
Tech companies, bristling, concede to government surveillance program - rdl
http://www.nytimes.com/2013/06/08/technology/tech-companies-bristling-concede-to-government-surveillance-efforts.html
======
enraged_camel
Lately, I've come to realize that the September 11 attacks actually destroyed
America.

In the grand scheme of things, the attacks themselves caused minimal damage
and casualties. We're only talking about ~3,000 deaths and ~$30 billion
damage.

But look at the aftermath. The Iraq War itself cost the USA $5 trillion, and
another ~4,500 lives (American lives, that is. The total number of casualties
is well over 100,000). At home, the PATRIOT Act enabled countless breaches of
freedom, and the TSA has cost untold number of hours wasted at airports. And
now this NSA bullshit.

All of this is beyond Osama bin Laden's wildest dreams. The guy just organized
a couple of airplanes to be rammed into the WTC towers. Heck, he didn't even
expect them to go down, and was pleasantly surprised when it happened. In
light of all the freedoms America lost since then though, he must be dancing
in his grave right now.

~~~
tptacek
This is an understandable but ahistorical perspective. There was a time not
long ago when wiretaps weren't yet considered searches, and where voicing
support for communism could get you dragged in front of a tribunal. The ideals
of this country aren't an end-state; they're a goal that we will constantly
struggle to achieve.

~~~
newnewnew
If we're going to discuss McCarthyism, we need to remember that the US
government _was_ riddled with soviet spies during the Roosevelt
administration[1][2][3][4]. Communist spies outside of government were also
instrumental to soviet espionage efforts, including the theft of nuclear
technology[5][6]. McCarthy was responding to real threats, although my high
school history class didn't talk much about them. Members of the Communist
Party USA were instrumental in the Soviets obtaining weapons to destroy life
as we know it and the lesson we take from the period is that _McCarthy_ was a
bad guy.

McCarthy wrote a book arguing that the Soviet Union was the real winner of
WWII[7], thanks to the help of willing US accomplices. Looking at the map of
Europe before and after the war you have to admit the guy has a case. But who
would read a book by Joseph McCarthy?

[1] [http://foseti.wordpress.com/2013/03/06/harry-dexter-
white/](http://foseti.wordpress.com/2013/03/06/harry-dexter-white/),
[http://en.wikipedia.org/wiki/Harry_Dexter_White](http://en.wikipedia.org/wiki/Harry_Dexter_White)

[2]
[http://en.wikipedia.org/wiki/Nathan_Silvermaster](http://en.wikipedia.org/wiki/Nathan_Silvermaster)

[3]
[http://en.wikipedia.org/wiki/Perlo_group](http://en.wikipedia.org/wiki/Perlo_group)

[4]
[http://en.wikipedia.org/wiki/Alger_Hiss](http://en.wikipedia.org/wiki/Alger_Hiss)

[5]
[http://en.wikipedia.org/wiki/Julius_Rosenberg](http://en.wikipedia.org/wiki/Julius_Rosenberg)

[6]
[http://en.wikipedia.org/wiki/Whittaker_Chambers](http://en.wikipedia.org/wiki/Whittaker_Chambers)

[7] [http://foseti.wordpress.com/2012/08/19/review-of-americas-
re...](http://foseti.wordpress.com/2012/08/19/review-of-americas-retreat-from-
victory-by-joseph-r-mccarthy&#x2F);

~~~
einhverfr
Espionage efforts are one thing, but when people are jailed for "inciting
rebellion" for the "crime" of distributing the writings of Karl Marx, the
undeniable fact that there were lots of spies here (as we had lots of spies
there) falls so far short of justifying the sorts of abuses that went on.

The government argued that the Communist Party USA had no right to spread
political _ideas_ in the US, and targetted _lawyers_ who dared to defend them.

Whatever the extent of Soviet spying in the US (and it would have been
extensive for obvious reasons, as with the other side), the McCarthy era was
an assault on the foundations of democracy in this country. If you want to
justify that because the threat is real, I suppose we should just give up on
this whole Constitutional Rights thing....

~~~
newnewnew
Of course, there is no moral equivalence between US spies and Soviet spies,
since there is no moral equivalence between subjugation to the totalitarian
soviet state (which soviet spies were fighting for) and the liberal democratic
capitalism of what remained of the West.

Violence is a nasty thing. But violence in service of slavery is a far nastier
thing than violence in defense of human rights and freedoms.

~~~
einhverfr
That's an interesting defence of McCarthyism, that we must do away with
American liberty because otherwise we will lose it to the Soviets.

~~~
re_todd
+1 best summary of McCarthyism ever.

