Evidence of Forgery in the 2013 PRISM Presentation

The content of the purported PRISM presentation has been proven false.

Besides that, the purported presentation has incorrect security markings. In addition, its design and content reflect the intent to accuse the leading tech companies and the NSA of illegal surveillance, rather than the purported intent to train its readers.

The Guardian claimed that it had verified the authenticity of the PRISM presentation. This was a lie.

At the relevant time, the classification goals and procedures were determined by Executive Order 13526 from 2009. The main thrust of this order was to avoid excessive classification and make declassification easy. Among its requirements is the individual marking of each page and slide and portion marking – separately marking each document element (including a heading, a figure, a table, and even line items), which might have a classification lower than the whole page.

Classification marking was regulated by multiple documents issued by NARA and intelligence agencies. Some of the most relevant documents were: Intelligence Community Authorized Classification and Control Markings Manual (“CAPCO”, 2011–2012), NSA/CSS Policy Manul 1-52 (“NSA/CSSM 1-52”, November 16, 2012), and National Archives Information Security Oversight Office rules (2010). These documents were publicly available.

Incorrect Security Marking

  • Multiple mistakes in the classification authority block. It appears on the first slide as a red stamp, saying:

Derived From: NSA/CSSM 1-52

                         Dated: 20070108

NSA/CSSM 1-52 is an unclassified classification manual. A top-secret document cannot derive information from it. Based on the content of the purported presentation, this line had to be “Derived From: Multiple Sources”. See  NSA/CSSM 1-52, p.21.

The purported presentation is dated April 2013. The relevant NSA/CSSM 1-52 went into force on November 16, 2012, superseding one from January 8, 2007. Thus, if an NSA official made a mistake by referring to the manual instead of the original sources, s/he would have referred to it: “Dated: 20121116”.

The likely cause of these mistakes is that the individual manufacturing this “document” just looked at examples found on the Internet. Many unclassified documents online, especially samples, have this “Derived From: NSA/CSSM 1-52” line. Most documents available on the Internet in June 2013 were created when the 2007 version was in effect, so they reference it.

The banner line  (“TOP SECRET//SI//ORCON//NOFORN”) is placed incorrectly in most slides. The rules say: “The banner line must be conspicuously placed at the top and bottom (header and footer) of each page, in a way that clearly distinguishes it from the informational text …” (CAPCO, p.18). In the purported presentation, the top banner line blends with the companies’ logos instead of being above them. The bottom banner line is partially obscured on slide 7 and is inside the content on slide 9.

One can see the banner line in other declassified or leaked documents (e.g., 1, 2).

  • The purported presentation violates other marking rules. For example, slide 2 contains only public information but is marked as top secret. Excessive classification would have been a serious offense.
  • Portions marking is not applied.

 

The Content Reveals Wrong Intent

“I thought it was a joke at the beginning, like a caricature of an overly corporate slide template,” said one designer after seeing the purported presentation. It looks like a caricature because it is a bad forgery. Bad forgery looks like a caricature.

In this case, it is also intended to deliver the (dis)information that the Guardian and WaPo wanted to manufacture a scandal. This is why the common header contains 13 logos. That does not make sense because the names of companies are supposed to change as the program grows. But it makes sense to smear those companies.

This is supposed to be a training presentation, but there is very little useful for training. Most slides add to the message that the NSA is spying on Americans by accessing all the data that big tech companies store.

 

The Purported Presentation is Incomplete

The page numbers refer to the PDF with 11 slides (out of claimed 41) posted by the Guardian. These slides were published over several days; the latter ones likely incorporated the feedback from the earlier ones. The Washington Post and the Guardian published slides in a different order.

There were some differences between the slides, which might be explained by the different software used.

unpublished draft