
That is basically a continuation of the Room 641A concept.

There are a few problems with that theory when you consider that these companies are using SSL now. They cannot MiTM data from a beam splitter, and we know they are not actively MiTM'ing traffic from a spliced cable with their own private key signed by a cooperating CA (doing this would be noticed quickly if they tried it en masse). If they have the companies' private keys then they could be passively decrypting the traffic, unless DHE/ECDHE were being used. If that was the case then they would need the companies' private key and the ability to do an active MiTM.

I don't doubt that they are doing something, but I don't think we have enough information yet to say what. Hopefully further releases will shed more light on this.
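
Added example, not part of any commenter's post: a toy model of the distinction drawn in the comment above, showing what a passive recording yields to someone holding the server's long-term private key under static-RSA key exchange versus ephemeral Diffie-Hellman. All parameters and function names are constructed for illustration, and the numbers are far too small for real use.

```python
import secrets

# Toy parameters, constructed for this example; real TLS uses far larger keys.
P, Q = 2**61 - 1, 2**89 - 1          # two Mersenne primes
N, E = P * Q, 65537                  # server's long-term RSA public key
D = pow(E, -1, (P - 1) * (Q - 1))    # server's long-term RSA private exponent
DH_P, DH_G = 2**127 - 1, 3           # toy Diffie-Hellman group

def rsa_key_transport():
    """Static-RSA handshake: the client encrypts the secret to the server key.
    Returns (what a passive tap records, the secret both ends now share)."""
    premaster = secrets.randbelow(N - 2) + 2
    return {"kx": "RSA", "encrypted_premaster": pow(premaster, E, N)}, premaster

def dhe_exchange():
    """Ephemeral DH: the long-term key only signs the server's share, and the
    exponents a and b are discarded when the session ends."""
    a = secrets.randbelow(DH_P - 3) + 2
    b = secrets.randbelow(DH_P - 3) + 2
    client_pub, server_pub = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    shared = pow(server_pub, a, DH_P)
    assert shared == pow(client_pub, b, DH_P)   # both ends derive the same value
    return {"kx": "DHE", "client_pub": client_pub, "server_pub": server_pub}, shared

def passive_decrypt(recording, private_exponent):
    """What a holder of the long-term private key recovers from a recording alone."""
    if recording["kx"] == "RSA":
        return pow(recording["encrypted_premaster"], private_exponent, N)
    # DHE: the private key never encrypted anything on the wire.
    return None

if __name__ == "__main__":
    for handshake in (rsa_key_transport, dhe_exchange):
        recording, secret = handshake()
        recovered = passive_decrypt(recording, D)
        print(recording["kx"], "recovered from tap:", recovered == secret)
```

For operators, the takeaway is that preferring DHE/ECDHE suites means a later compromise of the long-term key does not expose previously recorded sessions.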



Add on top of that the PRISM program only costs $20m/year. There is just no way a massive nationwide clandestine fiber tap collecting data from companies moving petabytes a day between datacenters can cost a mere $20m/year.

The thing that is most frustrating about this leak is we only get 4 slides out of a 41-slide deck, and are left to fill the gaps with paranoid worst-case assumptions. And the Internet is a great echo chamber of paranoid assumptions.


Well, we also don't know if PRISM is piggybacking on another, possibly far more expensive system (the hypothetical hardware could already be in place, and under the budget of another far more expensive program).

Really, we just don't know. We don't know anything, except that it sure seems that something is going on. The documents are not getting the same treatment as the fabricated documents of a raving lunatic anonymous coward on Slashdot.

It seems fairly prudent to assume the worst-case scenario (better safe than sorry), but it is important to not confuse that assumption with knowledge.


If they're going to lie about the existence of the program, I don't see why they can't lie about how much it costs too.


The program cost comes directly from the slides: http://en.wikipedia.org/wiki/File:Prism_slide_5.jpg


And everything the NSA puts on PowerPoint about its own budget is true?


I guess it depends on the audience the presentation is intended for, but if it's internal I'd hope they weren't lying to themselves.


http://nymag.com/daily/intelligencer/2013/06/former-nsa-empl...

Dr. Charlie Miller, former NSA global network exploitation analyst, @0xcharlie: While I was at the NSA (2000-2005) we were told it was against the law to spy on Americans and if you did it you'd be terminated. In retrospect, it was going on even then. I'm not surprised the heads there lie to Americans, but I'm surprised they lied even to their own employees.


MiTM seems heavy-handed. They already have help from one side; Google and company could log the session key and pass it on.



