They are not fighting the mining by the government, only the secrecy. They are fighting for the right to tell you what is happening, just like they tell you what they are doing with your data.
The cynic in me thinks that Google is deliberately fighting a losing battle, so that later on they can say, "Hey, it's not our fault -- we want to tell you what is happening, they won't let us!"
I don't think the outcome of the battle matters at all in this case. Google is still putting up a fight. Their track record shows that they do at least tell us what is happening, so "it's not our fault, we want to tell you, they won't let us" is consistent with their actions, AFAIK.
It's not your data once you've submitted it to a Google-run service. The expense of all the services Google provides without monetary compensation is the data they can collect. You trade that to them when you use the site: that's their fee.
Firstly I was responding to the parent who said that Google tells us what they do with our data. Whether you think of it as ours or theirs, they don't tell us what they do with it.
Secondly, if what you say is true, then we should stop complaining about what Google passes it to the government - what business is it of ours what they do with their data?
Thirdly, I doubt that anyone seriously believes that the 'fee' for using GMail is that their messages become Google's property.
It doesn't necessarily convert to their property from an intellectual property POV, but it is "Google's data" in the sense that you contractually allowed them to utilize it as described in the ToS and privacy policies, which one is free to reject or accept.
You know the old saying, "If you're not paying for a service, you're the product." Why expect anything else? Google is a for-profit company and it's an expensive thing to run. They deserve something for the services provided, don't they?
In other words it's nothing at all like a fee, as you described it earlier.
But, if things are as you say, Google can do whatever it likes with the data according to the ToS. If people don't like data about them being given to the Government, or used for any other undisclosed purpose, they shouldn't have used Google.
It sounds like a fee to me. That is the price that Google asks for admission to its services -- access to the data that you transfer whilst using Google services. Monetary fees are also contractually specified. I'm not sure why you think that just because the "fee" is non-monetary that you have to transfer all ownership rights in whole, instead of those defined as the price of entry in the contracts agreed to upon account registration.
The cynic in me notes that the companies were spurred into action by the leak. Google has always showed some interest in providing transparency about government requests, but even they were not taking the US government to court over it.
The companies involved are taking these actions because the leak may have undermined consumer trust (eg. small drops in activity) in them. Perhaps even wrongly, if PRISM isn't as widespread as the initial leak suggested.
Depending on what precisely they do with the data, they could do things quite a bit more damaging than turning off your Gmail account, though it certainly wouldn't rise to the level of sending you to gitmo. The worst would probably be some kind of financial and/or career blackballing, if they sold data-mined information about you to credit agencies, lenders, private investigators, and/or prospective employers, and something particularly damaging were contained in it.
I believe their privacy policy currently says they won't do that, and it's especially clear that they won't do anything except target ads using information mined out of your email. But I don't think there would be anything illegal about it, as long as they didn't do something like outright blackmail (offer to let you pay to expunge negative information or something).
The difference is that if Google did that, everyone would immediately stop giving them that information, which is worth more to them than the advantage they could gain in screwing you over once.
On the other hand, if the government does this, people can do... what, exactly? Stop giving their information to the government? They didn't willingly do that to begin with. Stop giving it to Google? Maybe, but they would have to stop giving it to anyone, which is a lot more difficult than just switching from one service to another.
Well if you're willing to talk about illegal things the government could do to you it makes sense to talk about the illegal things Google could do to you; i.e., anything.
Our government has decided that it is allowed to do all of those things "legally" in certain circumstances. Execution, asset forfeiture, and detainment are all considered "legal". Nothing besides the government is permitted to do these things, they have a monopoly on that right.
You don't need to put scare quotes around words, I'm well aware of the potential legality of all three categories.
Slavery used to be legal too. I'm sorry the government is not completely perfect, but the answer is to go fix it and make things that should not be legal, illegal. Until then it's like complaining about shell companies used by Google and Facebook to avoid paying taxes (a strategy typically well-defended on HN because they're "technically complying with the law").
If you have an actual monopoly on violence, you don't need to retaliate against other people using violence with your own violence, because there aren't other people using violence.
Now, perhaps the government has a monopoly on legitimate use of force (indeed, Max Weber used that as the criteria to define whether an entity was the government of a particular territory).
The legitimacy of an act (violence in this case) is highly subjective. The legality is a lot more objective. In this particular scenario, I think I would rather say that the government has a legal monopoly on violence. The legitimacy argument breaks down for oppressive governments where some revolting citizens take up violence because they see it as their last and only option. Some might argue that their act is legitimate, but it is still illegal. Now, one could always say that if the violence by government is not legitimate, it is no longer a government. But that is largely a philosophical/literary point. Here, when people are saying that Government has a monopoly on violence, they mean that the voters have granted them a legal right to do use force (which is at least pseudo-aggressive if not violent in all cases). The legitimacy can be contested in courts and debated upon in the next election - but till then, they reserve the monopoly.
> The legitimacy of an act (violence in this case) is highly subjective.
In the sense Weber uses it, it may be fuzzy, but its not subjective (its essentially the aggregate of how it is treated by the people in the territory.)
> The legitimacy of an act (violence in this case) is highly subjective.
The idea that legality is objective in a way legitimacy is not is debatable.
> I think I would rather say that the government has a legal monopoly on violence.
Perhaps, but that seems to be a trivial tautology, in that what is legal is precisely, by definition, what is formally allowed by some government.
> The legitimacy argument breaks down for oppressive governments where some revolting citizens take up violence because they see it as their last and only option.
Weber would state that, to the extent that this is a general failure over some subset of its territory, the entity has failed as the government of that territory -- that, in the case where no entity exercise a legal monopoly on violence over a territory, there is no government, and in the case where there is such an entity but its not the one that is claiming to be the government, then the claiming entity is simply wrong.
> Some might argue that their act is legitimate, but it is still illegal.
In the eyes of the purported government that they are revolting against, but not in the eyes of the purported government that they have formed in the revolution. Legality has no meaning without reference to a governing authority.
I'm certainly not the government, and I can quite legitimately be violent when defending myself from illegitimate (aka non-governmental) violence.
For example, if someone breaks into my home and behaves threateningly, I can (rather violently) shoot them, and the government won't object in the slightest. So much for them having a monopoly.
Yeah but the world is not the USA. Some states DO have the monopoly of violence. E.g.: if you try to kill me in Spanish with a knife and I shoot you, I'll go to jail.
Sorry, I was editing and just addressing that :( It's a bad habit of mine. I moved the edit here.
Okay, I know that he specifically refers to the US (he mentioned Gitmo) but remember that even then the state is the one who lets you exercise violence. The monopoly's just lending some of its power to make you shut up and stop whining so he can keep minding his (evil) business.
Also: Windows had a monopoly even when Linux existed. Monopolies don't always have 100% of the market share, but they're still a monopoly de facto and will fight hard to achieve the full monopoly.
I knew we could defend ourselves against theft of property with violence in Texas, but I left that out because it's not all that common across the United States - we're a bit more liberal with our rights down here.
What's the deal with the prostitute? Breach of services (especially illegal services) doesn't justify violence. Did the prostitute grab the john's money and then try and run off? If that's what happened, I'm not too surprised by the result, since we're allowed to defend ourselves against theft.
> Google by comparison can turn off your gmail account.
I take it you've never lost an important email account, it can be very isolating. For some people that can be deadly.
I'm not saying that them fighting it isn't a good thing, but its hillarious that they're holding themselves out to be crusaders of freedom and privacy when they are one of the most prolific producers of "profile" data. You could even say they create "anti-privacy".
The difference is that they mine data in order to better target ads. When the Feds ask them to share the same data with them, it's for reasons that are vastly more disconcerting. Intent is everything, and that's twice as true when you're dealing with a lethal organization that shows every sign of having escaped from its legal restraints.
They are fighting for the right to tell their customers about the government mining their data(through google). Google already tells their customers what they mine in theToS and Privacy Policy. I see no hypocrisy.
Also, Google isn't brokering the information they gather. From what I understand they're simply using it to target ads (which is what they actually sell), while keeping the data itself very close to the vest.
If you've got something on offer, and want to know who might buy, Google won't tell you who is interested. They'll just deliver your message to the right people, and if you get a suitable response, you'll know that their service was worth the price.
There's a world of difference between the mediated transactions they have with their customers, and the exchange that takes place when the government says "hand over the data itself."
If you're referring to the whole wifi thing, tell me, what information do you expect the street view car to be able to pick up in the 10 or so seconds it would have been associated with the AP? Their engineers have basically come out and said that was a fuckup, and I'm inclined to believe them because I find it hard to imagine what use that random data would be.
And to be honest, I'm more likely to believe a Google engineer rather than a namecalling troll who's virulently against them for no good reason.
>> The court approved each of the 1,789 government requests it received in 2012, except for one that was withdrawn.
Scary as hell, considering that one request can be as broad as: “It is hereby ordered that [Verizon Business Network Services'] Custodian of Records shall produce to the National Security Agency…all call detail records or ‘telephony metadata’ created by Verizon for communications (i) between the United States and abroad; or (ii) wholly within the United States, including local telephone calls,”
Google should cut the crap with PR moves and stop hoarding so much data about everything we do online. If they have, NSA will get it--one way or another.
