106 comments

[ 2.8 ms ] story [ 175 ms ] thread
I can't imagine a scenario where this could be viewed as not infringing, yet I'm not holding my breath. Even if it were found to be infringing, I have little hope the NSA would stop dragnet-like behavior.

I keep hoping the water will get shut off to the datacenters across the valley.

The legal justification is that it is the same as police setting up a road block and reading license plate numbers as traffic flows by, or in the case of packet inspection actually doing "drunk driving" stops, which are legal.

Edit: I'm actually wrong here, I looked up the source I originally read this on and realized I misinterpreted it. It's only one possible answer, not the answer: there is no case law, it hasn't been tested yet.

It is more like taking photos of the contents of everyone's cars and then using a computer to look for weed.
(comment deleted)
Should put more pressure on the water company. Power too.
Has standing been granted? That's been a huge stumbling block for these cases in the past.
Yes it has.

A district court originally ruled that Jewel et al didn't have standing, but the 9th Circuit disagreed[1], ruling that the allegation was a concrete and particular injury that was easily traceable to the NSA's actions. This was also well before Snowden's revelations, which only added (significantly) more evidence to the EFF's case.

[1] http://cdn.ca9.uscourts.gov/datastore/opinions/2011/12/29/10...

I'd argue that the NSA needs to retain limited spying capabilities, but with very very strict control of how the data is used and stored. Dragnet surveillance is not acceptable or necessary.

It's the sharing of this information that should be dramatically limited. Other government agencies (at federal, state, and local levels) need to be prevented from actively spying on citizens. Corporations also need to be prevented from spying on citizens, they are just as bad and just as careless with data.

I'd love some discussion on this topic, please convince me I'm wrong.

Of course there needs to be more regulation on the long-term storage of this data (1-2 years max seems sufficient) and the sharing of this data (absolutely no sharing with other agencies unless it's a major threat to national security) and absolutely no sharing any access of these databases with foreign governments.

The NSA plays a critical role in keeping the country safe. It's becoming easier and easier for crazy, misguided, and foreign enemies to harm the nation and it's citizens, somebody has to protect us.

Other countries are not going to give up their NSA equivalents and eliminating the NSA would cripple US intelligence. Knowledge is power is especially true when dealing with the scale that governments deal with. The fact is that the US is one of the prime targets for terrorism, both independent and foreign nation sponsored.

I'd argue that this behavior is in violation of international law as well as the constitution.

http://gigaom.com/2014/07/16/un-human-rights-report-blows-ap...

Things have changed dramatically since the constitution was conceived. Nobody predicted the internet, WMDs (which could easily be smuggled into the country, they're not just movie fiction), and other nations having spying capabilities.

My main thought is that the US must stay ahead of other nations intelligence agencies. Other than protecting myself, my family, and the country I don't really have a good reason for this though.

> My main thought is that the US must stay ahead of other nations intelligence agencies.

The solution to this is to make surveillance hard for everybody. Pass laws and build technologies that make bulk surveillance not only prohibited but impractical regardless of third party lawlessness. The goal is not to thwart only the NSA, that barely accomplishes anything. You also have to thwart China, Russia, organized crime, malicious corporations, etc.

How does preventing the NSA from looking at traffic crossing an internet backbone serve to thwart China, Russia, organized crime, malicious corporations, etc.? If anything, I'd think it would give them an advantage.

(Note that I'm not saying that there shouldn't be limits on what the NSA can do, only that stopping other malicious actors isn't applicable in this case)

> How does preventing the NSA from looking at traffic crossing an internet backbone serve to thwart China, Russia, organized crime, malicious corporations, etc.?

Because it gets the NSA and its budget out of the "make security worse" business and puts them back full in the "make security better" business. Because if they aren't allowed to do it then they won't want anyone else to be able to do it either.

I'd argue that sorry state of internet security is almost entirely the result of bad coding practices/protocol design, and the private sector in general neither has the will to fix it nor wants the NSA to assist in fixing it. In fact, as it stands right now, NSA isn't even responsible for fixing public sector network security issues - what little responsibility the government takes for that largely falls on DHS and NIST. According to their web page[1], NSA is responsible for securing classified government networks. Killing off their intelligence component isn't going to make the internet safer for US citizens.

[1] http://www.nsa.gov/about/faqs/index.shtml

DUAL EC DRBG: No more of that.

Or as another example, consider what happens when the NSA discovers a security vulnerability in a common crypto library. If the NSA is allowed to use it for surveillance then they will do that instead of disclosing it, meanwhile the vulnerability persists in the wild just waiting for someone even worse to discover it. You can imagine the epic fail if the Chinese government got hold of Heartbleed six months before the OpenSSL maintainers.

There haven't been any actual concrete disclosures showing that DUAL EC DRBG was backdoored, just loads of conjecture. Maybe it was, maybe it wasn't - the same conjectures were put forth regarding the manipulated S-boxes in DES and it turned out twenty years later that the NSA was actually strengthening the algorithm, not weakening it. If DUAL EC was backdoored, it was a pretty pathetic attempt: it was hardly ever used (only 720 confirmed vulnerable servers out of a survey of 21.8 million[1]) and due to its slow speed there were recommendations not to use it long before Snowden came along. One year later and nothing in the Snowden cache has been leaked providing concrete proof showing a backdoor; I'm not holding my breath for it.

