TOP SFCRF.T//SI//ORCON//NOFORX

Gr-iai! facebook msn Hotmail

a

G o « „ paltalk™n- Youff l

AOL b mail &

PRISM/US-984XN Overview

O R

The SIGAD Used Most in NSA Reporting Overview

PRISM Collection Manager, S35333

April 20L-3 Derived From: NSA/CSSM 1-52 Dated: 20070108

Declassify On: 20360901

TOP SECRET//SI// ORCON//NOFORN

TOP SECRET//SI//ORCON//NOEÛEK

G M i! V Hotmail

facebook msn

ty GOOglC

Google ® ^ paltalk.com Youi

/ ^ AU • Ccnmj<K8t« Be>cnö Wxd6

AOL mail

( TS//SI//NF) Introduction ILS. as World's Telecommunications Backbone

Much of the world's communications flow through the U.S.

• A target's phone call, e-mail or chat will take the cheapest path, not the physically most direct path - you can't always predict the path.

• Your target's communications could easily be flowing into and through the U.S.

International Internet Regional Bandwidth Capacity in 2011 Source: Telegeographv Research

TOP SECRET//SI// ORCON//NOFORN

TOP SECRET//SI//ORCON//NOEQBN

G m i ¡1 facebook msn Hotmail

fcyGooglc

Google ^iïftvgm paltalk™m YouSM) ^ ^ M V fc i v w*jr ComnuMcatiw Bemm mmtmm

AOL & mail Â

(TS//SI//NF) FAA702 Operations Two Types of Collection

T

You Should

Use Both

Upstream •Collection of

;ommujai£ations on fiber

x r ^ U « '«PRISM/

v v 7 - A

PRISM • Collection directly from the servers of these U.S.

Service Providers: Microsoft, Yahoo, Google Facebook, PalTalk, AOL, Skype, YouTube Apple.

TOP SECRET//SI//ORCON//NOFORN

TOP SECRET//SI//ORCON//NOEÛEK

G M i! facebook msn Hotmail

ty Google

Google f^AVi • ® M M

paltalk.com YOUE r/irmiVAlff Rhnnl'MirS Ccmmjotal« Be>coo Wxd6

AOL & mail Jk

(TS//SI//NF) FAA702 Operations V Lfte 5o/7?: PRISM vs. Upstream

DNI Selectors

DNR Selectors

Access to Stored Communications (Search)

Real-Time Collection (Surveillance)

"Abouts" Collection

Voice Collection

Direct Relationship with Comms Providers

PRISM upstream

9 U.S. based service / providers

•

Worldwide sources

^ ^ Coming soon Worldwide sources

s/ 0 v '

0 ^Voice over IP

• v ' ^ ) O n l y through FBI V

TOP SECRET//SI// ORCON//NOFORN

TOP SECRET//SI//ORCON//NOEÛRK

Gnail facebook msn Hotmail

•Google

Google Mg

paltalk.com YOUE CooinjnicaK«' Beycoo Vftxös & w

AOL mail <â

(TS//SI//NF) PRISM Collection Details '•PRISM,

Current Providers

• Microsoft (Hotmail, etc.) • Google • Yahoo! • Facebook • PalTalk • YouTube • Skype • AOL • Apple

What Will You Receive in Collection (Surveillance and Stored Comms)?

It varies by provider. In general:

E-mail Chat - video, voice Videos Photos Stored data VoIP File transfers Video Conferencing Notifications of target activity - logins, etc. Online Social Networking details

Special Requests

Complete list and details 011 PRISM web page: Go PRISMFAA TOP SECRET//SI// ORCON//NOFORN

TOP SECRET//SI//ORCON/7NOEÛEX

GH iil V Hotmail

facebook msn

tyCoogfc

G o file „ A paltalkiom Youd)

AOL %f> mail Â

(TS//SI//NF) Dates When PRISM Collection Began For Each Provider

2007 2008 2009 2010 2011 2012 2013 TOP SECRZT//SI//ORCON 7NOFORN

TOP SECRET//SI ORCON NOFORN

GM i! V Hotmail

facebook msn

lyCooglC

Google m QyrmsyKat«- BeyaWWyœ

Y o u ®

(TS//SI//NF)FAA702 Reporting Highlight PRISM ancl STORMBREW Combine

To Thwartx

paltalk / ^ " . v M y r

AOL mail ¿3

RISIVI

SAME-DAY NTOC/FBI COLLABORATION PREVENTS 150GB EXFIL EVENT FROM C LEARED DEFENSE CONTRACTOR (CDC)