> Google should cut the crap with PR moves and stop hoarding so much data about everything we do online.
I like that Google has a lot of data on me---it makes their services much more valuable to me. I don't like that the government can access it secretly.
These are distinct opinions and both can be reasonably satiated simultaneously if there are proper checks and balances in government.
Anyone familiar with the constitutional law on this? From a laymen's perspective it seems obvious that the government has some ability to restrict 1st amendment rights on matters of national security. If that wasn't the case, there would be no way to enforce legal restrictions on classified information. It would be the end of all government secrets, both good and bad. Or is this debate simply about where the actual line is drawn for national security and whether this this type of disclosure crosses that line?
National security most likely qualifies as "compelling state interest" in general, but it's not the only thing the government needs to infringe on constitutional rights. The government also needs to prove that the infringement is narrow and specific.
Even then, I wonder if the "compelling state interest" could be challenged on not being compelling enough.
(I am definitely not a lawyer, just remembering a con law class I took and refreshing my memory with Wikipedia.)
I'm a lawyer, although not one that regularly practices First Amendment law. That said, zachrose is right that strict scrutiny applies here. Usually, to restrict truthful speech based on the content of the speech, the government must show that (1) there is a compelling state interest and (2) that the government's restriction on speech is narrowly tailored.
National security is pretty compelling, but it's unclear how prohibiting disclosure of the number of requests is narrowly tailored to that interest. Without knowing more details about the nature of the program, it's hard to say why the number matters. But if the NSA can't demonstrate how disclosing a specific number, as opposed to an approximate range, has a noticeable impact on national security, the law would likely not be in their favor.
I guess I don't really understand "national security is compelling". National security, like basically everything else, is a matter of degree. There are presumably compelling and uncompelling national security risks. If the court is weighing some amount of speech restriction against some amount of national security risk, presumably the size of the risk matters?
What are the governments burdens here? Can they merely assert there's a security issue here or do they have to prove it? Does it have to pass some kind of severity test in order to restrict speech? I'm genuinely curious what the case law says on this stuff.
Most restrictions on classified information are enforceable because those with access to the information have voluntarily surrended their first amendment rights in respect of classified information as part of the agreement they entered into when they obtained a security clearance.
It's much less clear when you are talking about someone who hasn't agreed to the clearance process. In 1979 the Department of Energy tried to prevent The Progressive magazine from publishing an article by Howard Morland describing the design of the Hydrogen Bomb. The article was derived from unclassified sources, but the government argued that information about atomic weapon design is "born classified". There was no conclusive judgement, as the government eventually dropped the case and the article was published.
Much as I would love to see Google prevail in this, there is just no chance that would happen. The implications to any other form of Govt gag orders (think sealed court records) would be immense.
> ...The implications to any other form of Govt gag orders (think sealed court records) would be immense.
Gag order also of Greenberg/Guardian, then what are ES' options?
> "....The Ministry of Defence has issued a D notice preventing the UK media from 'publish[ing] information that may "jeopardise both national security and possibly UK personnel"'.
I recommend everyone have a look at the leaked documents and the extent to which all those companies participated in it and then judge their public relations reactions afterwards.
After the scandal was revealed, and only after it was revealed in an unprecedented act by Snowden, did Google come out in favor of their customers. This is ridiculous.
Google was caught pants down and there's no amount of PR bullshit they can use to white wash this and pretend the government forced them to do it. They willingly participated in exchange for political status with the government, that is the raw truth.
Can you explain what each slide of the document means and how the program was actually implemented? I still have no idea despite reading a variety of different articles.
| After the scandal was revealed, and only after it
| was revealed in an unprecedented act by Snowden,
| did Google come out in favor of their customers
Was Google not already in court opposing NSLs? Filing with FISA was something that the EFF recently spear-headed.
I'm not saying you should trust Google with all of your secrets, or even all of your data, but it should be an informed decision.
Right, but saying "Google only starts caring about its users now," is not true. For example, Google challenged the National Security Letters prior to the Snowden leak.
Let's presume that PRISM is the NSA getting the ability to copy unencrypted data being transferred across these companies' internal networks. Is that one request that affects every account or one request that affects zero accounts? I would expect that the latter would be asserted while the former is more true. And I can almost hear the justification: "if people weren't sending email from Gmail to Gmail and instead from Gmail to foomail, we could be collecting all of this information. You need to give us access to your network, or we need to break you up into smaller pieces which need to send information unencrypted to work."
It's not copying data being transferred, it's copying data sitting on-disk (which does include sending along updates to that data on-disk). NSA was getting that data even before PRISM, but companies were compiling it and sending it manually.
If one server queries a MySQL database on another server inside my network (using private IP addresses), I don't encrypt what's transmitted between the two servers any more than what's done by default. And that default isn't SSL or anything of the sort because I'm expecting that my network admin knows what they're doing with firewalls to keep the unwanted packet sniffers out of the private network. Besides, I don't want to spend the extra CPU cycles on encrypting when I can just fortify the firewall.
That seems pretty reasonable within a datacenter. Nobody(?) would encrypt traffic from local client to local mysql server. But accessing remotely over network links that could be tapped by governments or other antagonists? If you had dedicated netsec and infosec departments as big as Facebook's, you might encrypt that.
Some of the companies named in the PRISM slide deck are in a state of constant information warfare with hostile governments (like China) and governments openly desirous of tapping all networks (like India). They are also continuously beset by piratical criminals from all over the world. It seems unreasonable to assume that they would transmit data over long-distance links in the clear.
I'm not saying they do encrypt everything or even most things. But as the basis of one's theories about PRISM, it doesn't seem like a good assumption.
Email sent from mail server to mail server on port 25 is unencrypted. It's in the mail exchange spec. The only way email is secure is if it never leaves your internal network, and that's because of the network architecture, not encryption (which might include VPNs).
I don't imagine that hotmail or gmail move data from one server to another using SMTP. It's designed to exchange mail with external parties at arm's length. There are far more efficient ways to move data.
Again with the 'carefully worded denials' - the denials were similar because they were accused of the same thing, which is allowing "direct access".
The most worrisome and misunderstood part of these reports is the "direct access" bit: can the government arbitrarily query company servers? their denials address that, they clearly say that is not the case, instead they sftp the data after being served with court orders or warrants and yes also the secretive FISA requests.
So by revealing the number of FISA requests they receive and their scope they hope to clear this "direct access" mess. As even FISA orders are much more acceptable than wholesale access.
As for the development being reported here: I think it has merit seeing how this clearly falls under the first amendment, but I'd like a lawyer to chip in.
> So by revealing the number of FISA requests they receive and what sort of data is being sought they hope to clear this "direct access" mess. As even FISA orders are much more acceptable than wholesale access.
Not necessarily. As another commenter pointed out [1], a single FISA order doesn't have to correspond to a single citizen. One order can encompass millions of accounts.
> their denials address that, they clearly say that is not the case, instead they sftp the data after being served with court orders or warrants and such, including the secretive FISA requests.
While I think it's reasonable to doubt the claim that the NSA has true direct access to servers, I haven't been given a reason to doubt that information can be requested without court orders, warrants or FISA requests.
> Not necessarily. As another commenter pointed out [1], a single FISA order doesn't have to correspond to a single citizen. One order can encompass millions of accounts.
They would want to publish the scope of the FISA requests.
The other companies aren't going this far and I think they deserve a credit for what they're doing.
And I disagree with commend you link to, the solution isn't limiting data collection, sure it makes you a target but more data equals a better product. It's an issue of government overreach not engineering decisions.
I agree with this entire comment. Even the part where you disagreed with part of the comment I linked to. I even responded to that poster before replying to you. :-)
(Sorry about that. I meant to link to the comment for the text of the FISA order, and not for the jab against Google.)
This is a distinction without a difference. If I (the NSA) can request yesterday's backups, isn't that close enough? I don't particularly care if they have direct access to Google's servers. Having access to the backups (through sftp or whatever other mechanism) is bad enough.
It's a checks and balances thing. If you're a large ISP and you retain physical control over your servers and network, if you're asked to hand over too much information, it's at least possible to delay and fight it in court. If they have root then you don't even know what they've done.
If they had to request anything from Google or FB, they wouldn't need such huge storage capacities. My guess is that these large companies have been forced to forward data (e-mail, chat lines, posts...) to the NSA as it arrives. It's not "direct access", it facilitates all the searches the NSA could wish for on NSA's own servers and does not contradict any of Google's, FB's or the NSA's claims so far from what I can tell (they store the data, then "collect" it as needed).
From what Google's said, it appears the government can't arbitrarily query Google's servers. Google has stated pretty clearly that someone at Google has to check off before an account is pushed to a machine that the government can access and that the data cannot be accessed without this happening.
That's Google. We've yet to hear from many of the other companies in the program about whether this sort of access is technically impossible, or whether it's an honor system that the government is supposed to follow.[1] I haven't been closely following the Facebook, Microsoft, or Apple statements, so maybe they have also been explicit that it is a restriction that is implemented by technical means. Some of the companies haven't said anything yet.