Regarding Heartbleed, the NSA denied having knowledge of the bug before its disclosure. There was a follow up post on the Whitehouse blog[2] that discussed some of the criteria the administration would use in determining whether or not the NSA should disclose a 0-day.

It sounds like you're wanting them to actively search for vulnerabilities in software they didn't write and might not even be used by their targets (the Chinese government could have taken advantage of Heartbleed, but I don't know how many Chinese government sites use OpenSSL). That's not what we currently fund them to do, and I get the impression that most American tech companies wouldn't want the NSA's help anyways.

[1] http://dualec.org/

[2] http://www.whitehouse.gov/blog/2014/04/28/heartbleed-underst...

If things have changed so drastically, then you should have no problem securing a constitutional amendment.
Things have changed dramatically since the constitution was conceived.

That's a truism, but oddly at least one Supreme Court Justice thinks that the US Constitution hasn't changed. See http://www.claremontmckenna.edu/salvatori/publications/RARSc... for some elaboration.

I personally think this is a perverse view, leading to weird contradictions like the "Third Party Doctrine".

Given the history of US intelligence agencies (COINTELPRO, SHAMROCK, etc), my main thought is that they're a bigger threat to me, my family and my country than just about anything else.

> Things have changed dramatically since the constitution was conceived.

If this is true, why aren't all the NSA apologists trying to promote a constitutional amendment? The drafters of the constitution knew that the original document wouldn't be sufficient for the changing needs in the future, and gave a very clear method to modify tour "highest law".

While I suspect I wouldn't agree with such an amendment, I would certainly give the argument for it a full hearing and debate. Given how mixed attitudes are, it's hard to predict how successful such a proposal would be in practice.

What I do know, for now, is that trying to subvert the constitution's guarantees in an attempt to skip the necessary amendment with "vigilante justice" is at a minimum a violation of some people's oath to defend the constitution. At worst, trying to subvert the constitution (and the guarantees it provides) might even qualify as sedition. Reality is probably somewhere between those points, of course.

Of course the NSA needs this ability -- as an agency whose recognized goal is having information, they of course will always need all information.

The question is whether we need the NSA, and whether we're willing to forfeit our rights and principles to provide them with all information.

Our "rights" were put in place before mass communications were available, long before the internet was conceived.

Presidents being shot. Planes flying into buildings. A nuclear weapon or any bomb being detonated inside of the country are all things that I do not want to happen. I don't know how to prevent these without SIGINT dominance.

If these events can be prevented without the chance of any human using the collected data for any other purpose and the data only being stored for a very short period of time, then I'd have to say I'm on the side of the NSA.

I think that corporations and law-enforcement agencies using intelligence and mass collection techniques are much more of a threat.

Yes, the sharing and data-retention of the NSA should be greatly limited and controlled and monitored in my opinion, but eliminating their ability to protect the country (their ultimate goal) might not be worth it.

Read up on the "base rate fallacy" (http://en.wikipedia.org/wiki/Base_rate_fallacy). Specifically example 3 from the Wikipedia page (http://en.wikipedia.org/wiki/Base_rate_fallacy#Example_3).

The result of the "base rate fallacy" in the context of the bulk data collection program is that the false positives will swamp the true positives in any general search results from the data-set.

Regarding Example #3, you investigate ~10,000 citizens and only ~100 are real terrorists, when we are talking about peoples lives, it's worth saving as many as possible in my opinion. There is also the fear aspect that is difficult to calculate. How does fear of a terrorist attack affect the economy?

Just look at the Ford Pinto. It was calculated that it would be cheaper to pay the families of victims than it was to fix the exploding gas tank.

> it's worth saving as many as possible in my opinion.

You don't mean this. If you did, you would support mandatory exercise regimens and diet monitoring, and aggressive eugenics programs that include mandatory sterilization of folks at very high risk for nonviable offspring.

> [Pinto anecdote]

The facts seem to disagree with you. Read page eight (listed as page 1020 in the text) of this PDF: http://www.pointoflaw.com/articles/The_Myth_of_the_Ford_Pint...

> "You don't mean this. If you did, you would support mandatory exercise regimens and diet monitoring, and aggressive eugenics programs that include mandatory sterilization of folks at very high risk for nonviable offspring."

You can't compare dying in a terrorist attack to the personal choice of not exercising or eating unhealthy.

On page 1037 of the Schwartz Paper you linked to it stated that the California Supreme Court's opinion was that it actually encouraged auto manufacturers to consider the safety trade-offs in the sake of cost. I fundamentally disagree with this.

I personally think that consumer responsibility to research every safety aspect of every product they purchase is bullshit. There should be no corners cut when it comes to safety and if there are then it should be made known to the customer before purchasing the product.