------
Mystalic
This is a lesson in the power of language. The companies involved and their
denials of knowledge of PRISM were not lies, but clearly they were making it
easier for the government to extract data for surveillance, under an unnamed
program with specific point people in each company who were only allowed to
talk to the government and not talk to their CEOs about the extent in which
the government was extracting data. It may go even deeper. We just don't know.

The thing that upsets me most is that I suspect nobody except for the
whistleblower will take any real heat. I hope more will come forward with more
details in the coming weeks, before the government makes an example of the
whisteblower.

Will this incident change user behavior? I doubt it. We're too dependent on
these companies to cut them off en masse.

~~~
ritchiea
I dunno, it sounds to me like the companies in question were being hit with a
lot of government requests and they did the natural thing to take them
seriously and make it easy for their employees to deal with: make an API for
it and automate the parts of the process that can be automated.

It is inevitable they are going to be hit with requests for information, they
could dig their heels in on some things but ultimately they legally have to
provide some of the information requested. They could have implemented APIs
without any idea of how the NSA structured or code named the technology
internally on the NSA's side. And I'm sure Google, Facebook, et al implemented
whatever they implemented with little knowledge of how other companies were
complying or not.

What I imagine happened is that any company that took compliance seriously,
likely for their own staff's benefit, as a side effect became a stronger asset
to the NSA than companies like Twitter who resisted.

And lastly, I'm not saying any of this is good. It just seems extremely
plausible and not part of a massive conspiracy to give the NSA access to as
much data as possible.

~~~
glenra
> _It just seems extremely plausible and not part of a massive conspiracy to
> give the NSA access to as much data as possible._

Wait, why can't it be _both_ of those things? What could the phrase "massive
conspiracy" _mean_ if it doesn't apply to a situation like this?

"conspiracy" suggests a bunch of people were trying to accomplish a goal in
secret, at odds with the interests of the general public. Yup!

"massive" implies significant scale - that it was a LOT of people sharing a
LOT of information. Check!

I'm not seeing anything missing...

~~~
ritchiea
Some things happen in secret but are not part of a conspiracy. Conspiracies
require secrecy because they are unlawful or unethical. It is codified into
law (which is public) that the US gov will make classified information
requests like the ones presented to the companies in question. Automating the
exchange of information that the government has announced will by law be
exchanged is not a conspiracy even if the specifics of what information is
exchanged and the mechanics of the exchange are a secret.

~~~
glenra
This data exchange is arguably both unlawful and unethical. Unlawful in that
it's an illegal search under the 4th amendment to the constitution. Unethical
in that it makes liars out of these companies when they claim their customers
have a reasonable level of privacy.

What conceivable "probable cause" could justify data collection on the scale
being discussed? Practices being "codified into law" (largely secret laws,
being interpreted in secret ways) doesn't really let anyone off the hook here.
Or it shouldn't, at any rate. (Congresscritters and presidents still have an
oath of office that promises to defend the constitution, right?)

~~~
ritchiea
That is not the case according to the article. I understand how you could
believe this is happening but specifically with the SV companies we have no
evidence of it and even the Washington Post is backing down from some of their
boldest claims (e.g. NSA had direct access).

------
cromwellian
So basically, PRISM is just a system for negotiating electronic dead-drop
locations to pick up data when companies are compelled by an NSL to archive
and copy an individuals data? If it were done by printing out the data and
dropping a physical box in a pre approved location, would be be as scandalous?

What are we to believe PRISM is now? Is it

a) a firehose feed that allocates arbitrary, indisriminate, ad-hoc querying
over large swaths of user data in cloud datacenters?

or

b) is it an automated system for sending out National Security Letters, and
the polling dropbox locations for compliance, and then importing the data into
some centralized government intelligence repository?

a) is an absolute outrage, there should be rioting in front of congress and
the whitehouse

b) is pretty much just making delivery of information they are compelled to
legally deliver more efficient. Although if I were these companies, I'd make
it as painful as possible by printing all of the information requested on
sheets of paper in Comic Sans and mailing it USPS.

~~~
spydum
Is mailing hard copies more secure? I tend to think of phone calls and hard
copies as less secure.

~~~
c0nfused
I don't particularly mind the security implications of the technique. However,
It certainly is less convenient if you are the recipient.

------
Q6T46nT668w6i3m
_In one recent instance, the National Security Agency sent an agent to a tech
company’s headquarters to monitor a suspect in a cyberattack, a lawyer
representing the company said. The agent installed government-developed
software on the company’s server and remained at the site for several weeks to
download data to an agency laptop._

Uh, wow.

