PRISM (US-984XN)
BLUF
PRISM (classified designation US-984XN) is an NSA surveillance program established under Section 702 of the Foreign Intelligence Surveillance Act (FISA), operational since 2007, which collects internet communications directly from the servers of major US technology companies — including Microsoft, Google, Apple, Facebook, Yahoo, YouTube, Skype, AOL, and PalTalk. Exposed publicly in June 2013 by NSA contractor Edward Snowden via The Guardian and The Washington Post, PRISM represents the legal-institutional architecture for mass digital surveillance of foreign targets (with incidental collection of US person data) using American commercial platforms as the primary collection infrastructure. Its exposure triggered the most significant global renegotiation of digital privacy, data sovereignty, and internet governance since the web’s founding — producing cascading legal invalidations of transatlantic data transfer frameworks, legislative battles over Section 702 reauthorization, and a structural reconfiguration of how allied intelligence services engage with US-held signals data.
Technical Architecture
Legal Basis: Section 702 FISA
PRISM operates under Section 702 of the Foreign Intelligence Surveillance Act, enacted as part of the FISA Amendments Act of 2008 (FAA). Section 702 authorizes the Attorney General and the Director of National Intelligence to jointly certify annual targeting procedures permitting the collection of communications from non-US persons located outside the United States for foreign intelligence purposes. Collection targets do not require individual court orders — the FISA Court approves the targeting procedures and minimization standards annually, not individual selectors. This architecture distinguishes PRISM from traditional Title I FISA warrants, which require individualized judicial authorization.
The program formally initiated under the Protect America Act of 2007 — a temporary authorization later superseded by the FAA — making 2007 the operational start date visible in Snowden’s slide deck.
”Direct Access” vs. Compelled Disclosure
A persistent analytical dispute concerns the mechanism of data transfer. NSA slides released by Snowden stated that PRISM enables “collection directly from the servers” of participating companies. The companies uniformly rejected “direct access” characterization at time of disclosure, asserting instead that they respond to legally compelled requests via FBI intermediation — that NSA does not have unmediated server access.
Assessment: Both framings are partially accurate. The technical architecture involves FBI-issued legal process (FISA Court orders) delivered to companies, who then produce responsive data to NSA through a dedicated secure interface. From NSA’s operational perspective, data arrives from company infrastructure without NSA agents physically accessing servers — hence “collection from” rather than “direct access to.” The distinction matters legally and reputationally but not analytically for understanding scope: the volume and type of data available to NSA through this mechanism is functionally equivalent to broad server access for targeted accounts.
PRISM vs. UPSTREAM vs. MUSCULAR
PRISM is one component of a layered collection architecture:
| Program | Collection Point | Legal Basis | Data Type |
|---|---|---|---|
| PRISM | Company servers (stored content) | Section 702 FISA / FBI legal process | Email, files, chat, VoIP, video |
| UPSTREAM | Internet backbone (transit) | Section 702 FISA / telecom cooperation | Data in motion; “about” collection |
| MUSCULAR | Private undersea cables (RAF Menwith Hill / RAF Bude tap) | No disclosed legal process | Raw fiber traffic, incl. Google/Yahoo inter-datacenter traffic |
| MAINWAY | Telecom metadata records | Section 215 USA PATRIOT Act (Bulk) | Call detail records (CDRs) |
| XKeyscore | Search/analytic layer over all above | Internal NSA authorization | Cross-collection query interface |
MUSCULAR warrants specific note: operating in conjunction with GCHQ from RAF Bude, Cornwall, MUSCULAR tapped Google and Yahoo private fiber links connecting datacenters — traffic that transited outside the US and thus outside FAA jurisdiction. Unlike PRISM, MUSCULAR involved no legal process served on companies; both Google and Yahoo stated they were unaware of this collection. This distinction — legal collection inside US jurisdiction (PRISM) vs. clandestine cable tap on private infrastructure outside it (MUSCULAR) — is analytically significant for assessing the scope of intelligence community surveillance authority claimed in practice versus authorized by statute.
Participating Companies and Legal Framework
Named Participants and Onboarding Dates
Per the Snowden slide deck (confirmed by NSA in subsequent declassified documents):
| Company | PRISM Start Date |
|---|---|
| Microsoft | September 2007 |
| Yahoo | March 2008 |
| January 2009 | |
| June 2009 | |
| PalTalk | December 2009 |
| YouTube | September 2010 |
| Skype | February 2011 |
| AOL | March 2011 |
| Apple | October 2012 |
Dropbox was listed as “coming soon” in the 2013 slides but never confirmed as formally onboarded to PRISM proper.
