NSA PRISM — Mass Surveillance of Internet Users

Overview

PRISM was a clandestine mass surveillance program operated by the United States National Security Agency (NSA) that collected internet communications and stored data from at least nine major American technology companies. The program, which began in 2007 under President George W. Bush, was authorized under Section 702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act and was classified at the highest levels of the U.S. intelligence community.

The existence of PRISM was revealed to the public on June 6, 2013, when The Guardian and The Washington Post simultaneously published reports based on classified documents provided by Edward Snowden, a former NSA contractor. The leaked materials included an internal NSA presentation consisting of 41 slides that described PRISM as the agency’s most prolific source of raw intelligence, accounting for nearly one in seven intelligence reports. The presentation listed nine participating companies — Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, and Apple — and indicated dates on which each company had begun cooperating with the program.

PRISM is classified as confirmed — it is a documented government surveillance program whose existence was acknowledged by the U.S. government, verified by multiple independent journalistic investigations, and subsequently debated in Congress and the courts. However, significant disputes remain about the precise technical mechanisms of data collection, the degree of corporate complicity, and the scope of incidental collection of Americans’ communications.

Origins & History

The Post-9/11 Surveillance Expansion

The roots of PRISM lie in the dramatic expansion of U.S. government surveillance authority following the September 11, 2001 terrorist attacks. Within weeks of the attacks, President George W. Bush secretly authorized the NSA to conduct warrantless wiretapping of international communications passing through American telecommunications infrastructure — a program later known as the President’s Surveillance Program or the Terrorist Surveillance Program.

When the warrantless wiretapping program was exposed by The New York Times in December 2005, the Bush administration faced legal challenges and congressional scrutiny. Rather than curtailing the surveillance, Congress moved to retroactively legalize key components of the program. The Protect America Act of 2007 temporarily amended FISA to permit warrantless surveillance of foreign targets whose communications passed through U.S. infrastructure, and the FISA Amendments Act of 2008 made these authorities permanent through Section 702.

The Birth of PRISM

PRISM began operating in 2007 under the legal authority provided by this new legislative framework. According to the leaked NSA slides, Microsoft was the first company to participate, beginning on September 11, 2007 — a date that may have been chosen for its symbolic significance. Over the following five years, other major technology companies were added to the program in sequence:

• Microsoft — September 11, 2007
• Yahoo — March 12, 2008
• Google — January 14, 2009
• Facebook — June 3, 2009
• PalTalk — December 7, 2009
• YouTube — September 24, 2010
• Skype — February 6, 2011
• AOL — March 31, 2011
• Apple — October 2012

The program was administered under the supervision of the Foreign Intelligence Surveillance Court (FISC), a secret court established by the original 1978 FISA legislation. The FISC issued annual certifications authorizing the NSA to target non-U.S. persons reasonably believed to be located outside the United States for the purpose of collecting foreign intelligence information. Individual warrants for specific targets were not required.

Edward Snowden and the 2013 Disclosures

Edward Snowden, a 29-year-old systems administrator working for NSA contractor Booz Allen Hamilton at an NSA facility in Hawaii, began copying classified documents in early 2013. He contacted documentary filmmaker Laura Poitras and journalist Glenn Greenwald, providing them with a trove of classified materials that would eventually number in the tens of thousands of documents.

On June 5, 2013, The Guardian published the first major disclosure: a secret court order compelling Verizon Business Network Services to hand over the telephone metadata of all its customers to the NSA on a daily, ongoing basis. The following day, both The Guardian and The Washington Post published reports on PRISM based on the leaked NSA presentation slides. Within days, Snowden revealed his identity in a video interview from Hong Kong, setting off an international diplomatic crisis as he sought asylum from prosecution under the Espionage Act.

Snowden ultimately received temporary asylum in Russia, where he has remained. The U.S. government charged him with theft of government property and two counts of violating the Espionage Act.

Key Claims

As a confirmed surveillance program, the following are established facts based on leaked documents, government admissions, and independent verification:

• The NSA operated a program called PRISM that collected internet communications data from at least nine major American technology companies
• The program was authorized under Section 702 of the FISA Amendments Act and overseen by the secret FISA Court
• PRISM was described internally by the NSA as its most prolific source of raw intelligence used in NSA analytic reports
• The program collected emails, chat logs, voice and video calls, photos, file transfers, social networking details, and other stored data
• The NSA also operated a separate but related bulk metadata collection program under Section 215 of the USA PATRIOT Act, collecting telephone call records (numbers dialed, call duration, and timestamps) of virtually all Americans
• The NSA shared intelligence collected through PRISM with partner agencies in the Five Eyes alliance — the United Kingdom (GCHQ), Canada (CSE), Australia (ASD), and New Zealand (GCSB)

Disputed Claims

Several aspects of PRISM remain contested:

• “Direct access” to company servers: The leaked NSA slides stated that the agency collected data “directly from the servers” of the participating companies. All nine companies denied providing the NSA with direct access to their servers or systems, claiming they only responded to specific legal requests. Whether the NSA had some form of automated or facilitated access distinct from direct server access remains unresolved.

