are violated by provision of such data by failing to require that those who are the subject of Section 215 orders be told that their privacy has been compromised.

The Outsourcing of Intelligence: Risks and Benefits

The recent data leak on US Top Secret program PRISM by an intelligence contractor raised a debated discussion on the introduction of outsourcing for personnel to hire for top-secret programs. It was an inevitable consequence of the growth of the security sector and of the increased number of tasks needed by governments to ensure homeland security and the security of principal productive sectors.

Edward Snowden has worked at Booz Allen Hamilton and other intelligence contractors. His career started at the Central Intelligence Agency with various technical assignments.

In an official statement, the company Booz Allen declared, "Booz Allen can confirm that Edward Snowden, 29, was an employee of our firm for less than 3 months, assigned to a team in Hawaii. Snowden, who had a salary at the rate of $122,000, was terminated June 10, 2013 for violations of the firm's code of ethics and firm policy. News reports that this individual has claimed to have leaked classified information are shocking, and if accurate, this action represents a grave violation of the code of conduct and core values of our firm. We will work closely with our clients and authorities in their investigation of this matter."

Snowden is one of the thousands of private intelligence contractors hired by the US Government to respond to the increased necessity of security to prevent terrorist attacks. The majority of these professionals play critical roles within the principal security agencies in the country. They access confidential information, gather sensitive data on intelligence missions, and work side by side with civil government analysts in accessing a huge quantity of secret and top-secret documents.

According to the official reveal of the Office of the Director of National Intelligence, almost one in four intelligence workers were employed by contractors, and around 70% of the intelligence community's secret budget is spent for outsourcing.

The outsourcing of intelligence activities allows better rationalization of the funds designated to ensure homeland security but it also represents a serious risk for the possibility of infiltration of spies and whistleblowers.

The AP reported that nearly 500,000 contractors have access to the government's top secret programs.

"Of the 4.9 million people with clearance to access "confidential and secret" government information, 1.1 million, or 21 percent, work for outside contractors, according to a report from Clapper's office. Of the 1.4 million who have the higher "top secret" access, 483,000, or 34 percent, work for contractors."

In 2007, the former director of Naval Intelligence, retired Rear Adm. Thomas A. Brooks, wrote in a report that contractors assumed a crucial role within the nation's intelligence infrastructure.

"The extensive use of contractor personnel to augment military intelligence operations is now an established fact of life .... It is apparent that contractors are a permanent part of the intelligence landscape," he said.

To give an idea of the number of private contractors that worked for US intelligence agencies, The Post reported that 1,931 private companies worked on reserved counterterrorism operations and many other campaigns to empower homeland.

The operations were conducted all over the country in around 10,000 locations. During the last year, the principal emergency was related to the increased number of cyber attacks, both sabotage and cyber espionage campaigns, against National networks.

The massive introduction of technology has made necessary the recruitment of a large number of technicians who have been entrusted with the delicate task of protecting the country's infrastructure such as communication networks, grids, and satellite systems.

A recent trend that emerged to respond to continuous cyber attacks is the involvement in offensive operations of skilled professionals and hackers hired to instruct cyber units. These same hackers have been used to perform vulnerability assessments and penetration testing on critical infrastructures.

The Risk of Cyber Attacks on the US Massive Surveillance System

One of the most alarming risks related to a Top Secret program such as PRISM is represented by the possible disclosure of the information gathered. Unauthorized access to the information could give a foreign government a meaningful advantage in terms of intelligence. Foreign hackers could have access to a huge quantity of sensitive information centralized and concentrated in a single vulnerable architecture.

It must be considered that a possible attack could be taken advantage of by insiders and cyber spies. The case of Bradley Manning proved to the public opinion the devastating effect that the revelation of the government's secret documents could have on homeland security. Starting with the consideration that nearly 854,000 people ordinarily manage top-secret security clearances, it is to understand the surface of attacks for the "machine" of Intelligence. Each of these individuals could be a target for state-sponsored hackers and could itself represent an insider threat.

The disclosure of the PRISM program is a demonstration that principal US intelligence agencies and law enforcement weren't able to protect Top Secret information from disclosure. The information has been acquired by a journalist thanks to a spontaneous revelation, but it must be considered that many other Top Secret programs could be affected by cyber espionage operations by foreign governments.

"The access to PRISM information could enable blackmail on a massive scale, widespread manipulation of U.S. politics, and industrial espionage against American businesses."

If persistent collectors such as the Chinese government or a hostile country like Iran or North Korea could have access to a surveillance system, it could be a tragedy for the country. Suddenly the country will have no secret for the adversary, and every sector will be deeply impacted.

Foreign governments aren't unique in their interest in access to the surveillance system. Terrorists belonging to groups like Al Qaeda and also cyber criminals could breach the defense of Intelligence archives. The development and deployment of a massive surveillance system is a critical choice. The government in fact must be sure to be able to prevent foreign intrusions and to avoid the creation of maybe a single point of failure for the overall security of the country.