How many of the companies really make sure there is legitimate documentation for each request? Do they really do this every time, or have they become resigned to the fact that there's nothing they can do, so they just rubber stamp each request coming through, even without the proper legal documentation?
[1] This seems to be a major issue--the President and NSA leaders have claimed that analysts "cannot" access your phone metadata and phone call content without the correct legal instruments. But by "cannot", they seem to mean "they are not allowed to" rather than "it is not possible for them to".
re: [1]... Right. In fact, this morning I think we heard this is definitely policy and not technology. We were told that for this to happen [paraphrasing from memory] "One person would have to break the law [analyst], his boss would have to break the law [because he's supposed to approve the access], and remember this entire process is 100% auditable, so we'd catch them for sure."
Of course, this isn't remotely reassuring for a bunch of reasons. Most of all though, I'd be curious to hear more about how the auditing process works. He kept saying "auditable" I noticed, not you know... "actually audited".
Snowden mentioned in the Q&A that 5% of the GCHQ accesses are audited, as one example. He mentioned 5% as if it's a low value but that's actually fairly high, especially if randomly-picked.
Yeah, there are generally two things keeping society in order. Ethical beliefs about right and wrong and fear of punishment from the powers that be for breaking the law. My concern with the NSA is that there is a culture of "the current laws are unduly stifling on our jobs, so us ignoring them is 'required'", coupled with management's belief in same and thus non-interest in prosecuting people that cross the line. Not to mention such prosecution would inevitably be public and thus the program exposed and the public seeing it is being abused. Taken together you have a perfect recipe for safeguards that exist in theory and are utterly ignored in reality, "for the greater good".
> Google has stated pretty clearly that someone at Google has to check off before an account is pushed to a machine that the government
my understanding of PRISM and all this is that the entire internet is vacuumed and everything is stored, just in case. I cannot imagine a guy "checking off" on every email or every mailbox for millions of gmail users every day or even once a month manually. With 11K terabytes of digital data created per hour by US, I cannot imagine any sort of manual system being implemented.
It has to be totally entirely automatic, otherwise it won't fly.
There was a fifth Powerpoint slide published by the Guardian[1] which clearly distinguished between PRISM and "Upstream" methods which collect "communications on fiber cables and infrastructure as data flows past."
The PRISM program mentioned in the Powerpoint slides is very likely the same program that is mentioned in unclassified documents such as Army Field Manual (FM) 3-55, Information Collection[2]:
> 6-12. Two joint ISR planning systems—the collection management mission application and the Planning Tool for Resource, Integration, Synchronization, and Management (PRISM)—help facilitate access to joint resources. PRISM, a subsystem of collection management mission application, is a Web-based management and synchronization tool used to maximize the efficiency and effectiveness of theater operations. PRISM creates a collaborative environment for resource managers, collection managers, exploitation managers, and customers. In joint collection management operations, the collection manager coordinates with the operations directorate to forward collection requirements to the component commander exercising tactical control over the theater reconnaissance and surveillance assets. A mission tasking order goes to the unit responsible for the collection operations. At the selected unit, the mission manager makes the final choice of platforms, equipment, and personnel required for the collection operations based on operational considerations such as maintenance, schedules, training, and experience. The Air Force uses the collection management mission application. This application is a Web-centric information systems architecture that incorporates existing programs sponsored by several commands, Services, and agencies. It also provides tools for recording, gathering, organizing, and tracking intelligence collection requirements for all disciplines
Any understanding of PRISM outside the classified world seems to be incomplete. Some people version of PRISM seems to involve caching the whole Internet. That might sound implausible, yes. But we won't know until or if the whole thing gets declassified.
Yes, but that vacuuming is apparently being done, just not under PRISM (for example, see https://en.wikipedia.org/wiki/Room_641A). PRISM is just one method of getting the data.
They don't need to store all the data if they can just compel whoever is storing it to give them access to said data. (Which seems to be what is alleged).
Why do people assume that Google has the only copy of what is on Google's servers. It is not hard for the NSA, since they are already admittedly the "man in the middle" to have copies of all data going in and out of any server they target.
The leaked slides say clearly the government can query the servers at will. They get real time login data, logout data and payload data.
I don't know why people keep putting this into question, giving Google the benefit of the doubt, when they were caught pants down, no questions asked.
If the companies mentioned in the slides just complied with the law, why would they be singled out in those slides? Honoring search warrants and FISA requests is an obligation, not an extra.
The reason Google was singled out as a partner since 2009 is because they gave the government full unrestricted access.
Well, judging by your comment history(about 100% anti-Google), I won't be taking your word for it. I'm still waiting for the dust to settle and see where Google ends up.
Right now, it's just a bunch of people pointing fingers at each other. The truth will be found once everyone calms down.
The reason Google was singled out as a partner since 2009 is because they gave the government full unrestricted access.
Which part of the PRISM slides make you think that? They certainly indicate pretty much full access to accounts which have been OK'd by Google (at least in archive form), but that is very different from 'full unrestricted access' to servers. I'd say we don't really know the extent of it, and welcome Google's decision to try to challenge the government in court to reveal more details.
As far as I read them the few PRISM slides we've seen don't really indicate:
1) The extent of access (how many accounts, how many accounts per order etc)
2) The mechanisms for FISA access
3) Any time delay in receiving documents/access
4) Whether data is realtime or not after access is granted
and the figures that FB, MS, Apple have announced hardly constitute full unrestricted access to all accounts as you seem to be implying. It's still a serious invasion of privacy, there are serious doubts about the efficacy of the FISA court supervision, and for foreigners I'm not even sure there are any protections at all (the NSA might not even feel obliged to get specific permission for non-US communications), so for everyone outside the US this is really invasive, but I'm not sure I can agree with your characterisation of these slides as showing full access (full access to what, to all Google servers, seriously?).
Google and Facebook are trying to clear their name here.
But what I'm afraid of is that this mess with deciding exactly how much access the government has to Google will turn into a distraction from the larger picture. Which is that, in all likelihood, the NSA does not have access to Google. What they do instead, and what the name PRISM implies, is that they connect to the backbone (Verizon/AT&T), scoop up ALL data, and store it in their freshly built data center in Utah.
The slides I saw seemed to indicate when certain applications or filters came online. Such as a filter for Facebook data, or a filter for Google search/map/GPS data, etc. That's how I interpreted the graph, at least. It would indicate the NSA is rolling out specialized applications to handle data coming to and going from specific sites. Which allows them to more intelligently decipher what is being said, in more or less shotgun fashion.
Hence, the name PRISM. It's a project to split the full Internet stream into a Facebook bucket and a Google bucket, etc.
It doesn't help just to have network transmission data if the data is encrypted. Google has increasingly been moving all of their services to https, I think facebook might be also.
The problem I have with the "duplicate the Internet" theory is that it favors the hard solution vs the easy solution.
The hard solution is to secretly duplicate traffic from every data center operated by each of these companies, reverse engineer every HTTP request that goes back and forth so that the data can be parsed, maintain it for every product change that happens at these companies, circumvent HTTPS by compromising the certificate authorities, store it all, and still maintain a massive analytics tool that can make sense of the astounding amount of data coming through.
The easy solution is to avoid all of the technical ugliness of acquiring the data, and just legally make the companies give you the relevant information, neatly structured and packaged. NSLs are the ultimate hack.
It honestly wouldn't surprise me if the gov't has issued a secret subpoena for every PRISM provider's SSL key (e.g. Google/Facebook/Yahoo/etc). That way they get to claim "hey, we're not giving them full access" and the government gets what they want anyway.
I wouldn't be so sure if that was the easy solution, as it depends on the cooperation of those companies.
They at least have the choice to resist in some way or another.
They also could be using both solutions simulatneously.
From their perspective, why not?
A lot of the communication won't be encrypted anyways, and some of it will be, but they may be able to decrypt it at some point in the future.
The hard solution isn't just a little bit harder ... it's several orders of magnitude harder and more expensive. It's also highly vulnerable to simply using encryption. The easy solution works because the US companies are bound by law to cooperate. There's no reason to believe that legal pressure on these companies has failed to get the government what it wants.
As I understand it, they don't have to focus to the data center of those companies when doing the duplication.
For example for emails: emails travel unencrypted through the hops, and they would store them all, and then constantly analyzing them. When something suspicious comes up, they would go to the email provider to ask for more data. So for example if gmail address is there, they would go to Google and use their PRISM interface to get more data associated with that gmail adress, if it will be yahoo email, they will go to Yahoo for more data, etc.
Gmail users sending to each other will only relay inside Google's own private network. If all of my co-conspirators are using Gmail, there are no external relays to be tapped. Someone would have to read all of our SSL/TLS traffic to see what we're writing about.
This is even more complicated when the data centers are in other countries, and none of the data actually enters the US. So if two EU users were accessing Gmail from the EU, the data may never enter the US at all. This means any network tapping would have to be done in the EU as well, requiring cooperation from many international telecom companies.
It's still easiest to just force Google to hand it over via NSL. Google's still legally bound to deliver the data even if it isn't physically stored in the US.
If the government had a wiretapping program for fiber-optics, they wouldn't call is PRISM. Why? Because you don't name your top-secret stuff with descriptive names that imply what it does.
