309 comments

[ 3.7 ms ] story [ 344 ms ] thread
> "With that said, do you really want to buy a Microsoft product? Do you want to buy anything that gives easy access to snoops poking around at their leisure? If you'd think twice about this, then why would a foreign government rely on Microsoft Office with any confidence? Personally, if I were any foreign government or corporation, I'd stop using all Microsoft products immediately for fear of America spying on me. Nothing can be secret."

That's exactly what I'm hoping will happen. It may be the only way to actually roll back most of this shameless and abusive mass spying of everything and everyone. I'm not sure what else would stop it. Americans protesting it? I'm not holding my breath for that one, and even if they do, they'll only try to fix the spying internally, as they couldn't care less what they do to the world as long as the government keeps telling them "it's to keep them safe" (which obviously trumps everyone else' rights).

> "With that said, do you really want to buy a Microsoft product? Do you want to buy anything that gives easy access to snoops poking around at their leisure?

You know... Up until this whole NSA/PRISM thing got uncovered, Microsoft had actually rather successfully started to rebuild the perception and image of its cloud-service Azure.

It had shown the world that in less than a year, it was well on its way to catch up with Amazon Web Services. It was going from an experiment to serious business. Something the company invested in. Even more so than the traditional parts of the business.

As someone who once looked at Azure and laughed it off, I was coming around, actually considering it. I don't have any inside info on this, but I would guess/assume Azure was just about to take off. All those investments, finally about to pay off.

Then the whole NSA/PRISM thing came about. Now there's no chance in hell I'm going there. Not that I expect AWS to be any better in that regard either. I'm currently pulling out my data from Google. I trust them even less.

Hell, at this point, the only viable option privacy-vice seems to be open-source software, deployed by me, to an account I control, hosted on a service-provider outside the US's reach.

It may not be immune to unauthorized, illegal snooping, but it will be off the main grid, take a bit more effort and it wont be done automatically 24/7.

If I become paranoid enough to put in the effort, I'll just get a VPS instead and encrypt the shit out of it.

(Disclaimer: Not a US citizen.)

(comment deleted)
Exactly. Microsoft were making a comeback and I moved my email and online storage from Google to Microsoft. Now I feel back-stabbed.

I don't use the hate word often, but I HATE Microsoft now.

Just for the record, I think Dvorack is bang on with this article. Couldn't agree more.

Personally, I would not go that far. I mean, what is the practical risk?
This is a financial disaster waiting to happen. Microsoft is oblivious if it is not doing something to divorce itself from the NSA.

Apple, on the other hand, could have come out smelling like a rose, but following the death of Steve Jobs, who apparently refused to play ball with the NSA, it stupidly jumped on board to join the PRISM club.

According to the Prism slides, it really looks so:

   "Dates when Prism collection began for each provider

   Microsoft 9/11/07
   Yahoo 3/12/08
   Google 1/14/09
   Facebook 6/3/09
   PalTalk  12/07/09
   YouTube 9/24/10
   Skype 2/6/11
   AOL 3/31/11
   Apple (added Oct 2012)"
Steve Jobs: February 24, 1955 – October 5, 2011.

If it's true, it's one reason more to deeply admire him.

And can you just imagine how much more sales Apple would get now for not being on that list?

That reminds me of Putin a little bit. Even if you think some leader is an asshole, sometimes you need an asshole to stand up to an even bigger bully. I just imagine someone like former president Medvedev (and with no Putin in sight) would've offered Snowden to US government on a silver platter, just like France, Spain, Portugal and Italy tried to do (fortunately unsuccessfully). I remember I was very much against Putin when he fought the US' anti-rocket shield, but over the past few years I've started to understand why he would do that. No country should own the whole world.
Don't mistake a former KGB guy's taunting for a principled stance. Here's how Putin deals with whistleblowers: https://en.wikipedia.org/wiki/Alexander_Litvinenko_poisoning
I don't think mtgox was implying principle, just a willingness to resist, even for the wrong reasons. ("You can't imprison dissidents. That's my job.")
You certainly have a court decision or at least an official accusation to support your claim? Just asking.
You might find some of what you're looking for on the wikipedia page I linked to. But courts are only very rarely the place where accusations against heads of states are examined, especially when it comes to superpowers.
I read it carefully. Name "Putin" is not mentioned anywhere in the Investigation section.

Please stick to the facts.

If the accused can prevent a proper investigation I will make my mind up based on the clues that exist.
The more you look, the more you will find. Plato's Cave is amazing eye opener to everything we do daily.
Medvedev was and is Putin's pawn, he acts the way Putin tells him.
I know that, I just meant "someone like him" (weak personality that does what others tell him to do, even if he's head of a state).
You're right, sorry I should have read your comment more carefully.
Not germane to this topic, but I'm sure there are quite a few GLBT people that might have an opinion on just how much of an asshole Putin is.
It's not exactly him. In my experience most Russians are homophobic to the core, unless they know some LBGT personally.
For those who know Formula 1, I think Bernie Ecclestone and Max Mosley are the sort of examples that might work. Of course, some would say they are and were the bullies that needed standing up to. Heh, I suppose that gets us to the terrorist / freedom fighter type debate!!!
Anyone who serves in a role as top leader of a country or large corporation is an asshole -- it's a job requirement.

What you're seeing in Putin is the ability to be independent. He gets to enjoy watching the Americans squirm at low cost. What's the US going to do to Russia? Our diplomats will be rude to each other, maybe we won't attend the Russian summer ball and snub the Russian ambassador, each country will declare some spies persona non grata.

At the end of the day, the areas in which the Russians and Americans cooperate are areas that they have a mutual interest to do so.

Others, like the Germans or Spain are different. They piss off the US, we cut off the faucet of intelligence, money, privileges, etc.