• Scope of domestic collection: The government maintained that PRISM targeted only non-U.S. persons outside the United States. However, the NSA’s own internal audits revealed thousands of instances of “incidental” collection of Americans’ communications, and critics argued that the architecture of the program made such collection inevitable and systematic rather than truly incidental.

• Upstream collection: Alongside PRISM, the Snowden documents revealed a program known as “Upstream” collection, in which the NSA tapped directly into the fiber-optic cables carrying internet traffic. The relationship between PRISM (which collected stored data from companies) and Upstream (which intercepted data in transit) suggested a surveillance apparatus far more comprehensive than either program alone.

Evidence & Verification

Primary Documentation

The evidence for PRISM’s existence is extensive and irrefutable:

• Leaked NSA presentation slides: The 41-slide internal briefing document described PRISM’s capabilities, participating companies, and collection methods. The slides were authenticated by the NSA through its implicit acknowledgment and the government’s subsequent legal actions against Snowden.
• FISA Court orders: Snowden leaked a top-secret FISA Court order dated April 25, 2013, compelling Verizon to provide the NSA with all call detail records on an “ongoing, daily basis.” The order was issued under Section 215 of the USA PATRIOT Act. The government confirmed the order’s authenticity.
• Government acknowledgment: Following the disclosures, Director of National Intelligence James Clapper confirmed the existence of Section 702 collection (PRISM) and Section 215 metadata collection. President Obama publicly defended the programs as legal and necessary counterterrorism tools.
• NSA Inspector General reports: Declassified IG reports revealed that the NSA had violated its own privacy rules thousands of times per year, including unauthorized searches of Americans’ communications.
• Privacy and Civil Liberties Oversight Board (PCLOB): This independent federal agency conducted an extensive review and published detailed reports on both the Section 215 and Section 702 programs in 2014, confirming their existence, scope, and operational details.

The James Clapper Testimony

A critical episode in the PRISM story occurred on March 12, 2013 — three months before Snowden’s disclosures — when Director of National Intelligence James Clapper testified before the Senate Intelligence Committee. Senator Ron Wyden asked Clapper directly: “Does the NSA collect any type of data at all on millions or hundreds of millions of Americans?” Clapper responded, “No, sir… not wittingly.”

This statement was later shown to be false. Clapper subsequently described his answer as the “least untruthful” response he could give in an unclassified setting. The episode became a landmark example of intelligence officials misleading congressional oversight, and it significantly eroded public trust in government assurances about surveillance.

XKeyscore and the Broader Surveillance Architecture

The Snowden disclosures revealed that PRISM was only one component of a vast surveillance infrastructure. XKeyscore, another program disclosed in the leaks, functioned as a search engine that allowed NSA analysts to query databases containing virtually all internet activity passing through designated collection points worldwide. According to leaked training materials, XKeyscore could search emails, online chats, browsing history, and other internet activity in real time and retrospectively.

The combination of PRISM (stored communications from tech companies), Upstream collection (data intercepted from fiber-optic cables), XKeyscore (the search and analysis interface), and the bulk metadata program created a surveillance apparatus of unprecedented scale and capability.

Cultural Impact

Immediate Political Fallout

The PRISM revelations triggered a global political crisis. European leaders expressed outrage upon learning that the NSA had monitored the communications of allied heads of state, including German Chancellor Angela Merkel. Brazil’s President Dilma Rousseff cancelled a state visit to Washington. The European Parliament launched investigations into NSA surveillance of European citizens.

Within the United States, the disclosures reignited the debate over the balance between national security and civil liberties that had simmered since the passage of the USA PATRIOT Act in 2001. President Obama appointed a Review Group on Intelligence and Communications Technologies, which issued 46 recommendations for surveillance reform in December 2013.

Legislative Reform

The most significant legislative response was the USA FREEDOM Act, signed into law on June 2, 2015. The act ended the NSA’s bulk collection of domestic telephone metadata under Section 215, requiring the agency instead to obtain records from telephone companies using specific selection terms approved by the FISA Court. However, critics noted that the act did not address Section 702 collection (PRISM itself), which was reauthorized by Congress in 2018.

Impact on the Technology Industry

The PRISM disclosures had a profound and lasting impact on the global technology industry. In the immediate aftermath, American technology companies faced a credibility crisis in international markets, with foreign customers and governments questioning whether their data was safe from U.S. government surveillance. Industry estimates suggested that the disclosures cost American cloud computing companies between $22 billion and $180 billion in lost overseas revenue.