2012 14 DEC

U.S. CDC :!ijj y

The victim performed comj EXFILTRATION on the

NTOC T IPS FBI TO M M I N E N T THREAT

2 NTOC tips the FBI to the activity

ions on the infecte NTOC DISCO

K K FB^HËLPS CDC REMOVE I M P L A N T

CD The FBI contacts the CDC ancl works with thennp clean t h e ^ ^ ^ ^

fc^NTING RSARY INTENT

TOP SECRET//SI//ORCON//NOFORN

GRAAIL facebook msn Hotmail Gougle ~ r X V 0 5 paltalk You E S

AOL & mai OrrrnjfKalO' ftyav Ww*

HÂ

(Ts//si//NF) Some Higher Volume Domains Collected from FAA Passive

In addition to Hotmail, Yahoo, Google, Paltalk, Facebook, Skype, AOL: Select IP Addresses

wanadoo.fr

alcatel-lucent.com

TOP SECRET//SI// ORCON//NOFORN

TOP SECRET//SI//ORCON//NOEÛEK

GMHI facebook msn Hotmail

(-/Google

Google paltalk'cöm. YoulfflS a—njmeaMo« Be>cflOW3fös

AOL ^ mail Â

(TS//SI//NF) PRISM Tasking Process Target Analyst inputs selectors into

Unified Targeting Tool (UTT) Surveillance

S2 FAA Adjudicators in Each Product Line Targeting Review/Validation

J ^ ^ endin tore Comm^ Special FISA Oversight and Processing

(SV4) Stored Comms Review /Validation

Surveillance Ü Pending Stored Comms

Targeting and Mission Management (S343) Final Targeting Review and Release

y- £ Unified Targeting Tool (UTT)

¿ i PRINTAURA; Site Selector

Distribution Manager

Surveillance >• Pending Stored Comms

Surveillance >•

FBI Electronic Communicat ions Surveillance Unit (ECSU)

Research & Validate NO USPERs

Providers (Google,

Yahoo, etc.)

Targe t ing Se lec to rs ^

Stored Comms Release Providers (Google,

Yahoo, etc.)

FBI Data Intercept Technology Unit (DITU) >

Providers (Google,

Yahoo, etc.) >

Tnllprtinn

FBI Data Intercept Technology Unit (DITU) Col lec t ion

Providers (Google,

Yahoo, etc.)

PINWALE, NUCLEON,

etc.

TOP SECRET//SI// ORCON//NOFORN

TOP SECRETASI ORC ON//NOFORN

G í ^ a i ! facebook ms/i Hotmail G o u Q i e ^ paltalk'roir Y o u ®

Nf / «A'i • . Z f e—«o»«*»« AOL mail Â

(TS//SI//NF) PRISM Collection Dataflow

FBI DITU PRINTAURA, S3 53 2 TRAFFICTHIEF

SCISSORS. T132

£

MARINA &

MAINWAY Protocol

Exploitation, S3132

Metadata

SCISSORS, T132

FALLOUT

CONVEYANCE

DNI Content. Videos.

¡Partitions PINWALE NUCLEON

TOP SECRET//SI//ORCON//NOFORN

TOP SECRET//SI//ORCON//NOEQRN

C M ¡1 y * Hotmail

facebook msn

fcyGOOglC

Google

PRISM Provider P1: Microsoft P2: Yahoo P3: Google P4: Facebook P5: PalTalk P6: YouTube P7: Skype P8: AOL PA: Apple

an ^ paltalk.com YOUB

Rpuwl WÏII<. Commjn<al<«' Beyeofl Wxds

-nil AOL^ > m a i

(TS//SI//NF) PRISM Case Notations

P 2 E S Q C 1 2 0 0 0 1 2 3 4 V

Fixed trigraph, denotes PRISM source collection

Year CASN established for selector

Serial #

Content Type A: Stored Comms (Search) B: IM (chat) C: RTN-EDC (real-time notification of an e-mail event such as a login

or sent message) D: RTN-IM (real-time notification of a chat login or logout event) E: E-Mail F: VoIP G: Full (WebForum) H: OSN Messaging (photos, wallposts, activity, etc.) I: OSN Basic Subscriber Info J: Videos . (dot): Indicates multiple types

TOP SECRET//SI// ORCON//NOFORN