I must admit, I'm no Apple fanboy but in this case, I can easily picture a NSA rep threatening Steve Jobs and Steve Jobs telling him to f* off.
I wonder what would a Tim Cook-made iMessage look like from a security standpoint (probably a lot more like Skype/Hangouts than how it works right now).
iMessage is in no way NSA-proof:

http://blog.cryptographyengineering.com/2013/06/can-apple-re...

tl;dr:

  * Apple distributes the encryption keys
  * Multiple keys can be associated with an account (iPhone, Mac – and the NSA?)
  * Apple can retain metadata
  * Apple doesn't use certificate pinning
My understanding is that this isn't that bad. If you use iCloud, then the NSA can read your old messages. If you don't sync your iMessages with iCloud, under the assumption that not every iMessage gets encrypted to an NSA key in addition to the recipient's keys, your messages are safe until the NSA/other law enforcement explicitly targets you, and even then, they can only read new messages and not previous ones.
How do you know it was Steve Jobs that prevented Apple from joining earlier? Perhaps Apple just wasn't a priority for the NSA until 2012.
It's conjecture, but it's likely. Apple as a company has put a high value on user privacy, which was heavily influenced by Steve. He was also known for maintaining a high degree of personal privacy for such a public figure (for instance, refusing to put plates on his car).
Apple is a company producing consumer devices, while the others are companies offering Internet services, which is what PRISM targets. Apple has only recently had some success in the Internet services space with iCloud.
One of those most successful devices is a phone. One that has been selling pretty well for 6 years.

That's incitement enough to try to get them on board.

Until iCloud/iMessage, all the actual information was transmitted through third party services (i.e. network providers, email services, etc.)

Why go after the myriad of handset manufacturers when you could just get the network providers on board?

There are things network providers can't do: activate mic remotely, capture local-only data, keylog apps that use encryption, etc.
The list was about joining PRISM, it doesn't say anything about backdoors in mobile phones. They may very well be present in all iPhone generations.
Curious as to why Amazon isn't on that list then? Perhaps it's true that Bezos has more in common with Jobs.
Apple had internet services since around year 2000. Apple had mac.com emails for a very long time, as well as

http://en.wikipedia.org/wiki/MobileMe

.Mac: July 17, 2002 – July 9, 2008

MobileMe: July 9, 2008 – June 30, 2012

iCloud was launched on October 12, 2011, one year before Apple entering Prism.

http://en.wikipedia.org/wiki/ICloud

The main difference before iCloud was that you had to pay for it. I can however remember that I've had free .me account before iCloud, so even .me must have had enough users.

You must not have read the part where he said "recently had some success"
Well, in the NSA's eyes, that main difference is important. Free (and highly pushed by the very popular iPhone and iPad) meant people actually starting using iCloud. The cost-benefit analysis shifted tremendously from .mac/MobileMe.

It is fun to think of Steve Jobs as the lone person saying "fuck you" to the NSA. But it isn't realistic. It isn't like the other companies are run by meek people who love bending over to authorities.

I can remember that I've had a free .me account before iCloud, so I believe even .me must have had enough users: it was freely available to every iDevice user. There were millions of them fast.
How does that follow? It is not just about the cost, but the amount of utility for the NSA. There are plenty of free services that are not on the PRISM list and I am sure even Apple employees would freely admit their pre-iCloud user numbers were disappointing. They would not have bothered to rebrand the service in the first place if they had a significant userbase.

Looking at the PRISM company list, we are talking data service companies with users in the tens of millions (minus the oddball Paltalk). Apple just wasn't in that group until recently.

I thought you were joking about the number plates thing, but it's true (and apparently legal) ...

http://thenextweb.com/apple/2011/10/27/mystery-solved-why-st...

This reminds me of a friend of mine who proxies all his web traffic through something which strips user agents and referrers. It's very easy for me to tell when he visits my website, because the logs show "-" for each of these fields.

That's really interesting. It sounds like an easy way to get targeted by the people who do want to track you, though. Still -- do you have any idea what he uses for that?
How does your friend do that? I'd be really interested in reading on how to setup a proxy like that.
Burp, fiddler maybe, webscarab maybe. Some kind of proxy with any sort of meaningful capabilities.
> It's very easy for me to tell when he visits my website

Simply drawing attention to the fact that his attempt at anonymity acts a key personal identifier in this instance.

>This reminds me of a friend of mine who proxies all his web traffic through something which strips user agents and referrers. It's very easy for me to tell when he visits my website, because the logs show "-" for each of these fields.

I wonder if the best strategy, then, is to figure out a very common user agent string and use that. The EFF's Panopticlick might be a good start: https://panopticlick.eff.org.

Steve Jobs went through a background check for a top-level security check in the 80s. I wonder if he ever received it?

http://www.wired.com/threatlevel/2012/06/steve-jobs-security...

I find it hard to believe that the NSA didn't see one of the most valuable and popular companies in the world as a priority until 2012. I bet they were salivating as soon as the first iPhone launched.

With a public record as a LSD user, I wonder how they could have justified giving him clearance.
I don't think that would effect his chances. All of our latest presidents have admitted or have been proven to do illegal drugs of some sort. Not to mention that the U.S. government has done some crazy things with drugs, especially LSD.

https://en.wikipedia.org/wiki/Project_MKULTRA

http://www.cracked.com/blog/five-fun-facts-about-the-cia-and...

As I understand it, getting a security clearance doesn't especially care about whether you've done anything illegal, it cares about:

1. Whether you're likely to voluntarily leak any secure information.

2. Whether someone who dug up some dirt on you could blackmail you into leaking secure information.

Or as the saying goes, it's fine to have a mistress, but having a mistress that your wife doesn't know about is a problem...

Having gone thru the sec clearance thing in the 90s, the third thing is if you have financial issues (like an expensive addiction with much income) and some foreign intelligence service can "help". So they're pretty interested in finances. Which wouldn't have been a problem for Jobs...
A friend in college wanted to be an FBI agent, so I got to hear alot about this.

I believed they polygraphed you about drug use, and I recall that they had a threshold number of "experimental" sessions with marijuana that were ok, as long as you disclosed them during the background check and polygraph.

The FBI still uses the polygraph? I would hope the FBI would be looking for the kind of people that know a polygraph is near worthless.
I remember an Australian talking about the various levels of clearance - confidential, secret negative (anything stand out in your history), secret positive (in-depth active examination of your history). He said that the process wasn't about finding dirt on you, it was about finding out if you had any dirt that could be leveraged against you. For example, if you were gay and being outed would be a problem, then that's leverage. If you didn't care and were clearly open about it, that's not leverage.
That harmonizes with my experience. I was interviewing for a "top secret" job with the US and spent some time studying the system and looking over the appeals rulings of the clearance process.

Generally, the key things were, "are you a crook? are you liable to be bribed/coerced?".

E.g. one chap was a transvestite, but the appeals court ruled that since his wife and minister knew, it wasn't something that could be leveraged against him.