~~~
waterlesscloud
Sounds like...direct access.

------
_delirium
_In at least two cases, at Google and Facebook, one of the plans discussed was
to build separate, secure portals, like a digital version of the secure
physical rooms that have long existed for classified information, in some
instances on company servers. Through these online rooms, the government would
request data, companies would deposit it and the government would retrieve it,
people briefed on the discussions said._

If true, that would explain the very carefully worded language of both Google
and Facebook that they did not give the NSA "direct access" to their servers.

------
runn1ng
_In at least two cases, at Google and Facebook, one of the plans discussed was
to build separate, secure portals, like a digital version of the secure
physical rooms that have long existed for classified information, in some
instances on company servers. Through these online rooms, the government would
request data, companies would deposit it and the government would retrieve it,
people briefed on the discussions said._

So _THAT_ is why all the responses repeated "direct access".

------
mpyne
Does this mean I was right?
[https://news.ycombinator.com/item?id=5843051](https://news.ycombinator.com/item?id=5843051)
[https://news.ycombinator.com/item?id=5843029](https://news.ycombinator.com/item?id=5843029)

~~~
rdl
Probably, although IMO this was pretty obvious from the $20mm budget. The only
question was "is it a repurposing of the existing law enforcement API" or
something slightly unique, and was it "Google/FB in the loop" or totally
automated.

NSA presumably wouldn't want most Google employees to know they're FISAing
info on KSM. They may be willing to read in a few Google employees to handle
turning over the data, though.

There may be some special magic to hide the actual target from Google while
Google still gets to review the order itself. (the name of the target is
presumably non-meaningful to Google).

------
danso
If I'm reading the OP correctly, then, based solely on what they've reported,
it seems that the denials made by FB and Google were not only truthful, _but
sincere_ (as opposed to being either weaselly or outright dishonest or
both)...Here's the key passage:

\---

> * “The U.S. government does not have direct access or a ‘back door’ to the
> information stored in our data centers,” Google’s chief executive, Larry
> Page, and its chief legal officer, David Drummond, said in a statement on
> Friday. “We provide user data to governments only in accordance with the
> law.”*

 _Statements from Microsoft, Yahoo, Facebook, Apple, AOL and Paltalk made the
same distinction._

 _But instead of adding a back door to their servers, the companies were
essentially asked to erect a locked mailbox and give the government the key,
people briefed on the negotiations said. Facebook, for instance, built such a
system for requesting and sharing the information, they said._

 _The data shared in these ways, the people said, is shared after company
lawyers have reviewed the FISA request according to company practice. It is
not sent automatically or in bulk, and the government does not have full
access to company servers. Instead, they said, it is a more secure and
efficient way to hand over the data._

 _Tech companies might have also denied knowledge of the full scope of
cooperation with national security officials because employees whose job it is
to comply with FISA requests are not allowed to discuss the details even with
others at the company, and in some cases have national security clearance,
according to both a former senior government official and a lawyer
representing a technology company._

\---

The NYT is talking only about FISA requests, which are a secret process but,
as far as everything reported about that process has said, targets
individuals. Moreover, when FISA is used on Americans, it's a process that
involves a court-approved warrant.

So you can argue that FISA is wrong or that it is administered with a rubber
stamp (and in my opinion, yes, this is most definitely worth scrutinizing, and
it has been for however many years it's been put in place), or that no ethical
company should ever comply with a FISA request...but that's not the same
ballpark as what's being alleged with Verizon or with PRISM.

The point about these companies making it "easier" by creating a systematic
delivery process, such as a "lockbox", to send over the requested data is an
interesting detail, but kind of a non sequitur. __Either FISA is OK or it is
flat out wrong __...what does it matter which digital process is set up to
fulfill that request?

~~~
chaz
This article seems to make the most sense. As a hypothetical example, Google
might have been manually fulfilling thousands of FISA requests. It sucked up
time, took engineering resources, was error-prone, and lacked the legal paper
trail to track such requests. In addition, the government wanted something
faster, that used fewer agents to submit/collect data, and could more easily
get updates.

So one day, an NSA agent negotiates with Google to build
fisarequest.supersecret.google.com. NSA agents can directly upload FISA
request documents, as easily as submitting expense receipts. In turn, Google's
legal department can view each request and decide to comply with the click of
a mouse, as easily as approving an expense report. If authorization is
granted, the NSA can now view the emails of the requested user, and new emails
can simply be viewed with a refresh of the browser. As Schmidt and Drummond
say, Google can decline a request if it's improper or overly broad, and ask
for additional information -- again, as easily as a manager looking at a
questionable minibar expense on a trip report.

