48 comments

[ 4.6 ms ] story [ 80.1 ms ] thread
I, too, would like to use this opportunity to declare that I was not aware of PRISM until the story broke and that the US government does not have any backdoors installed on my private servers (to the best of my knowledge, certainly not with my participation).

I will make sure to include this information on my annual Christmas cards, possibly becoming the first individual to do so.

(comment deleted)
(comment deleted)
Now that PRISM has been exposed, the NSA should consider outsourcing data collection to China. They already have a huge team of elite hackers with a proven track record of breaking into top tech companies. Chances are, the Chinese hackers already have a backdoor on your servers. And with their low labor costs, we could save US taxpayers millions!
We too would like to make known we do not share any of the high quality client data we have available but we're always open to offers. #callmemaybe
(comment deleted)
Forgive my lack of understanding, but what's with the four paragraph pattern in all these responses?
Gag orders and supplied public statements.
Direct access, direct access, and direct access - all use the same word. What do we make out of it?
1. The Guardian article that leaked this program used that exact term. 2. This is a joke.

That's what we make out of this.

These companies could write a 500 bullet point list of every possible denial variation, and people would still say there's weasel wording.

If they said not a single packet of customer data is sent to the NSA, they'd say that's because it is laundered through the FBI first. Or, they'd say it could be sent by sneakernet. Or they'd say that it is sent to GCHQ so that the UK can snoop domestically on US citizens to avoid the NSA legal restrictions.

It's simply not possible to construct a denial to which there is no "workround". At this point, no matter what the NSA or the companies say, or Congress says, no one will believe them.

If we can't even get nuts to stop calling the moon landing a hoax, or the 9/11 truthers who think the building was a controlled detonation, there's no way this conspiracy will ever end, even if it turns out to be something much more mundane than first leaked.

This is the whole problem with lacking transparency. The trust is broken now, and the whole network operates on some level on the basis of trust.
Sure you can: "We do not share your data without requesting your explicit consent before hand"
From the Google privacy page: http://www.google.com/intl/en/policies/privacy/

(Heavily redacted, to make it smaller and highlight the more relevant points.)

  Information we share 
  [...] 
  * With your consent 
    [...]
  * For legal reasons 
    We will share personal information [...] if we
    have a good-faith belief that [...] disclosure of the
    information is reasonably necessary to: 
    - meet any applicable law, regulation, legal process
      or enforceable governmental request. 
    - [...]
In spite of what you want to do, you can't ignore a enforceable governmental request, so Google can't say "We never share anything with the government." . Most sites have similar privacy policies.
Well yeah, I wasn't arguing against that point. But that's separate from the point which the OP raised. I was merely stating that you can write a privacy policy which doesn't sound like you're trying to weasel out, and posted a very basic one-liner to demonstrate that point. I could also add the following to cover your point as well:

"In the instance where a court order is raised to provide your information, we release only as much as we are legally obliged to and will inform you of the order"

"In the instance where a gag order prevents us from notifying you of the requested data, then you are probably heading for Guantanamo Bay regardless of what information we leak :p"

"we have not joined any program that would give the government for any country whose name begins with a vowel direct access to ports 81-49152 on any of our servers" -- so they're using FTP or just plain HTTP? On a more serious note, the big problem with PRISM and these new developments is that even if you were to participate, you could not tell us (without going to prison). So, all these "we don't do it, trust us" notices ring hollow since we can't really trust them; sorry...
False. All participants have admitted it in their statements (turning over specific user data in response to court orders). PRISM just turned out not to be as nefarious as initially reported.
While there's a framework in place that forces you to deny what you've done we cannot believe "denials". As long as there's a gun to their head, whatever they say is irrelevant. This is the true cost of surveillance and oppressive governments; the loss of trust.
(comment deleted)
Sigh! This is almost a very predictable blog post. But, I find one part quite amusing.

Google - We are the first company to be open about data requests from governments.

Easy Post - We are the first company to be open about data requests from governments.

So who is the first after all? I guess this is turning out to be one of those commercial stints where each product claims itself to be the No.1 in the world.

I wonder how many people will miss the subtlety here...
Given the number of people that missed it, I kinda think the government could flat out issue statements that "We are in fact watching everything you do" and just hide it in enough nuance that no one knows any better.

