

NSA secretly monitoring user activity directly from major tech companies - shawndumas
http://www.marco.org/2013/06/06/nsa-prism

======
rasterizer
The "directly" bit is being questioned:

The Washington Post backtracks on claim tech companies ‘participate knowingly’
in PRISM data collection
[http://thenextweb.com/us/2013/06/07/wapost-backtracks-on-cla...](http://thenextweb.com/us/2013/06/07/wapost-backtracks-on-claim-tech-companies-participate-knowingly-in-prism-data-collection/)

~~~
brown9-2
This is semantics. The original slides, and the WaPo writeup, made it sound as
if the NSA has "direct access", which those of us who work in this area
understand to mean "they can login to the servers and do whatever they want".
But it is clear that what is really meant is that the government can access
all of the personal data that these companies have, provided the "proper"
clearance and assertions by the NSA analyst.

TheNextWeb's speculation that the change in wording means that the data is
gathered "indirectly" doesn't make a lot of sense:

 _For one thing, it adds to the growing claim that the agency instead accessed
the information indirectly. In such a case, the most likely method would be
via ISPs or mobile operators, but that remains unconfirmed._

Given that the WaPo wording specifically mentions "company-controlled
locations":

 _In another classified report obtained by The Post, the arrangement is
described as allowing “collection managers [to send] content tasking
instructions directly to equipment installed at company-controlled locations,”
rather than directly to company servers._

What this more than likely means is that the NSA uses special-access "portals"
provided by these companies to do their searching in. Meaning that the NSA
accesses a special, locked down website provided and built by
Google/Apple/Facebook etc to do their searching in, a site that runs within
Google/Apple/Facebook's datacenters/infrastructure, a system that has access to
all of the backend data.

"Direct access" means something different to those of us that work with
software systems like this all day long than it does to a journalist. We
understand that to mean a login and shell access on a server, while the
journalists seem to be misunderstanding "direct" versus "indirect" to refer to
where the data is obtained from.

edit: think about it this way: would the government want access to the raw
bytes stored on Google's servers, which would require them to understand how
to decode Google File System data and be kept 100% up to date on how all of
Google's backend systems work? Or would they prefer if Google provided them
with a private search engine to access data, which Google has to keep up to
date to work with all of the other Google systems?

~~~
rasterizer
The NYT also disputes earlier claims:

 _While the newspapers portrayed the classified documents as indicating that
the N.S.A. obtained direct access to the companies’ servers, several of the
companies — including Google, Facebook, Microsoft and Apple — denied that the
government could do so. Instead, the companies have negotiated with the
government technical means to provide specific data in response to court
orders, according to people briefed on the arrangements._

[http://www.nytimes.com/2013/06/07/us/nsa-verizon-calls.html?...](http://www.nytimes.com/2013/06/07/us/nsa-verizon-calls.html?pagewanted=2&_r=0&hp)

~~~
brown9-2
The only thing that is being disputed is the meaning of the term "direct
access". To a technical person, and to a technology company like Google, that
would mean shell access and ability to run arbitrary commands on Google's
server. That is the only thing that these companies have denied in their
statements. It was a somewhat misleading description in the original slides
and original reporting, but it does not really change the scope of what we are
talking about.

~~~
rasterizer
Isn't access to actual servers (shell or otherwise) the real issue here?
Complying with subpoenas and warrants isn't much of an issue at all.

~~~
brown9-2
I think it depends on who you ask.

I think the fact that the NSA could routinely search Facebook/Google/Apple for
whatever data they have about a particular person (after being reasonably
confident that that person is "foreign"), without needing to get a new and
specific subpoena each time, is news to most people.

