I'm still leaning toward the idea that if this is happening at all, it's happening at the ISP/Backbone level. Which would mean none of these companies are lying- but still that the Government is way overstepping, by leaps and bounds.
There's also the distinct possibility this is all bullshit. There have been a lot of holes and misinformation on Snowden's side("They can watch your thoughts form as you type", when none of the services except for GMail send textual data at real-time, etc), and the Q&A either doubled down some of them or was trying to be misleading.
I'm still waiting for the Guardian to stop milking this and just give us the rest of the slides, the rest of their evidence. At this point, my confidence in the story is shaken enough that I want more if I'm gonna go Pitchfork in hand at the NSA with all of this.
This is what I've been wondering about. PRISM was revealed in a 41 slide doc, and we are yet to see any but the 4 slides guarding and WP shared. Now that NSA knows about the leak, I don't think releasing them would have any further repercussions, other than better a better understanding of the PRISM program.
Google still sends and accepts SMTP over TLS (using RC4) if your server is configured to handle it and has a snakeoil-CA-signed certificate. I just looked at our mail.log to confirm this.
We've known about the AT&T closets for years right?
My understanding of SSL is weak, but if the NSA theoretically acquired the right private keys / SSL certificates / whatever through hook or by crook, they couldn't just watch everything then could they?
Are the PRISM slide dates when they acquired said certificates/keys for said providers? Were non-legal means of acquiring used?
My real question is - Does it matter that the collection of data is outside of Google's control?
Should Google care that in the process of Google collecting data the NSA is intercepting it. Should Google want to stop that, if it were theoretically happening "in the middle".
Here's an interview question for you: "You're currently using 1024-bit SSL certificates. You want to start using 2048-bit certificates instead. What do you need to worry about if you're the size of Google?"
It's not try it wouldn't do them any good. It just ensures that they can't use the cert to go back and look at old data streams and decrypt them. It doesn't prevent them from using a cert for man in the middle attacks, for example.
How hard would it be for the NSA to "partner" with the SSL accelerator manufacturers to add functionality that sends copies of all the ECDHE negotiated keys to the NSA so that they can decrypt most of the encrypted traffic that they captured off the backbones?
One of us is misunderstanding the definition of perfect forward secrecy. From what I understand, it protects past/current session keys if one private key is compromised in the future. It does not protect session keys after one key is compromised (e.g. the NSA has Google's private key) and certainly not when all private keys are compromised and the attacker can observe all handshakes etc.
If this were happening at the packet level, PRISM would need constant maintenance for each service, and a MUCH higher budget than $20mil a year. Think about it, to be effective, you'd need to parse the format at which the data is sent. Formats and protocols change daily for all these services. And I highly doubt analysts are expected to look at pcap dumps to put together intelligence.
I think reality is that PRISM is nothing more than a parsing software for data dumps after NSA has legally obtained the data from the provider. And I'm willing to bet the other 37 slides show that.
But still, NSA would need to know the entire IP range of all public facing servers, their purpose in relation to the service (for example, which IP range handles Gmail vs Search).
Plus, if this were a store-it-and-forget-it situation, PRISM wouldn't be limited to the services it could support.
Much of this ISP / Tier 1 Network sniffing by Narus and other private tech companies is documented in James Bamfords' book about the NSA dating back to 2008.
yep. Current law allows to force them to be silent about the wiretapping to hide it from public. One can see how a creative government lawyer can force them to publish a denying PR release as extent of the same legal requirement to hide the wiretapping from public. One have a choice what to believe - either NSA is lying in internal secret docs or companies like Google are legally forced to publicly deny their involvement. Hard choice?
Yahoo now wants us to believe that this was a court order saying, in effect, Yahoo must comply with court orders to turn over specific user data. WTF? Yahoo also wants its users to believe that Prism is nothing to worry about, even though it tried to fight it back in 2008. "Notwithstanding the parade of horribles trotted out by the petitioner ... Little more than a lament about the risk that government officials will not operate in good faith." Nothing to see here folks, move along!
Of course, the thing about slippery-slope arguments is that you never have to deliver on them. It's curious that people who scoff at the idea of a rock that keeps tigers away are so willing to believe in one that attracts them.
Why would the NSA be building a facility large enough to store a big chunk of the planet's digital info if they'll have data for only a few thousand Google users?