If the record is public, then it actually provides a lot less leverage for blackmail than a history of secret use of LSD.
Then again, Apple was (and still is) huge on the mobile sector. As far as surveillance goes, I'd expect mobiles to be of high priority.
Why bother with a phone manufacturer when you can have access to all communications directly at the network provider? Much more convenient.
Possible but unlikely. Steve Jobs was very influencial within Apple. Jobs' opinion was almost certainly a strong factor. Apple had been a leading and popular mobile phone manufacturer for many years before 2012, why wouldn't the NSA be interested in them?
We don't know. We just went with the more plausible explanation, instead of jumping through hoops to avoid it.

Apple not being a priority for NSA until Oct 2012? Pfft.

Or it means even NSA knew that Apple has mostly sucked in data and web services.
Well if we're going to randomly speculate on such things, Scott Forstall resigned on October 29, 2012.
Is this just a function of the relative popularity of the services?
What amazes me is that among those corporations with revenues in the tens of billions of dollars, not one of them challenged the constitutionality of the decision in court. Not one, not once.

Not that it would be necessary in an obvious case like this, but each one of Microsoft/Skype, Google/Youtube, Apple and Facebook could easily have hired the nation's best and brightest one thousand lawyers at $1,000 an hour, full time for 10 years to defend privacy. It would have been well within their means. Yet, each of them chose to back down. Each of them chose to fail their users' trust.

I don't think its due to cowardice. If these organisations cared the slightest bit they would have acted to protect their users. Not in the wildest scenario would the US government have jailed the leaders of Apple, Google or Microsoft. My best guess is they got something in return.

For all we know, some of them may have challenged it but they cannot make those details public because they're not even allowed to admit the NSA requested such information to begin with.
Not in the wildest scenario would the US government have jailed the leaders of Apple, Google or Microsoft.

That may be naive. Most people have skeletons in their closets. The government would use these to pressure those leaders to acquiesce. I suspect the most dangerous skeletons are ones which seem harmless to you, but cast in the proper light they can be used as a justification for punishment. E.g. Something which seems harmless now can retroactively be used to claim you were doing insider trading. Few people would step up to defend you, even if the charges are baseless, because recently it's been fashionable to hate capitalists, and trading stocks is the epitome of capitalism. So it'd be very much "obey us or we will litigate you into bending your knee anyway."

Jobs was immune because he was the CEO equivalent of a rockstar. To try to pull baseless charges against him would outrage the public. Yet I'd imagine the public would get grim satisfaction out of seeing Ballmer punished, even if the charges were baseless, because most people don't like him. It's shallow, but it seems true.

I can see two sides to this.

On one hand, the CEO of Qwest was convicted of insider trading, and he claims it was retaliation by the NSA because Qwest would not participate in warrantless wiretapping.

On the other hand, the federal government had a perfect excuse to prosecute Steve Jobs in 2006 with the options backdating scandal, but chose not to. Those would not have been baseless charges--Apple really did backdate those options. The government just concluded that Jobs was not personally culpable.

Maybe they were using it as leverage.
Well, PRISM seems to have been created in '07. Plus Apple didn't matter very much in '06 -- not in the same way Google mattered. Apple didn't have much user data for the government to be interested in, because iPhone didn't launch till June '07.

That's actually a perfect example of leverage that the government would have used against a technology company to pressure them into doing the government's bidding.

I remain astonished that Martha Stewart was targeted, convicted, and jailed. I don't care either way if she did some thing wrong. I care about the unequal application of justice.

In contrast, I can't imagine anyone targeting Oprah. She'd destroy (PR-wise) anyone challenging her. Recall that beef lobby's attacks.

Jobs is like Silicon Valley's Oprah.

I agree - it's what I mean when I say that I think they got something in return for not fighting the FISA requests. Could be antitrust cases that were dropped, tax hikes that were cancelled or more personal matters.
Correction: Yahoo did fight, and lost. The details aren't all released, but here's a precis of what's public:

http://www.wired.com/threatlevel/2013/06/yahoo-failed-fisa-f...

It's possible that there's as-yet undisclosed legal action with some of the others; the secrecy around just about any proceeding in the FISC makes it very hard to tell.

I wondered the same thing. With secret courts and secret hearings, who knows who is fighting or not for our rights?
Fighting unconstitutional laws in the phony secret "court" set up by the same laws is not really fighting, is it? It's sort of accepting the terms.

Take the battle to the real courts and ask them to decide on the matter.

Unfortunately, those are real courts, their functions and jurisdictions have been established by the Congress.
If congress can redefine courts into what is basically an administrative panel, then the entire separation of powers can be short-circuited.

It's not a court just because congress says so.

That's the crux of the matter. The root cause is that half of Americans are okay with such courts.
> The judicial Power of the United States shall be vested in one supreme Court, and in such inferior Courts as the Congress may from time to time ordain and establish.

Congress certainly does have the 'say so' -- at least with 'inferior Courts'. That still leaves the Supreme Court though as final arbiter.

I'd like to agree with you. I believe there is a category of societal actions that constitutes a court of justice within the framework of a civil society; secrecy doesn't fall into that category.
Exactly how do you get standing to sue the government for something they are not doing with something that does not exist?
It's been my observation that revenue in the tens of billions of dollars doesn't enable a company to make bold, risky moves -- it hinders it. People become very risk-averse when there's a lot to lose. Many of these well established, high revenue companies can't even take the risks that are necessary to continue having revenue in the tens of billions of dollars, much less stand up to nation-states.
Well, how does one fight dictatorship in a court that is owned by dictatorship?
FISA give them the right to install real-time monitoring on premise.

That means if you fight, they put a server in your shop.

It was just not worth it until now. That's going to be the real legacy of the Snowden leaks.

Seems like "Think Different" was more real than "Don't be Evil". Even with all the Apple's closed ecosystem.

This reminds everyone to look at different angles when we criticize people/companies and understand that, even now, an individual makes a lot of difference.

"And can you just imagine how much more sales Apple would get now for not being on that list?"

Barely any change at all, I'd bet. And not worth the legal hassle they could have been up against if it came to a knock-down, drag-out battle with the US Government over <spins the dial>.

