204 comments

[ 4.6 ms ] story [ 268 ms ] thread
Is there any practical way for them to actually prove this is the complete number, rather than the number they're allowed to tell us about?
What would you accept as proof?
That's the problem. I don't think I we can accept anything at this point. We literally cannot trust our government, or the corporations under its control, to be telling us the truth.
I think the exploration of the answer to this question is about the most frightening implication of this whole mess
I don't think we can accept much as proof now seeing as the trust between client and service has been broken. Hopefully this whole debacle will drive new zero-knowledge services to take over. Let us use your servers and tools, we can handle the contents of our data.
This simple question raises so many interesting problems.
Perhaps I should defer to Jean Chretien... "A proof is a proof. What kind of a proof? It's a proof. A proof is a proof. And when you have a good proof, it's because it's proven."

Honestly though - I don't know. It's why I asked.

Possibly they can't, because how do you prove you're not lying other than saying you're not lying? It's not like there's some sort of an unshakable, absolute truth hardware log that details every single data access.

> how do you prove you're not lying other than saying you're not lying?

There is something called "evidence" used exctly at those circunstances.

Of course, I have no idea what kind of evidence those companies or the US government have, they are not telling anybody. And that is evidence that they are lying.

Vivisection. Public vivisection.

Strap these organizations down and cut them the fuck open with no regard for their wellbeing. If the procedure kills them, then so be it.

There is a threshold past which live dissection (https://en.wikipedia.org/wiki/Stasi#Recovery_of_the_Stasi_fi...) is the only way that trust can be restored. I assert we have run across that threshold. And before anyone whines about it; no, we are not as bad as the Stasi yet. The Stasi do not represent the position of the threshold, they were miles past it.

Incidentally, this would be a great advance on Zuckerberg's professed goal of making the world a more open place. Safer or better would be arguable - more open would not be.
Oh, don't get me wrong, we certainly should not start with Facebook.

Going after Facebook would probably be unnecessary after we were through with the accused government organizations. At that point Facebook's innocence would either be clear, or it would be clear that Facebook was a victim in this. If we found reason to believe both of these were not true, then we could pursue them as well.

I wonder if this is something that Google and Co. will also be allowed to do?
I imagine they're all getting the go-ahead.
They already do. Google have been publishing statistics and reports about this stuff for a while:

https://www.google.com/transparencyreport/

None of this is relevant though. These are legal requests. The issue that people should remain focused on is whether or not the NSA has illegal, ongoing, unfettered access to wholesale data under PRISM or other programmes.

Google was only allowed to release some of this data. FISA requests were not permitted.

>we can now include in a transparency report all U.S. national security-related requests (including FISA as well as National Security Letters) – which until now no company has been permitted to do.

So, this is a change, albeit still a limited one.

Google does not publish information about requests which come with a gag order. They were the first to request the ability to publish that data several days ago, followed by Facebook and others shortly after. Facebook is the first to publish updated statistics with the numbers from National Security Letter and FISA warrants included after being granted permission. Google presumably will do so soon as well.
Incorrect. Google disclosed NSL summary stats months ago. As you say, FISA stats are next. I'd expect them this evening.
I stand corrected. They do indeed have the NSL stats, in the somewhat useless 0 – 999 range, here:

https://www.google.com/transparencyreport/userdatarequests/U...

Yep, but it was more than any other company in the history of this country has ever disclosed. And give them another 48-72 hours from now to divulge more info.
Oh, I agree. I think it's great they're disclosing what they can and pushing to be able to disclose even more. The "somewhat useless" remark was directed more at the restrictions preventing them from divulging more than at Google themselves.
I'm waiting to see what the EFF says about this. Is all the information there? I hope that's the case.
Good call. This whole situation is so messed up that the EFF is one of the few agencies I trust. I'm glad to see there's healthy skepticism about the validity of this release though.
The trust is gone. They shouldn't have waited until they were caught red-handed to come up with some numbers. Doesn't even matter if it's correct now. No one will believe them.
If there is no way for them to regain trust, or make people whole in any way at all, then what reason do you leave for them trying to improve transparency? What should the Zuck do, commit seppuku? Is that what would make people happy going forward?
(comment deleted)
Donate his fortune to the EFF and start from scratch. Of course, that will never happen so for now, if you're concerned with security, you need to find new services to use.
>...Donate his fortune to the EFF and start from scratch. Of course, that will never happen...

Why?

Would it be legally contrary to shareholder value? I think this is a terrific idea for all of them to do. Zuck and the others appear genuinely upset from Snowden disclosure blowback and are frustrated at reclaiming their user's trust. These may be their best cred ROI. Perhaps someone experienced could organize this. EFF ...itself?(?!)

How do you regain trust in any relationship? Usually it's a combination of time and repeated demonstration of truthfulness. Right now, no one knows what happened behind closed doors, and the suspicion is still high.
There is no way.