To be fair, there was plenty to pick apart, and there was the eerie similarity to the letters from other companies. And they (all) refuted "direct access" but weaseled / legalesed out of any kind of actual refutation of excessive access to data.
This is much clearer. This is what everyone very obviously wanted at the very beginning, and it does seem strange that they didn't do this then, or at all sooner. What took them so long?
I'm sorry, but I can't take these statements at face value. Those PRISM slides have not exactly been disavowed by the NSA, and they make it quite clear that there is some kind of "program" that Google (and others) are part of. I don't buy that it's no more than "you send us a court order and we send you the data" because that wouldn't justify having a name ("PRISM") and a list of "join dates" for the various companies, etc.
Simply put, I think Google, Yahoo, Apple, MS, etc. are all lying about their involvement in all this, to some extent. Maybe the NSA does or doesn't have "direct" access (whatever you think that means) but I believe there is something going on, beyond the run of the mill request/response scenario.
Is your hypothesis falsifiable? In other words, is there anything Google could do or say to convince you that they are not, in fact, in cahoots with the NSA?
They could release all details regarding what the NSA asked of them, for starters, and what they do to ensure the NSA has no way to get data from Google in one way or another.
And participate in stopwatching.us. Why no support there?
Yes, and it seems more like a PR coup than anything else, seriously. For a company that has as much resources as Google, this is far from being significant.
stopwatching.us's letter to Congress is based on the premise that the Guardian and WashPo articles are true. Of course, Google and others are swearing that it's false. So why would Google want to sign that letter?
This also assumes that a letter like this does any good. I would think that Google actually filing a legal challenge with FISA is going to be more effective.
is there anything Google could do or say to convince you that they are not, in fact, in cahoots with the NSA?
First of all, I don't see it as a binary thing, where I'm 100% convinced they are or 100% convinced they aren't. It's more like, "what's the probability that they are?" That said, they could lower my estimate of the probability that they are (in cahoots with the NSA), although perhaps not lower it to zero. But nothing they are likely to actually do.
For example, agreeing to an extensive audit of all of their internal systems, by a 3rd party organization which gets full access to everything inside Google for some period of time, including looking at source code. If somebody did that, and came back and said they found no signs of any kind of NSA tie-in, I'd be somewhat more convinced.
But, that's obviously not realistic and I won't be holding my breath for it to happen. :-)
Let me get this straight... You would trust Google MORE if they let a third party company come in and have full access to EVERYTHING? Source code and data? And whose to say that company isn't associated with the NSA or the Chinese government?
This is what auditors exist for - to bolster trust - they get to ask the difficult questions, look at the systems and processes in place, and assess the behaviour of a company in order to reassure external parties (often investors). They do often genuinely have access to data and code, even if it is perhaps slightly rarer for them to bring the skills to truly interrogate them.
The reliability of an auditor is based on their perceived level of trust in the community. As an investor, you want to be assured that your investment is worthwhile, so you want to work with an auditor that is thorough and highly confidential.
If an auditor can be proven to have intentionally misled in the past, or to have worked with shady agencies / outside parties, that would be a very black mark against them and future business, so it should, ideally, not be in their best interests. Note that this does not except the behaviour of humans in practice, where short term gains of a person might not be aligned with their parent organization (c.f. banking).
And whose to say that company isn't associated with the NSA or the Chinese government?
That's the rub... you never really know. Especially when we have "secret government" with things like gag orders, secret laws, secret courts, etc. That's what makes all this so insidious.
Having seen first hand the number of ex CIA/SS/NSA/MIL emps there are at FB, GOOG would have to prove that they did not have the same level of infestation....
Do they have a DC policy Office? FB does... What is the nature of the policy office GOOG has... Can it be verified that its not just a YESSIR system? Probably not...
When someone answers a different question than the one asked, or uses different terms that are more flexable in scope or definition. Originally they focused on 'no direct access' and ' no back door'. As a computer person you can understand that there are lots of ways to get information in or out of a system that can be characterized differently than the above phrases. It's like talking to child about a how they got the cookie they have in their hands, did they take it, did they pick it up, did they steal it, did the find it, did it fall off a truck, did a guy name Vinny give it to them because hes a nice guy, etc. And what is the legal definition of 'cahoots' anyway?
A lawyer is talking, so you have to be extremely careful with what they say. "I’m not sure I can say this more clearly: we’re not in cahoots with the NSA and there’s is no government program that Google participates in that allows the kind of access that the media originally reported."