The majority of people and decision makers disagree with me, but that's the great thing about this country and the internet, freedom to disagree and participate in open discussion.

> You can't compare dying in a terrorist attack to the personal choice of not exercising or eating unhealthy.

Indeed - after all, the risk from a terrorist attack is so many orders of magnitude less likely we can often ignore it completely. It's noise, and deserves little special preparation.

On the other hand, heart disease and other diet related problems are one of the largest risks faced.

It's not about the largest risk, it's about personal freedoms and choice.

I should have the choice to decide whether or not I am unhealthy, it doesn't affect anyone but myself (and my family if they are dependent on me).

The government should not have the choice on whether or not to protect citizens, that's their job, citizens are depending on them to perform that action.

While I know people would be healthier and "better off" by eating healthy, I have no right to force people to eat a certain way.

If I want to smoke cigarettes, drink alcohol, or smoke marijuana, that should be my choice, not yours to make for me, as long as it doesn't affect you.

If I want to ask the government or a company to delete all information they have about me, I should have the right to do that, just my opinion of course.

You can not say both this:

> The government should not have the choice on whether or not to protect citizens, that's their job, citizens are depending on them to perform that action.

And this:

> If I want to smoke cigarettes, drink alcohol, or smoke marijuana, that should be my choice, not yours to make for me, as long as it doesn't affect you.

Sorry, let me clarify, the government has the responsibility to protect me from things that I have no control over, like a foreign invasion, terrorist attacks, and other citizens (and government agencies) obstructing my rights.

Makes perfect sense to me, do you still think that they are mutually exclusive statements?

If it's about decreasing the chances of dying because of the actions of someone else at all costs (economic, personal, etc) - then the first thing the government should do is ban cars for the vast swathes of the population that don't strictly require a car (i.e. live next to a big city). That's 40'000 easily avoidable deaths each year - all they take is some inconvenience from everyone and a bit of investment in public transport infrastructure, in exchange for a dozen 9/11's worth of terrorism avoided every single year. As a bonus, the US's oil consumption would plummet and it would almost instantly achieve any environmental targets it can dream of.

What's that - you still want the freedom to drive? Even though it involves a fairly significant (0.01%) risk of dying because of things not under your control? Well, some people want the freedom to not be monitored all the time, even though it involves a much smaller than 0.01% risk of dying because of a terrorist attack. And all people should, and would, if terrorism didn't capture the imagination so vividly.

If we can get the US government to divert 75% of the money spent towards terrorism prevention towards autonomous vehicle research and electric vehicle subsidizing, then let's do it.

Maybe you're right, maybe we're both partially correct, it's a complicated issue and I do appreciate the discussion.

It's a cost/benefit analysis, though. The benefits are miniscule: you protect fewer people than die every year due to drunk driving or many other causes, and at a cost that harms us all.
What if I want the freedom to communicate privately? Ok, we'll only spy on the terrorists. But how do we know you're not a terrorist? We'll have to read your email before determining whether we can read your email or not...
> While I know people would be healthier and "better off" by eating healthy, I have no right to force people to eat a certain way.

You also have no right to go through their private communications unless you have a direct probable cause. (IANAL, the exact terms are probably different, but you get the idea)

> You can't compare dying in a terrorist attack to the personal choice of not exercising or eating unhealthy.

Except that the chances of each occurring are wildly different.

Chance of dying from terrorist attack in the US from 2007 to 2011: 1 in 20 million [1].

Chance of dying from choking from inhalation and ingestion of food: 1 in 3,649 [2].

20,000,000 / 3,649 => 5,480.

You are five thousand eight hundred forty times more likely to die from choking on your breakfast/lunch/dinner than to die from a terrorist attack. The difference is so extreme that you'd be better off ignoring the terrorist attack threat and instead installing a feeding tube so you no longer need to chew and swallow your food. You'd statistically live longer that way than worrying about protecting yourself from terrorist threats.

[1]http://swampland.time.com/2013/05/06/chances-of-dying-in-a-t...

[2] http://www.nsc.org/news_resources/injury_and_death_statistic... linked from here: http://www.nsc.org/news_resources/injury_and_death_statistic...

More people get wrongfully killed every year by police officers than they do by terrorists. Why not deal with the low hanging fruit first?
(comment deleted)
That's a rather simplistic model. What happens when a non-terrorist is scanned twice? Does he have the same 1% probability of being a false positive (e.g.: false positive due to limitations of the camera, direction he's facing, atmospheric conditions, etc.) or 100% chance of being a false positive every time? (e.g.: he looks identical to one of the terrorists) The problem as stated suggests that there's an equal chance of being a false positive every time. In that case, the simple solution would be to place cameras at regular intervals - when an alarm goes off, wait a minute or two. If an alarm for an adjacent camera goes off, compare the two photos and see if it's the same guy. You've now significantly reduced both your false positive rate and false negative rate.