The government has already shown us how they are fully capable of lying, and even worse - forcing companies under their control to lie.

Non-US company CIOs will be having long conversations around their previously hyped US/five eyes cloud based infrastructure. The stories around US (five eyes too?) companies getting free corporate intel for favours - presumably on their competitiors - won't have helped.

The sucking sound we're hearing is trust in anything related to five eyes related corporate infrastructure having any integrity at all.

Yes, it's pretty clear that the DNI lied to Congress. But it is untrue that FedGov can force companies to lie. Neither AT&T nor Verizon lied: http://news.cnet.com/8301-13578_3-57589012-38/nsa-surveillan...
Did you read the PRISM denials?

It was very obvious that the companies were told exactly what to say. They might not be lying in a grammatical legal sense if you parse their words, but they were clearly told by someone how to deny everything.

I've read all of them. I've written about them. They're categorical.
> The government has already shown us how they are fully capable of lying, and even worse - forcing companies under their control to lie.

The government can, and does, lie.

The government can NOT force other companies to lie. Nor is the claim that Facebook & others are under the governments control remotely supported by anything resembling evidence.

Trust is fragile, even when you're talking about the relationships and reputations of a business.
I don't think it's Zucks fault and there's nothing he can do, but he's still going to hurt for this. It's a political and governance problem and can only be solved at those levels.

Until we're sure that intelligence agencies can't lie at senate hearings, secret courts and laws don't exist, and we're sure the government can't force CEOs to lie, we just can't be sure

And until foreigners get the same right to at least a judge overseeing a warrant we're going to see a move away from US companies no matter where in the world they are.

> what reason do you leave for them trying to improve transparency?

To decrease the mistrust.

Facebook hasn't been fully trustworthy for a long time, if ever. That's normal - I don't think any company really is.

I completely agree that there is a huge problem that this whole situation had to be leaked, but in all fairness to these companies I seriously doubt they'd have got anywhere attempting talks to achieve this sort of transparency before it leaked.
Where is the substance behind the statement "the trust is gone"? Has there been mass voluntary closings of Facebook accounts? Did their stock take a hit? Are their actual customers, the advertisers, even phased? I somehow doubt that we can attribute this release entirely to the fear of trust loss in their "user"base.
You're behind the times if you think people had trust in Facebook before this latest round of issues. I've had friends and family closing there accounts and not returning in a slow dribble for the last two years.

Go have a look at your friends list, see how many accounts are inactive but still listed. Most people I've done this come in around the 10-15% of contacts in that inactive state.

Mine has been growing slowly with most people not reactivating accounts. It started out around 5% a year or so ago, and was headed upto towards 15% before I just deleted a bunch of them and screwed my metrics.

Doing that should give you a metric you can start to track yourself without taking anyone else's word for it.

An interesting this I've noticed is with married couples, the less socially motivated of the pair will usually close there account and get there partner to do all the leg work for them. Generally its the husband that closes the account, but sometimes, in the case of my mother, its sometimes the wife that closes.

My mother did something novel I thought for handling family photos. She has started uploading them into a shared drop box account. I literally get notifications while I'm sitting at work that new photos have been sync'ed. I'm quite enjoying that form of photo sharing ATM.

These anecdotes are interesting, but do they address my comments? I'm talking about everybody.
> There is the substance behind the statement "the trust is gone"? Has there been mass voluntary closings of Facebook accounts?

Do you think there is a link between people "trusting" Facebook (whatever that would mean) and people not closing their accounts?

What do you think I meant by "trust"? What I believe I meant was: Sufficient assumption of good will, respect, and principle on the part of Facebook's staff such that their private messages, restricted-access content etc would stay that way in accordance with the privacy they expect living in the U.S. If their expectations are too low, and/or most people are simply uninformed, couldn't it easily be the case that people-in-general are really just no more Facebook-averse after this passed week?
Total bollocks. The statement simply discloses some more specific numbers about procedures that were never secret to begin with. The fact that a law enforcement agency could get a court order for an individual's data was never secret: it was even in the online documentation for the site!

Why is this surprising to anyone? I mean, bloody hell, anyone who's watched Law & Order should know that there are lawful procedures for these things.

There were lawful procedures for putting people onto trains to Poland. Lots of paperwork and rubber stamping.

Of course the public didn't find out what was going on in Auschwitz until the end of the war.

Distain with `Facebook trust' Hapless inane ad-feeds? Well, you too, you can reciprocate Clapper-speak. I was a youngster in the Warsaw ghetto, memories of forced labor clearing stones as a five year old, and for the past five months, I was a little girl. Watch your ad-feed adapt. Anyone I care about knows the truth, all else is noise.
A fraction of a percent of US citizens are wrongly incarcerated. I'm not sure what relative numbers even mean here. 19,000 people under scrutiny is still scary to me.
Unfortunately it's not a fraction of a percent.