PRISM is a web-app. The slides make it pretty clear its a web-app. The army field manual link helpfully posted before in this discussion outright says its a web-app.
Steve Gibson presented a good case[1] that the companies are telling the truth, but that NSA nevertheless has the equivalent of full access by tapping the tier-1 or -2 router nearest to each. Fiber-optic "splitter" makes the codename "Prism" cogent.
You didn't add any valuable information to this discussion. Why doesn't Gibson know what he's talking about? Explain what exactly regarding SSL breaking? What's the jump?
If you're talking about this, you should have a cursory understanding of what SSL is and why the MitM attack Gibson is describing is, at best, far fetched.
His point wasn't "all fibre optic" but that by tapping specific routers, e.g. one close to Facebook where FB traffic is concentrated, the NSA can filter and store nearly all FB traffic while FB has full deniability. At the referenced link are links to court documents in which exactly this kind of tap was revealed to exist at AT&T.
As to SSL, is there a claim that NSA has broken it? I wasn't aware of that. Not relevant to Gibson's idea, anyway.
> At any rate, assuming all fibre optic is tapped, how does that explain breaking SSL?
Large governments don't need to break SSL. They have SSL root keys and can man-in-the-middle at will. Doing so across the board would likely be detected, but targeted usage likely wouldn't be.
If this was widespread, I'd expect someone to have found a Google cert signed by different root. Then again I suspect Google pins their certs in chrome for a reason.
> Doing so across the board would likely be detected but targeted usage likely wouldn't be
This whole conversation is about wholesale data access, so targeting is not relevant. Besides, even if you are talking about targeting, the claim is, they are storing data and then targeting 'retrospectively'. So without a time machine there's no way they are going to be able to go back and MITM the targeted conversations they want to listen to after the fact. They would have to be MITM everything all the time.
> how does that explain breaking SSL? That's a really big jump.
How about this: the NSA has issued a secret subpoena for the private SSL key of every listed provider (Google/Facebook/Yahoo/etc). They are using those keys to transparently decrypt traffic and suck up what they want.
When news of the PRISM program was first revealed two weeks ago, officials at Facebook, Google and other tech firms informally conferred on a public response...
First of all, it doesn't really matter what Google says because they could be lying. Second of all, there are trivial ways around "direct access". Google will have world class mirroring capabilities, so they need only mirror to a government server. They could do this manually (per request) or automatically. This would fit within "no direct access".
So what can the gov't do if companies don't co-operate? With individuals, there is blackmail and illicit co-ercion. What does the gov't do to corporations worth updwards of 100B to get them to comply?
This is where we need more than one company to stand up. If Google is the only one doing it, and the government vigorously slaps them around a few times, more than likely they'll stop before they go out of business. And then all the tech companies get put in their place -- want to resist government overreach? You're going to get damaged.
On the other hand, if they all resist, who is the government going to retaliate against? The entire industry? It would be too great a hit to the economy.
So the question is whether Facebook, Apple et al are going to take the short view or the long view. If they let Google be the only one to stand up then maybe it will encourage the government to damage their competitor, but in so doing set the precedent that the industry won't stand together on issues like this, which can only make the government more brazen in the future.
My current theory on this is that companies such as Google probably generate vast amounts of metadata (there must be a fair amount of it behind Google Now), primarily for advertising purposes, and that it's this which PRISM has "direct access" to under some sort of gagging order.
Yeah, that's right according to the Supreme Court, corporations now have citizenship, so they should have First Amendment rights too. Wouldn't that be ironic if that ruling actually did some good for our nation.
If anything good comes out of this NSA thing, I think it's the fact that liberals will be forced to concede that Citizens United was, in fact, the right decision. Do you really want the government arbitrarily banning speech by corporations that it deems to be impermissible? There is a reason the ACLU came out in favor of the ruling in Citizens United...
What does that mean? Reaching an audience today takes money so a individual who wishes to be heard will need to raise money from her like minded citizens. Are you suggesting the the EFF should not be allowed to buy issue-oriented advertising during an election season?
For as much as I'm familiar with the CU vs. FEC case, the reasons don't stack up all that well for corportation's 'right of speech' in this context. Trevor Potter I think very reasonably explains why here: http://www.pbs.org/moyers/journal/09042009/watch2.html
Mainly, that it's essentially overstepping the speech of the less powerful. It results in the poor having unequal, lesser freedom of speech.
I would have expected you to be on my side on this issue, as you seemed to be more of a 'spirit of the law' guy rather a 'letter of the law' kind of guy.
I've got a bit of a textualist streak. I'm more amenable to looking at the spirit of the law and the motivating justifications in something like the 4th amendment, where you can hang your hat on the word "unreasonable" than with something like the 1st amendment, which is written in terms of "Congress shall make no law."
Anyway, I'm curious to know more on why you think CU was the right decision. I advise watching all 31 minutes of the Trevor Potter vs. Floyd Abram debate if you have time and if you haven't watched/read it already.
I was very sad that ACLU came out in support of CU, I think they were wrong on this one.
If the difference in power of one class vs. another were the overriding concern when deciding to limit speech, then that logic would also apply to two individuals in different classes. Would you also say that a white teenage son of a rich businessman should have their speech curtailed in comparison to the poor Hispanic daughter of a single mom?
I'm not a terrorist; I'm a law abiding citizen of the U.S. Can I opt out of the PRISM thing? All I'm doing is adding unnecessary noise to their data. I want to do the patriotic thing and help my country, and in this case the best way to do that is to shrink the pool of data that they must monitor. (And no, I'm not kidding!)
If you're ordinary enough you're probably not triggering any flags, so you'd probably already not really being considered part of the dataset.
One person opting out probably won't help them at all, but it would be interesting to consider a more scaled up "opt out" program whereby you go through a one-time deep check and might be granted less monitoring as a result. They would need to sufficiently automate it to make it feasible, though. I also suspect the people who feel most strongly about opting out would also be against the idea of even a one-time check.
> but it would be interesting to consider a more scaled up "opt out" program whereby you go through a one-time deep check and might be granted less monitoring
No, that would not be interesting, that would be treason.
If you want to help the country and they won't let you do so by opting out of prism, you can always mail the government a check to make up for the prism resources you're consuming:
> In the petition, Google is seeking permission to publish the total numbers of requests the court makes of the company and the numbers of user accounts they affect.
Nice confirmation that the "in the last 6 months" numbers reported by Facebook et al are worthless. No company has yet said how many users are affected total. I assume it's all users, by an earlier "request" (actually all but an order). Why shouldn't an organization that gains a bigger budget the more people it surveils demand the moon?
If we're to believe the number of requests reported so far are 1-to-1 with users, all the information could fit on a single drive. The Bluffdale, UT facility seems capable of handling a good amount of data for each of the entire digital population, even if half of the buildings is space for bureaucrats.
Hypothetically, couldn't Google just decide to break the gag order, be charged with a crime, and then argue this issue in front of a jury of their peers, and then be acquitted, establishing a precedent? It would probably be appealed all the way to the Supreme Court. I know Google is probably risk-averse enough to not do this, but they'd garner a lot of good will I think. Maybe I'm missing some gotcha that they'd never be granted a trial and the board of Google would end up in secret prisons.
> ...argue this issue in front of a jury of their peers, and then be acquitted, establishing a precedent?
This is conceptually confused.
Juries aren't judges or lawyers. They don't get to rule on questions of law, and their verdicts don't set precedent.
If Google does what you suggest and then a judge rules that, as a matter of law, the FISC order was unconstitutional, that means that what Google would have been accused of doing was not illegal -- which means no jury ever gets involved.
If on the other hand a judge holds that what Google would be accused of was illegal, then you get a jury to decide whether, as a matter of fact, they did what they're accused of. But in that case, an acquittal by the jury wouldn't set a precedent that their actions were legal, any more than a jury finding someone not guilty of murder sets a precedent that murder is legal.
All of which means there's no reason for them not to seek a declaration of the order's unconstitutionality before breaching it.
No. Jury nullification does not mean a jury gets to rule that 'thing X is not illegal'.
Rather, it's a jury saying 'I know thing X is illegal (and I can't change that), but I'm going to say that the defendant is not guilty of doing thing X, even though I think he did, because I think thing X shouldn't be illegal'.
That may sound like a fine distinction, but it isn't, it's crucial. A legal precedent that X is not a crime means no-one can thereafter get tried for X (where the precedent applies). A jury nullification doesn't have that effect.
It will be interesting to see how few or many FISA requests there really are. Google implies its a small number. The government was okay releasing the numbers opaquely, inside an aggregate of all law enforcement requests, which also implies to me the number may actually be low. If it's conspicuously low, we're left to wonder what alternative sources of raw data they're relying upon primarily. They may be trying to avoid that implication, thus, release of a low number may appeal to Google, but not the government.
Hey, Google. Reporting what the government is requesting en-masse is nice, but how about you actually give us end-to-end encryption for as many of your services as possible, so we don't have to second-guess our thoughts and chats anymore simply because we know the government is watching and will be getting that data no matter what? It might help with the whole trust issue you're having now.
Maybe Google has a business relationship with the NSA. It's likely the reason Google hasn't added encryption and never will - the boss doesn't want it.