In response, major technology companies implemented end-to-end encryption, expanded the use of HTTPS, and began publishing transparency reports detailing government data requests. Apple, Google, and others introduced encryption by default on mobile devices, explicitly citing the need to protect users from government surveillance. These moves led to the so-called “going dark” debate, in which law enforcement and intelligence officials argued that strong encryption was making it impossible to access criminal communications even with lawful authority.

Broader Surveillance Discourse

PRISM fundamentally shifted public discourse about government surveillance. Before the Snowden disclosures, allegations of mass surveillance by Western democracies were often dismissed as paranoid conspiracy theories. After June 2013, the existence of comprehensive government monitoring of digital communications became an accepted fact of modern life.

The disclosures also elevated privacy as a mainstream political and consumer concern. The European Union’s General Data Protection Regulation (GDPR), enacted in 2016 and enforced from 2018, was developed in part as a response to the Snowden revelations, and it fundamentally reshaped how technology companies handle personal data worldwide.

Timeline

• September 11, 2001 — Terrorist attacks on the United States lead to massive expansion of surveillance authority
• October 2001 — USA PATRIOT Act signed into law, expanding government surveillance powers
• 2001-2005 — President Bush secretly authorizes warrantless wiretapping by the NSA (President’s Surveillance Program)
• December 2005 — The New York Times exposes the warrantless wiretapping program
• August 2007 — Protect America Act temporarily legalizes warrantless surveillance of foreign targets on U.S. infrastructure
• September 11, 2007 — Microsoft becomes the first company to participate in PRISM
• July 2008 — FISA Amendments Act permanently establishes Section 702 authority; grants retroactive immunity to cooperating telecoms
• 2008-2012 — Yahoo, Google, Facebook, PalTalk, YouTube, Skype, AOL, and Apple added to PRISM
• March 12, 2013 — DNI James Clapper tells Congress the NSA does not collect data on millions of Americans — later proven false
• May 2013 — Edward Snowden leaves his NSA post in Hawaii and flies to Hong Kong with classified documents
• June 5, 2013 — The Guardian publishes the secret FISA Court order for Verizon bulk metadata collection
• June 6, 2013 — The Guardian and The Washington Post simultaneously publish reports revealing PRISM
• June 9, 2013 — Snowden identifies himself as the source in a video interview from Hong Kong
• June 14, 2013 — U.S. government files espionage charges against Snowden
• June 23, 2013 — Snowden departs Hong Kong for Moscow; his U.S. passport is revoked
• August 1, 2013 — Russia grants Snowden one-year temporary asylum
• August 2013 — The Guardian publishes details of XKeyscore, the NSA’s internet search tool
• October 2013 — Reports reveal NSA monitored the mobile phone of German Chancellor Angela Merkel
• December 2013 — Federal judge Richard Leon rules the NSA metadata program “almost Orwellian” and likely unconstitutional
• December 2013 — Obama’s Review Group issues 46 recommendations for surveillance reform
• January 2014 — Privacy and Civil Liberties Oversight Board finds Section 215 bulk metadata program illegal
• June 2015 — USA FREEDOM Act signed, ending bulk metadata collection under Section 215
• January 2018 — Section 702 (the legal basis for PRISM) reauthorized by Congress for six years
• September 2020 — U.S. Court of Appeals rules the NSA’s bulk metadata collection was illegal
• April 2024 — Section 702 reauthorized again amid ongoing debate over surveillance reform

Sources & Further Reading

• Greenwald, Glenn. “NSA collecting phone records of millions of Verizon customers daily.” The Guardian, June 5, 2013
• Gellman, Barton, and Laura Poitras. “U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program.” The Washington Post, June 6, 2013
• Greenwald, Glenn, and Ewen MacAskill. “NSA Prism program taps in to user data of Apple, Google and others.” The Guardian, June 6, 2013
• Privacy and Civil Liberties Oversight Board. Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act. July 2, 2014
• Privacy and Civil Liberties Oversight Board. Report on the Telephone Records Program Conducted under Section 215 of the USA PATRIOT Act. January 23, 2014
• Greenwald, Glenn. No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State. Metropolitan Books, 2014
• Harding, Luke. The Snowden Files: The Inside Story of the World’s Most Wanted Man. Vintage Books, 2014
• Citizenfour. Directed by Laura Poitras. Praxis Films, 2014 (Academy Award-winning documentary)
• Bamford, James. “The NSA Is Building the Country’s Biggest Spy Center (Watch What You Say).” Wired, March 15, 2012
• Risen, James, and Eric Lichtblau. “Bush Lets U.S. Spy on Callers Without Courts.” The New York Times, December 16, 2005
• Savage, Charlie. Power Wars: Inside Obama’s Post-9/11 Presidency. Little, Brown, 2015
• ACLU v. Clapper, 785 F.3d 787 (2d Cir. 2015) — ruling on the legality of bulk metadata collection