ZDNet.com reported in 2010 [1] (and others [2]), that when Google was hacked via suspected chinese hackers, that their "internal spy system was the target".
...they [hackers] apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press. "Right before Christmas, it was, 'Holy s!@#, this malware is accessing the internal intercept [systems],'" he said.
I guess this could be the system that google uses to compile the data before transmission, or something else, but none the less, it does raise questions.
Or it could mean Google is lying or just trying to create rhetoric to confuse the public to keep them from looking for alternatives to their search engine and other services.
which appears to have been a list of people that had been targets of "surveillance orders", which would have given the Chinese intel on any operatives that were being watched by the US, but isn't the "backdoor access system" that Schneier said it was at the time (seemingly without a source, but it's hard to tell as he doesn't say where that information comes from and no one else seems to have picked it up subsequently).
I swear that that ars story had an HN thread (maybe the washington post source article did?) but I can't find it now.
Ah, well, glad that is cleared up. "We never give the government direct access to our systems, nor do we have a server set up for them to obtain copies. Instead, we just use scp to send the data directly to the government's systems! Trust us, we respect your privacy while we do this -- it's even encrypted!"
Google never said it doesn't send data on user accounts when proper legal warrants are served, it publishes these facts in the yearly Transparency Report.
What people were worried about, a "dragnet" that allows arbitrary access and intercept of any user data by the NSA turns out to be false.
Unless you think you can use SFTP to upload, in real time, all traffic on Google services.
If the NSA can request data on 'suspects' at will from Google, how is that functionally different from a dragnet? Arbitrary data could be collected via phone records, then email/user data could be requested from Google/Facebook based on 'suspicious activity'.
I bet that the bombshell disclosure will be that these 'proper legal warrants' are actually just arbitrary requests justified via the Patriot Act or similar.
I wonder why Greenwald and the Guardian haven't released more information yet. Maybe they are waiting for all the tech news to die down? Are there any other major things happening this week?
I don't know what the official definition of dragnet is, but when PRISM first came out, the hyperbolic, dramatic media interpretation was that of a firehose -- NSA gets a feed of everyone's data and can search it at will.
Now the scenario is: They must obtain NSL/FISA orders, Google reviews them, then the data on their target is released.
Is that a dragnet? What if when Google wins the right to publish statistics on NSL/FISA requests, it turns out to be just a few hundred per year, or less than regular search warrants, like when a guy is suspected of killing his wife.
Would that change your opinion? It seems that the pitchforks came out on the original WashPo/Guardian scenario, and if that turns out to be wrong, people will keep moving the goal posts and not put the pitchforks away.
Some people just want to believe that the tech companies are greedy, unscrupulous, entities.
Google continuing to deny that their is a dragnet is not evidence that their is no dragnet. If there was a dragnet it is very likely that they legally are not allowed to admit it as per terms of the court order.
There's nothing Google could say or do to clear their name on this. The NSA, Congress or the Executive branch need to detail the level of access and the form of access that the NSA has to Google's information in order to clear Google's name. Even that unfortunately has to be taken with a large grain of salt.
There's simply too much information pointing towards mass surveillance with assistance from US companies to believe what the companies themselves say. This is a shitty position for Google to be in but consumers didn't put them in it, the US government did by admitting to the PRISM slides being correct without detailing how the companies mentioned on them are involved.
> If there was a dragnet it is very likely that they
> legally are not allowed to admit it as per terms of
> the court order.
In the US, gag orders may compel silence but to my knowledge may not compel private citizens to claim they are not under a gag.
> The NSA, Congress or the Executive branch need to
> detail the level of access and the form of access
> that the NSA has to Google's information in order
> to clear Google's name.
Just to be clear: you believe that Google's press release is untrustworthy, but you would trust an NSA press release about the extent of NSA surveillance?
An NSA release that is confirmed by another party such as Senator Wyden, Rand Paul, ACLU or EFF.
Realistically I'm not sure what the NSA would share with anyone that could be conclusive. But a logical explanation of how the NSA gets into data without corporate cooperation and that explanation matching up with the timeline presented on the one slide would be a great start.
For instance, you could argue that the PRISM timeline is simply showing once the NSA had filters in place to identify and capture general internet traffic headed to and from those specific companies. But this has a large hole in that why would Google, a company who's search queries would be highly valued, come so far after Microsoft on the timeline. So an explanation that addresses the large questions like that.
