
Should the Apache Foundation stop hosting NSA-sponsored code? - mooreds
http://tomslee.net/2013/06/should-the-apache-foundation-stop-hosting-accumulo.html
======
antics
The picture this article is painting is almost completely wrong on every point
that matters.

First of all, the NSA has not sponsored development of Accumulo for more than
a year. The gist of the story is that companies that charge to support other
implementations of Big Table-like systems argued that the government support
of Accumulo directly interfered with their ability to compete. Their main
point was that the government's job was not to compete in an already-thriving
industry, and their lobbying was successful: in summer 2012, the NSA was
formally ordered to halt production on Accumulo. Some of the employees left to
start their own company, last I heard.

Second, as other users have noted, this is not the only implementation, and
dropping it will certainly not make it impossible to do what they do. Remember
that Accumulo was started when no OSS technology could do what it did. Now is
a different time, and arguably it is actually behind.

I agree that it feels good to stick it to "the man", but let's be realistic
here. This move is accomplishing nothing.

------
carterschonwald
Accumulo is designed deeply with authorization and access control in mind.
Every time I've spoken with [edit: people at the] NSA, I wind up hearing about
how much time they spend just jumping through hoops to avoid looking at
information they aren't supposed to.

Accumulo is also a suitable data store for education and medical data, where
there's also lots of regulation over who can see what.

The linked article is reactionary and has no substance.

~~~
mgkimsal
"I wind up hearing about how much time they spend just jumping through hoops
to avoid looking at information they aren't supposed to."

If they didn't collect so much, it'd be easier to avoid the info they
shouldn't be looking at.

~~~
deno
Even if they “didn’t collect that much” they still need to protect sensitive
data.

~~~
carterschonwald
Exactly. Medical records are a great example. If you get a new doctor, you
have to give them written authorization so that they can get your old medical
records.

They can't just say "look I'm a MD, give me the datas", partly because that
would be a felony!

Same sort of regulation, albeit more complicated, applies to NSA.

------
snowwrestler
This is a political approach--"I don't like one aspect of what an organization
does, so I will harass anyone who associates with them in any way."

It's pointless in this case because the NSA is not subject to such grassroots
political pressure. Their sigintel teams do not give a shit if you use
Accumulo or if Apache hosts it. Harassing Apache will have zero effect on
Prism and related programs, but will harm Apache, which is a known-good
organization.

If you want to change things at the NSA, the political pressure points are in
Congress and the White House. Not Apache.

~~~
tomslee
It's exactly Apache's known-good status that makes it a point of leverage.
Surely the pragmatic thing to do is to put pressure on organizations that you
think may respond, rather than organizations that you know will not. I really
don't understand why everyone is saying that Apache's hosting of this project
is irrelevant and useless to the NSA. Would you say the same about other
projects that Apache hosts?

~~~
snowwrestler
The NSA is one of the most well-funded tech organizations in the world. Apache
does nothing for them and has no leverage on them whatsoever.

------
_delirium
As some of the comments on the linked article point out, Apache Accumulo is
one of several implementations of BigTable; another one, also hosted by
Apache, is HBase. As far as the fundamental technology goes, this particular
cat (key-value stores scalable to very large data sets) is out of the bag, and
used by many people besides the NSA.

Would Apache dropping support for one particular BigTable implementation
meaningfully hinder the NSA?

------
showerst
"Open to all contributions, as long as we agree with you" is a pretty slippery
ethos.

------
Pherdnut
So we want them to be more open but we don't want to host their open source
code for all to see? Believe me, I'm sharpening my pitchfork and lining up my
torches over this thing, but that just doesn't make any sense.

------
tomslee
mpyne - I expressed it badly - I did not mean to say that open source
developers are supplying the NSA with Accumulo, just that Apache is supplying
the NSA with a useful service by hosting Accumulo as a project (and that for
some reason open source developers are OK with this in a way that they would
not be for private corporations selling closed source software to the NSA).

The general picture seems to be what antics says in the first comment: NSA
adapted Big Data technologies to suit their own access control and other
requirements, and then decided that the best way forward was collaborative. A
group of employees set up sqrrl to provide a commercial distribution. But it's
an ecosystem that the NSA gains from, all the same, and the broad membership
of Apache seems like it makes for a place where people may have leverage.

------
tomslee
As the poster of the linked article, I'd like to respond.

antics' "First of all" paragraph is completely consistent with what I wrote.
The "Second" paragraph is an "If I don't do it someone else will" argument:
it's not acceptable for arms companies and I don't see why it's more
acceptable for open source foundations.

carterschonwald's first paragraph is also consistent with what I wrote. I am
sure that the NSA takes more concern over privacy than, say, Google or Yahoo.
But that's not really relevant here is it? And the fact that the technology is
also useful for other things - well, we can say the same for internet
filtering technologies and deep packet inspection, but we still criticize Blue
Coat and others when they sell that to authoritarian regimes. I believe what
I'm saying is consistent with criticising those companies.

_delirium's comment is also "If not Apache, someone else will do it" as above.
Not good enough for arms manufacturers, and not good enough for the Apache
Foundation.

I don't understand showerst's comment.

Pherdnut - I don't think the main argument with NSA is that they are being
secret, it's that they are engaging in massive and illegitimate surveillance.

~~~
mpyne
For showerst's comment, he's basically saying that the idea of e.g. having a
hardware store refuse to stock a screwdriver just because it was invented by a
nuclear weapons development lab is a pretty slippery slope ethically.

After that we won't stock screwdrivers invented by the government (incl. EPA).

Then we won't stock screwdrivers invented by $UNDESIRABLE_GROUP.

That line of reasoning is why both the FSF and DFSG explicitly say that Free
software cannot have terms-of-use restrictions. If it's free for one to use it
should be free for all to use, even those you hate.

Accumulo is a tool. It's a tool that happened to be useful for NSA, but NSA is
_not_ the only group that has "Big Data" problems and so it makes no sense for
Apache to punish the rest of us because Accumulo has a source that you
personally don't like.

~~~
tomslee
mpyne - thanks for clarifying: I see it now. I've never been a fan of
"slippery slope" arguments because once you start on them, you never know
where they finish.

I know why FSF takes the line it does, I'm just saying it is a line that has
taken us to a strange place where open source advocates are simultaneously
supplying the NSA with services to carry out surveillance, defending the
practice, but complaining about the surveillance.

And as for "Accumulo is a tool". That's kind of a "guns don't kill people"
argument. Would you apply the same argument to private companies supplying
authoritarian regimes with deep packet inspection software? I see little
difference in the cases.

~~~
mpyne
I'm not a super big fan of slippery slope arguments either. Then you get
people opposing programs not on their own merits, but what might happen if
that program were in the hands of the "other party", and then later in the
hands of some dystopian totalitarian state.

Either way, I'm not sure why you say open source developers are _supplying the
NSA_ with Accumulo. You have it completely the wrong way around; NSA supplied
_us_ with Accumulo.