One of the thing that always bugs me is that whenever privacy/security issues come up is that everyone seems to assume that the authorities are naturally going to gravitate to the least efficient, most invasive means of carrying out their job, simultaneously implying that it's preferable to have (in this example) 100 terrorist operating amongst us and not do anything than to put our heads together and propose an intelligent solution.

> One of the thing that always bugs me is that whenever privacy/security issues come up is that everyone seems to assume that the authorities are naturally going to gravitate to the least efficient, most invasive means of carrying out their job,

Have you flown in the past 10 years? Shuffling through TSA checkpoints in my socks makes me feel like authorities do gravitate to stupid measures.

In all fairness, that was in direct response to some idiot getting on a plane with a shoe bomb.

I don't think it's necessary, but if they didn't require that then people would be blaming them for not taking enough action.

The times I've flown it hasn't been too much of a hassle, though I suppose it's highly dependent on the airports you pass through and whether or not it's an international flight coming into the US.

I was thinking more along the lines of things like speed cameras - they capture more speeding violations, don't discriminate based on race/gender/whether or not you're driving an expensive car/etc., and they note only the fact that the driver violated the speed limit. The driver gets a fine in the mail shortly after. It improves on the model where the police only pull over a fraction of violators, and you spend 15 minutes waiting, subject to intimidation, further questioning by the officer, the officer gets to glance in your windows to see if there's anything else that violates the law, and in the end you still get a fine. Yet, almost everyone I've talked to about speed cameras hates them and sees them as invasive, sometimes going so far as calling them Orwellian.

I agree about the TSA checkpoints, though. There are plenty of examples on both sides of the arguments. My point is that the general assumption seems to gravitate to "they'll implement it stupidly, so they shouldn't have that capability at all". It's not necessarily a binary choice between no security and stupid implementation.

> and they note only the fact that the _vehicle_ violated the speed limit. The _vehicle's owner_ gets a fine in the mail shortly after.

There, fixed that for you. Now, I'll admit, a large part of the time the owner is also the driver, but with speed cameras it is not the "driver" who receives the fine, but the _owner of the vehicle_.

The one difference with "speed cameras" and the NSA's data mining is that measurement of the rate of travel of a vehicle (assuming a properly calibrated and non-malfunctioning speed measurement device) is so close to 100% accurate as to be considered 100% accurate.

No "connect the dots, infer here, infer there" data mining in the NSA's dataset will ever be even within several orders of magnitude of accurate as compared to a properly functioning, properly calibrated, speed measurement device.

And that underlying, non zero, error rate is what triggers the base rate fallacy issue in statistical analysis. When an occurrence of X is extremely rare in a very large population without X, then the test for X has to be impossibly accurate for the results to not be swamped by false positives. And this is a completely counter intuitive result, which is why it is so often overlooked.

Pertinent quote from the Shiner article at https://www.schneier.com/blog/archives/2006/03/data_mining_f...:

"Let's look at some numbers. We'll be optimistic. We'll assume the system has a 1 in 100 false positive rate (99% accurate), and a 1 in 1,000 false negative rate (99.9% accurate).

Assume one trillion possible indicators to sift through: that's about ten events -- e-mails, phone calls, purchases, web surfings, whatever -- per person in the U.S. per day. Also assume that 10 of them are actually terrorists plotting.

This unrealistically-accurate system will generate one billion false alarms for every real terrorist plot it uncovers. Every day of every year, the police will have to investigate 27 million potential plots in order to find the one real terrorist plot per month. Raise that false-positive accuracy to an absurd 99.9999% and you're still chasing 2,750 false alarms per day -- but that will inevitably raise your false negatives, and you're going to miss some of those ten real plots.

This isn't anything new. In statistics, it's called the "base rate fallacy," and it applies in other domains as well. For example, even highly accurate medical tests are useless as diagnostic tools if the incidence of the disease is rare in the general population. Terrorist attacks are also rare, any "test" is going to result in an endless stream of false alarms."

> There, fixed that for you. Now, I'll admit, a large part of the time the owner is also the driver, but with speed cameras it is not the "driver" who receives the fine, but the _owner of the vehicle_.

Exactly as it should be. It's your responsibility as a vehicle owner to not let bad drivers use your vehicle.

RE base rate fallacy - true, but I guess that's why they want even more data. A single test may swamp you with false positives, but positive results from many different sources can correlate into useful info.

> It's your responsibility as a vehicle owner to not let bad drivers use your vehicle.

I read the fine print in everything that I sign. I never noticed any such language in either the state driving regulations, or the restrictions imposed by my automobile insurer. I did notice obligations to operate one's vehicle in a safe and prudent manner at all times.

Schneier is making the exact same mistake in that article that I pointed out in the Wikipedia article - he is propping up an overly simplistic hypothetical system with a given error rate, then stating that the authorities have to waste their time investigating every single instance without applying any further filtering. I don't know where Schneier is getting his numbers from, as there is significantly less than 1 billion people in the US at any given point in time, and no one in the FBI is going to advocate for using a system that requires them to investigate nearly one tenth of the U.S. population every day.