As opposed to the current situation which is a credible leak that makes Google look very bad, an executive branch that is defending the information in the leak as being legal and Google flat out denying any involvement.
I think you're conflating two different issues. The government was defending intercepting emails and getting phone records. The government too never claimed that they can access data from web companies.
"In the US, gag orders may compel silence but to my knowledge may not compel private citizens to claim they are not under a gag."
This is correct.
There is a difference between people lying, compelling silence, and being forced to lie.
The government can force people to be silent, be it upcoming raids, targets of investigations that they don't want tipped off, etc.
I know of zero legal authority that allows the government to force people to actively lie.
If anyone here does, i'd love to see it.
There is in fact, authority that the government cannot compel false or misleading statements. None that i'm aware of in the national security context, but this actually comes up quite a bit in the abortion context.
For example, Casey vs. Planned parenthood and others make it very clear the government cannot compel you to speak misleading information.
Opinions argue about what is false and what is misleading, but that is clearly not an issue here.
Does this imply that a personalized canary similar to [1] asserting that no information had been disclosed effectively makes it possible for a company to notify a user promptly (by discontinuing the daily canary)? Or would the court rule that discontinuing the canary is communication, thus requiring the company to continue updating the personalized canary after disclosing information about that person, despite the canary now being a direct lie?
> Google continuing to deny that their is a dragnet is not evidence that their is no dragnet.
Of course it is. It's not proof, but it's evidence. It shifts the probability towards "there is no dragnet" by some amount. Maybe it's not significant, but it's there.
Look, you either install the special bugging equipment -- and deny that it was ever installed -- or you find that you are suddenly guilty of wire fraud, insider trading, tax evasion, or similar.
Your post is not obviously connected to anything that's happened in reality. That is, you're just replying to Google's claim with "they're lying" but giving no way to move the argument forward. How do you plan to test this?
Then I don't feel sorry for him. Two wrongs don't make a right, if you don't want to go to jail for insider trading then don't put yourself, your company, and your customers in a position to be compromised by blackmail. That right there is beyond despicable.
I guess I never thought of it being about feeling sorry for him. It was about the NSA using black mail to get CEOs to do what they want. Allowing CEOs to get away with crimes such as insider trading as long as they did what the NSA wanted.
If I try to imagine the consequences of this it includes promoting corruption at the CEO level down in the industries that the NSA deals with. The long term effects of this are certainly negative and hard to quantify.
Now are the negative consequences out weighed by the benefit that the NSA receives and passes on to the USA then to the world? I do not know, I am not familiar enough with that arena, it is far from an obvious win from where I am sitting however.
Hate to leave irrelevant comments, but gawd Wired is annoying on mobile. That header just continuously jumps in and out senselessly as I consume the article, very distracting.
What is confusing to me about this idea is that it would seem as if Google would then only be passing over past data for the requested account.
Since FISA is all about active surveillance and wiretaps (of phones when it was written in 1978), wouldn't the government also want a way to watch activities in online accounts in realtime?
It's worth looking into FISA (and the DOJ interpretations of it) to see if the court can approve requests for user credentials/tokens. This would give intelligence officers more continuous access to user data, though they would still be legally limited to the time period approved by the court.
With a frequent enough update cycle there's no reason it can't be close to real time. The government's systems could then use inotify or some other filesystem watcher to automatically reload the page when new data comes in over SFTP.
I don't see why technical accuracy would ever be meaningless. I thought we were better than that. If we're smart enough to understand the technical details then we should be smart enough to understand the further implications of those details without having to be lied to by journalists.
Providing descriptions of how they comply with these requests is a good start.
However, they should be even more specific. A skeptical person could say this still leaves the door open to, say, a custom SFTP server that gives the NSA access to any user data. I don't believe that's the case, but I think they should provide more detailed procedures for exactly how they comply with these requests.
e.x.
"The following procedure is the only method by which we provide data to law enforcement:
1. When we receive a request for user data from law enforcement, our legal department thoroughly examines the request to ensure it's legitimate, not overly broad, blah, blah, blah.
2. X person performs Y steps to extract the specifically requested data from our data stores, with Z safeguards to assure no additional data is included.
3. The legal department reviews the extracted data to ensure it matches the requested data, and only the requested data.
4. X person sends data to law enforcement agency using Y methods (i.e. uploading data to a SFTP server account) and notifies the agency that the request has been fulfilled."
This is what they're dancing around, instead releasing tidbits of info that make it look as if it's not as bad.