I can imagine that U.S. companies wouldn't do anything, but European companies would be much more motivated for transition. As we speak, the top managers in Europe do try to find an alternative and everybody likes the easy way out. At the moment, baring some other potential compromising evidence, Apple would be such a way was it not on the Prism slide. Transitioning to big the powerful non-compromised Apple would be probably valued as less pain than transitioning to your in-company-made Linux distribution.
not worth the legal hassle

That's not the Steve Jobs I read about. Like him or not, he was a man of principle.

He was also pragmatic enough to pick the right battles. That,s a prerequisite for success in any business.
Again, not the Steve Jobs I've read about.

Having your factory retool weeks before you launch an unproven product because you don't like the glass? Not very pragmatic.

I think pushing your suppliers hard to correct a serious flaw in a key product is pragmatic.
"serious flaw" == hyperbole
I think the lesson of Apple's recent success is that such things matter.
Principles must have come to him later in life because I'm sure his first daughter would have something to say about that.
Being principled does not necessarily mean they are principles you agree with!
I'd imagine for Steve Jobs...

everything is worth a fight.

(comment deleted)
"Microsoft is oblivious if it is not doing something to divorce itself from the NSA"

No John, unfortunately it is not really an option to move 57,000 employees and a headquarters out of the United States. That is what would need to be done. None of the people making statements for these large corporations are lying voluntarily.

I wonder how much pressure the NSA can and does exert on corporations that refuse to coöperate in this manner. And whether those on the list really had an actual choice in that manner. I guess a large government organisation has plenty of leverage if need be.
I think the FISA court order on Yahoo is a known example.
(comment deleted)
You mean would the NSA bring up the CEO of the company on random charges after he says no, put him in jail, and get someone more agreeable to run the company? They've done it before! Look up Qwest.
It's unfortunate that just when companies are considering bringing work on-shore again, that these reasons are starting to appear that encourage them to completely move their operations elsewhere. I am not sure where 'elsewhere' is at the moment though? Iceland?
Dvorak's article is a regurgitation of previous HN discussions on this topic.

I have said in the previous HN post and I will say it again here: don't pile on Microsoft alone. These spying policies make every US-based services company untrustworthy to whomever privacy is important. Come to think of it, I'm not sure whether you can rely on European services either because it seems that gov't surveillance is widespread.

On the other hand, maybe if we do pile on Microsoft, and stop using their products for this reason alone (even though Google, Apple and others are in the same boat), it will force them and their lobbyists to influence their gov't shills to put a stop to these programs.

Yea, remember that PRISM is designed to target foreign communications, so if you are an American, you might be actually safer.
I don't follow US news - is that what they're telling the voters?
I think it is documented even in the leaked slides.
That's kind of the same argument for European businesses and governments to not use Microsoft/American products. At least if they did it within EU, they would be accountable, and the laws prohibit most of it. But the US spying is unaccountable to Europeans, so they can do whatever they want.

The only proper answer to that is to stop using American products (at least until the US government can prove with extreme oversight from Europeans and Latin Americans and others, that they aren't abusing their spying power anymore).

Or they don't have to go to those lengths to intercept national communications ;)
That's bullshit.

The problem that people like you don't seem to understand is that online communications can be secure, unless the companies owning the servers themselves cooperate and companies have to cooperate if they have to do so by law.

It's only the US that has such a huge budget for spying on people's communications and the US is also part of a select handful of countries going to such great lengths to suppress the freedom of speech about it.

If I were to start a company in Romania (which is part of EU btw), the NSA can suck my dick as there's absolutely nothing they could do to make me cooperate and keep my mouth shut while doing it.

True, but I am talking about the practical risk based on what is known about the spying.
What really bothers me about this is not the actual spying - I always assumed that governments do engage in whatever spying they can get away with.

What really bothers me about this is that U.S. companies and individuals have to keep their interactions with the NSA a secret, while obeying whatever demands the NSA has, including the installing of back-doors.

Trust is a fragile thing and we rely on trust for conducting business and for living our lives. My trust in U.S.-based companies has been shaken. Even if the affected companies (such as Google, Microsoft, Apple) want to be trustworthy for their customers, they can be coerced by law to obey whatever the NSA demands and they must also keep it a secret, with absolutely no transparency - they aren't even allowed to say "yes, the NSA demanded some things and we unfortunately complied". Even worse, they can be coerced into making public statements that are full of lies.

I can no longer trust any U.S. based company again.

For example, right now I'm using Skype. But what if the Skype client has a backdoor allowing one to open and listen to my mike any time they want (it's a proprietary blob, we'll never know). What if this backdoor gets hacked and used by people that are not part of the U.S. government? So in spite of the best intentions of the people working on Skype and the NSA; even if I've got "nothing to hide", Skype is all of a sudden a security liability and nothing (short of an open-source client that I can compile and run) can prove otherwise, because Microsoft isn't allowed to be open about it. And I can no longer rely on the fragile trust I've had for Microsoft, because Microsoft can be coerced into being untrustworthy.

See how it goes? We'll see how this unfolds over the next years, however the damage done to U.S. companies will prove to be massive.

>however the damage done to U.S. companies will prove to be massive.

Will?

It probably already has, in lieu of current European rattling.

I don't expect that GOOG or MSFT will suffer any damage in short term. But in long term they have proved unreliable. This erodes confidence. And if it keeps eroding, it will eventually cause them to collapse.

I'll be doing my earnest to move away from any non-OS tool. And will advocate others to do so as well.

This is the most well reasoned argument i heard - and reflect my sentiments perfectly. Its not that i am too afraid the NSA can read my email or listen to my phone convo, but that they can coerce, "lawfully", the ISP/telco to do things against my wishes, and keep it secret from me.

These gag orders are the kind of things that creep into society and they are the first weapon against would-be activists that's perceived to be against the corporate interest (or the interest of the elite). It doesn't take much for chilling effect to set in. Fight it now, or it will be too late when it has the power to threaten the laymen.

What is the whole "people like you" bit?

He made a valid statement and didn't express much else of his opinions or state of mind.

Unfair to immediately lump somebody into a pre-judged bucket for a single statement.

That's the real bullshit here.

You're accidentally mixing PRISM with the most recent leaks that say Microsoft has given the NSA ways to bypass encryption methods and so forth.
It was merely claimed that PRISM was designed to target foreign communications.

That was entirely a lie. From day one their system has been targeting Americans. The proof is overwhelming at this point.

There's often a critical distinction between what gets claimed and what actually occurs in government. With a government that is so undeserving of trust, that's a very important distinction to keep in mind.

