They are fighting for the right to tell their customers about the government mining their data (through Google). Google already tells their customers what they mine in the ToS and Privacy Policy. I see no hypocrisy.
Also, Google isn't brokering the information they gather. From what I understand they're simply using it to target ads (which is what they actually sell), while keeping the data itself very close to the vest.
If you've got something on offer, and want to know who might buy, Google won't tell you who is interested. They'll just deliver your message to the right people, and if you get a suitable response, you'll know that their service was worth the price.
There's a world of difference between the mediated transactions they have with their customers, and the exchange that takes place when the government says "hand over the data itself."
If you're referring to the whole wifi thing, tell me, what information do you expect the street view car to be able to pick up in the 10 or so seconds it would have been associated with the AP? Their engineers have basically come out and said that was a fuckup, and I'm inclined to believe them because I find it hard to imagine what use that random data would be.
And to be honest, I'm more likely to believe a Google engineer rather than a namecalling troll who's virulently against them for no good reason.
Anyone familiar with the constitutional law on this? From a layman's perspective it seems obvious that the government has some ability to restrict 1st amendment rights on matters of national security. If that wasn't the case, there would be no way to enforce legal restrictions on classified information. It would be the end of all government secrets, both good and bad. Or is this debate simply about where the actual line is drawn for national security and whether this type of disclosure crosses that line?
National security most likely qualifies as "compelling state interest" in general, but it's not the only thing the government needs to infringe on constitutional rights. The government also needs to prove that the infringement is narrow and specific.
Even then, I wonder if the "compelling state interest" could be challenged on not being compelling enough.
(I am definitely not a lawyer, just remembering a con law class I took and refreshing my memory with Wikipedia.)
I'm a lawyer, although not one that regularly practices First Amendment law. That said, zachrose is right that strict scrutiny applies here. Usually, to restrict truthful speech based on the content of the speech, the government must show that (1) there is a compelling state interest and (2) that the government's restriction on speech is narrowly tailored.
National security is pretty compelling, but it's unclear how prohibiting disclosure of the number of requests is narrowly tailored to that interest. Without knowing more details about the nature of the program, it's hard to say why the number matters. But if the NSA can't demonstrate how disclosing a specific number, as opposed to an approximate range, has a noticeable impact on national security, the law would likely not be in their favor.
I guess I don't really understand "national security is compelling". National security, like basically everything else, is a matter of degree. There are presumably compelling and uncompelling national security risks. If the court is weighing some amount of speech restriction against some amount of national security risk, presumably the size of the risk matters?
What are the government's burdens here? Can they merely assert there's a security issue here or do they have to prove it? Does it have to pass some kind of severity test in order to restrict speech? I'm genuinely curious what the case law says on this stuff.
Most restrictions on classified information are enforceable because those with access to the information have voluntarily surrendered their first amendment rights in respect of classified information as part of the agreement they entered into when they obtained a security clearance.
It's much less clear when you are talking about someone who hasn't agreed to the clearance process. In 1979 the Department of Energy tried to prevent The Progressive magazine from publishing an article by Howard Morland describing the design of the Hydrogen Bomb. The article was derived from unclassified sources, but the government argued that information about atomic weapon design is "born classified". There was no conclusive judgement, as the government eventually dropped the case and the article was published.
> In the petition, Google is seeking permission to publish the total numbers of requests the court makes of the company and the numbers of user accounts they affect.
Nice confirmation that the "in the last 6 months" numbers reported by Facebook et al are worthless. No company has yet said how many users are affected total. I assume it's all users, by an earlier "request" (actually all but an order). Why shouldn't an organization that gains a bigger budget the more people it surveils demand the moon?
If we're to believe the number of requests reported so far are 1-to-1 with users, all the information could fit on a single drive. The Bluffdale, UT facility seems capable of handling a good amount of data for each of the entire digital population, even if half of the buildings is space for bureaucrats.
Hey, Google. Reporting what the government is requesting en-masse is nice, but how about you actually give us end-to-end encryption for as many of your services as possible, so we don't have to second-guess our thoughts and chats anymore simply because we know the government is watching and will be getting that data no matter what? It might help with the whole trust issue you're having now.
As has been replied to you several times, you don't want your web-based client in charge of client-side encryption. Yes, it may help as a second line of defence against run-of-the-mill phishing and hacking attempts, but it does absolutely nothing against government requests, as the government can either request the private key that you've stored on their servers, or the government can force them to give you broken encryption software. See, as always, [1].
Whether or not your browser client is providing the encryption, however, you've also rendered completely useless any reason for having web mail in the first place, as you've become next-to-useless to them (no content for ads, no content for things like Google Now) and all their infrastructure is useless to you (no content to search over, no content to spam filter, etc). You no longer have a relationship except they're your SMTP gateway and a backup drive. You can get those today all over the place, you don't need google. If you want to stick with Google, go download a desktop mail client and chat client and install the open source PGP and OTR plugins for them. You can do this right now.
First, that was the non-original version of Hushmail, and over a decade (of development of more capable browsers) has elapsed since the original. Second, the business model would then change to charging for email. Google does that for many services already; paid Google business apps accounts currently provide "no content for ads."
I'm not saying it's not possible (business-wise) as a product offering, I'm just saying there's not really any point to webmail at that point. You can pay Google to be an SMTP gateway and encrypted mail backup now, true, but there's no difference between that and any other email provider at that point, except maybe uptime. No web interface, no search, no spam filtering, no label filtering, no Google Now interaction. Those are all the reasons I like gmail, so I'm not sure about the point of it if those are gone. Just go client-side at that point; at least you'd be able to search your email. And if you're using an email client, you don't need (and probably don't want) google to provide content encryption.
As for the browser side of things, it seems like it would be much much better not to rely on google, but to write a browser extension that identifies the gmail textbox and runs some version of PGP using a private key in your OS/lastpass/whatever keychain. The main thing you'd want to do is somehow isolate the input textbox from the page so that keystrokes only go to the extension, and only the encrypted data goes into the page, preferably when the Send button is pressed.
If Google were to be technically capable of decrypting your email so they can show it to you in a browser, and you're a target for an investigation (a narrow one or an overly broad NSA one), why on earth would the court order/warrant not demand that they decrypt your email to show them, too?
All of these are good points. You make a strong argument that there might be little need for a web interface.
A few other thoughts, though:
- You could still do spam filtering, of course. If it scores highly as spam and the user trusts the spam filtering, it could be deleted or moved into a likely spam folder. (I'm assuming plaintext email is encrypted automatically right away.)
- If the encryption is handled on the client side, Google would NOT be technically capable of decrypting your mail. They would not be able to comply with a court order demanding they decrypt your mail. This is what the original version of Hushmail did, before they added the flawed later version that was exploited by FedGov in, if I recall properly, precisely the way you describe.
Maybe Google has a business relationship with the NSA. It's likely the reason Google hasn't added encryption and never will - the boss doesn't want it.
I don't get it when people keep repeating something like this. Google pushed a lot for adding TLS/SSL encryption between Google's servers and the client, to the point of inventing several performance improvements in TLS start-up. However they sure don't encrypt inside the client [note] and then send it as a blob to the server for storage, mostly because that's not really how webapps can work (for practical "can work" values). For example this wouldn't allow you to full-text-search all your own emails in gmail.
Moreover this would mean significant performance regression every time you would open up any Google web app, because the client would have to decrypt all data, without much help from indexes.
[note] Even encrypting and decrypting in the client would only help so much. It is likely they could be ordered to splice the data while in the client for any person of interest.
Cloud web apps simply require a legal system that respects peoples' data.
So what can the gov't do if companies don't co-operate? With individuals, there is blackmail and illicit coercion. What does the gov't do to corporations worth upwards of 100B to get them to comply?
Yeah, that's right according to the Supreme Court, corporations now have citizenship, so they should have First Amendment rights too. Wouldn't that be ironic if that ruling actually did some good for our nation.
If anything good comes out of this NSA thing, I think it's the fact that liberals will be forced to concede that Citizens United was, in fact, the right decision. Do you really want the government arbitrarily banning speech by corporations that it deems to be impermissible? There is a reason the ACLU came out in favor of the ruling in Citizens United...
For as much as I'm familiar with the CU vs. FEC case, the reasons don't stack up all that well for corporation's 'right of speech' in this context. Trevor Potter I think very reasonably explains why here: http://www.pbs.org/moyers/journal/09042009/watch2.html
Mainly, that it's essentially overstepping the speech of the less powerful. It results in the poor having unequal, lesser freedom of speech.
I would have expected you to be on my side on this issue, as you seemed to be more of a 'spirit of the law' guy rather than a 'letter of the law' kind of guy.
If the difference in power of one class vs. another were the overriding concern when deciding to limit speech, then that logic would also apply to two individuals in different classes. Would you also say that a white teenage son of a rich businessman should have their speech curtailed in comparison to the poor Hispanic daughter of a single mom?
I've got a bit of a textualist streak. I'm more amenable to looking at the spirit of the law and the motivating justifications in something like the 4th amendment, where you can hang your hat on the word "unreasonable" than with something like the 1st amendment, which is written in terms of "Congress shall make no law."
Anyway, I'm curious to know more on why you think CU was the right decision. I advise watching all 31 minutes of the Trevor Potter vs. Floyd Abrams debate if you have time and if you haven't watched/read it already.
I was very sad that ACLU came out in support of CU, I think they were wrong on this one.
What does that mean? Reaching an audience today takes money so an individual who wishes to be heard will need to raise money from her like minded citizens. Are you suggesting that the EFF should not be allowed to buy issue-oriented advertising during an election season?
I'm not a terrorist; I'm a law abiding citizen of the U.S. Can I opt out of the PRISM thing? All I'm doing is adding unnecessary noise to their data. I want to do the patriotic thing and help my country, and in this case the best way to do that is to shrink the pool of data that they must monitor. (And no, I'm not kidding!)
If you want to help the country and they won't let you do so by opting out of prism, you can always mail the government a check to make up for the prism resources you're consuming:
If you're ordinary enough you're probably not triggering any flags, so you're probably already not really being considered part of the dataset.
One person opting out probably won't help them at all, but it would be interesting to consider a more scaled up "opt out" program whereby you go through a one-time deep check and might be granted less monitoring as a result. They would need to sufficiently automate it to make it feasible, though. I also suspect the people who feel most strongly about opting out would also be against the idea of even a one-time check.
> but it would be interesting to consider a more scaled up "opt out" program whereby you go through a one-time deep check and might be granted less monitoring
No, that would not be interesting, that would be treason.
Hypothetically, couldn't Google just decide to break the gag order, be charged with a crime, and then argue this issue in front of a jury of their peers, and then be acquitted, establishing a precedent? It would probably be appealed all the way to the Supreme Court. I know Google is probably risk-averse enough to not do this, but they'd garner a lot of good will I think. Maybe I'm missing some gotcha that they'd never be granted a trial and the board of Google would end up in secret prisons.
> ...argue this issue in front of a jury of their peers, and then be acquitted, establishing a precedent?
This is conceptually confused.
Juries aren't judges or lawyers. They don't get to rule on questions of law, and their verdicts don't set precedent.
If Google does what you suggest and then a judge rules that, as a matter of law, the FISC order was unconstitutional, that means that what Google would have been accused of doing was not illegal -- which means no jury ever gets involved.
If on the other hand a judge holds that what Google would be accused of was illegal, then you get a jury to decide whether, as a matter of fact, they did what they're accused of. But in that case, an acquittal by the jury wouldn't set a precedent that their actions were legal, any more than a jury finding someone not guilty of murder sets a precedent that murder is legal.
All of which means there's no reason for them not to seek a declaration of the order's unconstitutionality before breaching it.
No. Jury nullification does not mean a jury gets to rule that 'thing X is not illegal'.
Rather, it's a jury saying 'I know thing X is illegal (and I can't change that), but I'm going to say that the defendant is not guilty of doing thing X, even though I think he did, because I think thing X shouldn't be illegal'.
That may sound like a fine distinction, but it isn't, it's crucial. A legal precedent that X is not a crime means no-one can thereafter get tried for X (where the precedent applies). A jury nullification doesn't have that effect.
This is, I think, the only way for these tech giants to come out of this scandal better off than they went in -- to take a stand, and take the fight to the feds, hard.
Google does have legal resources far beyond anything a normal citizen has, and since they have been compelled to secretly give up their data, they also have the legal standing to file suit (presumably, although who can know when you have secret laws decided in secret courts via secret decisions...).
> This is, I think, the only way for these tech giants to come out of this scandal better off than they went in -- to take a stand, and take the fight to the feds, hard.
This is a PR-stunt, nothing more. Google could have "challenged" any and all gag-orders even before PRISM was leaked.
Was giving NSA wholesale access to user data bad in 2009? -Why not challenge that shit in 2009? Gag-orders getting in the way? -Well why not challenge those in 2009 then?
I'm not as emotionally invested as you seem to be in whether Google is good or bad. It's a corporation, so I assume they will do whatever they can to make money, and will be generally okay with fucking people over if needed, especially if not many people will know about it. Just like Yahoo, Apple, Microsoft, and everybody else on that scale.
So why didn't they challenge it in 2009? Probably because there wasn't that much in it for Google, since there wasn't a big national shitstorm blowing that way. But now there is. That is the point I am making.
So, now, Google could serve their own corporate interests by fighting hard against the rise of the secret police. Would that make Google an awesome person? No, it would still be a selfish corporate entity trying to get money, just like it always has been.
But, it would (rightly) be perceived as a force for good, on the right side of this particular battle with tyranny. That would help you, me, America, and the world... but it would also help Google, it would seem.
And some of these other "fucking scumbags" (which I assume is your term for "corporations acting normally"), like Apple, Yahoo, etc., might be encouraged to do likewise.
In other words, it takes public outrage to create the shitstorm (which you will have noticed is in the mainstream media, not just nerd forums like this one), but once the outrage is in place, that helps align the interests of corporate behemoths like Google with what you and I would probably agree is Good (i.e., not having fucking secret police using secret laws to evade the control by the citizens of the nation).
I'm well aware that they're all just huge corporations going after their own interests. That's beside the point. You seemed to be commending Google on "taking the fight to the feds, hard", and I just wanted to point out that there's no reason to commend them.
> So why didn't they challenge it in 2009? Probably because there wasn't that much in it for Google, since there wasn't a big national shitstorm blowing that way. But now there is. That is the point I am making.
Yes. I'm also well aware that corporations engage in damage control only when it's necessary. But again, there's no reason to commend them for doing precisely that, especially when that's all this is about.
> So, now, Google could serve their own corporate interests by fighting hard against the rise of the secret police. Would that make Google an awesome person? No, it would still be a selfish corporate entity trying to get money, just like it always has been.
> But, it would (rightly) be perceived as a force for good, on the right side of this particular battle with tyranny. That would help you, me, America, and the world... but it would also help Google, it would seem.
Even in 2009, all those huge corporations were well aware of the "rise of the secret police", because all of them were either already participating in PRISM, or in the process of being strong-armed into doing so. Had they perceived fighting this kind of evil to be in their own self-interest, they would have done it right from the start. They could even have joined their forces in opposing the government, but they chose to remain silent. Not a word about the systematic raping of people's privacy all over the world.
PRISM was just as evil in 2009 as it is now, and taking a stand against evil was the right thing to do in 2009, just like it is now. Parading around as some kind of paragon of corporate virtue while secretly shitting all over your users' privacy, on the other hand, was something that only Google did. Also, if a highly intelligent bunch of people running a powerful corporation is interested in fighting the rise of the secret police, it'll be aware that's something that should be done right away instead of after waiting around for several years for the situation to get even worse.
Google can't be rightly seen as a "force for good", no matter how eagerly you swallowed their disingenuous PR-bullshit about the joys of being Open back in 2009.
> but once the outrage is in place, that helps align the interests of corporate behemoths like Google with what you and I would probably agree is Good (i.e., not having fucking secret police using secret laws to evade the control by the citizens of the nation).
It's important to realize that they've already proven they simply don't give a fuck. As long as they're making pleasantly massive piles of money and their armies of lawyers are keeping their taxes low, they're quite happy with the Status Quo. Don't think Google gives a fuck or even thinks it can change anything. Don't think it even wants to change anything.
I'm not commending them, I'm simply pointing out that in the new circumstances, these corporations might benefit from fighting the creeping police state, and thereby doing The Right Thing™.
Back in 2009, they wouldn't benefit from it, so none of them did it.
I don't believe Google is inherently "open" or "not evil" any more than I believe Big Macs are "nutritious" or "delicious".
What I am saying is that massive public outcry about secret police circumventing democracy may not affect the government or their secret police very much -- not until it gets a lot more massive anyway -- but it could have the effect of making the interests of multinationals like Google more aligned with our interests.
Which would be a force multiplier, since one Google has the firepower of two or three million average citizens.
Did they benefit from fighting the creeping police state in 2009? -Apparently not, because they didn't.
Do they benefit from fighting the creeping police state in 2013? -Apparently not, because they didn't - at least until there was that massive shitstorm blowing their way.
Again, if they considered fighting the police state to be in their interests, all of those companies would have done it long ago. Since they haven't, we can conclude that they don't, and therefore, if a massive shitstorm prompts them into doing damage control and pretending they give a fuck, that still doesn't amount to Doing The Right Thing. It only amounts to bullshitting us some more.
You're asserting without evidence that FedGov had or has "wholesale access" to user data. This is a false assertion.
Google's legal brief filed yesterday cites the "PRISM" flap, and false allegations like yours, as justification for being able to lift the gag order. They didn't have as strong an argument two weeks ago.
You are asserting that my assertion is false. It's just as convincing for me to then assert that your assertion that my assertion is false is false.
> Google's legal brief filed yesterday cites the "PRISM" flap, and false allegations like yours, as justification for being able to lift the gag order. They didn't have as strong an argument two weeks ago.
Oh? How about fighting against gag orders because they're unconstitutional and immoral to begin with? How's that for a "justification" for lifting one? Worse than "PRISM flap" and "allegations"?
I think too many people and companies are tiptoeing around the issue. Some more people need to take a stand for what they believe in and stand up to the government. If Google believes so strongly that their rights are being violated they should hold a press conference and publicly release all the gag orders and data requests they have received. Let the government try to charge them with violating the gag order and then they can really challenge the order in Federal court, not this secret court.
The justice department almost certainly won't try to charge them with violating the order because they know that it will get declared unconstitutional by the supreme court and a giant company like Google has plenty of money and lawyers to take it all the way to the supreme court. Most companies are too scared to see what will happen if they violate the unconstitutional order.
My current theory on this is that companies such as Google probably generate vast amounts of metadata (there must be a fair amount of it behind Google Now), primarily for advertising purposes, and that it's this which PRISM has "direct access" to under some sort of gagging order.
Let's presume that PRISM is the NSA getting the ability to copy unencrypted data being transferred across these companies' internal networks. Is that one request that affects every account or one request that affects zero accounts? I would expect that the latter would be asserted while the former is more true. And I can almost hear the justification: "if people weren't sending email from Gmail to Gmail and instead from Gmail to foomail, we could be collecting all of this information. You need to give us access to your network, or we need to break you up into smaller pieces which need to send information unencrypted to work."
It's not copying data being transferred, it's copying data sitting on-disk (which does include sending along updates to that data on-disk). NSA was getting that data even before PRISM, but companies were compiling it and sending it manually.
If one server queries a MySQL database on another server inside my network (using private IP addresses), I don't encrypt what's transmitted between the two servers any more than what's done by default. And that default isn't SSL or anything of the sort because I'm expecting that my network admin knows what they're doing with firewalls to keep the unwanted packet sniffers out of the private network. Besides, I don't want to spend the extra CPU cycles on encrypting when I can just fortify the firewall.
That seems pretty reasonable within a datacenter. Nobody(?) would encrypt traffic from local client to local mysql server. But accessing remotely over network links that could be tapped by governments or other antagonists? If you had dedicated netsec and infosec departments as big as Facebook's, you might encrypt that.
Some of the companies named in the PRISM slide deck are in a state of constant information warfare with hostile governments (like China) and governments openly desirous of tapping all networks (like India). They are also continuously beset by piratical criminals from all over the world. It seems unreasonable to assume that they would transmit data over long-distance links in the clear.
I'm not saying they do encrypt everything or even most things. But as the basis of one's theories about PRISM, it doesn't seem like a good assumption.
Email sent from mail server to mail server on port 25 is unencrypted. It's in the mail exchange spec. The only way email is secure is if it never leaves your internal network, and that's because of the network architecture, not encryption (which might include VPNs).
I don't imagine that hotmail or gmail move data from one server to another using SMTP. It's designed to exchange mail with external parties at arm's length. There are far more efficient ways to move data.
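Whether a server-to-server SMTP hop of the kind discussed in the comments above carries mail in cleartext depends on whether the receiving server advertises the STARTTLS extension (RFC 3207) and whether the sender uses it. The following is an added example, not part of the thread: it classifies MTA-side protocol logs by that criterion. The transcripts, hostnames and the `classify` helper are constructed for illustration.

```python
"""Classify SMTP sessions by whether MAIL crossed the hop before TLS was negotiated."""
import re
from dataclasses import dataclass

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")  # "250-text" continues, "250 text" ends a reply

# Constructed MTA-side logs: "C:" is the sending server, "S:" the receiving server.
SESSION_TLS = """\
S: 220 mx.example.net ESMTP
C: EHLO out.example.org
S: 250-mx.example.net
S: 250-SIZE 35882577
S: 250-STARTTLS
S: 250 8BITMIME
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
C: EHLO out.example.org
S: 250-mx.example.net
S: 250 SIZE 35882577
C: MAIL FROM:<a@example.org>
S: 250 2.1.0 OK
"""

SESSION_NOT_OFFERED = """\
S: 220 mx.example.net ESMTP
C: EHLO out.example.org
S: 250-mx.example.net
S: 250 SIZE 35882577
C: MAIL FROM:<a@example.org>
S: 250 2.1.0 OK
"""

SESSION_OFFER_IGNORED = """\
S: 220 mx.example.net ESMTP
C: EHLO out.example.org
S: 250-mx.example.net
S: 250-STARTTLS
S: 250 SIZE 35882577
C: MAIL FROM:<a@example.org>
S: 250 2.1.0 OK
"""


@dataclass
class HopResult:
    starttls_offered: bool = False   # STARTTLS keyword seen in the pre-TLS EHLO reply
    tls_active: bool = False         # server answered STARTTLS with 220
    mail_seen: bool = False          # at least one MAIL command was issued
    cleartext_mail: bool = False     # a MAIL command was issued before TLS was active

    @property
    def verdict(self) -> str:
        if not self.mail_seen:
            return "no-mail"
        if not self.cleartext_mail:
            return "encrypted"
        # Cleartext delivery: distinguish "peer never offered TLS" from
        # "peer offered TLS and the sender did not (or could not) use it".
        return "cleartext-despite-offer" if self.starttls_offered else "cleartext-not-offered"


def classify(transcript: str) -> HopResult:
    res = HopResult()
    last_cmd = None
    reply = []  # text of the lines of the reply currently being read
    for raw in transcript.splitlines():
        side, _, rest = raw.partition(": ")
        if side == "C":
            words = rest.split()
            last_cmd = words[0].upper() if words else None
            reply = []
            if last_cmd == "MAIL":
                res.mail_seen = True
                if not res.tls_active:
                    res.cleartext_mail = True
        elif side == "S":
            m = REPLY.match(rest)
            if not m:
                continue
            code, sep, text = m.groups()
            reply.append(text)
            if sep == "-":          # multi-line reply not finished yet
                continue
            if last_cmd == "EHLO" and code == "250" and not res.tls_active:
                # First reply line is the server's greeting; the rest are keywords.
                keywords = {t.split()[0].upper() for t in reply[1:] if t.split()}
                res.starttls_offered = "STARTTLS" in keywords
            elif last_cmd == "STARTTLS" and code == "220":
                res.tls_active = True
            reply = []
    return res


if __name__ == "__main__":
    for name, log in [("tls", SESSION_TLS),
                      ("not offered", SESSION_NOT_OFFERED),
                      ("offer ignored", SESSION_OFFER_IGNORED)]:
        print(f"{name:14s} -> {classify(log).verdict}")
```

A run of `cleartext-not-offered` verdicts against a peer that normally offers STARTTLS is worth investigating, since a missing keyword in the EHLO reply looks the same whether the server lacks TLS or something on the path removed it.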
I appreciate how the article frames it as a matter of Google preserving their own reputation, as opposed to principle, or it being "the right thing to do." They have been receiving information requests with gag orders attached for years, but are only fighting it now that the cat's out of the bag and they have something to lose. Until then, it seems that Google was fine with the situation as it stood.
I think it's an important distinction to make, and underlines how companies ultimately serve their own self interest before anything else; they're not acting nobly, and the ultimate responsibility lies with the individual.
Much as I would love to see Google prevail in this, there is just no chance that would happen. The implications to any other form of Govt gag orders (think sealed court records) would be immense.
> ...The implications to any other form of Govt gag orders (think sealed court records) would be immense.
Gag order also of Greenberg/Guardian, then what are ES' options?
> "....The Ministry of Defence has issued a D notice preventing the UK media from 'publish[ing] information that may "jeopardise both national security and possibly UK personnel"'.
It will be interesting to see how few or many FISA requests there really are. Google implies it's a small number. The government was okay releasing the numbers opaquely, inside an aggregate of all law enforcement requests, which also implies to me the number may actually be low. If it's conspicuously low, we're left to wonder what alternative sources of raw data they're relying upon primarily. They may be trying to avoid that implication, thus, release of a low number may appeal to Google, but not the government.
My initial reaction to all the positive actions by these companies is to be a cheerleader and urge them on for "fighting the good fight", but I can't help but then turn around and be cynical. After all, as far as we know they were not proactive at all until the leak happened.
Do they have the users' best interests in mind? I honestly can't say so.
This is where we need more than one company to stand up. If Google is the only one doing it, and the government vigorously slaps them around a few times, more than likely they'll stop before they go out of business. And then all the tech companies get put in their place -- want to resist government overreach? You're going to get damaged.
On the other hand, if they all resist, who is the government going to retaliate against? The entire industry? It would be too great a hit to the economy.
So the question is whether Facebook, Apple et al are going to take the short view or the long view. If they let Google be the only one to stand up then maybe it will encourage the government to damage their competitor, but in so doing set the precedent that the industry won't stand together on issues like this, which can only make the government more brazen in the future.
Ultimately, a company has to have a compelling business interest to justify pursuing something like this. Until this became a public issue for these companies, it might be hard to argue that they'd be acting responsibly to pursue a legal case where the only result would be more detailed disclosure of these requests (not any change to the requests themselves.)
Google's arguably been the most active of the major tech firms in getting permission to disclose ranges of requests to date (has anyone else?); it's not clear there would have been a good business reason to pursue what may end up being a very expensive case if it proceeds all the way up through the court system.
And herein lies the issue of "companies exist solely to line the coffers of shareholders", with no responsibility to other stakeholders which is a narrow interpretation which had come about especially in the last 30 years or so. It's not a certain thing, although very common. Thorstein Veblen would call it a problem of remote capital, although other factors have also been at work since the 1960s.
For your statement to be relevant, you'd have to show that if they were concerned about stakeholders other than shareholders, they would have acted differently. That's not self-evident. It's not clear that this suit would have a material benefit for any stakeholders - including users - until now.
It would only do slightly more than the current disclosure to expose the issue of such requests, and it would incur significant risk and cost in return. Given the recent controversy, I'd say this suit now benefits Google employees and shareholders, but I'm not sure it really does a lot for customers in reality.
Let's say Google wins the right to disclose the exact number of requests instead of the range it's been reporting. Will that really materially improve the situation for users?
I do not see how your points are relevant to my argument.
Not everything needs material benefit. Symbolic benefit can be as structurally useful and beneficial as a countable material benefit. For if a powerful set of companies acts, the power relationship with the government (and consumers, not always beneficially of course) then changes.
The whole point is that Google didn't ask before, so the benefit is less than it would have been had they (and others) acted earlier. I am suggesting this is because of a lack of real stakeholder accountability. The benefit to users now is still appreciable, even though they weren't looking after their customers' interests as strongly as perhaps they might have in another era.
Relevance to what? This is a most pertinent issue with respect to the actions of executives of a large business. If executives are competent, then if their concerns are broader, they will act. And there is certainly no requirement for me to demonstrate this in conversation such as this. Your statement appears to commit a burden of proof fallacy.
And the point I'm making (which you seem to miss) is that the value of taking this step has actually risen. Prior to PRISM, if Google did this, it would incur similar risks/costs but only a limited number of people would care. Post-PRISM, when it's a national issue, the PR benefit for it has risen tenfold, while none of the other prior benefits have decreased. Regardless of how they're prioritizing stakeholders, the overall balance of risk/reward has changed drastically, so it doesn't tell you much about which stakeholders were prioritized.
Again with the 'carefully worded denials' - the denials were similar because they were accused of the same thing, which is allowing "direct access".
The most worrisome and misunderstood part of these reports is the "direct access" bit: can the government arbitrarily query company servers? Their denials address that, they clearly say that is not the case, instead they sftp the data after being served with court orders or warrants and yes also the secretive FISA requests.
So by revealing the number of FISA requests they receive and their scope they hope to clear this "direct access" mess. As even FISA orders are much more acceptable than wholesale access.
As for the development being reported here: I think it has merit seeing how this clearly falls under the first amendment, but I'd like a lawyer to chip in.
From what Google's said, it appears the government can't arbitrarily query Google's servers. Google has stated pretty clearly that someone at Google has to check off before an account is pushed to a machine that the government can access and that the data cannot be accessed without this happening.
That's Google. We've yet to hear from many of the other companies in the program about whether this sort of access is technically impossible, or whether it's an honor system that the government is supposed to follow.[1] I haven't been closely following the Facebook, Microsoft, or Apple statements, so maybe they have also been explicit that it is a restriction that is implemented by technical means. Some of the companies haven't said anything yet.
How many of the companies really make sure there is legitimate documentation for each request? Do they really do this every time, or have they become resigned to the fact that there's nothing they can do, so they just rubber stamp each request coming through, even without the proper legal documentation?
[1] This seems to be a major issue--the President and NSA leaders have claimed that analysts "cannot" access your phone metadata and phone call content without the correct legal instruments. But by "cannot", they seem to mean "they are not allowed to" rather than "it is not possible for them to".
> Google has stated pretty clearly that someone at Google has to check off before an account is pushed to a machine that the government
My understanding of PRISM and all this is that the entire internet is vacuumed and everything is stored, just in case. I cannot imagine a guy "checking off" on every email or every mailbox for millions of gmail users every day or even once a month manually. With 11K terabytes of digital data created per hour by US, I cannot imagine any sort of manual system being implemented.
It has to be totally entirely automatic, otherwise it won't fly.
Any understanding of PRISM outside the classified world seems to be incomplete. Some people's version of PRISM seems to involve caching the whole Internet. That might sound implausible, yes. But we won't know until or if the whole thing gets declassified.
Yes, but that vacuuming is apparently being done, just not under PRISM (for example, see https://en.wikipedia.org/wiki/Room_641A). PRISM is just one method of getting the data.
There was a fifth Powerpoint slide published by the Guardian[1] which clearly distinguished between PRISM and "Upstream" methods which collect "communications on fiber cables and infrastructure as data flows past."
The PRISM program mentioned in the Powerpoint slides is very likely the same program that is mentioned in unclassified documents such as Army Field Manual (FM) 3-55, Information Collection[2]:
> 6-12. Two joint ISR planning systems—the collection management mission application and the Planning Tool for Resource, Integration, Synchronization, and Management (PRISM)—help facilitate access to joint resources. PRISM, a subsystem of collection management mission application, is a Web-based management and synchronization tool used to maximize the efficiency and effectiveness of theater operations. PRISM creates a collaborative environment for resource managers, collection managers, exploitation managers, and customers. In joint collection management operations, the collection manager coordinates with the operations directorate to forward collection requirements to the component commander exercising tactical control over the theater reconnaissance and surveillance assets. A mission tasking order goes to the unit responsible for the collection operations. At the selected unit, the mission manager makes the final choice of platforms, equipment, and personnel required for the collection operations based on operational considerations such as maintenance, schedules, training, and experience. The Air Force uses the collection management mission application. This application is a Web-centric information systems architecture that incorporates existing programs sponsored by several commands, Services, and agencies. It also provides tools for recording, gathering, organizing, and tracking intelligence collection requirements for all disciplines
They don't need to store all the data if they can just compel whoever is storing it to give them access to said data. (Which seems to be what is alleged).
re: [1]... Right. In fact, this morning I think we heard this is definitely policy and not technology. We were told that for this to happen [paraphrasing from memory] "One person would have to break the law [analyst], his boss would have to break the law [because he's supposed to approve the access], and remember this entire process is 100% auditable, so we'd catch them for sure."
Of course, this isn't remotely reassuring for a bunch of reasons. Most of all though, I'd be curious to hear more about how the auditing process works. He kept saying "auditable" I noticed, not you know... "actually audited".
Snowden mentioned in the Q&A that 5% of the GCHQ accesses are audited, as one example. He mentioned 5% as if it's a low value but that's actually fairly high, especially if randomly-picked.
Yeah, there are generally two things keeping society in order. Ethical beliefs about right and wrong and fear of punishment from the powers that be for breaking the law. My concern with the NSA is that there is a culture of "the current laws are unduly stifling on our jobs, so us ignoring them is 'required'", coupled with management's belief in same and thus non-interest in prosecuting people that cross the line. Not to mention such prosecution would inevitably be public and thus the program exposed and the public seeing it is being abused. Taken together you have a perfect recipe for safeguards that exist in theory and are utterly ignored in reality, "for the greater good".
Why do people assume that Google has the only copy of what is on Google's servers? It is not hard for the NSA, since they are already admittedly the "man in the middle" to have copies of all data going in and out of any server they target.
Google and Facebook are trying to clear their name here.
But what I'm afraid of is that this mess with deciding exactly how much access the government has to Google will turn into a distraction from the larger picture. Which is that, in all likelihood, the NSA does not have access to Google. What they do instead, and what the name PRISM implies, is that they connect to the backbone (Verizon/AT&T), scoop up ALL data, and store it in their freshly built data center in Utah.
The slides I saw seemed to indicate when certain applications or filters came online. Such as a filter for Facebook data, or a filter for Google search/map/GPS data, etc. That's how I interpreted the graph, at least. It would indicate the NSA is rolling out specialized applications to handle data coming to and going from specific sites. Which allows them to more intelligently decipher what is being said, in more or less shotgun fashion.
Hence, the name PRISM. It's a project to split the full Internet stream into a Facebook bucket and a Google bucket, etc.
The problem I have with the "duplicate the Internet" theory is that it favors the hard solution vs the easy solution.
The hard solution is to secretly duplicate traffic from every data center operated by each of these companies, reverse engineer every HTTP request that goes back and forth so that the data can be parsed, maintain it for every product change that happens at these companies, circumvent HTTPS by compromising the certificate authorities, store it all, and still maintain a massive analytics tool that can make sense of the astounding amount of data coming through.
The easy solution is to avoid all of the technical ugliness of acquiring the data, and just legally make the companies give you the relevant information, neatly structured and packaged. NSLs are the ultimate hack.
It honestly wouldn't surprise me if the gov't has issued a secret subpoena for every PRISM provider's SSL key (e.g. Google/Facebook/Yahoo/etc). That way they get to claim "hey, we're not giving them full access" and the government gets what they want anyway.
As I understand it, they don't have to focus on the data center of those companies when doing the duplication.
For example for emails: emails travel unencrypted through the hops, and they would store them all, and then constantly analyze them. When something suspicious comes up, they would go to the email provider to ask for more data. So for example if gmail address is there, they would go to Google and use their PRISM interface to get more data associated with that gmail address, if it will be yahoo email, they will go to Yahoo for more data, etc.
Gmail users sending to each other will only relay inside Google's own private network. If all of my co-conspirators are using Gmail, there are no external relays to be tapped. Someone would have to read all of our SSL/TLS traffic to see what we're writing about.
This is even more complicated when the data centers are in other countries, and none of the data actually enters the US. So if two EU users were accessing Gmail from the EU, the data may never enter the US at all. This means any network tapping would have to be done in the EU as well, requiring cooperation from many international telecom companies.
It's still easiest to just force Google to hand it over via NSL. Google's still legally bound to deliver the data even if it isn't physically stored in the US.
I wouldn't be so sure if that was the easy solution, as it depends on the cooperation of those companies.
They at least have the choice to resist in some way or another.
They also could be using both solutions simultaneously.
From their perspective, why not?
A lot of the communication won't be encrypted anyways, and some of it will be, but they may be able to decrypt it at some point in the future.
The hard solution isn't just a little bit harder ... it's several orders of magnitude harder and more expensive. It's also highly vulnerable to simply using encryption. The easy solution works because the US companies are bound by law to cooperate. There's no reason to believe that legal pressure on these companies has failed to get the government what it wants.
It doesn't help just to have network transmission data if the data is encrypted. Google has increasingly been moving all of their services to https, I think facebook might be also.
If the government had a wiretapping program for fiber-optics, they wouldn't call it PRISM. Why? Because you don't name your top-secret stuff with descriptive names that imply what it does.
PRISM is a web-app. The slides make it pretty clear it's a web-app. The army field manual link helpfully posted before in this discussion outright says it's a web-app.
> So by revealing the number of FISA requests they receive and what sort of data is being sought they hope to clear this "direct access" mess. As even FISA orders are much more acceptable than wholesale access.
Not necessarily. As another commenter pointed out [1], a single FISA order doesn't have to correspond to a single citizen. One order can encompass millions of accounts.
> their denials address that, they clearly say that is not the case, instead they sftp the data after being served with court orders or warrants and such, including the secretive FISA requests.
While I think it's reasonable to doubt the claim that the NSA has true direct access to servers, I haven't been given a reason to doubt that information can be requested without court orders, warrants or FISA requests.
> Not necessarily. As another commenter pointed out [1], a single FISA order doesn't have to correspond to a single citizen. One order can encompass millions of accounts.
They would want to publish the scope of the FISA requests.
The other companies aren't going this far and I think they deserve a credit for what they're doing.
And I disagree with the comment you link to, the solution isn't limiting data collection, sure it makes you a target but more data equals a better product. It's an issue of government overreach not engineering decisions.
I agree with this entire comment. Even the part where you disagreed with part of the comment I linked to. I even responded to that poster before replying to you. :-)
(Sorry about that. I meant to link to the comment for the text of the FISA order, and not for the jab against Google.)
Steve Gibson presented a good case[1] that the companies are telling the truth, but that NSA nevertheless has the equivalent of full access by tapping the tier-1 or -2 router nearest to each. Fiber-optic "splitter" makes the codename "Prism" cogent.
You didn't add any valuable information to this discussion. Why doesn't Gibson know what he's talking about? Explain what exactly regarding SSL breaking? What's the jump?
If you're talking about this, you should have a cursory understanding of what SSL is and why the MitM attack Gibson is describing is, at best, far fetched.
His point wasn't "all fibre optic" but that by tapping specific routers, e.g. one close to Facebook where FB traffic is concentrated, the NSA can filter and store nearly all FB traffic while FB has full deniability. At the referenced link are links to court documents in which exactly this kind of tap was revealed to exist at AT&T.
As to SSL, is there a claim that NSA has broken it? I wasn't aware of that. Not relevant to Gibson's idea, anyway.
> At any rate, assuming all fibre optic is tapped, how does that explain breaking SSL?
Large governments don't need to break SSL. They have SSL root keys and can man-in-the-middle at will. Doing so across the board would likely be detected, but targeted usage likely wouldn't be.
If this was widespread, I'd expect someone to have found a Google cert signed by different root. Then again I suspect Google pins their certs in chrome for a reason.
> Doing so across the board would likely be detected but targeted usage likely wouldn't be
This whole conversation is about wholesale data access, so targeting is not relevant. Besides, even if you are talking about targeting, the claim is, they are storing data and then targeting 'retrospectively'. So without a time machine there's no way they are going to be able to go back and MITM the targeted conversations they want to listen to after the fact. They would have to be MITM everything all the time.
> how does that explain breaking SSL? That's a really big jump.
How about this: the NSA has issued a secret subpoena for the private SSL key of every listed provider (Google/Facebook/Yahoo/etc). They are using those keys to transparently decrypt traffic and suck up what they want.
This is a distinction without a difference. If I (the NSA) can request yesterday's backups, isn't that close enough? I don't particularly care if they have direct access to Google's servers. Having access to the backups (through sftp or whatever other mechanism) is bad enough.
It's a checks and balances thing. If you're a large ISP and you retain physical control over your servers and network, if you're asked to hand over too much information, it's at least possible to delay and fight it in court. If they have root then you don't even know what they've done.
If they had to request anything from Google or FB, they wouldn't need such huge storage capacities. My guess is that these large companies have been forced to forward data (e-mail, chat lines, posts...) to the NSA as it arrives. It's not "direct access", it facilitates all the searches the NSA could wish for on NSA's own servers and does not contradict any of Google's, FB's or the NSA's claims so far from what I can tell (they store the data, then "collect" it as needed).
First of all, it doesn't really matter what Google says because they could be lying. Second of all, there are trivial ways around "direct access". Google will have world class mirroring capabilities, so they need only mirror to a government server. They could do this manually (per request) or automatically. This would fit within "no direct access".
When news of the PRISM program was first revealed two weeks ago, officials at Facebook, Google and other tech firms informally conferred on a public response...
The leaked slides say clearly the government can query the servers at will. They get real time login data, logout data and payload data.
I don't know why people keep putting this into question, giving Google the benefit of the doubt, when they were caught pants down, no questions asked.
If the companies mentioned in the slides just complied with the law, why would they be singled out in those slides? Honoring search warrants and FISA requests is an obligation, not an extra.
The reason Google was singled out as a partner since 2009 is because they gave the government full unrestricted access.
> The reason Google was singled out as a partner since 2009 is because they gave the government full unrestricted access.
Which part of the PRISM slides make you think that? They certainly indicate pretty much full access to accounts which have been OK'd by Google (at least in archive form), but that is very different from 'full unrestricted access' to servers. I'd say we don't really know the extent of it, and welcome Google's decision to try to challenge the government in court to reveal more details.
As far as I read them the few PRISM slides we've seen don't really indicate:
1) The extent of access (how many accounts, how many accounts per order etc)
2) The mechanisms for FISA access
3) Any time delay in receiving documents/access
4) Whether data is realtime or not after access is granted
and the figures that FB, MS, Apple have announced hardly constitute full unrestricted access to all accounts as you seem to be implying. It's still a serious invasion of privacy, there are serious doubts about the efficacy of the FISA court supervision, and for foreigners I'm not even sure there are any protections at all (the NSA might not even feel obliged to get specific permission for non-US communications), so for everyone outside the US this is really invasive, but I'm not sure I can agree with your characterisation of these slides as showing full access (full access to what, to all Google servers, seriously?).
Well, judging by your comment history (about 100% anti-Google), I won't be taking your word for it. I'm still waiting for the dust to settle and see where Google ends up.
Right now, it's just a bunch of people pointing fingers at each other. The truth will be found once everyone calms down.
I recommend everyone have a look at the leaked documents and the extent to which all those companies participated in it and then judge their public relations reactions afterwards.
After the scandal was revealed, and only after it was revealed in an unprecedented act by Snowden, did Google come out in favor of their customers. This is ridiculous.
Google was caught pants down and there's no amount of PR bullshit they can use to white wash this and pretend the government forced them to do it. They willingly participated in exchange for political status with the government, that is the raw truth.
| After the scandal was revealed, and only after it
| was revealed in an unprecedented act by Snowden,
| did Google come out in favor of their customers
Was Google not already in court opposing NSLs? Filing with FISA was something that the EFF recently spear-headed.
I'm not saying you should trust Google with all of your secrets, or even all of your data, but it should be an informed decision.
Right, but saying "Google only starts caring about its users now," is not true. For example, Google challenged the National Security Letters prior to the Snowden leak.
Can you explain what each slide of the document means and how the program was actually implemented? I still have no idea despite reading a variety of different articles.
>> The court approved each of the 1,789 government requests it received in 2012, except for one that was withdrawn.
Scary as hell, considering that one request can be as broad as: “It is hereby ordered that [Verizon Business Network Services'] Custodian of Records shall produce to the National Security Agency…all call detail records or ‘telephony metadata’ created by Verizon for communications (i) between the United States and abroad; or (ii) wholly within the United States, including local telephone calls,”
Google should cut the crap with PR moves and stop hoarding so much data about everything we do online. If they have, NSA will get it--one way or another.
> Google should cut the crap with PR moves and stop hoarding so much data about everything we do online.
I like that Google has a lot of data on me---it makes their services much more valuable to me. I don't like that the government can access it secretly.
These are distinct opinions and both can be reasonably satiated simultaneously if there are proper checks and balances in government.
Fucking Google is manipulating these threads, trying to white wash their secret spying deals.
Don't fall for this bullshit, Google has been in the spying business for ages now. They joined the NSA program in 2009 and have been in trouble constantly in every spy scandal there is some google product involved. Wake up already.
Depending on what precisely they do with the data, they could do things quite a bit more damaging than turning off your Gmail account, though it certainly wouldn't rise to the level of sending you to gitmo. The worst would probably be some kind of financial and/or career blackballing, if they sold data-mined information about you to credit agencies, lenders, private investigators, and/or prospective employers, and something particularly damaging were contained in it.
I believe their privacy policy currently says they won't do that, and it's especially clear that they won't do anything except target ads using information mined out of your email. But I don't think there would be anything illegal about it, as long as they didn't do something like outright blackmail (offer to let you pay to expunge negative information or something).
The difference is that if Google did that, everyone would immediately stop giving them that information, which is worth more to them than the advantage they could gain in screwing you over once.
On the other hand, if the government does this, people can do... what, exactly? Stop giving their information to the government? They didn't willingly do that to begin with. Stop giving it to Google? Maybe, but they would have to stop giving it to anyone, which is a lot more difficult than just switching from one service to another.
I'm certainly not the government, and I can quite legitimately be violent when defending myself from illegitimate (aka non-governmental) violence.
For example, if someone breaks into my home and behaves threateningly, I can (rather violently) shoot them, and the government won't object in the slightest. So much for them having a monopoly.
Yeah but the world is not the USA. Some states DO have the monopoly of violence. E.g.: if you try to kill me in Spanish with a knife and I shoot you, I'll go to jail.
Sorry, I was editing and just addressing that :( It's a bad habit of mine. I moved the edit here.
Okay, I know that he specifically refers to the US (he mentioned Gitmo) but remember that even then the state is the one who lets you exercise violence. The monopoly's just lending some of its power to make you shut up and stop whining so he can keep minding his (evil) business.
Also: Windows had a monopoly even when Linux existed. Monopolies don't always have 100% of the market share, but they're still a monopoly de facto and will fight hard to achieve the full monopoly.
I knew we could defend ourselves against theft of property with violence in Texas, but I left that out because it's not all that common across the United States - we're a bit more liberal with our rights down here.
What's the deal with the prostitute? Breach of services (especially illegal services) doesn't justify violence. Did the prostitute grab the john's money and then try and run off? If that's what happened, I'm not too surprised by the result, since we're allowed to defend ourselves against theft.
If you have an actual monopoly on violence, you don't need to retaliate against other people using violence with your own violence, because there aren't other people using violence.
Now, perhaps the government has a monopoly on legitimate use of force (indeed, Max Weber used that as the criteria to define whether an entity was the government of a particular territory).
The legitimacy of an act (violence in this case) is highly subjective. The legality is a lot more objective. In this particular scenario, I think I would rather say that the government has a legal monopoly on violence. The legitimacy argument breaks down for oppressive governments where some revolting citizens take up violence because they see it as their last and only option. Some might argue that their act is legitimate, but it is still illegal. Now, one could always say that if the violence by government is not legitimate, it is no longer a government. But that is largely a philosophical/literary point. Here, when people are saying that Government has a monopoly on violence, they mean that the voters have granted them a legal right to use force (which is at least pseudo-aggressive if not violent in all cases). The legitimacy can be contested in courts and debated upon in the next election - but till then, they reserve the monopoly.
> The legitimacy of an act (violence in this case) is highly subjective.
In the sense Weber uses it, it may be fuzzy, but it's not subjective (it's essentially the aggregate of how it is treated by the people in the territory.)
> The legitimacy of an act (violence in this case) is highly subjective.
The idea that legality is objective in a way legitimacy is not is debatable.
> I think I would rather say that the government has a legal monopoly on violence.
Perhaps, but that seems to be a trivial tautology, in that what is legal is precisely, by definition, what is formally allowed by some government.
> The legitimacy argument breaks down for oppressive governments where some revolting citizens take up violence because they see it as their last and only option.
Weber would state that, to the extent that this is a general failure over some subset of its territory, the entity has failed as the government of that territory -- that, in the case where no entity exercises a legal monopoly on violence over a territory, there is no government, and in the case where there is such an entity but it's not the one that is claiming to be the government, then the claiming entity is simply wrong.
> Some might argue that their act is legitimate, but it is still illegal.
In the eyes of the purported government that they are revolting against, but not in the eyes of the purported government that they have formed in the revolution. Legality has no meaning without reference to a governing authority.
Well if you're willing to talk about illegal things the government could do to you it makes sense to talk about the illegal things Google could do to you; i.e., anything.
Our government has decided that it is allowed to do all of those things "legally" in certain circumstances. Execution, asset forfeiture, and detainment are all considered "legal". Nothing besides the government is permitted to do these things, they have a monopoly on that right.
You don't need to put scare quotes around words, I'm well aware of the potential legality of all three categories.
Slavery used to be legal too. I'm sorry the government is not completely perfect, but the answer is to go fix it and make things that should not be legal, illegal. Until then it's like complaining about shell companies used by Google and Facebook to avoid paying taxes (a strategy typically well-defended on HN because they're "technically complying with the law").
> Google by comparison can turn off your gmail account.
I take it you've never lost an important email account, it can be very isolating. For some people that can be deadly.
I'm not saying that them fighting it isn't a good thing, but it's hilarious that they're holding themselves out to be crusaders of freedom and privacy when they are one of the most prolific producers of "profile" data. You could even say they create "anti-privacy".
They are not fighting the mining by the government, only the secrecy. They are fighting for the right to tell you what is happening, just like they tell you what they are doing with your data.
The cynic in me thinks that Google is deliberately fighting a losing battle, so that later on they can say, "Hey, it's not our fault -- we want to tell you what is happening, they won't let us!"
I don't think the outcome of the battle matters at all in this case. Google is still putting up a fight. Their track record shows that they do at least tell us what is happening, so "it's not our fault, we want to tell you, they won't let us" is consistent with their actions, AFAIK.
The cynic in me notes that the companies were spurred into action by the leak. Google has always shown some interest in providing transparency about government requests, but even they were not taking the US government to court over it.
The companies involved are taking these actions because the leak may have undermined consumer trust (e.g. small drops in activity) in them. Perhaps even wrongly, if PRISM isn't as widespread as the initial leak suggested.
It's not your data once you've submitted it to a Google-run service. The expense of all the services Google provides without monetary compensation is the data they can collect. You trade that to them when you use the site: that's their fee.
Firstly I was responding to the parent who said that Google tells us what they do with our data. Whether you think of it as ours or theirs, they don't tell us what they do with it.
Secondly, if what you say is true, then we should stop complaining about what Google passes to the government - what business is it of ours what they do with their data?
Thirdly, I doubt that anyone seriously believes that the 'fee' for using GMail is that their messages become Google's property.
It doesn't necessarily convert to their property from an intellectual property POV, but it is "Google's data" in the sense that you contractually allowed them to utilize it as described in the ToS and privacy policies, which one is free to reject or accept.
You know the old saying, "If you're not paying for a service, you're the product." Why expect anything else? Google is a for-profit company and it's an expensive thing to run. They deserve something for the services provided, don't they?
In other words it's nothing at all like a fee, as you described it earlier.
But, if things are as you say, Google can do whatever it likes with the data according to the ToS. If people don't like data about them being given to the Government, or used for any other undisclosed purpose, they shouldn't have used Google.
It sounds like a fee to me. That is the price that Google asks for admission to its services -- access to the data that you transfer whilst using Google services. Monetary fees are also contractually specified. I'm not sure why you think that just because the "fee" is non-monetary that you have to transfer all ownership rights in whole, instead of those defined as the price of entry in the contracts agreed to upon account registration.
The difference is that they mine data in order to better target ads. When the Feds ask them to share the same data with them, it's for reasons that are vastly more disconcerting. Intent is everything, and that's twice as true when you're dealing with a lethal organization that shows every sign of having escaped from its legal restraints.
I expect Google's filing to show up here shortly: http://www.uscourts.gov/uscourts/courts/fisc/index.html