They likely already do this. Somewhere. In a drawer in a file cabinet in a closet with a sign that says beware the cheetah.

They did. Listen to when Bush signed the Patriot Act on TV. He straight out said "this new law will allow surveillance of all communications used by terrorists, including emails, the Internet, and cellphones":

http://youtu.be/NLYZn1MXS8s?t=6m57s

The sad part about it all, is that I can imagine what people thought back then when listening to that, especially since he said "by terrorists", which I bet in people's minds it made them forget about all the previous "surveillance on all communications" part of the comment.

Plus, they also must've thought that he "only" means that he will target the communications by some specific terrorists, not that he will spy on everyone to find those terrorists. Most people probably thought he was just referring to the "normal" type of wiretapping certain targets (with a warrant).

That's why Ron Wyden said 2 years ago in Congress that "if the public really knew the secret interpretation of the Patriot Act and FISA, they would be very angry about it", which is exactly what's happening now, because they misled the public about how far this program goes. I don't think most "normal" people actually thought the government is collecting all of their emails, chats, video-talks, and even phone call records.

For people who didn't get the (probably too subtle) joke, that's all this is -- a joke.

Not every relatively-unknown company can be as lucky as PalTalk.

At the point that a company called "Easy Post" is claiming it didn't send "call detail records" to the NSA, you know it is a joke.
So since the government has no access after port 80, I wonder what services are used?

qotd 17/tcp? gopher 70/tcp?

It must be "A, NSA Notify".

    $ grep 'nsanotify' /etc/services
    ansanotify      116/udp     # ANSA REX Notify
    ansanotify      116/tcp     # ANSA REX Notify
22 ssh? Secret web portal on 80?
Hey, that's great--but were they accused of anything?

From my perspective, this seems more like a grab for attention than anything else.

I work for a technology company too, and we also didn't provide data to the NSA. We're not releasing a statement, though, because no one accused us of doing so.

Forgive me if EasyPost was included somewhere and I missed it.

It was a joke. They are parodying the (allegedly) vague wording that companies used. E.g.

direct access to ports 81-49152 on any of our servers.

Obviously they could use a port outside that, etc, etc.

Whoops! Serves me right for commenting at three in the morning after having legitimate conversations about PRISM all day :)
At the time of writing this comment, only 25 percent of people have realised that this is satirical.
Unknown startup, headline grabbing PR based on facetious response to trending scandal, thousands of hackers asking what on earth is EasyPost, well played.
So ... What about port 22?
EasyPost just embarrassed itself. You look quite lame trying to cash in on a serious topic.
Speak for yourself.
Why? Because making jokes about serious things is wrong? Of course not. They're the best jokes.
haha, the last two paragraphs are the same from the post larry page wrote.
I get that this is a joke, but could EasyPost assure us with a statement that it doesn't divulge its users' private information and communication to everyone who asks for it? In their Privacy Policy page (which I assume is genuine), all I see are "weasel" words that allow EasyPost to give away user data for every reason under the sun:

https://easypost.com/privacy

> The User’s Personal Data may be used for legal purposes by the Owner of the Application in court or in the stages leading to possible legal action arising from its improper use or that of related services by the User.

> The User’s Personal Data may be further used in ways and for purposes required for Application maintenance.

edit: this should go without saying, but I'm obviously not arguing to call for the pitchforks. EasyPost has a privacy policy that is in line with anyone else's (and one of the best organized ones, IMO)...but using the standard that they seem to judge the statements by the alleged PRISM participants, their privacy policy is full of vague "weasel" words and does not contain enough full-throated support for privacy and/or Patrick Henry quotes. In fact, the word "never" doesn't exist on EasyPost's privacy page...as in "we will never give your private data to...[such and such]"

Does that mean the EasyPost staff are weasels? Or is it just that they have a competent lawyer and that they realize that no number of words and power of rhetoric can satisfy every skeptic?

Good thing you guys put that denial generator to some good use.
"...frequently pushes back when requests are overly broad or contain spelling mistakes"

"We include this information in our anual Christmas card whenever possible."

Was that meant to be ironic?

It's satire. The whole post is a parody.
(comment deleted)