2.2 million people in prison in the US at the moment.

That's probably about 1.5 million that are "wrongly" incarcerated (extrapolating based on the number of people in prison before the war on drugs began, and what it should be today based on population growth). They're political prisoners.

This graphic nicely sums up the obviousness of that:

https://upload.wikimedia.org/wikipedia/commons/6/67/US_incar...

Technically 2.2 million is something around 7/10ths of a percent.
Well that's my whole point; half a percent of the population, which is what I also calculated when writing my original comment and consider a fraction, being wrongly incarcerated is an atrocity so Facebook's "fraction of a percent" means nothing to me.
It's scrutiny beyond national security and secret requests.

Facebook gives some good examples of requests that aren't NSA or FISA based, e.g. "a federal marshal tracking a fugitive". Given the appropriate legal paperwork, should it be scary for a federal marshal to request access to a fugitive's facebook data to check things like last login time and IP address, or private messages?

To really decide how "scary" it is, we need to know what proportion of the requests are related to what kind of thing, and of what scope are the requests. Unfortunately, Facebook has still not been permitted to release any of this data.

I think this is intended to be comforting, especially for corporate entities as they feel scrapegoated into bad light by the government, but there's very little for the public to acknowledge these numbers. I'm not saying Facebook is lying, I'm saying the people giving Facebook the numbers are probably lying. There's no way to tell.
Facebook know how many requests they've responded to. If there is any dishonesty here, it's coming from Facebook. They might have been told to give false numbers, but they've got the correct numbers.
There's the shared-private-keys argument, by which they wouldn't actually know how many requests were made. I haven't been followed very closely so I don't know if private keys thing was specifically denied - was it?
As far as I know, they deny any sort of blanket availability of data - so a shared private key would seem to be denied under that guise. I think claiming a number as they have, and a number of affected users, would also be denial of that. Circular logic, but we can't do much better. If they're lying and just made up these numbers, there's nowhere to really go with that.
Why give false numbers when you can give true numbers for only a six month period? Just leave out the NSA request for all user data that was made earlier.
What people would be giving Facebook the numbers? Those are Facebook's own stats, compiled by their own legal department.
... or so says Facebook's legal department ;). How can we tell?
The issue to me is if the so-called "upstream" actually stores all the raw SSL data, and how fast it's decrypted. This is apart from any corporate cooperation, except for the Mark Klein AT&T splitter variety. (Unless of course Google, Facebook, etc are handing over their private SSL keys.)
You can't believe anything these companies say. If they are ordered to misreport info to the public, they will. Remember that companies are not monolithic things. They are made of people, and if anyone or a group try to make a stand they will be hunted down. It's easier to follow along than be honest.

Personally, I won't trust any of these companies until the entire Homeland security dept is dismantled and its component agencies restored to their pre-9/11 statuses.

And although the TSA is not directly part of this spying issue, they need to go away as well. It's all part of the same shadowy cabal and its time for a clean slate.

I'm not against the principles of the FBI and NSA. They do a lot of good work. But there's too much dry brush and weeds cluttering up their mandates and it needs to be burned out.

And it's very easy to release misleading statements like this. It's great to know about all the "user data requests" from law enforcement, but they mention nothing about the allegation that NSA didn't need to submit these requests.
Yep. If you can't legally acknowledge the request, leave it out of the data you report.

Or walk the line by conveniently reporting your data for a six month period that doesn't include the NSA request for all user data now and in the future.

If there's slipperiness in this statement, I think it's probably in the use of the term "user data requests".

>The total number of Facebook user accounts for which data was requested pursuant to the entirety of those 9-10 thousand [user data] requests was between 18,000 and 19,000 accounts.

Is a "user data request" a request for data about a specific user? Would the request "give us the names and birthdays of everyone that has searched for 'discontent with government'" constitute a user data request? Or would that be a "search term request"?

I'm not sure I think this is slippery language, but there's definitely room for that interpretation.

If there is slipperyness it's the fact that the guy who wrote this and is Facebook General Counsel, Ted Ullyot, use to be G.W Bush's right hand man.
If character assassination is wrong when they do it to Snowden, why is it right when you do it to Ullyot? Did he lie or did he not?
I don't view it as character assassination so much as suspicion by association. He was part of the group (Bush + Obama Administrations) that pushed for these programs. It makes him more suspect to be lying than a random person. It's not proof of a lie, just reason for scepticism (grain of salt and all that).

The stuff about Snowden doesn't even make any sense. The fact that he's a high school drop-out doesn't matter. Some people who drop out of high school have a lower intelligence, but that doesn't imply the Snowden does. The fact that he worked for the CIA, the NSA, and as a NSA contractor actually implies that he is either intelligent or the CIA/NSA are incompetent. Even if Snowden was of lower intelligence, it would imply that there is less likelihood that the documents are elaborate fakes, and more likely to the be the real deal.