This also doesn't match with real-world numbers that we know on the NSA metadata program. Schneier was saying immediately after 9/11, the FBI was getting thousands of tips per month, which may very well have been the case back then. But the Presidential Review Group report stated that in 2012 a total of 12 tips were passed to the FBI[1]. To me, that indicates that they've become much better at getting rid false positives.

Schneier's hypothetical program also isn't analogous because it starts by scanning everyone to determine if one is or is not a terrorist, but the actual NSA metadata program (according to Review Group, same article cited above) starts out by examining people the NSA has already identified as terrorists through other means - the controversy isn't in the accuracy rate, it's in the method of collection.

[1] http://www.huffingtonpost.com/geoffrey-r-stone/nsa-meta-data...

Are you trying to imply that's an unreasonable assumption?
Realize that one screwed up person with a gun and opportunity could action the first scenario. Pilots licenses are more of a matter of cost than ideology, and private planes aren’t subject to many of the security measures commercial airliners are. And the only group of people in the history of the world who have used a nuclear weapon to harm innocent civilians was the united states government.

Chaotic events happen. People are terrified of them but having billions of dollars worth of surveillance state does not reduce the risk one iota.

> If these events can be prevented without the chance of any human using the collected data for any other purpose and the data only being stored for a very short period of time, then I'd have to say I'm on the side of the NSA.

This simply can't/won't happen. Human nature dictates that this data can't be held and dealt with responsibly.

upvoted, because your opinion does not deserve to be grayed out like that just because of disagreement.

But I do disagree.

Do not assume mass surveillance can happen "without the chance of any human using the collected data for any other purpose". That's fairy tales. Look up "Loveint",think about everyone you ever dated and their exes. Commercial use is not unheard of, either. Even if - if! - nothing much darker goes on yet, what would stop corruption in the future? That's a much greater threat than terrorism.

> Presidents being shot. Planes flying into buildings. A nuclear weapon or any bomb being detonated inside of the country are all things that I do not want to happen. I don't know how to prevent these without SIGINT dominance.

I don't think they can be prevented with "SIGINT dominance" either.

But more importantly, to me: the idea of consitutional and human rights is that it was agreed, roughtly, that "these things are required to live a dignified, free life". Not literally, but I do think that is the rough idea. So taking away from that is akin to killing everybody. It's not even burning the village to save the village, it's burning the whole village to save a tiny part of it.

In a follow-upp comment you said "when we are talking about peoples lives, it's worth saving as many as possible in my opinion" and I agree. For example, stop mass surveillance, stop selling weapons like candy, persecute war criminals (I mean the ones having a ball and getting invited to gala dinners on home soil, not the ones around the globe in areas of geostrategic interest), that sort of stuff. Otherwise, I'll stick with believing a lot of "security" stuff is just lip service, a way to transfer tax payer money into private pockets without achieving anything other than more control of the domestic population. I'm not talking about cogs in the machine, mind you, but the machine itself. I don't doubt many people in the NSA or elsewhere have good intentions, I just think that's worth very little in the bigger scheme of things.

I'm curious as to what the EFF would propose as an alternative that both allows the NSA to conduct legitimate intelligence operations on the internet and provide acceptable privacy protections. I look at that diagram attached to the article with the two giant filters, the first of which says "filtering aimed at eliminating fully domestic transactions", but they consider it unconstitutional right from the beginning before it even hits the first filter. It strikes me as akin to giving someone a task like "implement grep, but don't read any lines from stdin which don't contain your search term."
If your goal is to stop engaging in domestic bulk surveillance, it's a pretty simple first step that you shouldn't be looking at any domestic bulk traffic that never crosses the national border. You don't have to look at the content of traffic to determine its geographical location.
That's perfectly fine, but this case is built on testimony from Mark Klein concerning Room 641A, which is right on the coastline (it's in San Francisco). That seems to me to likely be an ideal place to capture international traffic.
Well, I would argue the ideal place to capture international traffic would be... internationally. It's pretty hard to capture traffic between Iran and Pakistan from a room in California.

But you're just avoiding the issue. The fact that there is an international peering point in San Francisco is no excuse for them to be capturing traffic between San Francisco and Houston or New York.

Yeah, it'd pretty hard to capture traffic between Iran and Pakistan, but not, say, Russia and Venezuela. The US is a huge hub for traffic transiting the globe, and the risks associated with setting up a foreign collections facility don't apply to a domestic facility.

How am I avoiding the issue? I have absolutely no problem with the NSA intercepting foreign traffic - that's their job. The EFF page shows them filtering out domestic traffic in their diagram, and Mark Klein's testimony, on which the EFF is building their Jewel v. NSA case, doesn't actually demonstrate any interception of US traffic.

