
US tech giants knew of NSA data collection, agency's top lawyer insists - tippytop
http://www.theguardian.com/world/2014/mar/19/us-tech-giants-knew-nsa-data-collection-rajesh-de
======
magicalist
As davesean points out below, this isn't talking about fiber tapping and
whatnot, this is talking about FISA orders

> _Neither De nor any other US official discussed data taken from the internet
> under different legal authorities. Different documents Snowden disclosed,
> published by the Washington Post, indicated that NSA takes data as it
> transits between Yahoo and Google data centers, an activity reportedly
> conducted not under Section 702 but under a seminal executive order known as
> 12333._

So the companies knew that they were receiving secret court orders to disclose
data. Well, duh.

Edit: he even says so explicitly:

> _“All 702 collection is pursuant to court directives, so they have to know,”
> De reiterated to the Guardian._

Thanks for saving that for the last line. All the rest is just trying to
connect dots they have no new evidence for.

------
gojomo
First, even if the companies did know, there was probably a tacit agreement
with the NSA that the NSA would always allow them plausible deniability. "Not
only are you doing your country a great (and legally-required) service, but
everyone involved will go to their graves with the details. Have you heard
about how [competitors/famous-companies X, Y, Z] have fully cooperated for
decades? You haven't? Exactly."

The NSA seems to have been forced by events to break that likely mutual-
understanding.

Second, what does it mean for a "company" to know something? What if one
compartmentalized group of employees know – perhaps ex-military/intelligence
people themselves – and believe they are both compelled to comply _and_ to
keep the full details from upper management (for everyone's protection)?

Does that count as the "company" knowing? I could see the CEOs saying, as they
have, "no", and the NSA saying, as they are here, "yes".

~~~
voidlogic
Internal corporate collaborators unknown to the executives speaks to a failure
of corporate security/infosec. I'd imagine current CEOs are increasing their
organizations security measures to protect not only against corporate
espionage but also state players. If you are CEO and you are forced to comply
that is bad, but not nearly so bad as complying without knowing it is
happening. Not knowing doesn't allow you to leverage legal, oversee the extent
of compliance or plan for the contingency of the compliance becoming public.

~~~
gojomo
How many CEOs view their interests as separate and opposed to their home-
country security services? That's who protects them from terrorism, sabotage,
blackmail, and kidnapping! A corporate infosec policy that keeps out everyone
_except_ a few quasi-official security-state moles may be exactly what they
want. Earn brownie points, avoid paper trails, "everyone" wins.

Probably, helping the security-state even makes keeping other security threats
out, easier: if you play ball, they want their secret, exclusive access to be
unique. They fortify the holes behind them, _and_ can use their many, many
vantage points to warn you about other emerging threats. Otherwise, you're on
your own.

Do you want to be friends with the best-funded, legally-advantaged infosphere
apex predator, or enemies?

~~~
jacalata
So your first post seems to say"the CEOs could plausibly not have known" and
this post seems to say "of course the CEOs went along with it!" Which is an
entirely different claim. Could you clarify?

~~~
gojomo
It's not binary. I'm considering a range of situations which explain both the
denials and the NSA lawyer's report.

The CEOs might know, and think it safe to lie. (That's the "First" part of the
topmost post.) They might not know because the NSA only approached targeted
lower employees, and the combination of the law and the company's own
structure prevents the full decision/compliance from every being told to the
CEO. (That's the "Second" part of the topmost post.)

And the reason that the don't "know" could be that the NSA is really good at a
targeted approach, or that the CEO has helped by making sure enough people to
make the NSA happy are empowered and compartmentalized to do so, without it
getting back to him. In such a case, he honestly doesn't "know" exactly
whether or how much the NSA is poking around, but that's ignorance-by-design.

If the government were angry at a CEO engineering such ignorance to avoid
criminal liability, they'd prosecute under the theory of willful blindness:

[http://en.wikipedia.org/wiki/Willful_blindness](http://en.wikipedia.org/wiki/Willful_blindness)

But since the CEO is in this case doing the government a favor, the government
will "look the other way" about the CEO "looking the other way"...

------
jrochkind1
This caps off some pretty amazing reasoning.

Earlier, the government insisted that simply collecting information in their
databases was not a 4th ammendment violation, because the actual 'search' only
occured when they _search_ the database, not when they collect and put in
their database.

(I think maybe they even defined 'collect' so it somehow only applied when
they did a search, not when they actually collected?)

Now they:

> _...strongly rejected suggestions by the panel that a court authorise
> searches for Americans’ information inside the 702 databases. “If you have
> to go back to court every time you look at the information in your custody,
> you can imagine that would be quite burdensome,” deputy assistant attorney
> general Brad Wiegmann told the board._

> _De argued that once the Fisa court permits the collection annually,
> analysts ought to be free to comb through it, and stated that there were
> sufficient privacy safeguards for Americans after collection and querying
> had occurred. “That information is at the government’s disposal to review in
> the first instance,” De said._

Combine them both, and, well, you see where you get.