Just because the transfer mechanism is sftp doesn't matter. My supposition is that prism is an auto-importer of these files: able to parse the data formats from these companies and present it to agents in their database UI.
So no Plug&PLay device installed at Google by the NSA?
Even so it would be so easy to install a generic program on Google's servers to make live query on any dataset. Google probably use SQL everywhere right?
Seriously, these conspiracy theories are simply impossible most times.
Google continue to deny, rather than explicitly explain why their name is mentioned as a partner in an internal NSA document.
A remaining explanation that matches all the known facts right now is that PRISM is a data format or data standard. It makes the process more efficient since it doesn't require the NSA to adapt disparate data sources from different web companies.
One of the other slides mentions that this is a big problem for SIGINT at NSA. PRISM being a data standard would also explain why the program only cost the NSA $20M.
The difference between the tech companies participating in the program would be how they implemented it - perhaps Google push the data to the NSA but it sounds like other participants let the NSA pull the data (or they store it on a third server which the NSA retrieves from - the lockbox).
Also, saying that the requests are 'legal' isn't reassuring, since a large part of the recent NSA revenlations is the world finding out just what the Obama administration considers to be 'legal'.
Legal means nothing more than finding a government lawyer who will write an opinion that blanket metadata requests or pulling or pushing data from Facebook and Google is legal. The opinion is classified, the court arguments are classified, there is only the government at the court and it is presented to a judge who is appointed by the government.
Exact same thing happen with John Yoo and his legal opinion that the torture the government was carrying out was legal[1]. When the rest of the world found out just what the government considered legal, it very quickly became illegal.
Well, John Yoo authored his torture opinions in 2003. They were only really repudiated in 2009, when Obama took office. That's not "very quickly", in my book.
48 comments
[ 5.4 ms ] story [ 103 ms ] threadAnd SFTP stands for secure for NSA file transfer protocol, cause they are cool katz apparently.
...they [hackers] apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press. "Right before Christmas, it was, 'Holy s!@#, this malware is accessing the internal intercept [systems],'" he said.
I guess this could be the system that google uses to compile the data before transmission, or something else, but none the less, it does raise questions.
[1] http://www.zdnet.com/blog/foremski/googles-internal-spy-syst...
[2] http://www.informationweek.com/security/attacks/google-auror...
which appears to have been a list of people that had been targets of "surveillance orders", which would have given the Chinese intel on any operatives that were being watched by the US, but isn't the "backdoor access system" that Schneier said it was at the time (seemingly without a source, but it's hard to tell as he doesn't say where that information comes from and no one else seems to have picked it up subsequently).
I swear that that ars story had an HN thread (maybe the washington post source article did?) but I can't find it now.
What people were worried about, a "dragnet" that allows arbitrary access and intercept of any user data by the NSA turns out to be false.
Unless you think you can use SFTP to upload, in real time, all traffic on Google services.
I bet that the bombshell disclosure will be that these 'proper legal warrants' are actually just arbitrary requests justified via the Patriot Act or similar.
Now the scenario is: They must obtain NSL/FISA orders, Google reviews them, then the data on their target is released.
Is that a dragnet? What if when Google wins the right to publish statistics on NSL/FISA requests, it turns out to be just a few hundred per year, or less than regular search warrants, like when a guy is suspected of killing his wife.
Would that change your opinion? It seems that the pitchforks came out on the original WashPo/Guardian scenario, and if that turns out to be wrong, people will keep moving the goal posts and not put the pitchforks away.
Some people just want to believe that the tech companies are greedy, unscrupulous, entities.
There's nothing Google could say or do to clear their name on this. The NSA, Congress or the Executive branch need to detail the level of access and the form of access that the NSA has to Google's information in order to clear Google's name. Even that unfortunately has to be taken with a large grain of salt.
There's simply too much information pointing towards mass surveillance with assistance from US companies to believe what the companies themselves say. This is a shitty position for Google to be in but consumers didn't put them in it, the US government did by admitting to the PRISM slides being correct without detailing how the companies mentioned on them are involved.
Realistically I'm not sure what the NSA would share with anyone that could be conclusive. But a logical explanation of how the NSA gets into data without corporate cooperation and that explanation matching up with the timeline presented on the one slide would be a great start.
For instance, you could argue that the PRISM timeline is simply showing once the NSA had filters in place to identify and capture general internet traffic headed to and from those specific companies. But this has a large hole in that why would Google, a company who's search queries would be highly valued, come so far after Microsoft on the timeline. So an explanation that addresses the large questions like that.