I was just bringing the point to light for discussion.
I consider myself unusually sensitive to slippery language and have called out--on HN--several fishy denials by tech companies that I thought were laughably weasely, including Facebook's previous statements. But I'm not seeing it here. A user data request is a request for users' data, and I don't see a way around that. Additionally, this is remarkably unambiguous:

...>this means that a tiny fraction of one percent of our user accounts were the subject of any kind of U.S. state, local, or federal U.S. government request

The only wiggle there is "subject to", and it's not much. So right, they could always be lying, but I don't see much room for interpretation.

More broadly, at some level, we're always going to be dependent on companies to be honest about what they do with our data. Not trusting them is fine, but that's not really a question of transparency or policy; it's just a question of corporate integrity. We should instead focus on what we can concretely hope to control:

- Transparency, which means a) we know exactly what the rules are governing what the government can ask for, b) a detailed accounting of what they actually do ask for, and c) the range of data that can be requested and a precise account of what the standard for requesting the various kinds of data.

- Reform, by which I mean changes to the rules about what can be accessed by whom and under what conditions, with an eye towards individualized requests for specific data, the way wiretaps have been handled (until recently) for a long time. The domestic/foreign distinction should also be removed as part of this point.

- Accountability, by which I mean that companies should never, ever get any form of immunity from law suits. Companies should be liable to their customers about privacy issues, and they should face real consequences if they lie about it. I think this might be the heart of the trust issue.

- Oversight, which is largely colinear with transparency, wherein there is a meaningful adversarial process for balancing the issues of privacy and security, as opposed to the lame, secretive rubber stamping we have now.

- Scale. Last but not least, the relative values of privacy and security are way out of wack, especially given how few people terrorism has really killed and how small of a threat thoughtful analysis reveals it to be (or even the extent to which "terrorism" is a coherent concept). So we just need to raise the bar on what constitutes a reasonable seizure of data.

All of that is stuff you could reasonably pass laws on, so some of the nihilism in this thread is unfortunate. Maybe we'll get all of those reforms, or some of them, or maybe none of them; I don't know. But if those are genuinely our aims as a people, we should see Facebook's release as a real step in the right direction on three of those fronts. If they're lying, of course that sucks, but I'm not sure what we hope to do here besides pushing for more accountability. But in meantime, kudos to Facebook.

You should look at this in the context of the company's earlier blanket denials.
> but they mention nothing about the allegation that NSA didn't need to submit these requests.

That's because everyone has already denied that claim. If you didn't believe them the first thousand times they said they don't do that, why would you believe them if they said it yet again?

I wouldn't trust them even after all the agencies are dismantled. New agencies get made and who knows what they'll turn into?

The only thing that would work is some kind of widespread ban on the use of gag orders, non-disclosure agreements, and similar legal devices by our government. And for what, so we can trust our own corporations to at least say what is in their own best interest? So then you also have to ban the use of funds to keep them silent. Really, the whole thing is a mess.

But how will you know you're not just a brain in a vat being fed false electrical signals?
Presumably the same way he goes about answering that question now.
You are just a brain in a biochemical vat being fed electrical signals through the sensory organs.

Are they false signals? There are non-negligible priors that support his accusation, such as gag orders and a proven and recent history of lies and obfuscation. I personally think the simpler model of Facebook telling the truth holds more weight -- to the point of a conspiracy of this magnitude sounding more than a little silly -- but there will always be a shadow of doubt to some, and not fully without reason.

Then what is going on? What did Snowden risk his life for? Is he just a silly person?
There's a lot to be said for cleaning house in D.C.

But contrary to your suspicion, there is no law requiring companies to misreport info to the public. Even AT&T, which illegally opened its network to the NSA, never lied about it, as I showed here earlier this week: http://news.cnet.com/8301-13578_3-57589012-38/nsa-surveillan...

To keep things in perspective (assuming these numbers are roughly accurate...)

The odds of Facebook handing over your data to a government agency are similar to the odds of dying from a shark attack or lightning...

source : http://well.blogs.nytimes.com/2007/10/31/how-scared-should-w...

I still find these numbers fairly high. If cops need a warrant to get into my home why don't they need one to get into my "facebook home"?

I agree with your point re: the odds of it happening. It puts things in perspective.

Entire books have been written about the legal standards required. It's difficult to summarize here. One short answer is that the Fourth Amendment is not viewed as applying to non-U.S. citizens abroad. Check out the NSA director's 2006 testimony on nsa.gov for more on this.

Well, except that the risk of Facebook handing over my data is uncorrelated with how often I swim at beaches or stand under a tree in an electrical storm.

It's not like someone goes around with a random number generator deciding whether you'll have horrible things happen to you. They depend on your specific circumstance.