I don't get it when people keep repeating something like this. Google pushed a lot for adding TSL/SSL encryption between Google's servers and the client, to the point of inventing several performance improvements in TSL start-up. However they sure don't encrypt inside the client [note] and then sends it as a blob to server to storage, mostly because that's not really how webapps can work (for practical "can work" values). For example this wouldn't allow you to full-text-search all your own emails in gmail.
Moreover this would mean significant performance regression every time you would open up any Google web app, because the client would have to decrypt all data, without much help from indexes.
[note] Even encrypting and decrypting in the client would only help so much. It is likely they could be ordered to splice they data while in the client for any person of interest.
Cloud web apps simply requires a legal system that respects peoples' data.
As has been replied to you several times, you don't want your web-based client in charge of client-side encryption. Yes, it may help as a second line of defence against run-of-the-mill phishing and hacking attempts, but it does absolutely nothing against government requests, as the government can either request the private key that you've stored on their servers, or the government can force them to give you broken encryption software. See, as always, [1].
Whether or not your browser client is providing the encryption, however, you've also rendered completely useless any reason for having web mail in the first place, as you've become next-to-useless to them (no content for ads, no content for things like Google Now) and all their infrastructure is useless to you (no content to search over, no content to spam filter, etc). You no longer have a relationship except they're your SMTP gateway and a backup drive. You can get those today all over the place, you don't need google. If you want to stick with Google, go download a desktop mail client and chat client and install the open source PGP and OTR plugins for them. You can do this right now.
First, that was the non-original version of Hushmail, and over a decade (of development of more capable browsers) has elapsed since the original. Second, the business model would then change to charging for email. Google does that for many services already; paid Google business apps accounts currently provide "no content for ads."
I'm not saying it's not possible (business-wise) as a product offering, I'm just saying there's not really any point to webmail at that point. You can pay Google to be an SMTP gateway and encrypted mail backup now, true, but there's no difference between that and any other email provider at that point, except maybe uptime. No web interface, no search, no spam filtering, no label filtering, no Google Now interaction. Those are all the reasons I like gmail, so I'm not sure about the point of it if those are gone. Just go client-side at that point; at least you'd be able to search your email. And if you're using an email client, you don't need (and probably don't want) google to provide content encryption.
As for the browser side of things, it seems like it would be much much better not to rely on google, but to write a browser extension that identifies the gmail textbox and runs some version of PGP using a private key in your OS/lastpass/whatever keychain. The main thing you'd want to do is somehow isolate the input textbox from the page so that keystrokes only go to the extension, and only the encrypted data goes into the page, preferably when the Send button is pressed.
If Google were to be technically capable of decrypting your email so they can show it to you in a browser, and you're a target for an investigation (a narrow one or an overly broad NSA one), why on earth would the court order/warrant not demand that they decrypt your email to show them, too?
All of these are good points. You make a strong argument that there might be little need for a web interface.
A few other thoughts, though:
- You could still do spam filtering, of course. If it scores highly as spam and the user trusts the spam filtering, it could be deleted or moved into a likely spam folder. (I'm assuming plaintext email is encrypted automatically right away.)
- If the encryption is handled on the client side, Google would NOT be technically capable of decrypting your mail. They would not be able to comply with a court order demanding they decrypt your mail. This is what the original version of Hushmail did, before they added the flawed later version that was exploited by FedGov in, if I recally properly, precisely the way you describe.
PRISMA PROYECT BRAIN WASHING AND BRAIN ACTIVITY INFORMATION SENT TO SATELITES
------------------------------------------------------------------------------------
PRISM USED, CHINESE EUROPE AND NORTH KOREA JAPAN.
TRYING TO BE LOVELYG MIND CONTROLER WHEN KILL MILLIONS FROM SATELITES AND BUSINESS PROJECTS.
------------------------------------------------------------------------------------------
THE DEMAND FOR ALL PRESIDENTS.
VENEZUELAN INTELLIGENCE AGENCIES SELLING GENETIC INFORMATION VENEZUELAN JUAN CARLOS VALLEJOS CASE.
-------------------------------------------------------
1,000,000 FOR EACH IRRADIATION TELOMERE LOST SATELLITE
PRESIDENTS WHO CHARGE MONEY FOR STUDIES OF THE HUMAN RACE.
600,000 MILLION TELOMERE EXIST IN EACH CELL NUCLEUS.
COLLAPSE THEORY FOR ACCUMULATION BITS 0 BITS PER SECOND.
HUMAN CLONATION.
SEMEN SALES FOOD POLITICAL PRISONERS OF POLITICAL PRODUCTS.
WHICH ARE LOST BY STUDIES OF THE HUMAN RACE, IN METHODS OF CAUTERIZATION, IRRADIATION AND BRAIN WASHING.
BE CAREFUL WHAT YOU EAT BECAUSE CORPORATIONS INCLUDE COMPUTERS NANO DRINKS FOOD AND MEDICINE.
PROVEN HAVE VIDEOS OF NANO COMPUTERS, VIDEOS AS MANUFACTURED, AND SOFTWARE TRANSMITTED FROM SATELLITES.
EACH NEURON CELL AND YOUR BODY.
SEND IT TO ALL HACKERS.
THIS IS ONLY FOR BANK BUSINESS MODEL PERFECTED.
THE METHOD IS TO DENOUNCE EVERY PRESIDENT SINCE UNIVERISDADES, NGOS, ORGANIZATIONS THAT PROTECT HUMAN RIGHTS, WITH DEANS GOVERNING LAWYERS.
SINCE ALL COUNTRIES COURTS, JUDGES AND PROSECUTORS.
BEFORE DIETS REVIEW JUAN CARLOS VALLEJOS.
DIETS.
CELL DUPLICATION, COMPANIES AND RESEARCH ORGANIZATIONS OF THE HUMAN RACE, PAY MONEY TO BURN, NERVE CELLS, NEURONS.
THE METHODOLOGY USED TO GROW THEM ARE HERE.
-------------------------------------------------- -
SUPPORTING CRIME VICTIMS WITH USE OF TECHNOLOGIES FOR HUMAN RIGHTS VIOLATIONS.
CREATE GENOCIDE RESEARCH PROJECT.
WE ASK LAWYERS NETWORK BE OUR SPONSOR.
1. - STUDY THE INTERNATIONAL DEMAND LEGAL PROPOSAL TO BE SENT TO 14,000 MEMBERS AND THE MEDIA, UNIVERSITIES, NGOS, ORGANISATIONS THAT PROTECT HUMAN RIGHTS.
TWO. - STUDY THE BUSINESS PROPOSAL, PAYMENT FOR ADVERTISING ACTIVITIES, PUBLICATION AND SENT THE CASE TO THE MEMBER, 10% OF TOTAL DEMAND.
THE COMPLAINT SHALL BE SUBMITTED BY PROFESSIONALS LIBERAL LAWYERS AND COMPANY REDABOGADOS.NET, TO THE COMPETENT COURTS, THE COMPLAINANT, JUAN CARLOS VALLEJOS, CHILEAN, RESIDING IN VENEZUELA, CARABOBO, VALENCIA, CAMORUCO VALLEYS, STREET 133, LOPEZ LATOUCHE, (THIS IS THE RED CROSS STREET), BLDG 1-B SUITABLE ALTAMIRA.
THREE. - THE SERVICES ARE REQUESTED TO JUDGES, PROSECUTORS, LAWYERS, JURISTS.
A PROFESSIONAL JUDGES AND LAWYERS WORKING IN INTERNATIONAL CRIMINAL LAW DRAFTING THE COMPLAINT IS REQUESTED, THE DOCUMENTS WILL BE SUBMITTED TO THE COURTS.
THE COMPLAINT INCLUDES;
1. RIGHTS VIOLATIONS, IRRADIATION, GENETIC DAMAGE, ROBBERY.
TWO. PERFECTIBLE BANK WHICH HAVE VIDEO AND IS THE MAIN REASON WHY THESE AGENCIES PERFORM THE CAUTERIZATION, RADIATION AND TORTURE. CREATED BY JUAN CARLOS VALLEJOS, AT THE UNIVERSITY OF CARABOBO, FACES, SCHOOL OF ECONOMICS, PROF PAUL POLO.
181 comments
[ 3.0 ms ] story [ 217 ms ] threadThe cynic in me thinks that Google is deliberately fighting a losing battle, so that later on they can say, "Hey, it's not our fault -- we want to tell you what is happening, they won't let us!"
If they wanted to fight, they'd just publish the info instead of asking some court before doing anything.
Then again, it's doubtful whether anyone would believe them at this point if they published anything and claimed the information was complete.
Secondly, if what you say is true, then we should stop complaining about what Google passes it to the government - what business is it of ours what they do with their data?
Thirdly, I doubt that anyone seriously believes that the 'fee' for using GMail is that their messages become Google's property.
You know the old saying, "If you're not paying for a service, you're the product." Why expect anything else? Google is a for-profit company and it's an expensive thing to run. They deserve something for the services provided, don't they?
But, if things are as you say, Google can do whatever it likes with the data according to the ToS. If people don't like data about them being given to the Government, or used for any other undisclosed purpose, they shouldn't have used Google.