Okay, so it's not a program, maybe it's a project, or a NSL, or and executive order, or a collaboration. Having shown themselves to be complicit in a lie of omission (not saying anything because of gag orders) And having changed their statements a few times their word is suspect and needs to be examined.
It is imposible to prove a negative. That kinda sucks for Google because they have brought into question our trust in them and it may take a good long while to rebuild that trust, even if they tried to.
He cannot enumerate everything someone might dream up and deny them all. He is denying directly the things people have accused. What more could he say?
It's a combination of things. I wouldn't say there's a "smoking gun" necessarily, but a lot of small things, taken together, strongly suggest that there is more to this.
One distinct possibility is that whoever put those slides together made misrepresentations in the case of some or all companies.
To me PRISM sounds like it's the front end that analysts use, something that unifies all the different data sources from companies, which in turn vary in their degree of cooperation with the government. The data from Google could very well be the data from specific court orders that name individuals. The join dates could just be the dates that whoever was writing the PRISM software was able to integrate the data from whichever company.
I think your absolutely correct here. From I have gleaned from various news articles, MAINWAY and MARINA were the systems that were used to store telephone and internet records respectively. Whereas PRISM was used as an analysis tool.
To be fair, the data was / is being collected about networks, IPs and phone numbers not Americans. The fact that the IPs and phone numbers are strongly correlated with individual Americans may be a technicality.
Persons holding clearances are not allowed to confirm or deny any purported classified material, so I would expect any NSA disavowal to take some time if it occurs at all.
Sorry to bring this up but this type of thinking seems to be running wild lately on HN regarding anything NSA related....
But it must be said that: Your Logical Fallacy Is: Burden of Proof.
You said that the burden of proof lies not with the person making the claim, but with someone else to disprove.
The burden of proof lies with someone who is making a claim, and is not upon anyone else to disprove. The inability, or disinclination, to disprove a claim does not render that claim valid, nor give it any credence whatsoever. However it is important to note that we can never be certain of anything, and so we must assign value to any claim based on the available evidence, and to dismiss something on the basis that it hasn't been proven beyond all doubt is also fallacious reasoning.
You're assuming I'm making a claim that I'm not. And if anything, you have it completely backwards. IF the claim were a simple "Google is complicit with the NSA", then one could say that the available evidence weighs in favor of that claim. IF Google want to make a claim "we are not in bed with the NSA" the burden of proof IS on Google to prove that "we are not in bed with the NSA", especially in light of evidence which strongly suggests that they are.
It's a moot point though, as the only claims I'm making are:
A. I don't trust Google (and Yahoo, etc.). That doesn't need any proof, as it's simply a statement of my position.
B. There is probably something more to the NSA/Google/Yahoo/MS/Apple relationship than what Google/Yahoo/Apple/MS are publicly saying. There is evidence (the PRISM slides) to directly support this.
I'm not making any more specific claim (eg "Google have a secret server that the NSA ssh into and do direct queries on Google's database" or something) because, quite simply, I don't know. And without the rest of the PRISM slides, or the other Snowden docs, or some other input, we'll probably never know. But I've seen enough to not trust Google/Yahoo/Apple/MS/etc. completely.
Powerpoint slides of unverified origin I don't think quite meets the burden of proof that Google is complicit or even involved in anything. They are just that: Powerpoint slides.
My understanding is that the origin is verified. I don't have the citation handy, but I believe that reporters from the WaPo contacted the NSA before the story ran, and verified that the slides are - at least - authentic.
Granted, there's a lot we don't know about them, but I haven't seen any reason to believe that they aren't exactly what they seem to be.
Drumond: "Note that I say “originally” because you’ll see that many of those original sources corrected their articles after it became clear that the PRISM slides were not accurate."
Someone, possibly a Google /Fb /Microsoft /Yahoo PR hack, started this rumor. The Guardian posted the slides and Snowden interviews and are sticking to the original story as far as I can tell. No one has said that the slides were fake and if they aren't, why would NSA mislead its employees on the ways of collecting data?
Given that it's from a lawyer also, who no offence are often skilled at lying by telling only the truth, it does make me a little hesitant to accept this. I'd rather hear it directly from the CEO or some senior engineer, in the hope that they'd know there's not some legal loophole they have to tread carefully around as they speak.