I find it darkly amusing that the rarity of these events is being invoked to convince people to moderate their concern, when this situation only exists due to the government's insistence that we treat even more rare events as gravely serious threats to our way of life.
Goddamned that's a brilliant take I hadn't considered. Well said.
> "why don't they need one to get into my "facebook home"?

Because there is no such thing as your Facebook home.

If you're associating Facebook with "your home", they have you by the balls. Google is trying desperately to grab your balls too, so that your Google profile is the center of your online persona. They make incremental, subtle changes to push users towards Google+ to achieve this. The latest change happened this week, where you can no longer have a profile picture on Youtube unless it comes from Google+. They actually removed my profile picture, and popped a message up saying I have to go to Google+ to set up the profile picture again. They replaced my avatar with a generic blue pattern that looks like crap. Bastards. I don't want a Google+ profile. I don't like being forced to use social media services just to have a profile picture on Youtube, or just to rate an app on the play store.

Your "home", digital or otherwise, should be under your control, not sold out to a company. IMHO there needs to be new laws designed to protect our "digital homes" from the very tech giants who facilitate them and change the rules at their choosing, absent user preference and input.

Imagine not being able to get into your own house without first logging into Facebook? Or not being able to use the internet without first checking in with Google? Far-fetched? Not really, it's slowly heading that way in baby steps. The needs and wishes of companies and government first, citizen freedoms and user-control and true privacy second or third, or not at all.

   They make incremental, subtle changes to push users towards Google+ [...]
I wouldn't call it subtle. These steps are very direct and probably successful in that avoiding a G+ profile became really hard.
I don't know what numbers you are using but my calculations are different.

I don't think it matters that there are 1 billion users worldwide. I think it's fair to assume that a majority of local, state, and federal requests affected US users. That number is more like 165 million [1]. Which means the likelihood you are affected assuming a random distribution of requests and you live in the US is closer to one in a thousand.

And that only accounts for Facebook requests. Consider if you regularly visit 10 websites. That might make the odds much closer to one in a hundred.

[1] http://www.quintly.com/blog/2013/02/facebook-country-stats-f...

Why do you assume the NSA mostly targets US users? That's not a fair assumption at all.
I was under the impression they only needed to get a warrant, or, broadly speaking, gave a *k about the privacy of American citizens.

Anyone else, world wide, could have their data accessed without any need for special secret orders.

Am I mistaken? I honestly thought that was the case.

They would still need to issue a National Security Request to compel Facebook to release data.
If you're a non-resident alien, they have to get the FISC court to review and approve a FAA 702 order targeting you. The bad news is that there's no standard of probable cause or anything remotely like it: more or less the only thing the FISC is actually even supposed to review and rule on is the likelihood that you are not a US citizen or in the US. The good news is that they still have to issue that FAA 702 order, and fewer than 2000 FAA 70* orders have been issued in any year prior to this one. (That number includes 702s along with other orders which can intentionally target US citizens or residents but involve a higher burden of proof.)

That still leaves the possible loophole of having those 2000 orders cover a huge number of people in a manner similar to the Verizon metadata order (which is a FISA order, but isn't a FAA 70* order and isn't counted among the 2000 https://news.ycombinator.com/item?id=5879366 ). But this Facebook disclosure along with earlier statements from Google and others allows us to cautiously rule that out (though we probably don't have the same clarity on the situation of all 9 PRISM firms).

Of course, none of this tells us much about what they're doing (or able to do) using "upstream collection" at the telcos. Or indeed through similar "direct collection" from non-US Web companies running non-US servers, which I'm guessing (IANAL) would probably be outside US law altogether.

> I still find these numbers fairly high. If cops need a warrant to get into my home why don't they need one to get into my "facebook home"?

The COPS do - they are required to get warrants for data requests and those warrants can't be overly broad.

The NSA are not cops, though, and somehow ended up with different rules.

"The odds of Facebook handing over your data to a government agency are similar to the odds of dying from a shark attack or lightning..."

How do yo know that? What if I have friends, relatives or clients in the middle east and I'm known to be unhappy about particular political issues but never swim in shark infested waters?

This is true. The average Facebook user is unlikely to be affected, but that's not true for everyone. And you don't have to be a "terror suspect" or easily mistaken for one: if you have reason to worry about industrial espionage or Watergate tactics from the US government then your odds are likely to be a lot shorter too.
"The odds of Facebook handing over your data to a government agency are similar to the odds of dying from a shark attack or lightning..."

The odds can only be determined by how many requests they rejected. If they approved 100% of the government's requests, then the odds of them handing over data requested by the government are notably higher than lightening or shark bites. All they're waiting for is the request.

>Remember that companies are not monolithic things. They are made of people, and if anyone or a group try to make a stand they will be hunted down. It's easier to follow along than be honest.

Hunted down? In the bay area? As a software engineer? You must be new here.