Let's boycott the hell out of Microsoft. They gleefully sold out their users to the NSA.
As long as you also "boycott the hell" out of:

Yahoo Google Facebook PalTalk YouTube Skype AOL Apple

Who have also been mentioned as complicit in this whole scandal.

Just to be fair :-)

By the way, I actually agree with you and have been slowly switching all my home stuff to linux and trying to get away from Google Dependence (although I type this in Chrome on a Win 8 laptop... damn work computer)

If you think a company has behaved badly, why are you under any obligation to be fair to them?

It might be extremely difficult to boycott every company involved, so why not choose one to make an example of? The idea that you must boycott all or none appears irrational.

A boycott is supposed to carry a sheen of justice, and this suggests at least a nod towards being fair.
It's as though you're being bullied by two people, and when you try to deal with one of them, you're accused of being unfair because you can't deal with both!

It sounds very much as though it was the bullies who decided what was "fair" in this instance.

The boycott request was a call to community action. You're reframing it as a single individual's struggle for survival, which isn't the same thing.
I see; you think it's right for the individual but wrong for a group.

Why? What changes?

I didn't say it was right, I said it was different and that your reframing wasn't appropriate.

What changes? For a start, the more people that are involved, the less each knows of the situation. A single individual being bullied is aware of each incidence and what it going on at all times. A group doesn't - witness mob justice as a clear counterpoint. A group is highly susceptible to hearsay and misdirection.

As for why it's unfair - if we expect the judicial system to be fair when it acts on our collective behalves, it is dissonant to not expect other group action to also be fair in how it's meted out.

So you don't think it's right for an individual?

I don't see why a group being "susceptible to hearsay and misdirection" is a good reason for their ire to be directed at more companies rather than just one.

I also don't see any reason why a group fighting against the injustices they can tackle, obliges them to take on the ones they can't.

EDIT: To take your example of the justice system - if I steal from someone, it would not be a valid defence to point out that other people had not been successfully convicted of stealing, therefore I should not be prosecuted.

You're an idiot if you can't see why this would be unreasonable.
What about ubuntu tracking/sending our info to Amazon? Which Linux distro would you recommend, that is easy to use, and not sell out it's users?
All areas of Ubuntu that report to Canonical/Amazon/etc can be disabled and/or uninstalled. I personally find this the optimal way from base install to get to a desktop I enjoy using but otherwise I would probably have a look at debian.
Mint seems to be popular. But honestly if you care about this sort of stuff you're going to have to get a bit technical, at which point you might as well use something really serious like OpenBSD.
As long as you also "boycott the hell" out of:

Yahoo Google Facebook PalTalk YouTube Skype AOL Apple

Done and done (including Microsoft) for well over a decade; I don't get this whole "can't be trusted anymore" thing. These companies could never be trusted, and never should have been.

May be best to focus all boycotting energy on one company, like was done for the Montgomery Bus Boycott.
I am already switching away from Google services and software because of this (and because they decided to drop XMPP from Hangouts)
Linux for all the things! That's the only viable solution
One wonders how tainted Linux is, if one considers systems including SELinux. Yes, I realise the point of SELinux is to make it more secure, but the association with the NSA (they created it) makes it very difficult to trust.
What can you possibly mean? It's open source i.e. code is available to anyone's inspection.
But who does inspect it, not me for sure. So, how safe actually is Linux? And how safe is any distribution?
The fact that it is available for everyone to inspect means it can be peer reviewed: http://en.wikipedia.org/wiki/Peer_review

That doesn't mean you're supposed to review it or that it is reviewed at all, but it is a requirement for the open source development model.

About the Linux kernel, see this example: http://kernelnewbies.org/UpstreamMerge

From Quality control section: "Some of the world's best developers will be going over your source code with a fine comb. This may be embarrassing for a few days or weeks, but in the end the code tends to work better and be more easily maintained. In some cases the upstream developers have made network and storage drivers 30% faster, making the hardware more attractive to customers."

It's definitely better then not open source, but still I'd love to know more about those "world's best" developers and who pays them.

Open source is the necessary but not the sufficient condition. It needs to be reviewed by independent people, otherwise the open source part is useless.

It's also safe to say that the NSA are not completely stupid. Any nefarious code would unlikely be completely obvious, even to top developers.
Putting aside the point that it's open source, most distributions don't ship it. Ubuntu / SuSE use AppArmor.

RedHat / Fedora ship with SELinux.

A couple of years ago at a Linux conference in Germany I had a discussion with a Microsoft employee at their booth. At that time I was a 'hardcore' linux user with no trust in Microsoft at all. The discussion with the employee went like this:

  Me: "Hello. Could you tell me what Microsoft is doing at this Linux conference? I honestly want to know that."
  Him: "We are here to show how our products can work well together with Linux related products."
  Me: "Why would I as a Linux user use Windows or any other product from you? We all know that you spy on me - at least indirectly."
  Him: "Oh no. You are misinformed. We have a lot of business customers with very sensitive data. Can you imagine what would happen to us if they found out that we spy on them? Business users are very sensitive in that area. We were screwed. And we do not spy on regular users as well. You may also know that this would be totally illegal according to German law."
  Me: "So you are saying that you do not spy on businesses or other kind of users of your products?"
  Him: "Yes! We were screwed otherwise!" *giggle*
He had a smile on his face for the whole discussion. Maybe because he had this discussion with those paranoid Linux users for the last couple of days of the conference. Paranoid!

Microsoft is so screwed guys.

Edit: I was not rude to this guy. We had a beer together later that day. I am sure he did not know anything about PRISM and was just doing his job.

To me seems you were just kinda rude to some guy that was getting paid to do his job.
To his job.. and lie?
A random Joe employee isn't going to know the details of a government backdoor (at least I'd hope so)
If companies can later claim that their employees statements weren't properly informed what is to stop companies making any claims they want via their lower level employees.
The company and those with the information can still be culpable but the salesperson on the frontline isn't to blame unless they have a clue. What they say is still said by the company and the company should still be liable for harm caused by any of the untruths told on their behalf because the company does know even if the individual does not.
Indeed the guy most certainly didn't know shit. On the other hand, rude or not, Lina turned out to be right and the MS-guy turned out to be ignorant of the type of company he was working for, as well as defending.