Great that Google are saying this though. Let's fix the politics, stop the secret court rulings and gag orders and have them say it one last time, along with the approximate number of users effected by all requests ever.
Doesn't the government have the capability to force corporations to lie about matters of national security (of which the most benign form is a gag letter)? Or is that just FUD?
At this point, it seems more plausible to me that Google is telling the truth here and the Prism slides are either inaccurate or refer to DPI reconstruction or just a live hosting/presentation environment for conventionally-delivered dossiers. I can't see Google intentionally making statements which are both incorrect and falsifiable to this degree, especially since it looks like more leaks are coming, or actual official declassifications.
There is absolutely some horrible shit going down -- backbone sniffing and DPI, mass telephone metadata (and either OTA or carrier-delivered copies of content for "interesting" numbers and maybe areas), etc. And, there are serious future trust issues with cloud computing. But, at this time, I don't think NSA has pervasive access at Google -- I'm sure they (and the Chinese, Israel, and others) have Google staff who they know are likely to be "friendly" if they actually did need to do something (much much more applicable to non-US agencies), but even that doesn't need to be formalized until used.
Because NSA has so many other tools (legal and technical) to use, I don't think they do high-odds-of-being-detected stuff, certainly not on a widespread basis. Active MITM of connections, or really intrusive requests to companies, seems unlikely.
This is not the case for China, Israel, etc., so they are far far more likely to use external or internal attacks (other than legal) to get data from companies. And, guess what -- look at the news or your own networks -- lots of attacks from China, some quite sophisticated and successful.
I'd actually say there are higher odds of a given Google SRE being purely commercially evil and selling access to crime organizations than that NSA is doing this actively against Google.
This all means the threat is every bit as real as if NSA were doing it pervasively if you're likely to be a target. I don't think we ever thought NSA was using its pervasive monitoring for anything other than ultimately going after some specific targets, not for general law enforcement risk, so the situation is no different either way -- you can mostly trust Google if you blend in, but can't if you're "interesting".
Against some kind of pervasive secret program involving many people: The odds of a single Googler on any team being a "whistleblower" are far higher than the odds at NSA, and we've had a lot of espionage leaks over the years, plus actual leakers.
Occam's razor is that Google is telling the truth here.
Against some kind of pervasive secret program involving many people: The odds of a single Googler on any team being a "whistleblower" are far higher than the odds at NSA, and we've had a lot of espionage leaks over the years, plus actual leakers.
Ya think that random Googlers would spy for NSA or feed them info? They are probably hundreds of Googlers with Top Secret clearance.
"Top Secret" doesn't mean very much (either positively or negatively). It's being read into very specific special access programs which matter. Those can have populations from like 2 to thousands.
I actually think the whole the USG handles classified information and clearances is broken -- it keeps too much secret from the public or businesses which could use it, AND fails to effectively keep essential-to-keep-secret stuff secret. It's borderline OK in operational DoD units other than NSA/intel/etc. (like, keeping maps and such secret), but other than that, it's horrible.
Unlike the 1980s, they now have laughable internal security, where a contractor in the provinces gets superuser access (unlogged!) to the point where he can exfiltrate mad data, tamper with things, etc.
There are commercial organizations who do a vastly better job with their secrets.
I'm torn between wanting to fix this all by making technical controls much stronger, background checks more effective, etc., and wanting to let it collapse (because 90% of what is classified is overclassified, and a lot of the mission is either unnecessary or immoral, both in the general Eisenhower "every dollar spent on bombs is theft from humanity" and in the specific sense of violating civil liberties.
The problem is that Google's business model fundamentally makes it into a liability for a free society. The more they stockpile data on people, the more dangerous they become.
Unless we have a change in the constitution that spells out a clear limit on the government's right to access this data (and for that matter, limits google's own rights to use it), the risk of misuse will only grow. Even if the NSA's access today is somewhat limited, the risk won't get any less.
Google is like a fireworks factory waiting for a stray spark.
I believe these statements are sidestepping the facts. Explicit requests for user data and backdoor access are a separate issue. If Prism involves capturing and storing packets at major Internet backbones (perhaps just upstream from private networks like Google's), anything plaintext could be searched and extracted after the fact - email messages, web browsing, chat, etc. To this day, a significant amount of communication related Internet traffic is not encrypted. I've worked on software that does exactly this. Here is a public marketing writeup:
"Every packet is recorded, classified, and indexed, making quick discovery, reconstruction, and delivery of files in their original formats easy and intuitive. Reconstruct email attachments, windows file transfers, PDF, Word, PowerPoint, Excel, and more, giving you full visibility into everything on your network.... Show all activity over time for a single user or all file-type activity over time for all users."