(comment deleted)
Neither the NSA nor the FBI are part of the Department of Homeland Security.
New rule: anyone who uses a computer for a technical reason may be in on the conspiracy.
I hope Edward Snowden sees this. He and Glenn Greenwald should be proud.

The economics of surveillance have now changed because it comes with reputation effects on US based companies.

That's a massive load of shit, the 'economics of surveillance' is a drop in a very large bucket.

Most people don't give a shit about surveillance and half the people that do care think it's great.

This blog post is damage control to avoid getting banned across the world since it's become painfully clear that Facebook is inseparable from the US Government.

Most people don't give a shit because it does not effect them. If we can show them that it does effect them, their opinions will change. And it does effect everyone, because if you have to worry about explaining what you say to other people or face consequences then freedom of speech and freedom of conscience is effectively dead.
Yes and these ass holes will keep lying their teeth out and now no one will believe them.
> a tiny fraction of one percent of our user accounts were the subject of any kind of U.S. state, local, or federal U.S. government request (including criminal and national security-related requests) in the past six months.

Nice try, Facebook. Key words, in the past six months. The NSA could've requested a continuously updated copy of all user data more than six months ago.

But it says "were the subject ... in the past six months".
"were the subject of [a] request", not necessarily the subject of the data the NSA is reading.
I'm pretty surprised they've been given the go-ahead to release this. Typically, these agencies would never consider such a thing, especially under pressure.

If I were more trusting, I suppose I would see this as a nice evolution toward a more transparent state of affairs. But it's uncharacteristic of these agencies and the state of affairs that has been going on.

I find it hard to believe they would move so quickly to pull back some of the secrecy they've imposed if they weren't expecting a great deal of scrutiny for what we've yet to learn.

It's already been reported that you can expect to see more disclosures from the DNI and NSA next week. I think the government understands that the past week has been bad for them - and that it's bad for all of us if Americans have recent to doubt their government.

You can also look at it as they would like a chance to correct bad impressions given by inaccurate or incorrect reporting (we can't really judge this yet).

I may be part of the minority here, but I have/see no reason to believe the Facebook is lying about these numbers, or lying about the fact they actually check every request, and don't have a NSA backdoor. If I am correct, they only thing that shows Facebook has given the NSA/government agency access to their servers is a leaked PowerPoint presentation. I believe it is more than likely that one of the following two options is true. (1) The PowerPoint is just wrong, and was made it up someone working for a government contractor. (2) The PowerPoint is inaccurate in that these corporations have complied with the government, when asked to and required by law too, through the use of warrants, both secret and otherwise.

Personally I think option 2 is the most likely scenario. Facebook (and Google and most of the other named corporations) have done nothing to lose my trust in them. The only party that at this time, I know is to blame is the NSA/government for conducting a cloaked surveillance operation on the entire US population. Until there is proof, or a reasonable argument, showing that these corporations willingly complies with the NSA and were a part of PRISM, I don't think they have lost any substantial part of my trust.

They have very good reasons to lie if the government threatened Zuckerberg, et. al., with the Worldcom treatment.
I'm not saying you are wrong. There is most definitely a chance that you are correct. I guess my point is that I think these companies deserve the right of "innocent until proven guilty." And I don't believe enough has been done to prove they are guilty.

EDIT: I don't think that "innocent until proven guilty" should only apply to crimes. I think the same concept can and should be used in almost all cases of accusing a party of something.

They aren't being accused of a crime (or at least most of the controversy isn't about things that are normally considered crimes), so I'm not sure if innocent-until-proven should necessarily apply.
Innocent until proven guilty is as much logic as law/ethics. There is nothing Facebook can say or do to prove their honesty, but their dishonesty can be proven, eg, someone could leak data which could plausibly only have come from the sort of backdoor they say doesn't exist.

Of course, even if you can't prove anything, it might be prudent to hedge against the possibilities by assuming everything is actually public, but given the sort of things people post publicly (to four thousand of their closest friends and confidants) on Facebook, that might be a pretty low bar.

That's kinda the point: the US Government is threatening to literally put them on trial.

The rest of us are watching all the signs for info to help us develop our own strategy in this not-so-theoretical game of prisoner's dilemma.

Put them on trial? OK, I'll do it; source please?
<marshray> cited a CNET article I wrote this week as a threat to "put them on trial." As the author, I disagree.

If FB received a FISA Sec. 702 order for the contents of nycterrorcell@facebook.com's account, and they disclosed that, that would presumably violate a court order and they would find themselves in contempt of court. For good reason: when there is an actual terrorist investigation (remember the terrorist threat is overhyped and you're more likely to get struck by lighting), you don't want to tip off the bad guys.

But aside from that very narrow non-disclosure exception, there is no threat to "put them on trial."

And if you refuse or actively obstruct the court order?

(I was mainly citing your article to establish the the gag order. First hit for https://duckduckgo.com/?q=facebook+gag+nsa )

Ah, thanks. Didn't know it was the first hit.

