

U.S., companies: Internet surveillance does not indiscriminately mine data - ennuihenry
http://www.washingtonpost.com/world/national-security/us-company-officials-internet-surveillance-does-not-indiscriminately-mine-data/2013/06/08/5b3bb234-d07d-11e2-9f1a-1a7cdee20287_story_1.html

======
btilly
If I were a Chinese official reading this, my #1 priority would be to try to
get access to PRISM.

No matter what checks and balances the US may employ to make sure legitimate
access stays within bounds, any time you have an automated system, you're open
to the possibility that someone can get access and automate it in ways you
don't like.

~~~
tsotha
> If I were a Chinese official reading this, my #1 priority would be to try to
> get access to PRISM.

No it wouldn't. You'd be after the things Chinese spies are already after:
trade and military secrets. They don't care who's calling who.

~~~
btilly
Just to clarify. Prism is separate from the Verizon data dump. We're talking
access to information that Google, Facebook, and other internet giants can
track about you. Including emails.

China is demonstrably interested in this. When they broke into Google's
network, they went straight for the private emails of Chinese dissidents.
(With, apparently, much less success than they would like.) When they broke
into the NY Times, they went looking for any information about dissidents that
the NY Times might have.

From the sounds of it, access to PRISM gives them that, all nicely gift
wrapped and correlated with other signals of interest, tools to locate known
associates, etc.

Why are they interested in this? The Chinese leadership apparently do not see
a war with the USA as their top risk. (Though they do prepare for the
possibility.) That is because they know that the USA is not in the habit of
lightly invading nuclear powers which could easily level multiple US cities in
retaliation. But overthrow by revolution is something they are terrified of,
with good cause.

------
dclowd9901
They simply don't get it: I DO NOT BELIEVE THE US GOVERNMENT HAS ANY RIGHT TO
VIEW MY DATA THAT I ENTRUST TO PRIVATE COMPANIES. In the event they somehow
have stumbled upon the right, I should be notified that my data has been
examined.

~~~
dm2
How can you trust the US government less than private companies?

Data mining exists at every company because of its value.

I'm much more concerned that private companies (Lexis Nexis I'm looking at
you) have access to so much of my data and have no obligation to inform me of
what data they have.

The US government exists to protect the United States and its citizens. If we
put left vs. right politics aside, why is there inherent distrust of the
government? What would make you trust them? More transparency?

If anybody is to blame it is congress. As elected representatives, they should
have ultimate responsibility as to what happens in this country. They should
also be held liable for ALL of their actions, but good luck getting them to
approve that. How can congress enact laws that only affect themselves or give
them more power? That is corruption and should be considered treason.

~~~
protomyth
> How can you trust the US government less than private companies?

The US government can throw me in jail; private companies cannot. The US
government can sic the IRS, FBI, and Secret Service on me; private
companies cannot.

Congress has a lot of the liability, but so does the President. Read up on
FDR's use of the IRS and what happened to the various Tea Party groups in 2010
with 501(c)4 status[1]. This is why the expansion of federal government reach
is feared.

1) someone will argue about the nature of 501(c)4 so just remember that
Obama's reelection campaign relaunched as one to advocate for his political
agenda for his 2nd term.

~~~
dm2
What is your point about the Tea Party groups and 501(c)4? In my opinion, that
is just another loophole that needs to be closed, same as religious
organization tax exemption.

~~~
protomyth
One side was treated differently than the other. Pure and simple failure to
follow the rules. When government agencies don't follow the rules and treat
all as equals, then we have problems. Clearly having a 501(c)4 with a political
bent isn't the problem, or else Obama's reelection campaign relaunch would have
seen the same scrutiny and rejection.

> In my opinion, that is just another loophole that needs to be closed, same
> as religious organization tax exemption

Regardless of your wish to close loopholes, the current law needs to be
followed: equally and fairly. Going back to how taxes should work is a side
trail and not relevant to how the government has acted against different
parties.

------
OldSchool
The best thing the government could do to legitimately appease citizens is
pass a statute that nothing gathered through these means will be used to
prosecute anything but terrorism or threats to national security. If that's
the real purpose, then they should have no problem putting it in writing.

~~~
bilbo0s
Just playing Devil's Advocate here...

What's to stop them from classifying... say .... computer hacking... as a
threat to National Security?

