
NSA paid millions to cover Prism compliance costs for tech companies - uptown
http://www.theguardian.com/world/2013/aug/23/nsa-prism-costs-tech-companies-paid
======
sage_joch
In related news, DuckDuckGo has seen a huge spike in traffic
([https://duckduckgo.com/traffic.html](https://duckduckgo.com/traffic.html)).
Even if the NSA has probably circumvented DDG's privacy features, it's still
worth using them for _trying_ to preserve user privacy. And in my experience,
DDG's search results have improved drastically, to the point that I very
rarely have to resort to Google.

~~~
mike-cardwell
I wonder what Gabriel Weinberg would do if the NSA told him to hand over his
SSL keys so they could view all his traffic. Would he shut down like Lavabit
did? Would be interesting to get a statement out of him about this.

~~~
state
Have to give you more than an upvote here. This is an excellent point, and
could be extended to many companies that are concerned with privacy. It would
be great if their leaders made preemptive public statements on how they would
handle that situation.

------
mikegioia

        The judgment revealed that the NSA was collecting up to 
        56,000 wholly US internet communications per year in the 
        three years until the court intervened. Bates also 
        rebuked the agency for misrepresenting the true scope of 
        a major collection program for the third time in three 
        years.
    

This "judgement" showed they were only collecting 56,000 emails per year? Give
me a break. Even if their system for collecting foreigners' emails was
actually trying to only collect foreigners' emails, I would whole-heartedly
expect them to nab more than 56k/year accidentally.

I think if you dig in, you'll find it's a few orders of magnitude higher.

~~~
rayiner
> I think if you dig in, you'll find it's a few orders of magnitude higher.

Based on what? If the goal is just to capture all the wholly domestic
communication possible, why engage in this elaborate charade of procedures
that are done in secret and not publicly visible anyway?

~~~
rhizome
Occam says that they lied to the judge because _even they_ would have a
problem with it. Turns out, they were right. This is why they keep it so
secret: they knew or suspected nobody else would allow them to do it the way
they were.

------
belorn
"I’m not sure I can say this more clearly: we’re not in cahoots with the NSA
and there is no government program that Google participates in that allows
the kind of access that the media originally reported." \- Drummond

One does wonder what NSA paid good money for if not for a government program
which Google participated in.

~~~
sbwm
A program that does not "allow the kind of access that the media originally
reported"?

~~~
wbhart
The companies have hinted there is much more they would like to talk about,
but aren't allowed to. It must be hugely frustrating for them to see headlines
like this, and be saying "yes, but you are missing the really important facts
which we know but aren't allowed to tell you!".

I wondered if the comments in those slides about these companies "joining the
program" were meant to be an internal joke. In other words, this could be
internal NSA jargon for "screwed up their security badly enough that we were
then able to wholesale intercept data going between their servers".

These latest revelations would seem to imply that no, it's not an internal
joke.

~~~
Zigurd
If they are in fact frustrated, an honest statement would be "We won't lie to
you. Draw your own conclusions. That is all."

~~~
malandrew
Yes. Even better would be statements like Wyden and Udall have made. They
should say something like:

"We won't lie to you, but we think this information should be public and if
you knew what we know, then you'd be writing and calling your representative
urging them to allow us to talk about it."

They could go even farther by passing judgement with the addition "... because
what is being done in the name of the average citizen presents an existential
threat to democracy and the betterment of a free and open society."

------
devx
This is why I'm not comfortable with the idea of companies getting paid for this,
and actually being profitable for them to do it. If it wasn't _sustainable_
for a company to give so much data to the NSA, they would protest a lot louder
about it. Remember how hard Google fought against SOPA, because SOPA would've
been very unsustainable for them, and it would've even put Youtube in danger
of being shut down.

Being paid, combined with them getting immunity for this sort of stuff just
makes the companies a whole lot more complacent about it, and much more likely
to agree to giving them all the data they need, knowing that almost nothing
can happen to them, as long as the process is kept secret - and they probably
didn't worry too much about that, because secrecy is NSA's job.