You're avoiding the issue by talking about what Mark Klein revealed and ignoring what Edward Snowden revealed. The NSA is not capturing only traffic between Russia and Venezuela or only traffic that crosses a national border. They are sitting on the links into Google's data centers. Google is a domestic entity. So either they're sitting on a link and then filtering out 100% of the traffic (which is preposterous) or they're sitting on a link where 100% of the traffic goes to and from a domestic entity and not filtering it out.
What Mark Klein revealed is the backbone for the case - the plaintiffs in Jewel v. NSA are claiming that they have standing because they are AT&T customers. Here is their argument[1]:

"First, the government unconstitutionally seizes plaintiffs’ Internet communications. Technology at plaintiffs’ Internet service provider, AT&T, automatically creates and delivers to the government a copy of plaintiffs’ online activities, along with those of millions of other innocent Americans—including email, live chat, reading and interacting with websites, Internet searching, and social networking.

Second, the government unconstitutionally searches the content of much of the communications stream it has seized. The government admits that it searches the content of the online communications that it has seized if it believes there is some indication that the origin or destination of the communication is outside the United States."

As I scroll through the statement of facts, I see Mark Klein's testimony, the PCLOB 702 report and Barton Gellman's article from earlier this month cited. Klein's testimony is key to this case because that's how the EFF is establishing that the plaintiffs have standing.

> The NSA is not capturing only traffic between Russia and Venezuela or only traffic that crosses a national border.

The EFF itself is saying right in their article and court filing[2] that the NSA is discarding purely domestic traffic.

> They are sitting on the links into Google's data centers. Google is a domestic entity. So either they're sitting on a link and then filtering out 100% of the traffic (which is preposterous) or they're sitting on a link where 100% of the traffic goes to and from a domestic entity and not filtering it out.

There is absolutely no evidence of this. I assume you're making a reference to the Barton Gellman's MUSCULAR reporting[3], which claimed that the NSA was making use of GCHQ's tapping of international fiber to scan Google's unencrypted international communications for their targets.

[1] https://www.eff.org/document/plaintiffs-jewel-knutzen-and-wa... (see page 7)

[2] Same as above, page 10

[3] http://www.washingtonpost.com/blogs/the-switch/wp/2013/11/04...

There's no doubt that most supposed constitutional rights make law enforcement and public defense more difficult. The idea is that it doesn't matter, because these rights are more important than the alternative.
I'm going to disagree at a tangent: the NSA cannot conduct legitimate surveillance. We shouldn't have an NSA.

First, we don't even know what the contents of the executive order (!!!) that created the NSA are. Their very basis may be illegitimate.

Second, evidence says that the complete secrecy they demand just grows like weeds until it encompasses everything. Then, the follow-on paranoia about the secrecy means they can't use the information they've got. I'll offer the DEA's "parallel construction" as support here.

The NSA, as currently based and constituted, is utterly useless. It only supports a very rigid power structure in doing things that power structure shouldn't do in the first place.

> "The fact is that the US is one of the prime targets for terrorism, both independent and foreign nation sponsored."

Might be worth working at not doing things that make one a prime target instead. This would be a better investment from what I can see. Just look at the growth of ISIS in Iraq. Our governments seem to create more enemies with every attempt to quash them.

I do agree that targeted killings are doing more harm than good.

There are interviews with special operations soldiers saying that they would receive a kill list, they would work their way down the list, then the next month the new kill list would be much longer.

If you raid a house, kill the father/brother/uncle and maybe have some collateral damage, it doesn't matter whether or not that person was against America, you've converted several people in that family and community against America because we just became the terrorists.

America not being a popular target for terrorism is a much more difficult problem to solve. People are crazy, ignorance combined with religion leads to misguided people, even jealousy is a factor. Foreign nations will do almost anything to increase the wealth of their country, that would be very difficult to prevent.

The fact is that the US is one of the prime targets for terrorism, both independent and foreign nation sponsored.

Is that truly an established fact? And if so, why not figure out why (as suggested by another comment) instead of simply retaliating?

This map sums it up. The US scored 3-5 on the terrorism scale that goes up to :: 191 ::.

http://www.nesec.org/images/haz_globe2001.jpg

Interesting. What is the unit of measurement, and is it normalized for population?
If you eliminated the NSA, what do you think our terrorism score would be? Higher, or lower?

That number probably directly relates to deaths caused by terrorism.

"When you do things right, people won't be sure you've done anything at all."

What about all the other branches of government that have brought loads of known (and who knows how much unknown) blowback?
> "When you do things right, people won't be sure you've done anything at all."

So what's stopping the NSA from claiming they prevent alien invasions on a daily basis? After all, it's classified, so how would you know either way?

I too think there might be some compromise possible along these lines. The most troubling thing to me about the current situation is that the NSA often gives tips to the FBI and other domestic law enforcement agencies. There needs to be an absolute barrier here, so the NSA shares nothing short of clear evidence of an imminent terrorist plot threatening at least dozens of lives. Anything smaller than that is not a matter of national security.

Unfortunately, such a compromise might be difficult to enforce. Parallel construction[0] can be used to hide the original reason someone came under suspicion.

So I don't know. But I think it's worth thinking about.

[0] http://en.wikipedia.org/wiki/Parallel_construction

That was exactly what was happening before 9/11 and the Patriot Act.

Other agencies argued that they couldn't properly do their job because they didn't have access to the information the NSA collected.