NSA could apply simple port based filtering to limit capture to only those packets related to communication, thereby streamlining storage requirements. If this was the Prism architecture, then these company statements would be truthful, but misleading. The NSA does not have direct access to their systems or user data, but if the NSA is allowed to record user traffic before it enters, or after it leaves their doors, then the end result is similar.
Source encryption does not guarantee endpoint encryption. In the case of gmail via https, an email recipient might download or forward in it in plaintext via pop, imap, smtp or an http email client.
Of course, the one thing we know for certain is that to the extent that a company is required to assist with extra-Constitutional surveillance efforts, they are also required to lie about it if asked.
So this is yet another zero-information thread on the subject.
84 comments
[ 2.8 ms ] story [ 38.5 ms ] threadThere's also the distinct possibility this is all bullshit. There have been a lot of holes and misinformation on Snowden's side("They can watch your thoughts form as you type", when none of the services except for GMail send textual data at real-time, etc), and the Q&A either doubled down some of them or was trying to be misleading.
I'm still waiting for the Guardian to stop milking this and just give us the rest of the slides, the rest of their evidence. At this point, my confidence in the story is shaken enough that I want more if I'm gonna go Pitchfork in hand at the NSA with all of this.
My understanding of SSL is weak, but if the NSA theoretically acquired the right private keys / SSL certificates / whatever through hook or by crook, they couldn't just watch everything then could they?
Are the PRISM slide dates when they acquired said certificates/keys for said providers? Were non-legal means of acquiring used?
My real question is - Does it matter that the collection of data is outside of Google's control?
Should Google care that in the process of Google collecting data the NSA is intercepting it. Should Google want to stop that, if it were theoretically happening "in the middle".
Google's attitude scares me.
Because they do.
(Discussion releated to this topic is getting quite redundant on HN. Same discussion in every thread.)
Agree/disagree?
I think reality is that PRISM is nothing more than a parsing software for data dumps after NSA has legally obtained the data from the provider. And I'm willing to bet the other 37 slides show that.
Plus, if this were a store-it-and-forget-it situation, PRISM wouldn't be limited to the services it could support.
Things just aren't adding up, here.
http://www.amazon.com/The-Shadow-Factory-Eavesdropping-Ameri...
It has been going on for a long time.
yep. Current law allows to force them to be silent about the wiretapping to hide it from public. One can see how a creative government lawyer can force them to publish a denying PR release as extent of the same legal requirement to hide the wiretapping from public. One have a choice what to believe - either NSA is lying in internal secret docs or companies like Google are legally forced to publicly deny their involvement. Hard choice?
http://www.wired.com/threatlevel/2007/05/mark_klein_docu/
This has been public knowledge since 2007. ;)
PRISM helps the NSA in 2 ways:
1 - Collecting unencrypted versions of secured (https) communication. Note: They already have the encrypted copy.
2 - Collecting metadata, as in the case of Verizon. This allows them to make targeted database retrievals, from their massive data set.
It's entirely possible that this is happening, especially if it's plausible that the government forcibly acquired Google's root certs.
Yahoo now wants us to believe that this was a court order saying, in effect, Yahoo must comply with court orders to turn over specific user data. WTF? Yahoo also wants its users to believe that Prism is nothing to worry about, even though it tried to fight it back in 2008. "Notwithstanding the parade of horribles trotted out by the petitioner ... Little more than a lament about the risk that government officials will not operate in good faith." Nothing to see here folks, move along!
Of course, the thing about slippery-slope arguments is that you never have to deliver on them. It's curious that people who scoff at the idea of a rock that keeps tigers away are so willing to believe in one that attracts them.
Why wouldn't the NSA request all Google searches, with IP address? That would be highly valuable info.
This is much clearer. This is what everyone very obviously wanted at the very beginning, and it does seem strange that they didn't do this then, or at all sooner. What took them so long?
Simply put, I think Google, Yahoo, Apple, MS, etc. are all lying about their involvement in all this, to some extent. Maybe the NSA does or doesn't have "direct" access (whatever you think that means) but I believe there is something going on, beyond the run of the mill request/response scenario.