Additionally these so-called "paranoid" questions didn't came out of thin air either. 10-15 years ago I also was very distrusting of Microsoft and what they were doing (there was a lot of anti-trust going on ...). But somehow they starting doing a few things right, wrote some good software and OS in the mean time and they "regained my trust" to the point I'd speak out against senseless M$-bashing, and perceive it as something childish.

Well, that I am no longer going to do, lest I have to eat my words. That "trust" is completely gone, and I feel kind of foolish for believing it existed in the first place, "trust" is a kind of thing that happens between two persons, not between a person and a gigantic corporation. The latter is too volatile, there can be no build up or breakage, it's every moment again different, dependent on who is in charge and which individual personalities are involved in a decision. Rationally, one instant snapshot cannot make or break the trust of the next one.

I do feel kind of foolish. I'm typing this on Win7, planning to install Linux for a while now, but I had some crazy wild ideas for a dual-boot scenario in mind that I never got around to and everything just worked so there was no hurry.

Before next week I'll be back on Linux, maybe even sooner.

> to the point I'd speak out against senseless M$-bashing

Senseless bashing - including intentional miss-$pellings and holding one company (Microsoft) to different standards to others (Facebook, Google, Apple) is still childish.

However, not all bashing is senseless - Microsoft has a lot of explaining to do. Sure, so do Facebook, Google and Apple but that doesn't let MS off the hook. It makes the case for installing a Linux instead a lot stronger.

His job was to represent Microsoft, which involves answering questions (to the best of his ability given the access to information that he has). As long as the questions were not worded or spoken in an unnecessarily pointed/aggressive manner I really can't see any reason to call the question asker rude. "It confuses me to find you here, could you please explain so I can fill in the blanks in my knowledge about your company" seems a perfectly valid question to ask of a company representative, and raising a security concern for said rep to respond to is valid too.

You can't expect a show rep to know about anything like prism though - that information would have been "classified" and available only to those well above his pay grade.

well as far as he knew he was telling the truth, the whole truth and nothing but the truth so help him Steve Ballmer.
A couple of years ago some microsoft sales employee probably didnt know about any of this. Also he is talking about mostly self-hosted MS services and i doubt the NSA really has access to that. Also found your conversation style to be quite cocky.
Yep. If someone represents company X at a conference, then consider yourself lucky if they are actually an employee - never mind an informed employee with a high standing in the organisation.
Keep in mind this was in Germany and it doesn't read like native English. I.e. you're almost certainly reading a translation.
Actually im german myself and by reading the translation i immediatly realized it was someone from germany translating that ;) But its more about the general tone that comes across a bit rude..Anyway OP clarified so its fine!
I keep hearing this on HN and reddit, but I think this is a mainly an echo-chamber effect. I'd say its far more likely that the vast majority of people don't actually care or realise what was happening, or they do realise and still don't care. I'd be surprised if the NSA leaks have any noticable impact on Microsoft's revenue.
Pretty much. The truth is, unless your company serves Internet security careerists or people impassioned about Internet privacy, your customers do not care.

The company I work for has absolutely no intent of dropping Microsoft products in lieu of the NSA leaks, even with large amounts of sensitive customer data. I can't imagine many large companies would. It would require such a vast amount of work it's unfathomable to even imagine most companies considering it unless they were about to lose nearly all of their customers.

Caveat: customers do not care, at this stage in the game.

And serves them only. The other part is most corporations already have the feeling that the government is spying on them, and a public acknowledgement of the fact wont change their implementation details. Now, if you said "Microsoft is spying on you with your direct competition." that would make them sit up and take notice.
Actually people in Europe do care and I would expect something to happen as a result. I don't expect MS to go out of business, but it wouldn't surprise me if they lost certain key projects over the next decade.
The way I read your pseudo-transcript, I assumed the kind of spying you were talking about was MS spying on other businesses to the advantage of MS. I would imagine that's the kind of corporate espionage type spying the MS rep was talking about. PRISM is MS handing over data to external agencies, not MS spying on people themselves.
That is still to the advantage of MS - saving on legal costs of fighting those agencies like Yahoo did.
(comment deleted)
/me reads article.

/me checks byline.

Holy crap. Yeah, I remember when Dvorak was quite the Microsoft fanboi.

My how times change.

I think he wrote about the MS OS/2 2.0 fiasco, including the unethical "Microsoft Munchkins" attacks.
Any serious discussion of moving US businesses off Microsoft stalls when it reaches the "non technical" departments.

I put "non technical" in quotes because many of the people in HR, Accounting, Marketing, etc. are very tech-savvy. Marketing folks, for example, would love an all-Mac office setup, but they generally have to have Windows PCs for Powerpoint, Visio, and CRMs, to name a few. HR needs their IE6 in-house apps. Accounting can't even hire anybody who wants to try getting their work done on a Mac.

I realize I'm not even talking about Linux here; I think that just underscores my point.

Does anyone have a counterexample? Because I would pay top dollar for a Linux solution to these problems, but haven't seen anything worth buying.

Your problem isn't technical, it's financial. Moving away from Windows and Office means converting all the organisation's documents to another format, re-training users in the new OS and productivity suite, re-writing VBA scripts (which often doesn't work well).

Then you'd have to de-couple the entire organisation from Active Directory. And refactor (at best) or re-write (at worst) all custom in-house apps that rely on either Windows or Active Directory.

It's just too expensive.

>I realize I'm not even talking about Linux here; I think that just underscores my point.

I've seen about 10-20% Linux use and about 0% Mac use in industry (Finance - Buy and Sell side). YMMV.

Linux is incredibly popular because people claim (rightly or wrongly) that they can have a lower latency setup. R-Project is very popular with people because they can have engineers customise it in ways not possible with Mat Lab.

But at the end of the day it all falls back down to MS Excel.

Apple don't have any enterprise ready tools for managing a system of 50,000+ client PCs and 30,000+ servers. So they don't get a look in, save the few iPads that are just perks and never used for any work that I've noticed.

Uh, I might sound like a clichy old grumper but is this really any news since the 90's which is when Microsoft found the internet?

It's practically been the operative description of Microsoft for decades that they're interested in profits (and potential profits in certain circles disjoint from the end users), not the privacy or security of their users.

> Why We Can No Longer Trust Microsoft

LOL. Who was dumb enough to have ever trusted them?

