PRISM as part of the BLARNEY program

Last June, the still on-going Snowden-leaks started with the unveiling of PRISM, an NSA program which collects information about foreign targets from American internet companies like Facebook, Google, Yahoo and Microsoft.

Since then, no new information about PRISM was published, but recently some new details could be found. These show that PRISM is part of another NSA program, codenamed BLARNEY, and that US-984XN is not a single designator for PRISM, but stands for multiple designators, one for each of the internet companies.


New slides

On September 8, the Brazilian television news magazine Fantástico aired a report about the NSA trying to access the network of the Brazilian oil company Petrobras. In the background of this report, a number of hitherto unseen NSA slides were shown.

One of the slides shows details about the BLARNEY program, which has the SIGAD, or SIGINT Activity Designator US-984 and the PDDG, or Producer Designator Digraph AX. The slide says that BLARNEY collects DNR (telephony) and DNI (internet) communications under authority of the FISA court. Main targets of the program are diplomatic establishments, terrorists, foreign governments and economic targets:


Top left the slide shows the NSA seal and top right we see a green leprechaun hat with a clover leaf, symbolizing Blarney, as this is also the name of a small town in Ireland.

However, the most intesting fact is that the BLARNEY SIGAD US-984 is almost the same as US-984XN, which is prominently shown on the first slide of the PRISM presentation that was published in June:




This similarity indicates that PRISM is part of BLARNEY, which is also suggested in the Wikipedia article about the latter program.


SIGADs

Wikipedia also has a good article about the SIGAD or SIGINT Activity Designator itself, which teaches us that a SIGAD with two letters followed by three or four numbers, like US-984, is for identifying signals intelligence collection programs and activities.

An additional alphabetic character is added to denote a sub-designator for a subset of the primary collection unit, like a detachment. Lastly, a numeric character can be added after the aforementioned alphabetic to provide for a sub-sub-designator. This already confirms that with the designation US-984XN, PRISM is a sub-program of BLARNEY.

But there's more. In the Wikipedia-article the SIGADs are represented like XX-NNNxn, where an X represents an alphabetic character and an N represents a numeric character. Here we see the same XN-suffix as in the alleged PRISM designator US-984XN, so it seems that XN is only meant as a placeholder for the actual designations of PRISM subsets.

This is confirmed by another slide from Brazilian television, which says that the SIGAD US-984X stands for multiple programs and partners collecting under FAA authority:



PRISM SIGADs

In one of the PRISM slides published in June, there's an explanation of the PRISM case notations. These start with a designation for each PRISM provider, like P1 for Microsoft, P2 for Yahoo, etc. (the first position in the slide below). These designators fit the XN-scheme of one alphabetic character followed by one numeric character.




If we combine this, it seems likely that instead of US-984XN as a single PRISM SIGAD, there are multiple SIGADs, one for each of the internet companies:

- Microsoft: US-984P1
- Yahoo: US-984P2
- Google: US-984P3
- Facebook: US-984P4
- PalTalk: US-984P5
- YouTube: US-984P6
- Skype: US-984P7
- AOL: US-984P8
- Apple: US-984PA

After P8 for AOL, the final number becomes the letter A for Apple. Maybe this is because more than nine companies became involved, and so NSA chose to go on with hexadecimal numbers, so PA can be followed by PB, PC, etc.

Having separate SIGADs for each internet company makes sense, because a SIGAD identifies a specific facility where collection takes place, like a ship or a listening post. PRISM as a program is not such a facility, but comprises a number of them.

The notation of the multiple PRISM SIGADs is also more like that of other collection facilities, for example AFP-827F2 for a CANYON-class satellite and US-987LA and US-987LB for the Bavarian and Afghanistan listening posts of NSA's German partner-agency BND.


BLARNEY

Under BLARNEY, information is collected from both telephone and internet communications. The program was started in 1978 under the authority of the Foreign Intelligence Surveillance Act (FISA), which was enacted in the same year for regulating foreign intelligence collection in which communications of Americans could be involved. The SIGAD for BLARNEY collection under this initial FISA authority is US-984.

According to a report of the Wall Street Journal, BLARNEY was established with AT&T, for capturing foreign communications at or near key international fiber-optic cable landing points, like the AT&T facility Room 641A in San Francisco that was revealed in 2006. A similar facility was reportedly built at an AT&T site in New Jersey.

After the 2001 attacks these intercept capabilities were expanded to top-level telecommunications facilities within the United States, like main switching stations for telephone and internet traffic. These are accessed through arrangements with American internet backbone providers. Finally companies providing internet services like Microsoft, Google and Facebook were added.

Since 2008 this collection takes place under authority of the FISA Amendments Act (FAA) and the dedicated BLARNEY sub-programs and corporate partners are identified by SIGADs in the format US-984X. Except for PRISM, none of them are publicly known.

A chart showing the top ten SIGADs under US-984X is presented in the slide below, but unfortunately, the details aren't readable:




According to the recently disclosed US Intelligence Budget, NSA pays 65.96 million USD for costs made by corporate partners under the BLARNEY program. As PRISM is part of BLARNEY, it's possible that part of that money is also for expenses made by the internet companies like Facebook, Google and Yahoo.

When PRISM was unveiled in June, the Guardian said this program was one of the main contributors to the President's Daily Brief, the top-secret document which briefs the US president every morning on intelligence matters. Being the PRISM parent program, BLARNEY is also one of the top sources to this document. According to a report by Der Spiegel, some 11,000 pieces of information reportedly come from BLARNEY every year.

Some more information about BLARNEY is in another slide that was shown on Brazilian television:



Among other things, the slide says that BLARNEY is used for gathering information related to counter proliferation, counter terrorism, foreign diplomats and governments, as well as economic and military targets. PRISM seems to be used against more or less the same targets, as can be seen in a lesser known slide of the famous PRISM powerpoint presentation:



Once again this makes clear that programs like BLARNEY and PRISM are used to gather information about the usual strategic and tactical topics and therefore not for spying on Americans or other ordinary people.

(Updated on September 23 with the slide describing US-984X, the slide with the PRISM topics and some additional information from the WSJ report)