And participate in stopwatching.us. Why no support there?
http://money.cnn.com/2013/06/18/technology/security/google-n...
This also assumes that a letter like this does any good. I would think that Google actually filing a legal challenge with FISA is going to be more effective.
First of all, I don't see it as a binary thing, where I'm 100% convinced they are or 100% convinced they aren't. It's more like, "what's the probability that they are?" That said, they could lower my estimate of the probability that they are (in cahoots with the NSA), although perhaps not lower it to zero. But nothing they are likely to actually do.
For example, agreeing to an extensive audit of all of their internal systems, by a 3rd party organization which gets full access to everything inside Google for some period of time, including looking at source code. If somebody did that, and came back and said they found no signs of any kind of NSA tie-in, I'd be somewhat more convinced.
But, that's obviously not realistic and I won't be holding my breath for it to happen. :-)
The reliability of an auditor is based on their perceived level of trust in the community. As an investor, you want to be assured that your investment is worthwhile, so you want to work with an auditor that is thorough and highly confidential.
If an auditor can be proven to have intentionally misled in the past, or to have worked with shady agencies / outside parties, that would be a very black mark against them and future business, so it should, ideally, not be in their best interests. Note that this does not except the behaviour of humans in practice, where short term gains of a person might not be aligned with their parent organization (c.f. banking).
That's the rub... you never really know. Especially when we have "secret government" with things like gag orders, secret laws, secret courts, etc. That's what makes all this so insidious.
Do they have a DC policy Office? FB does... What is the nature of the policy office GOOG has... Can it be verified that its not just a YESSIR system? Probably not...
Gut feel? hunch?
When someone answers a different question than the one asked, or uses different terms that are more flexable in scope or definition. Originally they focused on 'no direct access' and ' no back door'. As a computer person you can understand that there are lots of ways to get information in or out of a system that can be characterized differently than the above phrases. It's like talking to child about a how they got the cookie they have in their hands, did they take it, did they pick it up, did they steal it, did the find it, did it fall off a truck, did a guy name Vinny give it to them because hes a nice guy, etc. And what is the legal definition of 'cahoots' anyway?
A lawyer is talking, so you have to be extremely careful with what they say. "I’m not sure I can say this more clearly: we’re not in cahoots with the NSA and there’s is no government program that Google participates in that allows the kind of access that the media originally reported." Okay, so it's not a program, maybe it's a project, or a NSL, or and executive order, or a collaboration. Having shown themselves to be complicit in a lie of omission (not saying anything because of gag orders) And having changed their statements a few times their word is suspect and needs to be examined.
It is imposible to prove a negative. That kinda sucks for Google because they have brought into question our trust in them and it may take a good long while to rebuild that trust, even if they tried to.
To me PRISM sounds like it's the front end that analysts use, something that unifies all the different data sources from companies, which in turn vary in their degree of cooperation with the government. The data from Google could very well be the data from specific court orders that name individuals. The join dates could just be the dates that whoever was writing the PRISM software was able to integrate the data from whichever company.
To be fair, the data was / is being collected about networks, IPs and phone numbers not Americans. The fact that the IPs and phone numbers are strongly correlated with individual Americans may be a technicality.
You said that the burden of proof lies not with the person making the claim, but with someone else to disprove. The burden of proof lies with someone who is making a claim, and is not upon anyone else to disprove. The inability, or disinclination, to disprove a claim does not render that claim valid, nor give it any credence whatsoever. However it is important to note that we can never be certain of anything, and so we must assign value to any claim based on the available evidence, and to dismiss something on the basis that it hasn't been proven beyond all doubt is also fallacious reasoning.
https://yourlogicalfallacyis.com/burden-of-proof
It's a moot point though, as the only claims I'm making are:
A. I don't trust Google (and Yahoo, etc.). That doesn't need any proof, as it's simply a statement of my position.
B. There is probably something more to the NSA/Google/Yahoo/MS/Apple relationship than what Google/Yahoo/Apple/MS are publicly saying. There is evidence (the PRISM slides) to directly support this.
I'm not making any more specific claim (eg "Google have a secret server that the NSA ssh into and do direct queries on Google's database" or something) because, quite simply, I don't know. And without the rest of the PRISM slides, or the other Snowden docs, or some other input, we'll probably never know. But I've seen enough to not trust Google/Yahoo/Apple/MS/etc. completely.
Granted, there's a lot we don't know about them, but I haven't seen any reason to believe that they aren't exactly what they seem to be.
