TOP SFCRF.T//SI//ORCON//NOFORX a msn Hotmail Go« „ paltalk™n- Youffl facebook Gr-iai! AOL b mail & PRISM/US-984XN Overview OR The SIGAD Used Most in NSA Reporting Overview PRISM Collection Manager, S35333 Derived From: NSA/CSSM 1-52 April 20L-3 Dated: 20070108 Declassify On: 20360901 TOP SECRET//SI// ORCON//NOFORN TOP SECRET//SI//ORCON//NOEÛEK ® msnV Hotmail ^ paltalk.com Youi Google Ccnmj<K8t« Be>cnö Wxd6 facebook / ^ AU • GM i! AOL mail ty GOOglC ( TS//SI//NF) Introduction ILS. as World's Telecommunications Backbone Much of the world's communications flow through the U.S. • A target's phone call, e-mail or chat will take the cheapest path, not the physically most direct path - you can't always predict the path. • Your target's communications could easily be flowing into and through the U.S. International Internet Regional Bandwidth Capacity in 2011 Source: Telegeographv Research TOP SECRET//SI// ORCON//NOFORN TOP SECRET//SI//ORCON//NOEQBN Hotmail msn Google ^iïftvgm paltalk™m YouSM) facebook Gm i ¡1 ^ ^ M V^fc i v w*jr ComnuMcatiw Bemm ^mmtmm fcyGooglc AOL & mail  xr^ (TS//SI//NF) FAA702 Operations U « '«PRISM/ -A Two Types of Collection 7 T vv Upstream •Collection of ;ommujai£ations on fiber You Should Use Both PRISM • Collection directly from the servers of these U.S. Service Providers: Microsoft, Yahoo, Google Facebook, PalTalk, AOL, Skype, YouTube Apple. TOP SECRET//SI//ORCON//NOFORN TOP SECRET//SI//ORCON//NOEÛEK Hotmail ® MM msn Google paltalk.com YOUE f^AVi r/irmiVAlfCcmmjotal«f Rhnnl'MirBe>coo WxdS6 GM i! facebook • ty Google AOL & mail Jk (TS//SI//NF) FAA702 Operations V Lfte 5o/7?: PRISM vs. Upstream PRISM upstream 9 U.S. based service Worldwide DNI Selectors / providers sources • Worldwide DNR Selectors ^^ Coming soon sources Access to Stored Communications s/ (Search) 0 Real-Time Collection (Surveillance) v' "Abouts" Collection 0 • Voice Collection ^Voice over IP v' Direct Relationship with ^)Only through FBI Comms Providers V TOP SECRET//SI// ORCON//NOFORN Mg TOP SECRET//SI//ORCON//NOEÛRK Hotmail msn Google paltalk.com YOUE facebook CooinjnicaK«' Beycoo Vftxös & w Gnai^•Google l AOL mail <â '•PRISM, (TS//SI//NF) PRISM Collection Details What Will You Receive in Collection Current Providers (Surveillance and Stored Comms)? It varies by provider. In general: E-mail • Microsoft (Hotmail, etc.) Chat - video, voice • Google Videos Photos • Yahoo! Stored data • Facebook VoIP • PalTalk File transfers • YouTube Video Conferencing • Skype Notifications of target activity - logins, etc. • AOL Online Social Networking details • Apple Special Requests Complete list and details 011 PRISM web page: Go PRISMFAA TOP SECRET//SI// ORCON//NOFORN TOP SECRET//SI//ORCON/7NOEÛEX V Hotmail msn Go file „ A paltalkiom Youd) facebook GtyCoogfcH iil AOL %f> mail  (TS//SI//NF) Dates When PRISM Collection Began For Each Provider 2007 2008 2009 2010 2011 2012 2013 TOP SECRZT//SI//ORCON 7NOFORN TOP SECRET//SI ORCON NOFORN V Hotmail m msn Google paltalk You® GM