A Taxonomy of PRISM Possibilities

I have been fielding a decent number of calls and emails from reporters on the NSA PRISM scandal. A lot of people are trying to synthesize reasonable technical explanations for how the NSA could implement the program described in the leaked PowerPoint deck and keep it secret for so long. In an effort to improve the quality of the public discussion, I have decided to create a taxonomy of the theories that I have seen floated and supply my own commentary in italics.

To be clear, I have no special knowledge or insight into this program. Everything listed below is based upon data contained in the news articles I have seen. I also recognize that many of these theories sound far-fetched, although I have to admit that my personal Overton Window for crazy conspiracy theories has shifted in the last 24 hours.

My goal is to keep this list up to date as more information is published, so please let me know if you have any corrections or additions by leaving a comment or via email. My GPG key is available here.

The list is below the fold…

The Taxonomy of PRISM Possibilities

1. The PRISM program does not exist. – I think we can safely eliminate this possibility due to official confirmations.
2. The PRISM program exists…
   1. …and gathers data only after an individual is targeted. – This would make PRISM a more advanced version of the standard “Law and Order” wiretap, where a target needs to be identified before data collection begins. This seems to be contradicted by the available slides and reporting.
      1. Individuals are targeted with the cooperation of the listed companies. – This runs contrary to the very loud denials by these companies, although some options might fit between the weasel words utilized.
         1. The NSA requests data to be collected using existing facilities. – This would be equivalent to the standard lawful intercept and subpoena process at these companies, although under a different legal basis.
         2. The NSA collects data using dedicated facilities. – An example would be an NSA-operated sniffer in corporate datacenters. This would be a complicated system to implement at the scale of a Facebook or Google, and would be difficult to hide from employees.
      2. Individuals are targeted without the cooperation of the listed companies.
         1. The NSA captures traffic using backbone/POP sniffing that is activated only after targeting. 
            1. The NSA performs active middle-person attacks against targeted individuals. – Technically feasible. Would require a mechanism to defeat TLS, such as:
               1. The NSA is using a US Government Certificate Authority or Intermediate CA to terminate TLS. – This would be easy for technically sophisticated targets to detect, and wouldn’t work on recent Chome and Firefox thanks to HPKP.
               2. The NSA has obtained private keys from the listed companies.
               3. The NSA is using a new cryptography breakthrough to impersonate the server. – Being able to factor public keys would work, for example.
            2. The NSA passively sniffs the traffic of targeted individuals.
               1. Only unencrypted traffic is captured.
               2. Encrypted traffic is captured and decrypted. – This is discussed more below.
         2. The NSA captures traffic with the cooperation of last-mile ISPs. – This seems to be incompatible with the claim that this program is mostly/totally used on foreign nationals.
         3. The NSA has surreptitiously installed hardware or software backdoors at the affected companies. – This is the “Aurora Attack” option, and reflects how the PRC and other non-US governments obtain cloud data from US providers. This is both legally dangerous and technically unstable, and does not seem likely from the slides.
   2. …and gathers large amounts of information indiscriminately. – This is how most observers are reading the slide deck, and is even compatible with the official statements mentioning “minimization” of data after it is collected. Kurt Opsahl of the EFF pointed out to me that how the intelligence community uses the word “collect” is not the same as the common understanding.
      1. Broad data sets are gathered with the cooperation of the listed companies.
         1. The NSA can login to backend databases and “pull” the data they want. – This would be a classic idea of a backdoor.
         2. The companies regularly batch up the data sets and send them to the NSA using existing lawful intercept systems.
         3. The NSA installs hardware on-site that receives data copied to it intentionally by the companies.
      2. Broad data sets are gathered without the knowledge of the end-providers. – The general idea of the NSA collecting this data in-flight on the network is strongly supported by the PRISM slide discussing the fact that a great deal of international traffic is routed through the US. This would be irrelevant if US companies with overseas datacenters were providing the data directly.
         1. The NSA is passively sniffing huge amounts of traffic on backbones and at interchange points. – We know that the NSA has hardware in place at major ISPs thanks to the EFF’s lawsuit against AT&T. While it would be impossible to copy all of this traffic to NSA datacenters and then store it, it would be feasible to build a multi-tier architecture where data was screened and discarded at multiple levels (although not for $20M). For example, the local sniffing equipment would use ASICs or FPGAs to quickly inspect every packet and filter out useless information, such as YouTube and Netflix streams or unencrypted connections to popular websites. It would keep interesting streams, such as an HTTPS connection to Gmail, and forward that to NSA facilities for storage and further analysis. But what about encryption?
            1. The NSA is only gathering unencrypted traffic. – While a lot of interesting data is still not encrypted in transit, the list of services in the PRISM slides include several that have been encrypted since availability.
            2. The NSA is decrypting traffic using a non-public breakthrough in cryptanalysis. – This is, coincidentally, the topic of a talk I will be giving (with Tom Ritter, Tom Ptacek, and Javed Samuel) at Black Hat USA this summer. We are not saying that such a breakthrough exists, but that recent advances in solving discrete logarithms should make us wary of using RSA and other asymmetric algorithms based upon “multiplication is easy, division is hard” problems. A fast factoring algorithm would allow the NSA to unwrap TLS connections using an RSA handshake anytime after they were collected, although this should not work against connections negotiated with Perfect Forward Secrecy. Google implemented PFS in 2011, although most other companies have not.
            3. The NSA is decrypting traffic using the private keys of these companies.
               1. The NSA stole private keys from all of these companies.
               2. The NSA convinced these companies to turn over their private keys. – This is a way that these companies could cooperate with the NSA without large numbers of employees being involved.
         2. The NSA is doing active middle-person attacks against large amounts of traffic on backbones and at interchange points. – This seem infeasible to me technically and politically, and is not compatible with the passive splitter configuration the EFF uncovered at AT&T. 
         3. The NSA is intercepting traffic in the datacenters of the listed companies without telling them. – This is not impossible. Perhaps the NSA has installed sniffers at these facilities with the promise of providing collective defense against APT and other attackers and lied about the real purpose. This would mean that these companies were more naive than malicious. This option could avoid cryptography problems if the hardware was installed in the correct place. Again, this would be difficult to implement at the scale of a Google or Facebook without their fully-informed cooperation.
   3. The PRISM Program is mostly run by private contractors, who turn over data meeting certain standards to the Government. – This would allow the companies involved to make narrow claims about not turning over data directly to the government. 
   4. The PRISM Program is just the last analysis and correlation step performed on data gathered through many different means. – This is one way to accommodate all of the different leaks and denials. Maybe PRISM gives a single view into diverse data sets, such as Skype traffic turned over intentionally and Google data from sniffing. It would also explain the shockingly low price tag of $20M advertised in the slides if that data was gathered by other NSA projects with much larger budgets.
      

This isn’t exactly Kids Playing Chicken On Freeways Get Smashed, but I think it’s a reasonable way to organize the options.

So, what are your thoughts? What possibilities did I miss?

Written at Hobee’s Family Restaurant, Belmont, CA.