Someone, possibly a Google /Fb /Microsoft /Yahoo PR hack, started this rumor. The Guardian posted the slides and Snowden interviews and are sticking to the original story as far as I can tell. No one has said that the slides were fake and if they aren't, why would NSA mislead its employees on the ways of collecting data?
Great that Google are saying this though. Let's fix the politics, stop the secret court rulings and gag orders and have them say it one last time, along with the approximate number of users effected by all requests ever.
From Larry Page, CEO of Google
That IS what you wanted, right?
Really it's all for nothing though until the politics are sorted out
There is absolutely some horrible shit going down -- backbone sniffing and DPI, mass telephone metadata (and either OTA or carrier-delivered copies of content for "interesting" numbers and maybe areas), etc. And, there are serious future trust issues with cloud computing. But, at this time, I don't think NSA has pervasive access at Google -- I'm sure they (and the Chinese, Israel, and others) have Google staff who they know are likely to be "friendly" if they actually did need to do something (much much more applicable to non-US agencies), but even that doesn't need to be formalized until used.
Because NSA has so many other tools (legal and technical) to use, I don't think they do high-odds-of-being-detected stuff, certainly not on a widespread basis. Active MITM of connections, or really intrusive requests to companies, seems unlikely.
This is not the case for China, Israel, etc., so they are far far more likely to use external or internal attacks (other than legal) to get data from companies. And, guess what -- look at the news or your own networks -- lots of attacks from China, some quite sophisticated and successful.
I'd actually say there are higher odds of a given Google SRE being purely commercially evil and selling access to crime organizations than that NSA is doing this actively against Google.
This all means the threat is every bit as real as if NSA were doing it pervasively if you're likely to be a target. I don't think we ever thought NSA was using its pervasive monitoring for anything other than ultimately going after some specific targets, not for general law enforcement risk, so the situation is no different either way -- you can mostly trust Google if you blend in, but can't if you're "interesting".
Against some kind of pervasive secret program involving many people: The odds of a single Googler on any team being a "whistleblower" are far higher than the odds at NSA, and we've had a lot of espionage leaks over the years, plus actual leakers.
Occam's razor is that Google is telling the truth here.
Ya think that random Googlers would spy for NSA or feed them info? They are probably hundreds of Googlers with Top Secret clearance.
I actually think the whole the USG handles classified information and clearances is broken -- it keeps too much secret from the public or businesses which could use it, AND fails to effectively keep essential-to-keep-secret stuff secret. It's borderline OK in operational DoD units other than NSA/intel/etc. (like, keeping maps and such secret), but other than that, it's horrible.
Unlike the 1980s, they now have laughable internal security, where a contractor in the provinces gets superuser access (unlogged!) to the point where he can exfiltrate mad data, tamper with things, etc.
There are commercial organizations who do a vastly better job with their secrets.
I'm torn between wanting to fix this all by making technical controls much stronger, background checks more effective, etc., and wanting to let it collapse (because 90% of what is classified is overclassified, and a lot of the mission is either unnecessary or immoral, both in the general Eisenhower "every dollar spent on bombs is theft from humanity" and in the specific sense of violating civil liberties.
Unless we have a change in the constitution that spells out a clear limit on the government's right to access this data (and for that matter, limits google's own rights to use it), the risk of misuse will only grow. Even if the NSA's access today is somewhat limited, the risk won't get any less.
Google is like a fireworks factory waiting for a stray spark.
How else would you get the human race to move forward?
"Every packet is recorded, classified, and indexed, making quick discovery, reconstruction, and delivery of files in their original formats easy and intuitive. Reconstruct email attachments, windows file transfers, PDF, Word, PowerPoint, Excel, and more, giving you full visibility into everything on your network.... Show all activity over time for a single user or all file-type activity over time for all users."
NSA could apply simple port based filtering to limit capture to only those packets related to communication, thereby streamlining storage requirements. If this was the Prism architecture, then these company statements would be truthful, but misleading. The NSA does not have direct access to their systems or user data, but if the NSA is allowed to record user traffic before it enters, or after it leaves their doors, then the end result is similar.
"Under this program"
"That we know of"
"Not willfully"
They are like a get-out-of-jail-free card.
"No more illegal wiretapping of all US citizens like under Bush" (we'll just make it legal instead).
So this is yet another zero-information thread on the subject.