I think it should go back the way it was. Only filtered data that is critical to national security should leave the NSA. There should be public reports and committees to ensure that is happening.

The Patriot Act pretty much says, "here is access to everything, you can even share it with other nations".

If you go back to the original Reuters article[1] (first link from your Wikipedia aritcle), there's a few nuances that most people bringing up parallel construction don't point out:

(emphasis mine)

"...Today, the SOD offers at least three services to federal, state and local law enforcement agents: coordinating international investigations such as the Bout case; distributing tips from overseas NSA intercepts, informants, foreign law enforcement partners and domestic wiretaps; and circulating tips from a massive database known as DICE. ...

...Wiretap tips forwarded by the SOD usually come from foreign governments, U.S. intelligence agencies or court-authorized domestic phone recordings. Because warrantless eavesdropping on Americans is illegal, tips from intelligence agencies are generally not forwarded to the SOD until a caller's citizenship can be verified, according to one senior law enforcement official and one former U.S. military intelligence analyst."

[1] http://www.reuters.com/article/2013/08/05/us-dea-sod-idUSBRE...

I think we should all look at the example of Mohammad Ali's appeals to the Supreme Court regarding charges of dodging the draft. In a documentary about Ali, I recall the one of the supreme court justice's clerks going back through the record, and it turned out the Ali's beliefs (being a member of the Nation of Islam) did qualify him as a conscious objector much like the Seventh Day Adventists. Before this point the courts has ruled the N.o.I. didn't deserve the same treatment for its members. Ruling for Ali posed a large problem for the Supreme Court, if they ruled in a way that set a large precedent that many people could claim they were objectors the country would have huge problems feeding the established "war machine" (the draft). So the justices went back through the record and found a technicality, as such they found a way Ali wouldn't be found guilty of dodging the draft due to a procedural error. See http://en.wikipedia.org/wiki/Clay_v._United_States for all the details.

I expect if the court comes to review the facts in this matter they will either be impeded in succeeding due to national security concerns or find a way to decide for the plaintiffs in the smallest possible way to not upset the established order. Very rarely are judicial decisions groundbreaking in precedent. They are more like the tree trimmers of legislation and executive privilege, they typically only trim branches not cut down entire trunks as this ruling would possibly do for Internet surveillance.

So this the world we live in, encrypt your life.

> encrypt your life

Absolutely. The problem is: communication is a "network good", you don't do it alone. How do you want the "Facebook people" to understand the gravity of the situation? We all do communicate with Facebook people.

Perhaps the situation isn't grave. After all, despite EFF's best efforts, NSA is no more than a casual meme among all the Facebook people.
I genuinely do not understand conversations where people talk about the evils of mass government surveillance and then accept the evils of mass corporate surveillance.

GCHQ supposedly operates under UK law and needs warrants to search their huge databases and operates under the oversight of elected representatives. While that's unacceptable it's more regulated than the chaos of corporate data misuse.

I'm much more worried about governments because of the potential synergy of mass surveillance with their other powers.
GCHQ routinely violates law and lies to its oversight committee, MPs, ministers and Parliament about it. Please do not hold them up as a paragon. Even after Snowden, ministers are not even aware of what JTRIG is, and GCHQ will not comment on intelligence matters even to them.

They are a prime example of an agency gone rogue, and their efforts for mass surveillance and against encryption are not a new thing - ask Brian Gladman.

Do you have any examples of the routine viation of law or lies ro oversight committees?

Which laws do you think GCHQ have broken?

Normally when I ask people this they mention things like RIPA, but fail to notice the excemptions in RIPA for a bunch of GCHQ activity.

Here's what IOCCO say: http://www.iocco-uk.info/

Because mass surveillance by a group that can use violence and deprivation of liberty to enforce its will is a lot scarier than mass surveillance by a group who can't.

Its not that people accept one and not the other, its that one is much more serious, and is impossible to opt out of.

Companies have done all of this in the past read up about the pinkertons and the blacklists run by companies in the USA and elsewhere.
But then again Facebook won't send men in blue full body armour and automatic weapons after you. Agreed that government can get to the corporate data through few hoops, but it feels safer to share with a corporation than with organizations allowed to inflict violence on people.
Nailed it. That put words to a feeling I was searching for. Government collection supposes everyone is or will be a criminal, while corporate collection is less offensive on the surface.

They may want to mine my data to display the appropriate Target ad to me, but that feels a lot more benign than surveillance purely for the sake of possibly removing my freedoms.

Once Facebook has your info, federal, state, and local governments can get it just by asking. They're not really separate anymore.
You're neglecting a critical little detail: Once Facebook has your data, there's (currently) nothing you can do to stop them from subsequently electing, or being forced, to hand it over to someone whose use-case is, let's say, "less benign" than mere ad targeting.
You do know that in the past American companies used private armed police who where not averse to extra judicial killings.
Yes, I am aware of that. I was trying to make a point about interacting with Web companies in first world countries in current sociopolitical climate, not about corporations around the world in all history in general.
Perhaps it feels that way because your farmland is not being poisoned by cocacola giving you industrial waste and calling it fertiliser; or because your children are not being killed by Nestlé miss-selling formula; or because your family is not being tortured and murdered by Shell Oil and the like. Perhaps you don't know anyone who died at Bhopal?