Legal Mechanisms
Companies receive collection orders through the FBI’s Data Intercept Technology Unit (DITU), which serves as the intermediary between NSA and providers. The operative legal instruments are:
- FISA Court (FISC) orders under Section 702: Annual certifications approved by the FISC authorizing the targeting procedures; specific account selectors submitted by NSA to FBI, who serve production orders on companies.
- National Security Letters (NSLs): Administrative subpoenas issued by FBI without judicial approval, used for metadata rather than content; accompanied by gag orders (under 18 U.S.C. § 2709) prohibiting recipient companies from disclosing the existence of the NSL. NSLs are distinct from PRISM’s Section 702 mechanism but constitute a parallel collection vector affecting the same companies.
Post-Snowden Transparency Changes
Following the June 2013 disclosures, major technology companies — Google, Microsoft, Apple, Facebook, Yahoo — negotiated with the Department of Justice for permission to publish transparency reports disclosing aggregate counts of national security requests. These reports remain aggregate and subject to classification-approved ranges; they cannot identify specific PRISM-related production. Nevertheless, their publication established a new norm of partial transparency in the relationship between US tech platforms and the intelligence community.
Scope of Collection
Authorized Foreign Intelligence Targeting
PRISM is legally authorized to collect communications of non-US persons located outside the United States for foreign intelligence purposes. Targeting procedures require a determination that the target is a non-US person abroad and that a “significant purpose” of collection is obtaining foreign intelligence information. NSA analysts submit individual selectors (email addresses, usernames, phone numbers) against this standard; the FISC does not review individual selectors.
Incidental Collection of US Persons
Because foreign intelligence targets routinely communicate with US persons, Section 702 collection inherently captures US person communications. This is termed incidental collection — not the purpose of collection, but an unavoidable byproduct of targeting foreign persons on US-operated platforms. The scale of incidental US person collection has never been publicly quantified; the Office of the Director of National Intelligence (ODNI) confirmed in 2017 that it could not provide an estimate of the number of US persons’ communications collected under Section 702.
Minimization procedures govern how NSA handles incidentally collected US person data: such communications must be purged unless they contain “foreign intelligence information,” evidence of a crime, or information necessary to understand the foreign intelligence. Critically, FBI and CIA — as secondary recipients of PRISM data — may conduct “back door searches” querying Section 702 collected data using US person identifiers, without obtaining a warrant. This practice became a major flashpoint in Section 702 reauthorization debates.
Documented Foreign Leader Surveillance
Parallel to PRISM (though not solely through PRISM’s technical architecture), NSA surveillance reached confirmed foreign government targets:
- Angela Merkel (Germany): Personal mobile phone monitored under SIGINT program; confirmed by Snowden documents published in Der Spiegel. Germany opened a criminal investigation against NSA officers; the case was ultimately dropped for jurisdictional reasons.
- Dilma Rousseff (Brazil): Communications and those of her advisors monitored; confirmed by Snowden documents published in O Globo (September 2013). Rousseff cancelled a planned state visit to Washington and addressed the UN General Assembly in September 2013 with a direct condemnation of NSA surveillance programs. Brazil subsequently accelerated efforts to develop independent internet infrastructure and route data traffic around US chokepoints.
The Snowden Disclosure — June 2013
Timeline of the Initial Disclosures
| Date | Event |
|---|---|
| June 5, 2013 | The Guardian (Glenn Greenwald) publishes secret FISC order to Verizon requiring bulk call metadata production under Section 215 — first Snowden disclosure |
| June 6, 2013 | The Guardian (Greenwald/MacAskill) and The Washington Post (Barton Gellman / Laura Poitras) simultaneously publish PRISM slide deck; NSA confirms program’s existence |
| June 9, 2013 | Snowden self-identifies in video interview published by The Guardian; reveals location as Hong Kong hotel |
| June 14, 2013 | US DOJ files criminal complaint against Snowden under Espionage Act (18 U.S.C. §§ 793, 798) |
| June 23, 2013 | Snowden departs Hong Kong for Moscow Sheremetyevo airport |
| August 1, 2013 | Russia grants Snowden temporary asylum; he exits airport transit zone |
| 2014 onward | Snowden receives successive Russian residency extensions; permanent residency granted 2020; Russian citizenship granted September 2022 |
BOUNDLESS INFORMANT — Parallel Disclosure
Concurrent with PRISM disclosures, Snowden released slides for BOUNDLESS INFORMANT, an NSA metadata analytics tool that counted and mapped signals intelligence collection volume by country. BOUNDLESS INFORMANT revealed that NSA collected approximately 97 billion internet records and 124 billion telephone records globally in a 30-day period in 2013 — figures that contradicted congressional testimony by DNI James Clapper that NSA did not “wantonly” collect data on millions of Americans. The Clapper testimony (March 2013, to Senate Intelligence Committee) became the reference point for subsequent perjury allegations that were never prosecuted.