As opposed to the current situation which is a credible leak that makes Google look very bad, an executive branch that is defending the information in the leak as being legal and Google flat out denying any involvement.
It takes what the company was doing manually before PRISM (complying with NSLs and FISA warrants)...
and automates part of that process.
What it doesn't do is insert NSA as a wiretap into all their systems's traffic, as that's not what FISA compliance needed in the first place.
This is correct.
There is a difference between people lying, compelling silence, and being forced to lie.
The government can force people to be silent, be it upcoming raids, targets of investigations that they don't want tipped off, etc.
I know of zero legal authority that allows the government to force people to actively lie.
If anyone here does, i'd love to see it.
There is in fact, authority that the government cannot compel false or misleading statements. None that i'm aware of in the national security context, but this actually comes up quite a bit in the abortion context.
For example, Casey vs. Planned parenthood and others make it very clear the government cannot compel you to speak misleading information.
Opinions argue about what is false and what is misleading, but that is clearly not an issue here.
[1] http://www.rsync.net/resources/notices/canary.txt
Of course it is. It's not proof, but it's evidence. It shifts the probability towards "there is no dragnet" by some amount. Maybe it's not significant, but it's there.
https://en.wikipedia.org/wiki/Joseph_Nacchio
I guess I never thought of it being about feeling sorry for him. It was about the NSA using black mail to get CEOs to do what they want. Allowing CEOs to get away with crimes such as insider trading as long as they did what the NSA wanted.
If I try to imagine the consequences of this it includes promoting corruption at the CEO level down in the industries that the NSA deals with. The long term effects of this are certainly negative and hard to quantify.
Now are the negative consequences out weighed by the benefit that the NSA receives and passes on to the USA then to the world? I do not know, I am not familiar enough with that arena, it is far from an obvious win from where I am sitting however.
Since FISA is all about active surveillance and wiretaps (of phones when it was written in 1978), wouldn't the government also want a way to watch activities in online accounts in realtime?
However, they should be even more specific. A skeptical person could say this still leaves the door open to, say, a custom SFTP server that gives the NSA access to any user data. I don't believe that's the case, but I think they should provide more detailed procedures for exactly how they comply with these requests.
e.x.
"The following procedure is the only method by which we provide data to law enforcement:
1. When we receive a request for user data from law enforcement, our legal department thoroughly examines the request to ensure it's legitimate, not overly broad, blah, blah, blah.
2. X person performs Y steps to extract the specifically requested data from our data stores, with Z safeguards to assure no additional data is included.
3. The legal department reviews the extracted data to ensure it matches the requested data, and only the requested data.
4. X person sends data to law enforcement agency using Y methods (i.e. uploading data to a SFTP server account) and notifies the agency that the request has been fulfilled."
Just because the transfer mechanism is sftp doesn't matter. My supposition is that prism is an auto-importer of these files: able to parse the data formats from these companies and present it to agents in their database UI.
Prism: import.io for anyone's data?
Seriously, these conspiracy theories are simply impossible most times.
Anyone else find humor in this?
A remaining explanation that matches all the known facts right now is that PRISM is a data format or data standard. It makes the process more efficient since it doesn't require the NSA to adapt disparate data sources from different web companies.
One of the other slides mentions that this is a big problem for SIGINT at NSA. PRISM being a data standard would also explain why the program only cost the NSA $20M.
The difference between the tech companies participating in the program would be how they implemented it - perhaps Google push the data to the NSA but it sounds like other participants let the NSA pull the data (or they store it on a third server which the NSA retrieves from - the lockbox).
Also, saying that the requests are 'legal' isn't reassuring, since a large part of the recent NSA revenlations is the world finding out just what the Obama administration considers to be 'legal'.
Legal means nothing more than finding a government lawyer who will write an opinion that blanket metadata requests or pulling or pushing data from Facebook and Google is legal. The opinion is classified, the court arguments are classified, there is only the government at the court and it is presented to a judge who is appointed by the government.
Exact same thing happen with John Yoo and his legal opinion that the torture the government was carrying out was legal[1]. When the rest of the world found out just what the government considered legal, it very quickly became illegal.
[1] http://en.wikipedia.org/wiki/Torture_Memos
Assuming that PRISM is the mechanism by which FISA requests are fulfilled, they can't discuss FISA requests in the open without breaking the law.
As a result I'm reluctant to take this article with more than a grain of salt.