This is a tiny fraction of the fucking scary things that big companies do today.

CocaCola- http://news.bbc.co.uk/1/hi/world/south_asia/3096893.stm

Nestlé- http://www.babymilkaction.org/nestlefree

Shell torturing and murdering campaigners- http://news.bbc.co.uk/1/hi/world/africa/8090493.stm

Bhopal- https://en.wikipedia.org/wiki/Bhopal_disaster

You're right of course. It feels that way because of a. companies we're talking about, b. fact that I live in the so-called first world. I probably haven't made that explicit enough, thus making the comment sound much more general than it was supposed to be.

To restate: being a Facebook user in Europe feels safer than government surveillance. Dealing with Nestlé or Coca Cola in poor countries - obviously not so much.

Also thanks for the other two examples, haven't heard about them before.

That's because Facebook is still young, and hasn't finished their Company Town yet.

/the little plot of employee housing in Menlo Park is not what I'm referring to - company towns are usually a financial trap

Probably because a lot of HN commentators jobs/employers rely on weak privacy laws to make their business model's work.
Facebook can't forcefully imprison me so there's that
I can control what a corporation knows about me and they can't throw me in jail.

I'd say its a weeeeee bit of a difference. Admittedly, the average person may not be able to do the first part...so its probably something that should be reduced and legislated.

I agree (while not supporting GCHQ here).

We have lost what we used to think of as privacy. We need to find a new model for managing data / information. IP law is not really upto it but at least has a fairly coherent model.

But yes, government is evil, capitalism is nice does not wash.

One of the points that I hope will be fully put to the sword is the tortured definition that the NSA & Govt. uses of spying. That argument is phrased approximately as: We are making limited digital copies of stuff (-possibly all internet traffic) that is stored in encrypted form and not actually "reading" it. It is only accessed in a much more limited & narrow context for investigations using "minimization" techniques that respect the fourth amendment. So we are not really spying in an unconstitutional manner...

This is almost sure to come up if the case proceeds without being torpedoed by the national secrets defense..and I hope the EFF absolutely prevails in crushing this malarkey.

https://www.eff.org/files/2014/07/24/backbone-3c-color.jpg

Given this graphic in the article, I would guess this the main topic the EFF is pursuing.

While I can see how the NSA's word games can confuse the issue regarding searching, what I've never understood is how nobody seems to notice that those same word games admit to seizing evidence. It's as if everybody forgot the 4th Amendment said "...unreasonable searches and seizures..." or something.

Same tortured definition: Copying(but not depriving you of it) without accessing (reading) is technically not seizing
Right, so let's agree to a system when the government will open every letter, scan the contents, save them to a database, but not read them until after they've run some analysis and determined that your specific letter is of interest. That is precisely what they're doing here, except on a much larger scale than the post office could ever fathom.

It is shocking to compare this to the past. I've just finished reading "Team of Rivals", a biography of Lincoln, and the amount of deeply sensitive stuff that these high-level politicians shared in personal letters to their loved ones and colleagues is astonishing. No politician today would ever put such stuff in writing - if it got into the wrong hands, it could cause incalculable damage to their reputations, relationships, etc. Those guys were being entirely honest in hand-written letters that were delivered days away in different states by a very rudimentary postal system. They clearly had complete trust in the sanctity of the privacy of their letters.

This level of trust in the US government (or any, in fact) is pretty much unthinkable today. We (the people) have lost a lot of valuable ground here.

I've got bad news for you: that is happening, to some extent, already. It's part of how they caught Ulbricht.

They find it far more practical to use collected metadata from addresses to identify postal traffic flows, however, and target their interception based on that.

Fibre taps, in splitting light, deprive you of some of it.

Take that, loophole.

You're not wrong, but that's the kind of hair-splitting (beam-splitting?) that the arguments promulgated by the NSA, et al, depend upon.
That's why I'm doubtful about checking "what the constitution intended". Maybe the US just needs a 28th Amendment stating new rights about the numeric world. We've gone through 2 technological revolutions since 1980, of course the constitution is outdated.

For starters, clusters of data are dangerous in terms of privacy and theft, exponentially with their size. Is it allowed to have a firecracker at home? Is it allowed to have several thousand of them? Same goes for data, whether you're a corporation or a state.

> Copying(but not depriving you of it) without accessing (reading) is technically not seizing

If that is a tortured definition, then it's the same tortured definition used here (as well as many other places) to justify music and movie piracy.

It's different. It's illegal for the government to have this data, even if they bought it. I don't need a court order to be allowed to listen to some music.
How would you explain it to them? Or to the wider public?

Because while you say it is a tortured definition many people wouldn't be able to see it like that. To those people it doesn't make much difference if the data is on the Internet or in a black box, so long as limited specific searches are used and they only happen after warrants.