Now, when are we going to create backlash against the ISPs and carriers for
allowing NSA to scoop up most of the web's traffic? Almost nobody is
mentioning them in these stories, even though they play an even bigger role
than the companies listed in PRISM.

~~~
delinka
It costs money to respond to these requests. Should companies not be permitted
to seek reimbursement for such things? Most courts have for a long time
allowed companies not directly related to a lawsuit to bill for materials and
effort to comply.

------
kaonashi
So if they're getting money directly from the NSA, it's hard for them to claim
that they were in the dark as far as allowing the NSA direct access to their
data.

~~~
diminoten
So if you buy a hot dog from someone, are you now unable to claim you hired
them to kill your wife?

The NSA could have paid for a _lot_ of things besides "direct access to
Google's data", as you claim. There are hundreds of shades of gray here.

~~~
kaonashi
They paid for Prism compliance. The Prism program entails access to the data.

~~~
diminoten
Since when does 'access' mean 'direct access'?

~~~
joshfraser
Remember when Gmail got hacked by the Chinese? It was reported at the time
that they were using the interface that Google had set up for the US
government to get access to user emails. They don't need a warrant to view
email headers or emails that are more than 6 months old.

Link:
[http://www.cnn.com/2010/OPINION/01/23/schneier.google.hackin...](http://www.cnn.com/2010/OPINION/01/23/schneier.google.hacking/index.html)

~~~
diminoten
> They don't need a warrant to view email headers or emails that are more than
> 6 months old.

Interesting you say that, because in the article you linked, it says this:

> In order to comply with government search warrants on user data

Can you explain this discrepancy?

~~~
falk
Read these for more information on the six months rule. It's rather ridiculous
and I didn't believe it when I first heard about it.

[http://www.wired.com/threatlevel/2011/10/ecpa-turns-twenty-f...](http://www.wired.com/threatlevel/2011/10/ecpa-turns-twenty-five/)
[http://en.wikipedia.org/wiki/Stored_Communications_Act](http://en.wikipedia.org/wiki/Stored_Communications_Act)

~~~
diminoten
Okay, but how does this make Google incapable of saying they didn't know the
NSA had direct access to their data?

~~~
rhizome
Because they, and the other companies who used the exact same terminology,
never said what they meant by "direct."

~~~
diminoten
You'll have to really connect the dots for me here, I guess I'm just not
getting how the 6 month rule has anything to do with the meaning of "direct".

------
Spearchucker
This is the first of Snowden's revelations in which I see a marginal upside.
As a foreigner, this isn't _my_ tax money.

------
espeed
Maybe the time has come to resurrect Wave
([http://en.wikipedia.org/wiki/Apache_Wave](http://en.wikipedia.org/wiki/Apache_Wave))
and usurp email by turning Wave into a p2p PFS
([http://en.wikipedia.org/wiki/Perfect_forward_secrecy](http://en.wikipedia.org/wiki/Perfect_forward_secrecy))
communications platform.

See "Perfect Forward Secrecy can block the NSA from secure web pages, but no
one uses it"
([http://blogs.computerworld.com/encryption/22366/can-nsa-see-...](http://blogs.computerworld.com/encryption/22366/can-nsa-see-through-encrypted-web-pages-maybe-so)).

------
Zigurd
"They didn't have 'direct access' to our bank account."

~~~
samstave
I bank at a small credit union. I very rarely have direct access to my own
account. I regularly have to go through proxies and gateways via the ATM
network. :)

------
nawitus
And this money is funneled to startups. Enjoy your "blood money" :).

~~~
VladRussian2
I think there is a whole big unexplored story with the "black" ... err ...
"Special Source Operations" money that NSA pays to Google/FB/etc. for
their services in secret programs like PRISM - for example how the companies
"launder" the money so they can be reported [to SEC, etc.] as part of the
"white" revenue. Or maybe this money is not reported? Special secret exception
in special secret GAAP/SEC rules? "excluding special one-time non-GAAP items
and secret revenue from NSA our earnings is ..." :)

For example, government agencies buying "likes" from FB - seems like a perfect
way to pay for PRISM participation using kosher looking transactions.