The companies involved are taking these actions because the leak may have undermined consumer trust (eg. small drops in activity) in them. Perhaps even wrongly, if PRISM isn't as widespread as the initial leak suggested.
Google by comparison can turn off your gmail account.
I believe their privacy policy currently says they won't do that, and it's especially clear that they won't do anything except target ads using information mined out of your email. But I don't think there would be anything illegal about it, as long as they didn't do something like outright blackmail (offer to let you pay to expunge negative information or something).
On the other hand, if the government does this, people can do... what, exactly? Stop giving their information to the government? They didn't willingly do that to begin with. Stop giving it to Google? Maybe, but they would have to stop giving it to anyone, which is a lot more difficult than just switching from one service to another.
Slavery used to be legal too. I'm sorry the government is not completely perfect, but the answer is to go fix it and make things that should not be legal, illegal. Until then it's like complaining about shell companies used by Google and Facebook to avoid paying taxes (a strategy typically well-defended on HN because they're "technically complying with the law").
No, it doesn't.
People who aren't the government, and who lack its sanction in doing so, apply violence every day.
Now, perhaps the government has a monopoly on legitimate use of force (indeed, Max Weber used that as the criteria to define whether an entity was the government of a particular territory).
In the sense Weber uses it, it may be fuzzy, but its not subjective (its essentially the aggregate of how it is treated by the people in the territory.)
> The legitimacy of an act (violence in this case) is highly subjective.
The idea that legality is objective in a way legitimacy is not is debatable.
> I think I would rather say that the government has a legal monopoly on violence.
Perhaps, but that seems to be a trivial tautology, in that what is legal is precisely, by definition, what is formally allowed by some government.
> The legitimacy argument breaks down for oppressive governments where some revolting citizens take up violence because they see it as their last and only option.
Weber would state that, to the extent that this is a general failure over some subset of its territory, the entity has failed as the government of that territory -- that, in the case where no entity exercise a legal monopoly on violence over a territory, there is no government, and in the case where there is such an entity but its not the one that is claiming to be the government, then the claiming entity is simply wrong.
> Some might argue that their act is legitimate, but it is still illegal.
In the eyes of the purported government that they are revolting against, but not in the eyes of the purported government that they have formed in the revolution. Legality has no meaning without reference to a governing authority.
http://en.wikipedia.org/wiki/Monopoly_on_the_legitimate_use_...
There is a lot more nuance there than the party-line recitation suggests.
I'm certainly not the government, and I can quite legitimately be violent when defending myself from illegitimate (aka non-governmental) violence.
For example, if someone breaks into my home and behaves threateningly, I can (rather violently) shoot them, and the government won't object in the slightest. So much for them having a monopoly.
Okay, I know that he specifically refers to the US (he mentioned Gitmo) but remember that even then the state is the one who lets you exercise violence. The monopoly's just lending some of its power to make you shut up and stop whining so he can keep minding his (evil) business.
Also: Windows had a monopoly even when Linux existed. Monopolies don't always have 100% of the market share, but they're still a monopoly de facto and will fight hard to achieve the full monopoly.
What's the deal with the prostitute? Breach of services (especially illegal services) doesn't justify violence. Did the prostitute grab the john's money and then try and run off? If that's what happened, I'm not too surprised by the result, since we're allowed to defend ourselves against theft.
I take it you've never lost an important email account, it can be very isolating. For some people that can be deadly.
I'm not saying that them fighting it isn't a good thing, but its hillarious that they're holding themselves out to be crusaders of freedom and privacy when they are one of the most prolific producers of "profile" data. You could even say they create "anti-privacy".
If you've got something on offer, and want to know who might buy, Google won't tell you who is interested. They'll just deliver your message to the right people, and if you get a suitable response, you'll know that their service was worth the price.
There's a world of difference between the mediated transactions they have with their customers, and the exchange that takes place when the government says "hand over the data itself."
Google was caught pants down spying on everyone, stop trying to white wash it.
If you're referring to the whole wifi thing, tell me, what information do you expect the street view car to be able to pick up in the 10 or so seconds it would have been associated with the AP? Their engineers have basically come out and said that was a fuckup, and I'm inclined to believe them because I find it hard to imagine what use that random data would be.
And to be honest, I'm more likely to believe a Google engineer rather than a namecalling troll who's virulently against them for no good reason.
Scary as hell, considering that one request can be as broad as: “It is hereby ordered that [Verizon Business Network Services'] Custodian of Records shall produce to the National Security Agency…all call detail records or ‘telephony metadata’ created by Verizon for communications (i) between the United States and abroad; or (ii) wholly within the United States, including local telephone calls,”
Google should cut the crap with PR moves and stop hoarding so much data about everything we do online. If they have, NSA will get it--one way or another.
I like that Google has a lot of data on me---it makes their services much more valuable to me. I don't like that the government can access it secretly.
These are distinct opinions and both can be reasonably satiated simultaneously if there are proper checks and balances in government.
National security most likely qualifies as "compelling state interest" in general, but it's not the only thing the government needs to infringe on constitutional rights. The government also needs to prove that the infringement is narrow and specific.
Even then, I wonder if the "compelling state interest" could be challenged on not being compelling enough.
(I am definitely not a lawyer, just remembering a con law class I took and refreshing my memory with Wikipedia.)
National security is pretty compelling, but it's unclear how prohibiting disclosure of the number of requests is narrowly tailored to that interest. Without knowing more details about the nature of the program, it's hard to say why the number matters. But if the NSA can't demonstrate how disclosing a specific number, as opposed to an approximate range, has a noticeable impact on national security, the law would likely not be in their favor.
What are the governments burdens here? Can they merely assert there's a security issue here or do they have to prove it? Does it have to pass some kind of severity test in order to restrict speech? I'm genuinely curious what the case law says on this stuff.
It's much less clear when you are talking about someone who hasn't agreed to the clearance process. In 1979 the Department of Energy tried to prevent The Progressive magazine from publishing an article by Howard Morland describing the design of the Hydrogen Bomb. The article was derived from unclassified sources, but the government argued that information about atomic weapon design is "born classified". There was no conclusive judgement, as the government eventually dropped the case and the article was published.
Gag order also of Greenberg/Guardian, then what are ES' options?
> "....The Ministry of Defence has issued a D notice preventing the UK media from 'publish[ing] information that may "jeopardise both national security and possibly UK personnel"'.
http://www.guardian.co.uk/world/2013/jun/17/defence-d-bbc-me....
what's left-- pastebin, Kim Dotcom, Prate's Bay, that New Yorker thing(no, gag order), Anonymous posting onto defaced sites, Wikileaks, ... ?
After the scandal was revealed, and only after it was revealed in an unprecedented act by Snowden, did Google come out in favor of their customers. This is ridiculous.
Google was caught pants down and there's no amount of PR bullshit they can use to white wash this and pretend the government forced them to do it. They willingly participated in exchange for political status with the government, that is the raw truth.
I'm not saying you should trust Google with all of your secrets, or even all of your data, but it should be an informed decision.
Some of the companies named in the PRISM slide deck are in a state of constant information warfare with hostile governments (like China) and governments openly desirous of tapping all networks (like India). They are also continuously beset by piratical criminals from all over the world. It seems unreasonable to assume that they would transmit data over long-distance links in the clear.
I'm not saying they do encrypt everything or even most things. But as the basis of one's theories about PRISM, it doesn't seem like a good assumption.
The most worrisome and misunderstood part of these reports is the "direct access" bit: can the government arbitrarily query company servers? their denials address that, they clearly say that is not the case, instead they sftp the data after being served with court orders or warrants and yes also the secretive FISA requests.
So by revealing the number of FISA requests they receive and their scope they hope to clear this "direct access" mess. As even FISA orders are much more acceptable than wholesale access.
As for the development being reported here: I think it has merit seeing how this clearly falls under the first amendment, but I'd like a lawyer to chip in.
[edit: clarity]
Not necessarily. As another commenter pointed out [1], a single FISA order doesn't have to correspond to a single citizen. One order can encompass millions of accounts.
> their denials address that, they clearly say that is not the case, instead they sftp the data after being served with court orders or warrants and such, including the secretive FISA requests.
While I think it's reasonable to doubt the claim that the NSA has true direct access to servers, I haven't been given a reason to doubt that information can be requested without court orders, warrants or FISA requests.
[1] - https://news.ycombinator.com/item?id=5901811
The court document from Google (http://assets.nationaljournal.com/img/MOTION.pdf) clearly states the desire to clearly list, in aggregate, the number of accounts impacted.
The other companies aren't going this far and I think they deserve a credit for what they're doing.
And I disagree with commend you link to, the solution isn't limiting data collection, sure it makes you a target but more data equals a better product. It's an issue of government overreach not engineering decisions.
I agree with this entire comment. Even the part where you disagreed with part of the comment I linked to. I even responded to that poster before replying to you. :-)
(Sorry about that. I meant to link to the comment for the text of the FISA order, and not for the jab against Google.)