Said NSA agent does this with multiple companies, internally brands this as
PRISM, puts together a Powerpoint deck, and declares victory. It's "direct
access" since it's coming straight from Google and on a Google server, and
it's "real-time" in that a request can be authorized quickly, and there are no
more .zip files with data dumps involved.

Google has never actually heard of PRISM, and only knows that they built a
tool to make it easier to do what they were already doing with legal FISA
requests. To them, the NSA doesn't have "direct access," which is a loaded
term for unfettered superuser access.

The entire program costs only $20mm because the government now requires only a
few agents to submit requests and collect data. The cost of building the tools
is borne by the companies, who see it as a cheaper way to comply with an
existing legal obligation.

~~~
ig1
Google has specifically stated that they don't take this ("drop box")
approach:

"We cannot say this more clearly—the government does not have access to Google
servers—not directly, or via a back door, or a so-called drop box."

~~~
cpeterso
The drop box could be an NSA server and not a "Google server", depending on
who manages the hardware.

------
revelation
Wow, one second of unconcentrated reading, and a bunch of weasel words fly
right through the blood barrier into your brain.

 _They opened discussions with national security officials about developing
technical methods to more efficiently and securely share the personal data of
foreign users in response to lawful government requests._

Really, NYT? More _securely_? And the users, they are all _foreign_? And all
the government requests, deemed _lawful_ from the outset?

Come on, at this point, are they even trying with the balanced reporting
thing? Tech companies may be _bristling_ , but the NYT is surely lodged in the
government wing.

------
andrewfong
Maybe I'm missing something, but this seems like an overreaction. The specific
allegation is that companies have set up "digital version of the secure
physical rooms that have long existed for classified information, in some
instances on company servers." Why is this a problem? Do we honestly except
companies to print out paper copies of digital data just to inconvenience
government agents who ultimately have a legal right to that data?

I understand wanting to narrow the scope of the data available, but no one has
put forth evidence yet that Facebook is periodically giving the government the
equivalent of an SQL dump. Unlike Verizon, they appear to be producing limited
information in response to a specific request on foreign nationals..
Streamlining this process doesn't raise the same issues for me as does the
Verizon order.

------
chris_mahan
Twitter said no? I like twitter more!

~~~
weisser
Twitter by nature is very public messaging platform and therefore this data is
less private.

I'd be curious how many DMs are sent compared to public tweets.

~~~
rdl
Plus anything on SMS can already be monitored easily in the clear at the telco
level. Most of the "interesting" twitter users are probably using SMS.

------
unreal37
Huh?

"Each of the nine companies said it had no knowledge of a government program
providing officials with access to its servers, and drew a bright line between
giving the government wholesale access to its servers to collect user data and
giving them specific data in response to individual court orders. Each said it
did not provide the government with full, indiscriminate access to its
servers."

Tech companies do not allow widespread open access to their data. They respond
to legal requests that come from FISA for records on individual users. Huge
difference.

~~~
leoc
> They respond to legal requests that come from FISA for records on individual
> users.

We were reassured about the 'individual users' part by the tech companies
yesterday. And yet:

> FISA orders can range from inquiries about specific people to a broad sweep
> for intelligence, like logs of certain search terms, lawyers who work with
> the orders said.

What's the truth here?

------
richardowright
Something still doesn't add up for me on this.

1\. How does this explanation relate to the slide that the US is the World's
Telecommunication Backbone? The only explanation I can think of is that
Google, etc... were only providing information for servers that were
physically in the US.

2\. How does this prism name relate to the program? To me, the prism name
seems more linked to fiber optic cable than to this sort of data monitoring.
Perhaps it's an allusion to splitting the data stream and reflecting it to the
NSA.

~~~
leoc
Yes, the second slide from [http://www.washingtonpost.com/wp-
srv/special/politics/prism-...](http://www.washingtonpost.com/wp-
srv/special/politics/prism-collection-documents&#x2F); sounds more like this
[http://www.nytimes.com/2009/04/16/us/16nsa.html](http://www.nytimes.com/2009/04/16/us/16nsa.html)
doesn't it?

> Officials would not discuss details of the overcollection problem because it
> involves classified intelligence-gathering techniques. But the issue appears
> focused in part on technical problems in the N.S.A.’s ability at times to
> distinguish between communications inside the United States and those
> overseas as it uses its access to American telecommunications companies’
> fiber-optic lines and its own spy satellites to intercept millions of calls
> and e-mail messages.

Maybe the second slide in the WaPo selection refers to the wiretapping
operations, the third and later ones reproduced by WaPo refer to the "FISA
API" operations involving Google, MS, Facebook etc. and the transition between
the two topics is in the omitted slides between 2 and 3.