------
andyjohnson0
If the companies knew about the data collection but were prevented from
speaking about it due to being served with national security letters, does
this admission change what they can talk about? And/or does it indirectly
confirm the existence of NSLs?

~~~
lern_too_spel
No. They were only prevented from speaking about how many they received, and
still are except in broad buckets. The existence of NSLs and the fact that
they were about collecting certain users' data have both been directly
confirmed by all parties since NSLs existed.

------
linuxhansl
> “If you have to go back to court every time you look at the information in
> your custody, you can imagine that would be quite burdensome,” deputy
> assistant attorney general Brad Wiegmann told the board.

Come again...? So we're breaking the separation of the three powers because
otherwise the authorities have to be inconvenienced with the "quite
burdensome" task of "going back to court"? He can't be serious.

------
znowi
I suppose if at some point Larry Page himself confirms that they did know all
about NSA surveillance and actively participated, people will still find ways
to acquit the beloved company :) I'm not sure if it's the force of the "no
evil" brand or maybe inherent dislike of the government, but user loyalty in
PRISM companies is quite remarkable.

~~~
psbp
Why single out Page and Google?

~~~
jeremyjh
They singled themselves out with "don't be evil". Which was an implicit
critique of other tech giants.

------
patrickg_zill
Sheryl Sandberg has received a lot of press coverage, most of it pretty
positive, for her book "Lean In".

As COO of Facebook, she must have known a great deal about what was going
on... it would be very interesting for me, given her talk of leadership, if
she were asked some questions about this....

------
dan_bk
Simply disgusting.

------
pktgen
Throwing the tech companies under the bus...

~~~
Fasebook
Well, they're all playing in traffic together.

It's like their mothers never told them to look both ways before crossing the
street, or to not play in traffic, for that matter. Or maybe their mothers
hated them and told them to go play in traffic and that's why they hate the
world. There are so many ways this allegory works. Ultimately, they're all
going to get paved over by a road crew, if not hit by a very large bus.
(cough, ahem, HD video, excuse me my digestion hasn't been right lately).

------
davesean
No one denied complying with 702 orders. The main contention about PRISM isn't
that the entities receiving data requests knew that they were receiving these
requests, the main contention was/is about the "direct access" allegations
which is what these companies actually denied, that and knowing the government
codename for the program.

Bad reporting.

~~~
poulson
The second paragraph of the article claims that companies knew about
"upstream" collection as well. This is, from my understanding, the main point,
as the Google engineer Brandon Downey issued the very harsh statement, and I
quote, "fuck these guys", when the infamous smiley-face slide leaked.

EDIT: Apparently the "upstream" collection does not refer to the _third_
capture method in question, which exploited the fact that Google did not (at
the time) encrypt its internal communications.

~~~
davesean
The "fuck you"s were directed at interceptions under executive order 12333
which as the second to last paragraph makes clear was not a subject of
discussion.

PRISM and UPSTREAM featured in the same slide which would explain them being
discussed together, but UPSTREAM isn't subject to tech firms' whims so the
discussion might have been concerning telecom firms as well.

The reporting isn't clear, best read the transcript when available.

~~~
poulson
I stand corrected. Thank you for clarifying.

------
andyl
Of course they did (do). Just like telcos.

What is amazing is the carelessness that the government shows w.r.t.
protecting the interests of American tech firms. NSA could hardly have done
more to destroy worldwide trust and credibility in our tech industry.

~~~
eliteraspberrie
I suppose the grass is greener on the other side. As a Canadian I trust the US
tech industry. Everything that has been exposed in the US has been happening
here too, and then some. The options are: spend lots of money to be spied on
here; spend much less money to be spied on in the US.

~~~
annapurna
Couldn't agree more.

------
Fasebook
Ooops this universally installed and standardized language is universally
installed and standardized, how did that happen?

------
Zigurd
Tl;dr: They ALL knew. They were ordered to comply. The denials are lies.

~~~
joshstrange
No, it appears this is only talking about the FISA court orders

>> “All 702 collection is pursuant to court directives, so they have to know,”
De reiterated to the Guardian.

So, yes, companies knew they were being served with FISA warrants (that they
complied with) but AFAICT they were unaware that the NSA was tapping their
data lines like the example where they tapped data lines between Google's (and
others) data centers. [1]

[1] [http://www.washingtonpost.com/world/national-security/nsa-
in...](http://www.washingtonpost.com/world/national-security/nsa-infiltrates-
links-to-yahoo-google-data-centers-worldwide-snowden-documents-
say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html)

~~~
Zigurd
> _Section 702 is not the only legal authority the US government possesses to
> harvest data transiting the internet._

~~~
mpyne
The existence of other legal authorities does not imply that tech firms are
voluntarily working with NSA to help NSA harvest their data transiting the
Internet.

It doesn't even make sense anyways; what does Facebook have to do with
surreptitiously tapping into a router in Belgrade or Quito?

~~~
Zigurd
Whether cooperation is voluntary, or not, is not the issue. Nor is tapping the
carriers, with or without their cooperation. The article says that cooperation
can be compelled.

The issue is that some of the participants in PRISM denied providing "direct
access" to their data. Some people here are saying those denials are
meaningful when we do not have a complete picture of how cooperation is
compelled.