That's Google. We've yet to hear from many of the other companies in the program about whether this sort of access is technically impossible, or whether it's an honor system that the government is supposed to follow.[1] I haven't been closely following the Facebook, Microsoft, or Apple statements, so maybe they have also been explicit that it is a restriction that is implemented by technical means. Some of the companies haven't said anything yet.
How many of the companies really make sure there is legitimate documentation for each request? Do they really do this every time, or have they become resigned to the fact that there's nothing they can do, so they just rubber stamp each request coming through, even without the proper legal documentation?
[1] This seems to be a major issue--the President and NSA leaders have claimed that analysts "cannot" access your phone metadata and phone call content without the correct legal instruments. But by "cannot", they seem to mean "they are not allowed to" rather than "it is not possible for them to".
Of course, this isn't remotely reassuring for a bunch of reasons. Most of all though, I'd be curious to hear more about how the auditing process works. He kept saying "auditable" I noticed, not you know... "actually audited".
my understanding of PRISM and all this is that the entire internet is vacuumed and everything is stored, just in case. I cannot imagine a guy "checking off" on every email or every mailbox for millions of gmail users every day or even once a month manually. With 11K terabytes of digital data created per hour by US, I cannot imagine any sort of manual system being implemented.
It has to be totally entirely automatic, otherwise it won't fly.
The PRISM program mentioned in the Powerpoint slides is very likely the same program that is mentioned in unclassified documents such as Army Field Manual (FM) 3-55, Information Collection[2]:
> 6-12. Two joint ISR planning systems—the collection management mission application and the Planning Tool for Resource, Integration, Synchronization, and Management (PRISM)—help facilitate access to joint resources. PRISM, a subsystem of collection management mission application, is a Web-based management and synchronization tool used to maximize the efficiency and effectiveness of theater operations. PRISM creates a collaborative environment for resource managers, collection managers, exploitation managers, and customers. In joint collection management operations, the collection manager coordinates with the operations directorate to forward collection requirements to the component commander exercising tactical control over the theater reconnaissance and surveillance assets. A mission tasking order goes to the unit responsible for the collection operations. At the selected unit, the mission manager makes the final choice of platforms, equipment, and personnel required for the collection operations based on operational considerations such as maintenance, schedules, training, and experience. The Air Force uses the collection management mission application. This application is a Web-centric information systems architecture that incorporates existing programs sponsored by several commands, Services, and agencies. It also provides tools for recording, gathering, organizing, and tracking intelligence collection requirements for all disciplines
[1]http://www.guardian.co.uk/world/2013/jun/08/nsa-prism-server...
[2]http://armypubs.army.mil/doctrine/DR_pubs/dr_a/pdf/fm3_55.pd...
I don't know why people keep putting this into question, giving Google the benefit of the doubt, when they were caught pants down, no questions asked.
If the companies mentioned in the slides just complied with the law, why would they be singled out in those slides? Honoring search warrants and FISA requests is an obligation, not an extra.
The reason Google was singled out as a partner since 2009 is because they gave the government full unrestricted access.
Which part of the PRISM slides make you think that? They certainly indicate pretty much full access to accounts which have been OK'd by Google (at least in archive form), but that is very different from 'full unrestricted access' to servers. I'd say we don't really know the extent of it, and welcome Google's decision to try to challenge the government in court to reveal more details.
As far as I read them the few PRISM slides we've seen don't really indicate:
1) The extent of access (how many accounts, how many accounts per order etc) 2) The mechanisms for FISA access 3) Any time delay in receiving documents/access 4) Whether data is realtime or not after access is granted
and the figures that FB, MS, Apple have announced hardly constitute full unrestricted access to all accounts as you seem to be implying. It's still a serious invasion of privacy, there are serious doubts about the efficacy of the FISA court supervision, and for foreigners I'm not even sure there are any protections at all (the NSA might not even feel obliged to get specific permission for non-US communications), so for everyone outside the US this is really invasive, but I'm not sure I can agree with your characterisation of these slides as showing full access (full access to what, to all Google servers, seriously?).
But what I'm afraid of is that this mess with deciding exactly how much access the government has to Google will turn into a distraction from the larger picture. Which is that, in all likelihood, the NSA does not have access to Google. What they do instead, and what the name PRISM implies, is that they connect to the backbone (Verizon/AT&T), scoop up ALL data, and store it in their freshly built data center in Utah.
The slides I saw seemed to indicate when certain applications or filters came online. Such as a filter for Facebook data, or a filter for Google search/map/GPS data, etc. That's how I interpreted the graph, at least. It would indicate the NSA is rolling out specialized applications to handle data coming to and going from specific sites. Which allows them to more intelligently decipher what is being said, in more or less shotgun fashion.
Hence, the name PRISM. It's a project to split the full Internet stream into a Facebook bucket and a Google bucket, etc.
The hard solution is to secretly duplicate traffic from every data center operated by each of these companies, reverse engineer every HTTP request that goes back and forth so that the data can be parsed, maintain it for every product change that happens at these companies, circumvent HTTPS by compromising the certificate authorities, store it all, and still maintain a massive analytics tool that can make sense of the astounding amount of data coming through.
The easy solution is to avoid all of the technical ugliness of acquiring the data, and just legally make the companies give you the relevant information, neatly structured and packaged. NSLs are the ultimate hack.
You cannot decrypt passive monitoring with a CA's key.
Google started using these for their TLS setup about a year ago, and it's smart. They blogged about it, hoping others would follow suit.
I wonder if perhaps that change, and blog post, were their way of saying without saying.
From their perspective, why not?
A lot of the communication won't be encrypted anyways, and some of it will be, but they may be able to decrypt it at some point in the future.
The hard solution isn't just a little bit harder ... it's several orders of magnitude harder and more expensive. It's also highly vulnerable to simply using encryption. The easy solution works because the US companies are bound by law to cooperate. There's no reason to believe that legal pressure on these companies has failed to get the government what it wants.
Also, not every company is a US company.
I doubt that costs for such an operation would make any difference to the US government, considering how much it is spending per day on its military.
For example for emails: emails travel unencrypted through the hops, and they would store them all, and then constantly analyzing them. When something suspicious comes up, they would go to the email provider to ask for more data. So for example if gmail address is there, they would go to Google and use their PRISM interface to get more data associated with that gmail adress, if it will be yahoo email, they will go to Yahoo for more data, etc.
This is even more complicated when the data centers are in other countries, and none of the data actually enters the US. So if two EU users were accessing Gmail from the EU, the data may never enter the US at all. This means any network tapping would have to be done in the EU as well, requiring cooperation from many international telecom companies.
It's still easiest to just force Google to hand it over via NSL. Google's still legally bound to deliver the data even if it isn't physically stored in the US.
PRISM is a web-app. The slides make it pretty clear its a web-app. The army field manual link helpfully posted before in this discussion outright says its a web-app.
[1]http://twit.tv/show/security-now/408 for audio and relevant links
At any rate, assuming all fibre optic is tapped, how does that explain breaking SSL? That's a really big jump.
As to SSL, is there a claim that NSA has broken it? I wasn't aware of that. Not relevant to Gibson's idea, anyway.
Large governments don't need to break SSL. They have SSL root keys and can man-in-the-middle at will. Doing so across the board would likely be detected, but targeted usage likely wouldn't be.
If this was widespread, I'd expect someone to have found a Google cert signed by different root. Then again I suspect Google pins their certs in chrome for a reason.
This whole conversation is about wholesale data access, so targeting is not relevant. Besides, even if you are talking about targeting, the claim is, they are storing data and then targeting 'retrospectively'. So without a time machine there's no way they are going to be able to go back and MITM the targeted conversations they want to listen to after the fact. They would have to be MITM everything all the time.
How about this: the NSA has issued a secret subpoena for the private SSL key of every listed provider (Google/Facebook/Yahoo/etc). They are using those keys to transparently decrypt traffic and suck up what they want.
When news of the PRISM program was first revealed two weeks ago, officials at Facebook, Google and other tech firms informally conferred on a public response...
I expect Google's filing to show up here shortly: http://www.uscourts.gov/uscourts/courts/fisc/index.html
So what can the gov't do if companies don't co-operate? With individuals, there is blackmail and illicit co-ercion. What does the gov't do to corporations worth updwards of 100B to get them to comply?
If Google's too big to fail on it's own, but the Feds want them to fail because they're (Google) are poking around too much, what happens?
On the other hand, if they all resist, who is the government going to retaliate against? The entire industry? It would be too great a hit to the economy.
So the question is whether Facebook, Apple et al are going to take the short view or the long view. If they let Google be the only one to stand up then maybe it will encourage the government to damage their competitor, but in so doing set the precedent that the industry won't stand together on issues like this, which can only make the government more brazen in the future.
No. Nobody is "forcing" me to concede that. Certainly no logical aspect of this situation.
Mainly, that it's essentially overstepping the speech of the less powerful. It results in the poor having unequal, lesser freedom of speech.
I would have expected you to be on my side on this issue, as you seemed to be more of a 'spirit of the law' guy rather a 'letter of the law' kind of guy.
Anyway, I'm curious to know more on why you think CU was the right decision. I advise watching all 31 minutes of the Trevor Potter vs. Floyd Abram debate if you have time and if you haven't watched/read it already.
I was very sad that ACLU came out in support of CU, I think they were wrong on this one.