To be honest I dont blame too much on Microsoft. Being a business they needed to survive. It is not like they have a choice and government could very well bring another antitrust trial. Microsoft refuse to play balls to US government at first and they were nearly spitted into 3 different companies. So like any big cooperation they have to pay money for lobbying to buy them safety.

And Microsoft is evil, I mean in Google's sense of evil and even Microsoft admit it.

But What about the one who claim them self do no evil and itself being so righteous. Joined Prism on 1/14/09?

And I would really love if the Movie could add bits on Prism agents coming in like some fucking retard, and Steve would tell him to Fk off.

NewsPaper and Media, intentionally or not trying to diversify the hate and focus on PRISM away from Government.

They are ultimately the one to be blamed.

I think it is time to rethink everything, Not just Microsoft. Cloud computing is at risk now too. From Amazon to Google Drive, Gmail, etc. Shared hosting is not even secure any longer. Our connections from our isp can be the source of their spying.

People want the ease of computing not secure computing. The polls show it. In the US everyone but the geeks are OK with the NSA. Sad.

The system is going to have to change to federated data. Email, Social media, everything. Appliances owned by the individual. Either located in the home or small server appliances "rented" at a colocation facility and every user's info on their appliance. Any warrants are served to the individual not the "processing" or interpreting host that parses the data in their UI or service. The host, whether Facebook, Google, Yahoo, Microsoft, etc would notify the requester that that info is on a server rented solely by the user and they have no standing to grant or honor the warrant as they are the wrong party.

Please note I use voice typing due to fine motor control and this comment may contain errors.

I agree, something like this needs to be done. It will take a lot of work. I think the free software/ open-source movement is robust enough that we can turn our attention to this. Copyleft and free software licenses are social hacks that work in tandem with the free software model. We perhaps need a social hack to underpin this federated data model.
(comment deleted)
Windows should be banned in all countries except America. Open source OS is the only way to go. I'm not saying Linux since it's not exactly the most non technical friendly OS for people requiring more than basic usage but windows definitely isn't the OS for the future and it needs to die.
(comment deleted)
unfortunately, the inertia is too big for any single organization to stop. If you have a business selling software, it would be borderline insane to not target windows as a platform. You may target others, but you _must_ target windows, or basically, get no business. If, or when your resources are limited, you only target windows.

So the problem is perpetuated - windows is the only platform that is basically guarenteed to have a market. So as a user of software, you'd stick to windows, and as a maker of software, you'd stick to making software for windows. Other platform is almost an afterthought. Unless web based software radically changes (i need to unzip a file - what web based software will do that for me?), this will not change.

If you upload a .zip file (don't know about the other formats) to Google Docs, it can access its content.

There are probably other services/tools, because technically, there's nothing stopping you from unzipping files in the cloud, or in web based software. It's just the matter of uploading something and then downloading the content after it's been unzipped on the remote server. So it's just more expensive in terms of network traffic.

The availability of the tools that do that, other than Google Docs, is another thing. Honestly wouldn't know, don't recall ever needing it before.

>Windows should be banned in all countries except America. Open source OS is the only way to go.

That is a very close minded way to look at things. Closed Source does not always = Evil and Opensource does not always = Secure. Competition and choices should always be sought for. Without competition, stagnation is as prevalent in open-source community as in closed source. I rather have the right to choose between a Mac, Windows or a Linux variant than someone making the choice for me.

So, after SElinux, another big push form NSA to open source community?
I'm a fan of Steve Jobs and Bill Gates, so it's sad to see when a company's founder steps down. I feel like the ambition and drive sometimes disappear...then bottom line and dividends matter over pride.
rely on Microsoft Office with any confidence

This seems to imply using Office, like in Word/Excel?, somehow poses a privacy risk. Is that true? And how exactly?

No longer? Like if there were not enough reasons not to trust them (or any other proprietary software vendor) before.
This reminds me of Ken Thompson's famous Turing Award paper from 1984. In that paper, he described a malicious compiler that added security holes to properly written C programs.

The real question isn't about whether you can trust Microsoft. It's can you even trust Intel?

"The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect."

http://cm.bell-labs.com/who/ken/trust.html

The more interesting discussion for me would be around which large IT players we actually can trust?
Microsoft, despite denials, appears to be in bed with the NSA. Apparently all encryption and other methods to keep documents and discussions private are bypassed and accessible by the NSA and whomever it is working with.

With that said, do you really want to buy a Microsoft product?

Notice the words appears and apparently. Until there is specific evidence to take those two words away from those sentences, hardly anything will change.

I don't think native MS apps running on a local machine are a risk, I imagine (with a little nieviety) that if MS apps/OS were phoning home on a regular basis with the content of ones documents - someone would have noticed and raised a flag (or did I miss it). Nor is exchange BCC a copy to the NSA - again someone would have noticed. Cloud services excluded.

PS. It's *buntu that spins my propeller.

PPS. I'd be interested in what RMS has to say, not just about MS in this case but the whole PRISM/NSA thing in general - he has been warning us.

>Nor is exchange BCC a copy to the NSA - again someone would have noticed.

True, but what about Windows Phone vs. Android (with Google's apps, not just a FOSS build like Replicant) vs. Apple? Which is the lesser evil for your privacy?

Ah yes, well - OK I'd be thinking, given recent history, Windows Phone would be high on my list of most likely to be evil, but in the back of my mind is always, its the carrier that holds the cards there. But u have a point I had not considered - the mobile arena. What one would you consider the lesser evil?
> Which is the lesser evil for your privacy?

Cyanogen.

With Google's apps? I've already mentioned Replicant (http://replicant.us/) in my original post. Replicant is a fully-FOSS Android distribution based on CyanogenMod.
Windows natively has several data collecting operations on any machine with Windows installed.

Each time you visting a page, IE sends the URL over to be "checked" by Microsoft.

Each update, a summery of all installed packages are collected and sent to Microsoft in order to "improve the experience".

WAT collects your hardware specification, including the serial number of your hard drive.

Each time you connect your operative system to the Internet, it calls home to a Microsoft server to check if the connect works. Its doubtful that they throw away the logs from this.

Microsoft can forceable push new executable code as updates, regardless if settings has turn of updates.

Microsoft word (and Outlook?) do also collect information, but it is supposed to be optional. I don't remember if its on by default, but I am rather sure it is.

Then we have semi-native application such as massager or skype. Both has messages being "scanned".