Journalistic and Legal Context
The PRISM story involved coordinated action across multiple journalists with separated document handling: Greenwald for written analysis, Poitras for document authentication and video journalism, and Gellman at the Post working from a parallel document set. This division of labor was partly security-motivated. The Guardian’s UK offices were subsequently subject to GCHQ pressure; British authorities compelled destruction of hard drives containing Snowden documents at the Guardian’s London offices in July 2013 — a highly unusual act of direct state pressure on a news organization in a liberal democracy.
Geopolitical and Legal Aftermath
Schrems I — EU-US Safe Harbor Invalidated (2015)
Austrian privacy activist Maximilian Schrems filed a complaint with the Irish Data Protection Commissioner arguing that Facebook Ireland’s transfers of EU citizen data to the United States could not be “adequate” under EU data protection law given what PRISM revelations demonstrated about US surveillance capabilities. The case reached the Court of Justice of the European Union (CJEU), which in Schrems v. Data Protection Commissioner (Case C-362/14, October 2015) invalidated the EU-US Safe Harbor framework — the mechanism underpinning over 4,000 companies’ transatlantic data flows since 2000. The CJEU found that US law did not ensure an “adequate level of protection” equivalent to EU standards. This ruling caused immediate disruption to transatlantic digital commerce.
Schrems II — Privacy Shield Invalidated (2020)
The Safe Harbor replacement, the EU-US Privacy Shield (negotiated 2016), faced a second Schrems challenge. In Data Protection Commissioner v. Facebook Ireland (Case C-311/18, July 2020), the CJEU invalidated Privacy Shield on substantively identical grounds — US surveillance programs (Section 702 / PRISM specifically cited in the opinion) prevent adequate protection of EU persons’ data. The ruling also placed significant restrictions on Standard Contractual Clauses as transfer mechanisms.
Trans-Atlantic Data Privacy Framework (2023 — Current)
Following Schrems II, the US and EU negotiated the Trans-Atlantic Data Privacy Framework (TADPF), adopted by the European Commission in July 2023. The TADPF is supported by a US executive order (EO 14086, signed October 2022) establishing a new redress mechanism — a Data Protection Review Court (DPRC) within the DOJ — for EU persons to challenge US surveillance. Schrems has filed a new challenge; as of 2026, the TADPF remains in force but under legal contestation. The structural tension — US foreign intelligence law (Section 702) operating on US-based platforms hosting EU person data — has not been resolved by the TADPF; the framework manages rather than eliminates it.
Five Eyes and PRISM Data
PRISM-derived intelligence flows through the Five Eyes alliance’s second-party sharing arrangements. GCHQ (UK), CSE (Canada), ASD (Australia), and GCSB (New Zealand) receive NSA-produced intelligence derived in part from PRISM collection. The existence of MUSCULAR as a joint NSA-GCHQ operation underscores that GCHQ is not merely a passive recipient but an active co-collector. Snowden documents revealed GCHQ conducted its own large-scale internet collection programs (TEMPORA — tapping fiber cables landing in the UK) which intersect with and complement PRISM-derived NSA data.