If you, the recipient, want to challenge the order as invalid, you're free to do so, and there's an appeal process. I was the first to disclose two weeks ago that Google is fighting two national security orders in two different federal courts (SF and NYC). There have been other similar cases. A facial challenge to FISAA 702 (by Amnesty, not the provider) went all the way to the Supreme Court.

You really need to read the applicable laws. My articles link to them. Otherwise it's like talking about the details of mobile app development without knowing how to program.

One can't read the applicable laws, they may not have been written yet. Executives who cooperate get retroactive immunity. Those who don't go to jail for stock transactions while knowing secrets they can't legally share.

http://webcache.googleusercontent.com/search?q=cache:http://...

(Note I'm not pretending to be a journalist here, just wearing my conspiracy hat today)

There is no trial for contempt of court. The judge can throw you in the slammer for disobeying a lawful order issued under valid authority of the Court.

Sounds kind of tyrannical to me, but what do I know?

The judge can "throw you in the slammer" for Direct Contempt of Court. This is when you are physically in the court room or in front of the presiding judge and do/say something that "disturbs the court." However not complying with a court order is Indirect Contempt of Court and the defendant has the right to a hearing in this case.

So disobeying a court order is contempt of court, but a judge can't throw you in jail without a hearing for it.

Source: http://en.wikipedia.org/wiki/Contempt_of_court#United_States

The problem is that before these leaks, the Director of National Intelligence was asked point-blank in a congressional hearing whether or not the NSA was conducting surveillance on Americans, and he unequivocally said no. Given that history, I think it's prudent to approach the veracity of further denials with caution.

It's true that Facebook is not the US government, so perhaps we should be less hesitant about the claims they make. However, Facebook does have a history in this area that gives me some pause. Their former CSO was Max Kelly, who is ex-FBI, and would give talks about shit like the need for "uniting" military and commercial "cyber defense." So to the extent that we're dependent on Facebook's internal narrative to determine how they respond to the US government, my sense is that at Facebook, much of that narrative was set by someone who is largely sympathetic to government cooperation.

I think you're correct in pointing out that the NSA is ultimately to blame. However, I think we should acknowledge that while companies like Facebook obviously do not have malicious intent, they are still in the surveillance business. What they are building does have some inherent danger, and will continue to attract the interest of the US government, foreign governments, and attackers.

I wish I saw more people hammering home the point you made in the first paragraph. Too many people are looking for ways around discussing what is just as an important piece of this puzzle as the leak itself: The director of National Intelligence lied to the Senate. To their faces, through his teeth, on camera, in front of the American people.

I'm in the camp that Senator Wyden asked the question in such a way because he knew what the answer was going into the thing.

At this point, you need to start looking at everyone as a suspect. It's an uncomfortable notion, we might not like it, but it's a reality pill ya gotta swallow.

And also Obama promised no surveillance before winning the first election. It took him weeks to change his mind.
I'm sure it's all shrouded in "classified" and "top secret" tape, but I'm intensely curious to know what President Obama knows that Candidate Obama doesn't.

Maybe it's the same thing all presidents learn their first couple of months in office. Maybe it's a memo that gets placed on the desk in the Oval Office by some shadowy figure. Whatever the case, the honeymoon is over, folks.

It could be as easily be the case that Candidate Obama was free while President Obama is blackmailed.

That's the problem with centralization, with representative democracy. A single point of failure is a bad idea. It's time for participatory/direct democracy.

I suspect that it was much like the "too big to fail" scandal. President Obama was new to the game and let the people who said they knew what they were doing run the show. On one hand he's got the feel-good speeches he made as a candidate and on the other hand he's got agencies and contractors with billions of dollars of budget on the line all pushing as hard as they can to justify their existence and their budgets. The inertia alone was probably impossible to defeat given how divided his focus was (the economic collapse and the two years of obamacare politics come to mind).
Yes, but you're missing something. Google, Apple, Microsoft, Yahoo also offered blanket denials. So the fact that FB has a former CSO with some FBI background has nothing to do with the other companies.

Put another way, DNI lying != FB|Google|Apple|MSFT|Yahoo lying.

Does anyone have a link the the congressional hearing that was mentioned? I haven't seen it and would be curious to watch it, in particular the part that was referenced here. I think that the Director of National Intelligence flat out lied in a congressional hearing is one of the scariest aspects to all of this. Obviously he/the NSA isn't scared to lie to us and to the government while under oath. (At least I presume he was under oath.)
I agree some skepticism is warranted, so I am looking to see what Google and others say. If several big companies all say similar things then we either believe in a much bigger conspiracy or accept their claims there is not bulk access to all accounts.
What are you looking for? The statements have all been made by those companies, and they all deny that any sort of broad data access by the NSA happens.