------
aiiane
_> The data shared in these ways, the people said, is shared after company
lawyers have reviewed the FISA request according to company practice. It is
not sent automatically or in bulk, and the government does not have full
access to company servers. Instead, they said, it is a more secure and
efficient way to hand over the data._

That sounds to me like PRISM _is_ in fact just a name for an overall
consistent system of routing data from specific individual requests.

------
leoc
Meanwhile,
[http://www.forbes.com/sites/jonathanhall/2013/06/07/washingt...](http://www.forbes.com/sites/jonathanhall/2013/06/07/washington-
post-updates-hedges-on-initial-prism-report&#x2F); "Washington Post Updates,
Hedges on Initial PRISM Report"

------
moskie
Can someone sum up the actual evidence for the claim that PRISM, or something
like it, exists? What do we have besides a PowerPoint presentation?

And what are the sources for the claims in this article?

> _In one recent instance, the National Security Agency sent an agent to a
> tech company’s headquarters to monitor a suspect in a cyberattack, a lawyer
> representing the company said. The agent installed government-developed
> software on the company’s server and remained at the site for several weeks
> to download data to an agency laptop._

> _In other instances, the lawyer said, the agency seeks real-time
> transmission of data, which companies send digitally._

I would like to know the source of this information, and to be presented with
evidence that it is true.

------
gasull
This is the important bit:

 _Google, Microsoft and Twitter publish transparency reports detailing
government requests for information, but these reports do not include FISA
requests because they are not allowed to acknowledge them._

 _Yet since tech companies’ cooperation with the government was revealed
Thursday, tech executives have been performing a familiar dance, expressing
outrage at the extent of the government’s power to access personal data and
calling for more transparency, while at the same time heaping praise upon the
president as he visited Silicon Valley._

So Larry Page and Zuckerberg are just deceiving the public because they are
ignoring FISA requests.

I'm so outraged right now.

------
spydum
Maybe it is just me, but could PRISM just refer to secure portals where data
that was summoned from a FISA request (either as spartan as access logs, or as
deep as emails, depending on provider), could be securely delivered upon
collection? It doesn't have to describe the actual COLLECTION system, just the
exchange between government and corporation. As someone has just mentioned, a
secure Dropbox. Just as if they had a legitimate search warrant for details,
you would hope they had a secure way of providing that information to the
requesting agency.

------
JumpCrisscross
Systematically using private companies to spy on foreigners and further the
state's security regime. Hmm, sounds like what the U.S. was recently
castigating China and Huawei for.

------
vijayboyapati
"SAN FRANCISCO — When government officials came to Silicon Valley to demand
easier ways for the world’s largest Internet companies to turn over user data
as part of a secret surveillance program, the companies bristled. In the end,
though, many cooperated at least a bit.

Twitter declined to make it easier for the government. But other companies
were more compliant, according to people briefed on the negotiations. "

Twitter is heroic. Shame on Google, Facebook and all the other state-stooges

------
MetaCosm
Effectively what these companies are trying to do via stronger and stronger
denials is prove a negative... which of course is borderline useless.
Regardless of the truth, to PROVE they were not involved is impossible.

For those companies called out but not involved (as the Post walks back its
language), it has to be an exceptionally frustrating experience.

------
gasull
I'm more upset about Larry Page trying to deceive the public than about Obama.
I trusted Google. I feel betrayed.

------
gasull
I've posted this a few times, but I'll do it again:

Why aren't we all using Bitmessage already?

[https://bitmessage.org](https://bitmessage.org)

[https://www.youtube.com/embed/t_dTotavJZ8](https://www.youtube.com/embed/t_dTotavJZ8)

~~~
graue
Why aren't we already? It's new, unproven and most of us haven't even heard of
it yet. A quick glance at the website suggests you have to install a native
program, which, compared to a web app, adds friction, makes it harder to use
and requires trusting the authors with full access to your computer. There
isn't a mobile app. OS X support is "only lightly tested".

And, even if none of that were the case, the most important reason we aren't
using it already is because the people we want to talk to aren't using it,
either.
[https://en.wikipedia.org/wiki/Network_effect](https://en.wikipedia.org/wiki/Network_effect)

~~~
gasull
Bitmessage is open source.

[https://github.com/Bitmessage/PyBitmessage](https://github.com/Bitmessage/PyBitmessage)

------
buo
I haven't seen mentioned here that Intel is one of the companies mentioned. I
find this particularly worrying: if the hardware itself is compromised, it's
game over.