~~~
tsotha
That's what happened with RICO. When it was passed they told us racketeering
was only organized crime. Now you can get RICO charges doing just about
anything.

------
jtchang
Two ways I could see this being set up:

1. NSA goes to Facebook and tells them to install a server/rack in their data
center. The server needs to be on a port that can "see" all traffic
unencrypted. The servers then transparently record data and analysts on the
backend parse it into something useful.

2. NSA puts servers on premises but instead they are pushed formatted feeds
of data. This would require them to work more closely with the company to make
sure they provide a feed that is workable. They would store the data and as
requests for data came in the server would feed it back.

~~~
dm2
You're assuming that the NSA requires physical access to unencrypted data.

The NSA has been in the IT security game for a very long time, they employ the
best of the best, and have practically unlimited funds. I'd imagine that very
complicated algorithms determine who to monitor and what keywords to look for.
Images from the Middle East or a VPN are likely more heavily analyzed than
images from a college campus inside the US.

Why set up shop at specific social media companies when they have physical
access to backbone routers and root certificate private keys?

Yes, it would be easier to just ask FB/Google/Apple to give them unlimited
read access to their databases, but that would be a scandal waiting to happen.

~~~
acqq
[http://www.guardian.co.uk/world/2013/jun/08/nsa-prism-server...](http://www.guardian.co.uk/world/2013/jun/08/nsa-prism-server-collection-facebook-google)

The slide with the explicit formulation was published, written by NSA, that
made claims of "not inside companies" much less believable:

"Collection directly from the servers of these U.S. Service Providers:
Microsoft, Yahoo, Google, Facebook, Paltalk, AOL, Skype, YouTube, Apple."

This supports the claims of Glenn Greenwald's article and is exactly what
companies claimed not existing.

Read the slide: they explicitly name the collection on the "fat pipes" under
other code names. As they have access to the big pipes, the real-time data
(cf. the other slides, earlier) from the inside of companies is certainly
unencrypted.

~~~
dm2
Ok, so the one thing we have figured out in the past couple of days is that
the NSA undoubtedly has the ability to collect almost all user data and
internet traffic, even for US citizens.

Your link is broken; it should be:
[http://www.guardian.co.uk/world/2013/jun/08/nsa-prism-server...](http://www.guardian.co.uk/world/2013/jun/08/nsa-prism-server-collection-facebook-google)

Now, what do they do with it? The Guardian is claiming that 77,000 reports
have referenced PRISM, but it is also the name of an internal accounting
program ([http://www.dot.gov/individuals/privacy/pia-prism](http://www.dot.gov/individuals/privacy/pia-prism)).

We have a long way to go with this NSA issue. I believe that they are a great
agency but have a very difficult job to perform, and unfortunately their
mission sometimes requires questionable actions. They're powerful enough to
make anything they want legal retroactively, which isn't necessarily a good
thing.

Many people assume that the NSA has been "spying" domestically for decades,
because it's arguably necessary in order to sufficiently protect the country.
I love technology but am already tired of this debate. You are not going to
prevent the NSA from data-mining, end of story.

~~~
acqq
Thanks for the link correction.

The Federal Aviation Administration's "PRISM" is obviously not the one
discussed now in public, and not the one ending in the reports to the
president. I invite everybody once again to read the Post and Guardian, they
obviously have so much material and try to post only as much as to make the
public aware of the legal aspects of the system: the blanket special court
orders, allowing companies not to do anything, not even track what is being
requested, the orders valid for months and practically automatically renewed.
It is "legal."

------
OldSchool
Gotta love a headline that's worded in such a way that it looks like a fact.
Thirty straight days of these on every major outlet and most people who were
not already concerned won't be doing anything differently, if they ever did.
As a bonus, no need to worry about breaking the story anymore.

------
fiatmoney
Seems to indicate the NSA is performing some sort of MITM, or running
intercepts from inside the datacenter after the traffic has been decrypted:

"PRISM allows “collection managers [to send] content tasking instructions
directly to equipment installed at company-controlled locations,” rather than
directly to company servers. The companies cannot see the queries that are
sent from the NSA to the systems installed on their premises"

"From their workstations anywhere in the world, government employees cleared
for PRISM access may “task” the system and receive results from an Internet
company without further interaction with the company’s staff."

