Director of National Intelligence James Clapper briefs President Barack Obama. Image credit: White House Photostream
The US government has been spying on millions of people’s phone records and internet activity for years, according to a series of leaked documents published this week by The Guardian and The Washington Post. President Obama on Friday confirmed that these two intelligence gathering programs were going on, defending them as limited, legal, and helpful in preventing terror attacks. Both stem from some of the same anti-terror laws, but there are big differences between the internet surveillance effort, known as PRISM, and the phone records spy program.
PRISM internet surveillance: targets online communications outside the US, no court order needed
First of all, the programs are different in who they target and the types of data they have been reported to collect so far. PRISM allegedly lets the US National Security Agency access most types of online user activity and communications on Google, Apple, Facebook, Microsoft, Yahoo and other large internet companies.
When it comes to the types of data that can be collected under the NSA’s PRISM internet surveillance program, it’s still unclear exactly what data the government can scoop up. A leaked classified PowerPoint presentation published Thursday says that PRISM gives the government access to basically all types of online user communications — email, voice and video chat, photos, VoIP, file transfers, "online social networking details," to name a few. PRISM theoretically lets the FBI and NSA see what you’re saying on Skype or storing in Google Drive. "They quite literally can watch your ideas form as you type," the officer who leaked the files told The Washington Post.
But many of the tech companies that were named in the PowerPoint as partners in the PRISM program have come out saying they don’t allow "direct access" by the government to their servers or to user content. Still, most of the companies have also said they nonetheless comply with government orders to hand over user information.
Ashkan Soltani, an independent electronic privacy consultant who works with major government and media outlets, has a theory on how both statements could be correct. "Notice all the companies are using the exact same term ‘direct access.’ They might still give them some other type of access. There’s a cleverness to the wording." Soltani believes that the tech companies alleged to be participating in PRISM could be letting the government search for information on specific users through application programming interfaces (APIs) set up to filter only users outside the US.
That would comply with the legal justification for PRISM. In a statement, US National Intelligence Director James Clapper, the head of the NSA and other intelligence agencies, explained that PRISM is justified under Section 702 of the FISA Amendments Act of 2008, which was just reauthorized by Congress late last year. The act states that if a US intelligence agency believes its target is a foreigner outside the US, the Attorney General and the director of National Intelligence can make an executive decision on collecting data.
"With respect to internet and emails, this does not apply to US citizens, and it does not apply to people living in the United States," Obama said Friday. That means that communications from internet users around the rest of the world could be accessed through this program. But some US user data is also being collected along with it on the side, as Clapper acknowledged, saying that there were procedures in place to "minimize the acquisition, retention and dissemination of incidentally acquired information about US persons," although it’s unclear how this information is weeded out.
The Washington Post reported that NSA analysts must have at least 51 percent confidence that a target is foreign before they can collect data under Section 702. It’s unclear what information would be necessary to constitute a "51 percent confidence," but that’s not a high standard overall. As ACLU national security fellow Brett Max Kaufman says, collecting correspondence from foreign targets "would necessarily include the communications of any US individual that is communicating with that person." Likewise, "the fact that they're using a 51 percent standard suggests that they're stretching it as far as they possibly can."
Unlike the phone surveillance, PRISM doesn’t require a court order to operate. Judicial oversight comes afterwards, when the Foreign Intelligence Surveillance Court (the same court that approves the phone surveillance orders) and Congress can review the decision. This means there’s one less hoop to jump through in order to start surveillance.
Phone data surveillance: targets callers inside and outside the US, court order required
Meanwhile, the phone surveillance program, which does not have a catchy name yet, targets customers of major US-based phone companies like Verizon — including customers in the US — but it does not monitor the audio of phone calls themselves. Instead, it sweeps up all other data related to calls, known as "metadata," which includes phone numbers, the length of each call, device and customer ID numbers, and some geolocation data.
"You can infer a bunch of different things just based on calling patterns," said Soltani. "If they know that my call to you today was 45 minutes, and that 10 other people called you today, that probably means you’re a central hub in a network … they can tell your role in the network."
When the FBI and NSA requested information about Verizon and presumably other major phone companies including AT&T and Sprint, they did so under Section 215 of the Patriot Act, which lets the FBI request an order from a secret court — the Foreign Intelligence Surveillance Act (FISA) Court, set up under the passage of the first FISA bill back in 1978. If a judge on this court grants an order, as in the case of Verizon, companies or organizations must give the NSA any "tangible things" related to an investigation of international terrorism or spying. "Tangible things" explicitly includes books, records, documents, and papers, but as in the case of the Verizon court order, it also includes metadata.
Under Section 215, the FBI can request records on who you're calling, when you're making calls, and many other details that add up to a broad picture of the person who's being surveilled. It's also the source of the infamous Patriot Act "library provision," which allowed government agencies to go after the library records of suspects in their investigations.
In some ways, the PRISM program feels far more invasive than the collection of call logs. Phone metadata is important, but knowing that someone has been given your phone’s device ID number or a list of contacts doesn’t carry the same sense of violation as someone actually listening to your phone calls. But civil liberties groups have repeatedly cited Section 215 as a danger to American privacy. That's partly because unlike some other sections of FISA, it allows the government to collect data on anyone — not just non-citizens outside US borders — so long as it's in the interest of national security. It's also because the exact interpretation of the law remains fuzzy.
The way Section 215 is being used is "far beyond what Americans expect from the terms of the statute," says Kaufman. Soltani agrees: "This Verizon order indicates that the intelligence community's interpretation of 215 for that type of data is not limited to certain targets. It’s extremely overbroad, a large-scale mining of domestic data by multiple national intelligence agencies." Because it potentially sweeps in so many US citizens, including lawmakers and journalists, Soltani believes it may be used to identify the very types of insiders who leaked the information on the program’s existence in the first place.
After the Verizon court order was leaked, NSA head Clapper argued that The Guardian was twisting the facts to make a limited provision look expansive. "The court only allows the data to be queried when there is a reasonable suspicion, based on specific facts, that the particular basis for the query is associated with a foreign terrorist organization," he said. "Only a very small fraction of the records are ever reviewed because the vast majority of the data is not responsive to any terrorism-related query."
Kaufman, however, doesn’t see any evidence of those limitations in the order itself. "The statute requires an order like the one we've seen from Verizon to have these minimization procedures," he says, but "any discussion of those minimization procedures is absent."
Which is worse?
In an abstract sense, the differences between how the NSA and FBI can manage PRISM and their phone log collection boil down to scope and oversight. Their surveillance of Verizon under Section 215 swept up the metadata of millions of Americans, even if Clapper claims the majority of it was never examined. "Only a very small fraction of the records are ever reviewed because the vast majority of the data is not responsive to any terrorism-related query," Clapper wrote in a statement late Thursday, saying that the FISA Court got to decide which data the NSA was able to see. "The court only allows the data to be queried when there is a reasonable suspicion, based on specific facts, that the particular basis for the query is associated with a foreign terrorist organization."
PRISM, by contrast, can snoop through email or other information for a full year as long as the FBI and NSA heads approve it. That surveillance, however, isn’t supposed to target anyone but non-citizens located outside the US.
In practice, though, it’s hard to say how much most of the ostensible limits matter. "I think this is along the lines of the broad interpretation that we've been warning about since the provision was passed," Kaufman says of Section 702. "I think it would be foolish to dismiss that they could be stretching this authority even more broadly given what we've learned over the past few days."
Carl Franzen contributed to this report. Graphic design by Dylan Lathrop.