Either FB|Microsoft|Google|Yahoo|etc... are all lying, or Snowden didn't understand what he leaked. I'm betting the later.

If we're talking about the same question, he was asked if the NSA collects data of millions Americans, to which he answered in the negative. This information from Facebook does not contradict that statement.

And to me, that's an important distinction: millions versus < 20,000. I might be persuaded that there existed a few thousand cases in those six months where law enforcement had legitimate reasons to get data from Facebook, for the types of criminal activity mentioned in this post from Facebook.

Facebook's comments do not discredit the leaked materials because even if you treat Facebook as trustworthy, the NSA slides explicitly encourage analysts to use a combination methods including "UPSTREAM" data collection ("You should use both", the document reads).

The only really interesting revelation here is Facebook's confirmation that the FISA court is bundling approval for multiple users into single warrants. And if we assume that the vast majority of requests are for single users, this is a non-trivial admission. With those numbers, there could easily be a handful of warrants used to grab information on thousands of users.

While I've never believed their statements...

..by their own account this is ~50 "intercepts" per day, on facebook alone... that's more than 2 per hour, every hour, for 6 months.

And now you see why they've tried to automate the part of the process that could be automated.
That's a remarkably low rate, considering that it includes all levels of law enforcement. For instance, around 2000 children are reported missing in the US every day. I would expect a lot of those to lead to local police to ask to see the child's Facebook data, and that alone could account for most of the requests.

Now throw in all the other ordinary crime local police deal with every day, and I'm completely astonished that Facebook only deals with 50 requests a day.

Those numbers seem odd. So almost 2 persons are the subject of every request?
It's possible that some requests they aren't counting as hitting any accounts.
"Submit profile data for user $FOO and all users $FOO has messaged from $DATE_1 to $DATE_2". I'm assuming it's something like that.
How much longer till a similarly-worded release from Google?
All you need to remember about Zuckerberg and Facebook from his quotes here:

Zuck: Yeah so if you ever need info about anyone at Harvard Zuck: Just ask Zuck: I have over 4,000 emails, pictures, addresses, SNS Friend: What? How'd you manage that one? Zuck: People just submitted it. Zuck: I don't know why. Zuck: They "trust me" Zuck: Dumb fucks

He was 19 years old.

He's 29 now. Think about that for a second.

Zuckerberg, perhaps. Facebook, as in the current Facebook entity, absolutely not.
The principle still applies: the information has been submitted, collected, and is accessible to those who ask persuasively enough.
You say those who ask persuasively enough, but we only know they've given data to governments, they are legally obliged to do so. I wouldn't say that's the same in any way as giving it to friends.
I actually don't see anything particularly wrong there. If I were to set up a page asking for personal info, and a bunch of college students (supposedly more technologically informed people) were to give them to me, I'd consider them somewhat dumb as well. It's not that I'd do anything wrong with the data, but they didn't know that.

This doesn't mean I support him or Facebook; I certainly don't.

(comment deleted)
Am I to understand that this:

>The total number of Facebook user accounts for which data was requested pursuant to the entirety of those 9-10 thousand requests was between 18,000 and 19,000 accounts.

Is global? As in, 19,000 accounts in total across the globe over the past six months? The description of the requests is "all U.S. national security-related requests (including FISA as well as National Security Letters)." Or is this just the number of persons 51% likely to be a US citizen?

It says " the total number of user-data requests Facebook received from any and all government entities in the U.S. ", which I take to mean the target accounts may or may not be US citizens, but the requests came from US government agencies.

International government agency requests, which I assume they also comply with in certain situations, would be not included.

Yes that is global 19,000 accounts in total USA and non-USA citizen.
So if people don't trust them, figure out how to verify this. Hint: they are publicly traded companies.
They don't have to be lying.

19k over 6 months is still quite a large number, I think.

> from things like a local sheriff trying to find a missing child

So ... why do they need to hide a request for something as 'innocent' as this?

They don't, but were either not allowed or not willing to publish the number of requests excluding the non-secret ones or the breakdown of the total number into "innocent" and otherwise.
Everybody here seems to be distracted. The law abiding requests disclosed here could still be served alongside a covert operation. This has no impact on the PRISM scandal.
Why are they only offering figures for the last 6 months?
With all of the secrecy and secret gag orders, and all of the blatant, proven lies, how on earth are we supposed to trust anything anyone says about this issue?

Why aren't people getting fired and prosecuted for lying to the American public?

Because the American public simply doesn't care.

As a Brit this is the attitude the US is currently projecting.

Of course as a brit I suspect our programs are far more invasive than anything the NSA has cooked up (so far).

*insert reference to 'Spooks' here.
"the total number of user-data requests Facebook received from any and all government entities in the U.S."

It's common for 3 letter agencies to set up a corporation to handle their dirty work. I wonder if a front organization would be considered a government entity?

http://en.wikipedia.org/wiki/Front_organization#Intelligence...