[http://thecable.foreignpolicy.com/posts/2013/07/02/omg_state...](http://thecable.foreignpolicy.com/posts/2013/07/02/omg_state_department_dropped_630000_on_facebook_likes)

------
tzs
Interesting how they aren't focusing on the most important revelation in that
story, which is that the NSA went to considerable effort and expense to fix
the things that a FISA judge said were unconstitutional.

~~~
rhizome
Flipside: for all the smart people at the NSA, they built systems that
implemented unconstitutional functionality.

------
malandrew
How in the hell is impeachment of POTUS for outright lying to the American
people not under consideration? Is this not being considered because none of
his statements were made under oath? If that is the case, I get the feeling
that we should have a law somewhere that states that everything that POTUS or
a White House spokesperson says is always said under oath with penalty of
perjury for lying.

Once you've been elected to office, it should be perjury to lie to the
citizens that have elected you.

------
jdhopeunique
Ixquick.com is another search engine which keeps no record of IP addresses and
uses SSL. It also serves as a proxy so that you can view webpages through
ixquick by clicking on a "proxy" link under each search result.

------
josephlord
I'm torn. If I was running the company I would want to charge the NSA to try
and discourage them from overusing the capabilities but I don't want it to
become an appealing business for the companies.

------
berkut
Why are the dates in those excerpts in non-US (day of month first) format?

~~~
asgard1024
That's a good catch. Maybe the dates aren't in non-US format, but the actual
article is wrong; so the document is from October 12th, not December 10th.

~~~
berkut
"21 Sept 2012" leaves little room for interpretation....

~~~
asgard1024
I thought you meant the date of the document. I am not native American, so I am
not sure about this format of the date and its usage.

------
ape4
Won't this show up in a balance sheet somewhere for the companies?

~~~
cvosteen
I would assume no, especially since these companies are sworn to secrecy when
they participate in these programs. Any equipment purchases would have to be
offset by reimbursements from the NSA, such that they do not have those assets
on the books.

------
pivnicek
In other news, prostitution legalized.

------
monsterix
I am kind of keen to see numbers on the negative impact this program has had
on the (American) cloud and Internet industry. I know a handful of companies
in Europe and Asia who moved away from Google and Rackspace lately and
set-up/revived their own machines.

My best guess is that the monetary loss due to this whole forceful invasion of
privacy would be in the order of billions (I am just guessing here; would be great
if someone could point me to a thoroughly researched number though). This cost
is apart from the bazillion sunk money that the US/UK Government put in to get
hold of data from the trunk, set up the data center of NSA etc. All to just get
hold of less than 50 so-called potential murderers (Avoiding the T-word!).

Looking at the cost of the whole thing and the stupidity of the presented
picture, I think the purpose of PRISM is already a lot more than just curbing
terrorism.

~~~
samstave
I build and deploy openstack private/public clouds and our business is
booming.

Personally, I think the important lesson here is to see that the barrier to
entry to deploy your own cloud, of any size, is extremely low at this point.

Personally, this has galvanized me to figure out a way to help people deploy
their own, secure, micro-cloud stacks with the ability to deploy your own
services. I'd love to chat with HNers about this - as I believe there is a
whole new market, industry opening up at this point; Fractalization of the
web.

~~~
monsterix
> ... the barrier to entry to deploy your own cloud, of any size, is extremely
> low at this point.

> as I believe there is a whole new market, industry opening up at this point;
> Fractalization of the web.

Totally agree. And it could be state-of-the-art, methinks! I'd say
decentralization is of extreme importance and also a way for people to
converse with static/dynamic IPs (lol).

What stack do you recommend to say a bootstrapping startup of say less than 10
people?

~~~
samstave
The number of people in your organization is irrelevant, but rather what
services you're looking for.

Clearly, any organization can leverage AWS and any number of other cloud
providers.

But - if you want to build your own cloud, then I do recommend OpenStack. I
also recommend that you bring external consulting to get you launched quickly
where your dev-ops folks can get familiar.

Go to fuel.mirantis.com to see how to get a tool that allows you to very
quickly and easily put up a stack.

Also, read
[http://ceph.com/docs/master/start/](http://ceph.com/docs/master/start/) as
this is where most people are going from a storage perspective.

Feel free to email me if you'd like to discuss more.