------
danso
Two things about the submission title, which is currently: "WaPo: Execs From
Internet Companies Acknowledge PRISM"

1. The original title for the article is "U.S., company officials: Internet
surveillance does not indiscriminately mine data"

2. The excerpt that the submitted title refers to is this: "Executives at
some of the participating companies, who spoke on the condition of anonymity,
acknowledged the system’s existence and said it was used to share information
about foreign customers with the NSA and other parts of the nation’s
intelligence community."

Some, not _all_ of the companies involved. So too soon to conclude that the
public statements were lies...but Zuckerberg and Page, at the least, could be
said to have lied if the companies referred to in the OP are them (both Page
and Zuckerberg said that they (they as in "we") had no prior knowledge of
PRISM at all)

~~~
waterlesscloud
There are definitely some questions here, though.

"government employees cleared for PRISM access may “task” the system and
receive results from an Internet company without further interaction with the
company’s staff."

What does that mean? Does the company have any oversight over what's being
requested? It doesn't sound like it. How does that square with the statements
from the CEOs that each request is carefully considered and restricted?

“The server is controlled by the FBI,” an official with one of the companies
said. “We do not offer a download feature from our server.”

This is a very fine distinction that doesn't matter much. Word games are being
played here.

~~~
leoc
> What does that mean? Does the company have any oversight over what's being
> requested? It doesn't sound like it. How does that square with the
> statements from the CEOs that each request is carefully considered and
> restricted?

This was covered yesterday, in the NYT article
[http://www.nytimes.com/2013/06/08/technology/tech-companies-...](http://www.nytimes.com/2013/06/08/technology/tech-companies-bristling-concede-to-government-surveillance-efforts.html):

> The data shared in these ways, the people said, is shared after company
> lawyers have reviewed the FISA request according to company practice. It is
> not sent automatically or in bulk, and the government does not have full
> access to company servers. Instead, they said, it is a more secure and
> efficient way to hand over the data.

So, it seems, there are Google-lawyer mechanical Turks clicking "OK" or
"Contest" (or whatever) for each FISA order in the Google FISA-order queue.
_If_ the lawyer clicks "OK" it seems the requested information is slurped
automatically from the Google user-data servers into the PRISM server's outbox
(and/or a live data feed is set up). If the lawyer clicks "Contest" then
presumably something messier and more manpower-intensive happens. A system
like this raises plenty of questions - but it doesn't at all automatically
conflict with or falsify what the tech CEOs said.

EDIT: Actually there's apparently a direct conflict between the NYT's version
and what WaPo appears to be saying here:

> According to a more precise description contained in a classified NSA
> inspector general’s report, also obtained by The Post, PRISM allows
> “collection managers [to send] content tasking instructions directly to
> equipment installed at company-controlled locations,” rather than directly
> to company servers. The companies cannot see the queries that are sent from
> the NSA to the systems installed on their premises, according to sources
> familiar with the PRISM process.

That _seems_ to imply that there are no Google-lawyer mechanical Turks reviewing
the individual FISA orders. Given that that would contradict both the NYT
report and the statement from (for example) Page and Drummond
[http://googleblog.blogspot.ie/2013/06/what.html](http://googleblog.blogspot.ie/2013/06/what.html)
this is a big deal. Given the WaPo's demonstrated ability to misunderstand
information from NSA sources, for the moment I'm inclined to assume that the
_Post_ has got this wrong, too - but let's see. (Another possibility might be
that some companies are waving FISA orders of the form "give us the personal
data of Suspect X" through automatically, while others still have a lawyer
clicking "OK".)

~~~
danso
This passage confused me too. But this part:

> _According to a more precise description contained in a classified NSA
> inspector general’s report, also obtained by The Post, PRISM allows
> “collection managers [to send] content tasking instructions directly to
> equipment installed at company-controlled locations,” rather than directly
> to company servers. The companies cannot see the queries that are sent from
> the NSA to the systems installed on their premises, according to sources
> familiar with the PRISM process._

Could refer to queries on accounts/targets that have already been approved. In
that sense, it's not much different from a traditional wiretap...once it's in
place, the government investigators want the ability to monitor it
continuously...the difference in this context is that this "wiretap"
encompasses Internet activity, which may require active querying beyond
passive listening.