Section 702 Reauthorization Battles
Legislative History
Section 702 carries a sunset clause requiring periodic congressional reauthorization:
| Year | Action |
|---|---|
| 2012 | First reauthorization; minimal debate; Snowden disclosures not yet public |
| 2017 | Reauthorized through 2023; reform amendments (requiring warrant for US person queries) defeated in House; “about collection” under UPSTREAM suspended voluntarily by NSA following FISC compliance findings |
| April 2024 | Reauthorized through April 2026 (two-year extension) via the Reforming Intelligence and Securing America Act (RISAA); bill passed after contentious debate; included expanded definition of “electronic communications service providers” — potentially extending compelled production to a broader set of businesses (data centers, hotels, parking garages) able to access fiber; Senate passed on tie-breaking VP vote |
Core Contested Issues
Back door searches: FBI and CIA ability to query Section 702 data using US person identifiers without a warrant. Civil liberties community (ACLU, EFF) and some members of Congress argued this creates a de facto warrantless surveillance mechanism for US persons. Intelligence community argued warrants would impede operational tempo and were not constitutionally required for data already lawfully collected.
“About” collection: UPSTREAM collected communications “about” a target — i.e., messages that mention a target’s identifier even if the target is not a sender or recipient. NSA suspended this practice in 2017 following FISC compliance findings of over-collection of US person communications; RISAA 2024 did not formally reinstate it but did not prohibit its future resumption.
Provider scope expansion: RISAA’s broadened “electronic communications service provider” definition created significant concern that almost any business with network infrastructure could be compelled to assist NSA collection — potentially the most significant expansion of Section 702 scope since 2008.
PRISM in Context: The US Surveillance Architecture
PRISM is analytically misunderstood when treated as a standalone system. It is one collection layer within a broader architecture designed to achieve comprehensive coverage of global digital communications:
COLLECTION LAYER
├── PRISM → Stored content from US tech platforms (Section 702)
├── UPSTREAM → Data in transit on internet backbone (Section 702)
└── MUSCULAR → Private fiber cable taps (no disclosed legal basis)
METADATA LAYER
├── MAINWAY → Call detail records (CDRs) — Section 215 bulk (suspended post-2015)
├── MARINA → Internet metadata (connection logs, browser history)
└── DISHFIRE → SMS metadata (global, partnered collection)
ANALYTIC LAYER
└── XKeyscore → Query interface across all collected data; enables retroactive
full-take searches by selector, keyword, behavior pattern
SECOND-PARTY LAYER
└── Five Eyes SIGINT sharing — PRISM-derived intelligence flows to GCHQ, CSE, ASD, GCSB
XKeyscore deserves particular note: described in Snowden documents as the “widest-reaching” NSA collection system, XKeyscore is not itself a collection program but a search and analysis front-end that queries data from PRISM, UPSTREAM, MUSCULAR, and other collection streams. An analyst with XKeyscore access can search the “full take” of internet activity — including content of communications — from targeted selectors or behavior patterns, with minimal supervisory authorization at the point of query.
Key Connections
- United States
- NSA
- Five Eyes
- United States Intelligence Community
- Apple
- Pegasus Spyware
- Tor
- Mass Surveillance
- Signals Intelligence
- Digital Sovereignty
Sources
- Greenwald, Glenn. “NSA collecting phone records of millions of Verizon customers daily.” The Guardian, June 5, 2013.
- Greenwald, Glenn, Ewen MacAskill, and Laura Poitras. “NSA Prism program taps in to user data of Apple, Google and others.” The Guardian, June 6, 2013.
- Gellman, Barton and Laura Poitras. “U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program.” The Washington Post, June 6, 2013.
- NSA, “PRISM/US-984XN Overview” [leaked slide deck, authenticated]. June 2013.
- CJEU, Schrems v. Data Protection Commissioner, Case C-362/14, October 6, 2015.
- CJEU, Data Protection Commissioner v. Facebook Ireland, Case C-311/18, July 16, 2020.
- Office of the Director of National Intelligence, “Statistical Transparency Report Regarding Use of National Security Authorities.” Annual editions, 2014–2025.
- US Senate, Reforming Intelligence and Securing America Act (RISAA), Pub. L. No. 118-49, April 2024.
- Gellman, Barton, Julie Tate, and Ashkan Soltani. “In NSA-intercepted data, those not targeted far outnumber the foreigners who are.” The Washington Post, July 5, 2014.
- Ball, James, Julian Borger, and Glenn Greenwald. “Revealed: how US and UK spy agencies defeat internet privacy and security.” The Guardian, September 5, 2013. [MUSCULAR / TEMPORA]
- Privacy and Civil Liberties Oversight Board (PCLOB), “Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act.” July 2, 2014.
- Executive Order 14086, “Enhancing Safeguards for United States Signals Intelligence Activities.” October 7, 2022.