One person opting out probably won't help them at all, but it would be interesting to consider a more scaled up "opt out" program whereby you go through a one-time deep check and might be granted less monitoring as a result. They would need to sufficiently automate it to make it feasible, though. I also suspect the people who feel most strongly about opting out would also be against the idea of even a one-time check.
No, that would not be interesting, that would be treason.
http://www.treasurydirect.gov/govt/resources/faq/faq_publicd...
Nice confirmation that the "in the last 6 months" numbers reported by Facebook et al are worthless. No company has yet said how many users are affected total. I assume it's all users, by an earlier "request" (actually all but an order). Why shouldn't an organization that gains a bigger budget the more people it surveils demand the moon?
If we're to believe the number of requests reported so far are 1-to-1 with users, all the information could fit on a single drive. The Bluffdale, UT facility seems capable of handling a good amount of data for each of the entire digital population, even if half of the buildings is space for bureaucrats.
This is conceptually confused. Juries aren't judges or lawyers. They don't get to rule on questions of law, and their verdicts don't set precedent.
If Google does what you suggest and then a judge rules that, as a matter of law, the FISC order was unconstitutional, that means that what Google would have been accused of doing was not illegal -- which means no jury ever gets involved.
If on the other hand a judge holds that what Google would be accused of was illegal, then you get a jury to decide whether, as a matter of fact, they did what they're accused of. But in that case, an acquittal by the jury wouldn't set a precedent that their actions were legal, any more than a jury finding someone not guilty of murder sets a precedent that murder is legal.
All of which means there's no reason for them not to seek a declaration of the order's unconstitutionality before breaching it.
A jury can rule on questions of law.
Rather, it's a jury saying 'I know thing X is illegal (and I can't change that), but I'm going to say that the defendant is not guilty of doing thing X, even though I think he did, because I think thing X shouldn't be illegal'.
That may sound like a fine distinction, but it isn't, it's crucial. A legal precedent that X is not a crime means no-one can thereafter get tried for X (where the precedent applies). A jury nullification doesn't have that effect.
Whether or not your browser client is providing the encryption, however, you've also rendered completely useless any reason for having web mail in the first place, as you've become next-to-useless to them (no content for ads, no content for things like Google Now) and all their infrastructure is useless to you (no content to search over, no content to spam filter, etc). You no longer have a relationship except they're your SMTP gateway and a backup drive. You can get those today all over the place, you don't need google. If you want to stick with Google, go download a desktop mail client and chat client and install the open source PGP and OTR plugins for them. You can do this right now.
[1] http://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_p...
As for the browser side of things, it seems like it would be much much better not to rely on google, but to write a browser extension that identifies the gmail textbox and runs some version of PGP using a private key in your OS/lastpass/whatever keychain. The main thing you'd want to do is somehow isolate the input textbox from the page so that keystrokes only go to the extension, and only the encrypted data goes into the page, preferably when the Send button is pressed.
If Google were to be technically capable of decrypting your email so they can show it to you in a browser, and you're a target for an investigation (a narrow one or an overly broad NSA one), why on earth would the court order/warrant not demand that they decrypt your email to show them, too?
A few other thoughts, though:
- You could still do spam filtering, of course. If it scores highly as spam and the user trusts the spam filtering, it could be deleted or moved into a likely spam folder. (I'm assuming plaintext email is encrypted automatically right away.)
- There are provably secure techniques to perform searches on encrypted data assuming an untrusted server, such as: http://www.cs.berkeley.edu/~dawnsong/papers/se.pdf
- If the encryption is handled on the client side, Google would NOT be technically capable of decrypting your mail. They would not be able to comply with a court order demanding they decrypt your mail. This is what the original version of Hushmail did, before they added the flawed later version that was exploited by FedGov in, if I recally properly, precisely the way you describe.
I would love to see a ruling that corporations have no constitutional rights. But the people running them do, of course.
PRISMA PROYECT BRAIN WASHING AND BRAIN ACTIVITY INFORMATION SENT TO SATELITES ------------------------------------------------------------------------------------ PRISM USED, CHINESE EUROPE AND NORTH KOREA JAPAN.
TRYING TO BE LOVELYG MIND CONTROLER WHEN KILL MILLIONS FROM SATELITES AND BUSINESS PROJECTS. ------------------------------------------------------------------------------------------ THE DEMAND FOR ALL PRESIDENTS.
VENEZUELAN INTELLIGENCE AGENCIES SELLING GENETIC INFORMATION VENEZUELAN JUAN CARLOS VALLEJOS CASE. -------------------------------------------------------
1,000,000 FOR EACH IRRADIATION TELOMERE LOST SATELLITE PRESIDENTS WHO CHARGE MONEY FOR STUDIES OF THE HUMAN RACE.
600,000 MILLION TELOMERE EXIST IN EACH CELL NUCLEUS.
COLLAPSE THEORY FOR ACCUMULATION BITS 0 BITS PER SECOND.
HUMAN CLONATION.
SEMEN SALES FOOD POLITICAL PRISONERS OF POLITICAL PRODUCTS.
---------------------------------------------------------------------------------------------
WHICH ARE LOST BY STUDIES OF THE HUMAN RACE, IN METHODS OF CAUTERIZATION, IRRADIATION AND BRAIN WASHING.
BE CAREFUL WHAT YOU EAT BECAUSE CORPORATIONS INCLUDE COMPUTERS NANO DRINKS FOOD AND MEDICINE.
PROVEN HAVE VIDEOS OF NANO COMPUTERS, VIDEOS AS MANUFACTURED, AND SOFTWARE TRANSMITTED FROM SATELLITES.
EACH NEURON CELL AND YOUR BODY.
SEND IT TO ALL HACKERS.
THIS IS ONLY FOR BANK BUSINESS MODEL PERFECTED.
THE METHOD IS TO DENOUNCE EVERY PRESIDENT SINCE UNIVERISDADES, NGOS, ORGANIZATIONS THAT PROTECT HUMAN RIGHTS, WITH DEANS GOVERNING LAWYERS. SINCE ALL COUNTRIES COURTS, JUDGES AND PROSECUTORS. BEFORE DIETS REVIEW JUAN CARLOS VALLEJOS. DIETS.
https://docs.google.com/document/d/1WKsU8pYPTkHgAVBuMOPFvxR7...
CELL DUPLICATION, COMPANIES AND RESEARCH ORGANIZATIONS OF THE HUMAN RACE, PAY MONEY TO BURN, NERVE CELLS, NEURONS. THE METHODOLOGY USED TO GROW THEM ARE HERE.
https://docs.google.com/document/d/1kwOTL_K6Sm8NQ7FCx330h484...
-------------------------------------------------- - SUPPORTING CRIME VICTIMS WITH USE OF TECHNOLOGIES FOR HUMAN RIGHTS VIOLATIONS. CREATE GENOCIDE RESEARCH PROJECT.
WE ASK LAWYERS NETWORK BE OUR SPONSOR.
1. - STUDY THE INTERNATIONAL DEMAND LEGAL PROPOSAL TO BE SENT TO 14,000 MEMBERS AND THE MEDIA, UNIVERSITIES, NGOS, ORGANISATIONS THAT PROTECT HUMAN RIGHTS. TWO. - STUDY THE BUSINESS PROPOSAL, PAYMENT FOR ADVERTISING ACTIVITIES, PUBLICATION AND SENT THE CASE TO THE MEMBER, 10% OF TOTAL DEMAND. THE COMPLAINT SHALL BE SUBMITTED BY PROFESSIONALS LIBERAL LAWYERS AND COMPANY REDABOGADOS.NET, TO THE COMPETENT COURTS, THE COMPLAINANT, JUAN CARLOS VALLEJOS, CHILEAN, RESIDING IN VENEZUELA, CARABOBO, VALENCIA, CAMORUCO VALLEYS, STREET 133, LOPEZ LATOUCHE, (THIS IS THE RED CROSS STREET), BLDG 1-B SUITABLE ALTAMIRA.
THREE. - THE SERVICES ARE REQUESTED TO JUDGES, PROSECUTORS, LAWYERS, JURISTS. A PROFESSIONAL JUDGES AND LAWYERS WORKING IN INTERNATIONAL CRIMINAL LAW DRAFTING THE COMPLAINT IS REQUESTED, THE DOCUMENTS WILL BE SUBMITTED TO THE COURTS. THE COMPLAINT INCLUDES; 1. RIGHTS VIOLATIONS, IRRADIATION, GENETIC DAMAGE, ROBBERY. TWO. PERFECTIBLE BANK WHICH HAVE VIDEO AND IS THE MAIN REASON WHY THESE AGENCIES PERFORM THE CAUTERIZATION, RADIATION AND TORTURE. CREATED BY JUAN CARLOS VALLEJOS, AT THE UNIVERSITY OF CARABOBO, FACES, SCHOOL OF ECONOMICS, PROF PAUL POLO.
THREE. WELLS EXTRACTION SYSTEM TERMINALS, DESIGNED FOR EXTRACTING HEAVY HYDRO CARBIDE. URL: https://docs.google.com/file/d/0B7rdd1w6dkcSZFRTZW9hTF...