~~~
leoc
Could well be. (Though I'd assume that as long as a "virtual wiretap" is in
place on an individual the NSA gets a firehose of everything which happens to
that user account (or at least everything the FISA order permits) and then
just filters out whatever doesn't interest it.) For my part I wouldn't be
surprised if "The companies cannot see the queries that are sent from the NSA
to the systems installed on their premises" just turns out to mean "The
connection between the on-site server and Fort Meade is protected by SSL" (and
probably dedicated fibre). To someone looking at the NSA as the bad wolf here
it sounds like an odd thing to emphasise, but from the perspective of an
actual NSA agent the security of these off-site servers handling top-secret
material (in an environment full of highly-technical leftists and
libertarians!) must be an obvious concern. Just for a start, you wouldn't want
anyone at Google _other_ than the appointed lawyers taking a look at what
you're requesting surveillance on... But that's just a guess of course.

------
l33tbro
One question: Where is Anonymous in all this? I was expecting all kinds of
DDOSing going down in the last 48 hours, but they have been unusually quiet.

------
waterphone
> “The server is controlled by the FBI,” an official with one of the companies
> said. “We do not offer a download feature from our server.”

Now we know why they phrased their statements so specifically.

~~~
runn1ng
Your comments seem to be hellbanned (I am writing it here since it's the newest
non-hellbanned comment of yours).

------
detcader
Some guy on Tumblr picked apart Yahoo's carefully worded denial, actually [1].
Turns out it's totally bunk.

[1]
[http://peterhassett.tumblr.com/post/52499296411/exclamation-...](http://peterhassett.tumblr.com/post/52499296411/exclamation-setting-the-record-straight)

~~~
Kylekramer
Analysis of text related to subjective ideas can make anything bunk ("What do
they mean 'all men are created equal'? Isn't our individualism what makes us
great?", etc.). Line-by-line analyses are particularly insidious because any
idea can be proposed and appear to be a reasonable response without any
likelihood of response from the original party.

If you want to find problems with the various companies' responses, you sure
can. I am positive things have happened with Google, Microsoft, Yahoo, Apple,
etc. and the government that most people would find offensive. But playing
semantic games that push particular agendas without the full story is
misleading and imprudent.

~~~
josephagoss
But he makes some good points, especially about the heavy use of the words
"volunteer" and "give", all of which imply Yahoo! isn't freely giving access
to the NSA. Yahoo! never said that they were disallowing NSA lawful requests
for bulk data, which is the topic of concern.

(Of course Yahoo! isn't volunteering information; that is not a concern at all.
If the NSA demands it, then it's not volunteering information.)

The issue is that all the PR from Facebook, Google and Yahoo! are using very
specific non-broad language to say they are not doing a very certain thing, a
thing that is not the concern. The concern is about lawful access to all
servers and not one piece of PR said this was not happening.

(In the current definition everything the NSA is doing would be considered
lawful as the Government post 9/11 is able to use its various provisions to
allow for a whole manner of things that we might disagree with, but we are not
writing the law, they are.)

~~~
dclowd9901
He misses the part about them not giving the government "unfettered" access.
That's narrow enough to meet the criteria of "otherwise" access.

That's the problem with all of these statements. They're very specific with
their language.

------
joe_the_user
Can anyone say exactly what this paragraph is supposed to mean (or really
mean, if there's a difference):

_Intelligence community sources said that this description_ [direct access]_,
although inaccurate from a technical perspective, matches the experience of
analysts at the NSA. From their workstations anywhere in the world, government
employees cleared for PRISM access may “task” the system and receive results
from an Internet company without further interaction with the company’s
staff._

So they get data from an ad-hoc query without interaction with the company's
staff. And yet it is not direct access? I've read the other back-and-forths,
but I'm still not sure what this could even be trying to imply.

Edit: and read - _According to a more precise description contained in a
classified NSA inspector general’s report, also obtained by The Post, PRISM
allows “collection managers [to send] content tasking instructions directly to
equipment installed at company-controlled locations,” rather than directly to
company servers. The companies cannot see the queries that are sent from the
NSA to the systems installed on their premises, according to sources familiar
with the PRISM process._

But the meaning is no more clear. Or the meaning is, "we buy an indirect
access cable at Best Buy and so everything is OK", i.e., the distinction is
nothing but word games.

~~~
leoc
There's a major apparent contradiction between that second quotation and other
sources (the NYT, Google itself) - see my other comment
[https://news.ycombinator.com/item?id=5847846](https://news.ycombinator.com/item?id=5847846)

------
efsavage
yet