There are various ways to limit the exposure of our digital experience to surveillance and monitoring activities. The US Government and law enforcement could have access to email accounts such as Gmail messages, spy on user communication and discover their habits. Following are a few simple suggestions to avoid monitoring:

How to anonymize the user's Internet experience?

Tor Network

On the Internet, every machine is identified by its IP address that could be hidden by using anonymizing services and networks such as I2P and Tor network. Usually, the anonymizing process is based on the concept of distribution of routing information. Tor software and the Tor open network help users to avoid surveillance during web browsing, hiding IP address and other identifying information if properly configured. The anonymity is granted through the bouncing of traffic among randomly routedproxy computers before sending it on to its real destination and through the message encryption. Every node of the network manages minimal information to route the packets to the next hop without conserving history on the path.

Tor is easy to use. You can download the Tor Browser Bundle, a version of the Firefox browser that automatically connects to the Tor network for anonymous web browsing.

Web Proxy

To anonymize a user's identity and its IP address, it is possible to use anonymizing services. The simplest way to do it is through Web-based proxies like Proxify or Hide My Ass. Web proxies are easy to use; just typing a website URL the user could visit it anonymously. Many of them also implement advanced features to encrypt connections or block cookies and JavaScript.Principal drawback is related to data speed and difficulty to access some contents like videos. Of course be aware of the proxy you use, as you could come across honeypots set up to spy on you.


Virtual Private Networks represent a valid solution to anonymously surf on internet. Premium VPNs' paid services dedicate proxy servers for their customers. All client traffic is tunneled to the VPN server via this encrypted connection and from there to the web. This results in actually using the server's IP to browse the web, instead of the client's. The principal question is related to the attitude of some VPN providers to maintain server logs that could reveal user's habits. Of course principal service providers deny it but it is a concrete risk.

All the above solutions slow down surfing speed due to the application of tunneling processes and the implementation of cryptographic algorithms.

Keep private your chat conversations

For every communication channel, there is a more or less secure solution. The events demonstrated that most popular conventional instant messaging services like those offered by Google, Yahoo or Microsoft keep track of your conversations. A typical solution to protect the content of chat communications is to encrypt end to end the messages, an operation that could be done using a self made chat client that enciphers the content to transmit or choosing a chat extension available on the Internet.

A very popular cryptographic protocol that provides strong encryption for instant messaging conversations is OTR ("off the record"). It uses a combination of the AES symmetric-key algorithm, the Diffie–Hellman key exchange, and the SHA-1 hash function to protect user privacy. Using the protocol, the server only sees the encrypted conversations, thwarting eavesdropping.

Of course, to use OTR, both interlocutors must install an instant messaging software that supports it, such as Pidgin for Windows and Linux systems.

Keep private your calls

Telephone conversations are exposed to government monitoring, and PRISM is just the last demonstration of the control exercised by authorities for security reasons. Since a few years ago, users were convinced that Internet-based telephony applications represented the most secure way to make calls that avoid wiretapping. Skype was considered the most secure channel since its acquisition by Microsoft.

Of course, I'm speaking of a commercial product, avoiding express reference to the various crypto-mobile and applications commercialized at high cost by many security firms.

Today one of the most interesting solutions provided on the market is silent Circle. It implements an "end-to-end" encryption, making it impossible for telephone companies to access the user's call. As reported by the Washington Post:

"The client software is open source, and Chris Soghoian, the chief technologist of the American Civil Liberties Union, says it has been independently audited to ensure that it doesn't contain any "back doors.""

Another interesting software having similar functionalities and that has been independently audited to make sure there are no back doors is Redphone, an application that protects phone calls with end-to-end encryption. It has been developed with financial support from U.S. Taxpayers courtesy of the Open Technology Fund.

Protecting emails

Another critical aspect is the protection of user's mail. Commercial PGP or free GPG are considered the standard for email security, and both can be used to both encrypt and decrypt messages avoiding surveillance.

GNU Privacy Guard (GnuPG or GPG) is a GPL Licensed alternative to the PGP suite of cryptographic software. GnuPG is compliant with RFC 4880, which is the current IETF standards track specification of OpenPGP. Current versions of PGP (and Veridis' Filecrypt) are interoperable with GnuPG and other OpenPGP-compliant systems.

The main problem for GPG is that novice users could find it complicated to use and not portable. I can promise that in the next few weeks, a product designed by me and my staff that makes the use of GPG on multiple platforms very easy will become available. The solution I designed is very strong and impossible to hack, and it also hides many other surprising features.


The existence of the PRISM program doesn't surprise security experts or the common people. From a recent survey, the majority is willing to sacrifice his privacy for homeland security.

In the PRISM story, I found personally concerning the approach of the principal IT company that professed totally different privacy respect. My last thought is for surveillance operations elsewhere in the planet that is often synonymous to censorship and persecutions. The laws and regulations of many countries accept these practices to protect the interest of the oligarchy that governs the state.

What will happen now that we know that the machines spying on us are also equipped with artificial intelligence and can take action against human beings?



Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.