
What? I'm not putting forth any interpretation of 'direct access'.

I appreciate that it seems you are responding to a lot of comments but I really find this comment lazy and borderline offensive.



You're saying that Google's claims compete with NSA's.

They don't.


Thanks for the response. See my reply to tptacek above. I probably should have said 'appear to compete' or similar, as reading them together does not lead to an easy answer - and there are a number of possibilities as to how you could interpret them.


Certainly true that there are a number of possibilities. The one that seems to make sense per Occam's Razor and the mass of evidence we now have is that Prism is an NSA-side "facade pattern" against a set of company-specific FISA/NSL-compliance APIs.

In NSA-speak this is "collection directly from the servers of $FOO" because there is no wiretap or other SIGINT or ELINT shenanigans. They ask, or the FISA Court compels by warrant, for a company to turn over information they have, the company sends it over electronically.

Prism, on the NSA end, takes care to feed that information that is sent over to whichever analyst is working the case, patches up company-specific details so the analyst doesn't have to worry about it, etc. But they don't have feelers onto every datacenter owned by those 9 companies so there is no "direct access to data", as has been erroneously and loosely parroted around.


The two are not really competing claims; the argument over whether they are is the argument that NSA could in fact have direct access to the servers operating Google Mail.

I'm not trying to single you out, sorry.


Are you saying that the "collection directly from the servers" claim of the NSA document is simply the systems we already know about (FISA warrants or otherwise) until proven otherwise?

To me the terminology of the document probably (though not necessarily) indicates something more serious, but I'm not sure it's necessarily 'cables into gmail' (which you seem to indicate as the only alternate). For instance, potentially someone working for Google may transfer selected records out manually without the knowledge of Google.

Thanks but I'm not so concerned to be 'singled out' as 'lumped in'. I want to get to understand your views more than simply disagree. I hope my previous posts haven't seemed too argumentative either.


Marc Ambinder, a reporter who has covered the national security beat for many years (before that he was a political reporter for The Atlantic, and before that the White House reporter for --- I think? --- CBS), reported that PRISM is a system of dropbox servers and a user interface that allows seamless access to all of those servers, presumably so that analysts don't have to keep track of which data is affiliated with Google and which data is affiliated with Yahoo.

Other reports have corroborated this.

Declan McCullagh, who has covered this beat for CNet for something like 10 years and is most notable on HN for jumping into threads and arguing the EFF's side of any given story against me (in other words: not a guy prone to support of the establishment), ran a story last week with sources that also denied that NSA had unilateral access to Google Mail.

The NYT just a few days ago ran a story with a linked FISA court order that documented Yahoo's attempt to push back on a FISA directive, a process that would not have been necessary (for the government) had NSA had direct access to Yahoo's servers; the court order demanded that Yahoo turn over data.

And, of course, Google categorically denies that NSA has direct unilateral access to their servers and, for that matter, that they've been able to obtain records for large fractions of their user base. Those denials have come from multiple levels of the company, from the CEO to the General Counsel to their tech leaders to people on their security team.

I'm not simply supposing that NSA doesn't have this access. Based on the evidence available, I am drawing the obvious conclusion that they do not.


The slides claim NSA has access to company servers. It does not claim they have free access to whatever they want. A system of "dropboxes" coupled with a system to get specific sets of data onto them - whether reviewed by humans or not - could fit with that.

That would not contradict the Guardian reporting, or even what the NSA's slides claim.

The rest of what you state also does not contradict the Guardian's reporting: They make specific claims about specific subsets of these companies' data.

You keep arguing about an expansive interpretation of the reporting even when faced with much more restricted alternative interpretations.

When it comes to relying on press releases with denials, I'm clearly more cynical than you - I assign them pretty much zero value as evidence. I'd expect these companies to issue denials whether the claims are true or not, so I don't see the press releases as containing any useful information to draw inferences from.


Hey! That's me! (I've covered this beat at CNET for 11 years and at Wired and Time and Wired a second time before that for about 5 years. It's not the EFF's side I'd argue, but I'm flattered that you think so.)

Anyway, I've disagreed politely with <tptacek> before, but he is 100% correct here.


Thanks for the detail - I now understand your view far better than earlier in the thread. Will read these articles when I have the time.


If you look at the source of the "collection directly from the servers" terminology, the You Should Use Both slide http://www.guardian.co.uk/world/2013/jun/08/nsa-prism-server... , it's fairly clear that PRISM collection is being contrasted to "upstream" collection. In the context, it would be natural to describe getting someone's GMail account state (plus a live feed of account updates) through a FISA directive (and an API) as "collection directly from the servers": the stated alternative is recording the packets of someone's IP connections as they cross into and out of the US, a much more indirect and not-from-the-server(s) option. Then there's the fact that the slide heading is "FAA702 Operations". Using FAA 702 on Google requires the US Government to serve a FAA 702 directive to Google; getting a Google employee to hand over information without Google's knowledge would not be using FAA 702 at all.

(Further, the fact that Greenwald couldn't figure this out from looking at the You Should Use Both slide by himself - instead, actually producing the slide in the belief that it was evidence which undermines the FISA-API theory - and still can't or won't get it after having it explained to him, undermines the thesis that he's both able and willing to interpret the PRISM presentation carefully and accurately. Though he wasn't the only journalist to (apparently) misinterpret the "direct access" claim at first.)


Thanks for that. Best response I've seen on these issues - I hope others read it.

I'm not sure on the requirement for a FAA702 directive to be issued to Google however. Surely the upstream operations (which come under the same heading of FAA702 in the slide) don't require a FAA702 directive? I'm no expert but the directives seem to serve as a means to access the information, not as a necessity for disclosure of information should it be available by other means....