Some of the sources: https://office.microsoft.com/en-us/word-help/privacy-stateme..., http://redmondmag.com/articles/2010/07/01/what-does-microsof...

>Each time you visting a page, IE sends the URL over to be "checked" by Microsoft.

Huh? Are you talking about hashes being sent for malware check similar to the ones in Chrome or Firefox? If not its a serious privacy issue.

The ones you mentioned about Updates is also true for Chrome updates. [1]

>Microsoft can forceable push new executable code as updates, regardless if settings has turn of updates.

Any source on this?

>Microsoft word (and Outlook?) do also collect information.

With Office 365, this is more or less a reality.

>Then we have semi-native application such as massager or skype. Both has messages being "scanned".

Are you talking about URL scanning? So does FB, Gchat etc. Expect your messages to scanned or stored no matter what 3rd party service you use. Always use client-side encryption for secure communication.

The most important one you left out is SkyDrive. I remember installing it on my computer and then signing onto the web interface to find out I could even access files outside of my sync directory. Sure you can turn "off" the feature, but I promptly uninstalled it instead.

I don't trust Microsoft with privacy in the cloud but neither do I with any other 3rd party.

[1]https://www.google.com/intl/en-US/chrome/browser/privacy/

To be fair to SkyDrive, it does quite clearly ask you about that during installation. (At least, it did when I installed it recently.)
I might have clicked through it. I guess I am still paranoid since you can re-enable it on the web, its not a client controlled setting. Surely someone could take advantage, not just the NSA but even a hacker breaking into your Outlook.
(Sorry for the length, but its hard not to create very long question->answer replies in situations like this)

> Microsoft can forceable push new executable code as updates, regardless if settings has turn of updates. - Any source on this?

https://windowssecrets.com/top-story/microsoft-updates-windo... (its old yes, and was disputed as a "bug" by Microsoft. At the same time, no security expects has said that Microsoft did fix it. As such, I default to once burned, twice shy.).

>Each time you visting a page, IE sends the URL over to be "checked" by Microsoft. - Huh? Are you talking about hashes being sent for malware check

SmartScreen Filter and Suggested Sites (http://windows.microsoft.com/en-ca/internet-explorer/ie10-wi...). Both can be turned off, and I don't know what is default. My default assumption is that both is on (or checked in wizard) by default.

>Then we have semi-native application such as massager or skype. Both has messages being "scanned". - Are you talking about URL scanning? So does FB, Gchat etc.

The OP talked about native MS apps as being risk free. Just because FB and Gchat also do bad thing, doesn't make someone else applications less risky to use.

> Huh? Are you talking about hashes being sent for malware check similar to the ones in Chrome or Firefox? If not its a serious privacy issue.

Hashing the URLs won't give you any privacy, because the set of used URLs is public and relatively small. Also, I'm not aware of Firefox doing that, are you sure about it?

At IE and Chrome, sending that data is optional. It's neither opt-in nor opt-out. The browser makes a question at the first use, and you must select one option. IE's question is a bit biased toward a "opt-in or you'll get phished", but there is no reason to think that wording is malicious - one can even claim it's true.

Besides all that, MS sends all known vunerabilities of it's products to the NSA long before either publishing or fixing them. That's enough to give the NSA administrative priviledges on Windows machines.

But WHAT, exactly, can't we trust? I've seen NO technical detail to any of these discussions, yet there are a number of sub-systems that might be compromised:

- low-level crypto APIs (the 'DLLs' referred to obliquely in the article); these are more interesting. I imagine they could be compromised for weak session key generation or other leakage of key / plaintext, or generate the session key in such a way that the mythical 'NSAKEY' can decrypt it. Huge impact, if so, but only to certain software; AFAIK Mozilla doesn't use the Windows crypto API / certificate key store (but Chrome does).

- SSL certificate generation (built-in CA for Windows Server builds); certificates stored and replicated via Active Directory; does anyone actually use this? In fact, does anyone actually use client SSL? It is likely also used for domain peer replication, which could potentially be over an external network (but why would you not use a VPN there?)

- Encrypted File System; already contains an escrow key-recovery mechanism to allow administrators (including domain admins) to recover a lost user key. Only likely to be relevant if hard disk or backup images seized, so less impact.

- BitLocker drive encryption; similar to EFS but uses a hardware TPM and is per-machine rather than per-user. Fairly sure escrow key recovery at the domain level is possible here too. Again, only likely to be relevant if hardware or backups seized.

- Office document encryption; did anyone SERIOUSLY think this was worth using anyway? There are so many key recovery services out there for this (Elcomsoft et al)

- Communications applications (Skype et al); again, did anyone SERIOUSLY think this wasn't already being monitored, even before Skype became a Microsoft product?

- Some other OS-level 'phoning-home' behaviour. I simply don't believe that no-one has spotted this happening, if it's there - we can do traffic analysis too, and there are plenty of people running Wireshark on their own networks.

How do you know Wireshark isn't compromised? Further, MS does phone home all the time to check for updates and so on. If something extra was hidden in there would we know?
Build it from audited source?

As for updates, I imagine if you set up a domain you can run your own WSUS update server, MITM the connection, etc. - and then compare the behaviour with a "regular" home PC.

The problem really is how deep the hole goes - as per Ken Thompson "Reflections on Trusting Trust", 1984.

"So the first news I see regarding Microsoft today is that Ballmer refuses to talk about the company's wearable computing strategy. My first thought was, "This is its priority? Wearable computers? So it can spy on your day-to-day activities?" The next story I read was about how Microsoft is going to reshuffle the organization, which prompted me to wonder, "Re-org? Why? So it can put some intelligence agency folks in charge?""

Seems like Microsoft has a lot of issues to worry about. Doing a reorg when the company is struggling just to put an agency person in charge seems like a lot of work. Why not just put them in charge in a small internally announced move?

Trust or not, I'm still writing code today for the 95% of people that are running Windows and Office. The irony is that the code interfaces to PGP/GPG...
Actually, why nobody mention anything about Intel and Cisco? I would image it would be much more effective to build backdoor to network appliances if you want to spy someone.
True, but if the network traffic between you and, say Office 365, is encrypted, the NSA would need to decrypt that. It'd be so much easier if Microsoft just handed over the actual, unencrypted, files. I can easily imagine the NSA login screen for Microsoft's PRISM interface with a "Yes, I have a proper court order" checkbox under the password field.