i! facebook / ^".vM yr QyrmsyKat«- BeyaWWyœ lyCooglC AOL mail ¿3 (TS//SI//NF)FAA702 Reporting Highlight PRISM ancl STORMBREW Combine RISIVI To Thwartx SAME-DAY NTOC/FBI COLLABORATION PREVENTS 150GB EXFIL EVENT FROM C LEARED DEFENSE CONTRACTOR (CDC) 2012 14 DEC U.S. CDC :!ijj y NTOC TIPS FBI TO MMINENT THREAT KK FB^HËLPS CDC REMOVE 2 NTOC tips the IMPLANT FBI to the activity CD The FBI contacts the CDC ancl works with thennp clean the^^^^ The victim performed comj ions on the infecte fc^NTING EXFILTRATION on the NTOC DISCO RSARY INTENT TOP SECRET//SI//ORCON//NOFORN Hotmail msn Gougle ~ rXV05 paltalk You ES facebook OrrrnjfKalO' ftyav Ww* GRAAIL AOL & maiH  (Ts//si//NF) Some Higher Volume Domains Collected from FAA Passive In addition to Hotmail, Yahoo, Google, Paltalk, Facebook, Skype, AOL: Select IP Addresses wanadoo.fr alcatel-lucent.com TOP SECRET//SI// ORCON//NOFORN TOP SECRET//SI//ORCON//NOEÛEK Hotmail msn Google paltalk'cöm. YoulfflS GMHI facebook a—njmeaMo« Be>cflOW3fös (-/Google AOL ^ mail  (TS//SI//NF) PRISM Tasking Process Target Analyst inputs selectors into Unified Targeting Tool (UTT) Surveillance J^^^^^endin^^tore^Comm^ Special FISA Oversight and Processing S2 FAA Adjudicators in Each Product Line Targeting Review/Validation (SV4) Stored Comms Review /Validation Surveillance Ü Pending Stored Comms Targeting and Mission Management (S343) Final Targeting Review and Release y- £ Unified Targeting Tool (UTT) ¿ i PRINTAURA; Site Selector Distribution Manager Pending Stored Comms Surveillance >• FBI Electronic Communications Surveillance Unit (ECSU) Research & Validate NO USPERs Targeting Stored Comms Release Providers Selectors ^ FBI PINWALE, (Google, > > Data Intercept Technology Unit (DITU) NUCLEON, Tnllprtinn Collection Yahoo, etc.) etc. TOP SECRET//SI// ORCON//NOFORN TOP SECRETASI ORC ON//NOFORN ms/i Hotmail GouQie ^ paltalk'roir You® facebook Nf / «A'i •. Zf e—«o»«*»« Gí^ai! AOL mail  (TS//SI//NF) PRISM Collection Dataflow PRINTAURA, FBI DITU TRAFFICTHIEF S3 53 2 SCISSORS. MARINA T132 & £ MAINWAY Protocol Metadata Exploitation, FALLOUT S3132 SCISSORS, CONVEYANCE T132 DNI Content. Videos. NUCLEON PINWALE ¡Partitions TOP SECRET//SI//ORCON//NOFORN an TOP SECRET//SI//ORCON//NOEQRN y* Hotmail msn ^ paltalk.com YOUB Google Commjn<al<«' Beyeofl Wxds facebook Rpuwl WÏII<. CM AOL^>mai fcyGOOglC ¡1 -nil (TS//SI//NF) PRISM Case Notations P2ESQC120001234 V PRISM Provider Fixed trigraph, denotes Year CASN established P1: Microsoft Serial # PRISM source collection for selector P2: Yahoo P3: Google Content Type P4: Facebook A: Stored Comms (Search) P5: PalTalk B: IM (chat) P6: YouTube C: RTN-EDC (real-time notification of an e-mail event such as a login P7: Skype or sent message) P8: AOL D: RTN-IM (real-time notification of a chat login or logout event) PA: Apple E: E-Mail F: VoIP G: Full (WebForum) H: OSN Messaging (photos, wallposts, activity, etc.) I: OSN Basic Subscriber Info J: Videos . (dot): Indicates multiple types TOP SECRET//SI// ORCON//NOFORN .